The fallout of the Edward Snowden scandal that broke over the summer is being felt globally, with concerns around governments’ ability to access data prompting many organisations to rethink their investment in ICT and the cloud.
It is this information that has contributed to analysts estimating that the US cloud computing industry could lose up to $180 million by 2016. This has opened up a debate – has the PRISM project spawned a culture of paranoia? Why are organisations so worried about data monitoring and is it a justifiable concern?
Following what the business community has learnt about online surveillance, organisations are now asking their cloud provider how they can improve data security. Equally, data sovereignty, the physical location where data is stored and the data centre partner are now wider organisational concerns, not simply the remit of the CIO.
Keeping data in data centres in a country where the authorities could access or monitor it without consent constitutes a significant business risk. The ability to choose where it resides – and even transfer it from one jurisdiction to another on demand – is now a prime concern for all business leaders.
Policymakers in Europe have also lent their voices to the issue. The European Commission (EC) has said the fear over spying and data security in the wake of the PRISM scandal must not stop businesses from taking advantage of the benefits of cloud computing. But the damage from the fallout is clear.
Just last month, German internet giant Deutsche Telekom announced it was pushing forward with plans to try and keep all its web traffic within Germany to avoid the reach of spies. Yahoo also announced plans to encrypt all of its users’ data in 2014, working hard to repair the damage done through allegations that the NSA broke into the communication links that connect Yahoo’s data centres. Eventually everyone will encrypt all data, in flight and at rest. What remains to be seen is whether the NSA (or anyone else) has compromised any of the widely used encryption algorithms.
Nonetheless, moving corporate applications and data back into private clouds – or even back in house altogether – is an anxious response. Cloud platforms do help firms become more agile, and do help foster technology innovation, even in the most risk-averse organisations. CIOs need a way to retain those benefits and protect the organisation, and the data it holds, against being compromised in any way.
Clearly, scrutinising cloud providers’ global network and data centre footprints, including where they are headquartered, is a crucial first step. Arguably as important is the ability to restrict or move data to where you want it to be, quickly and securely – to support new branch offices in new countries, for example. This is highly challenging technically as it requires the entire network, server and storage infrastructure to be virtualised and automated to a large degree.
Delivering such enterprise cloud services to the world without touching any US-located infrastructure at all is even more difficult. The routing of data travelling through the internet is automated, so there is no way of predicting the fastest path and there are any number of routes which data can take. This challenge is something that the PRISM scandal has brought to the top of the agenda for cloud providers: many boardrooms are looking for a solution too.
The end result of PRISM could have a chilling effect on the uptake of cloud services outside the US, with customers unsure who to trust. This would be unfortunate, since the cloud holds out the promise of a more cost-effective and flexible approach to IT provisioning. Therefore, due diligence is as important as ever when choosing a cloud provider, and each business moving to the cloud will need to contemplate the following questions:
- Is your provider headquartered in the US or does it have a US presence? How, if at all, will this affect your organisation?
- What are your suppliers’ security credentials?
- Can you restrict where your data is located with your supplier’s cloud?
- Can you audit your supplier?
- Does your supplier offer data destruction?
- Is your cloud supplier experienced at handling sensitive industries such as financial institutions, i.e. stock markets or retail banking data?
The cloud’s appeal has mushroomed as CIOs have embraced its promises of increased flexibility and cost control, but security concerns are now more heightened than ever. Whilst the cloud cannot completely lock out all covert spying activities or indeed interception of traffic, cloud providers can offer the most robust provision and security options to their clients.
Many are aware the world the business community was operating in six months ago no longer exists. Data they thought were secure might not be. This is having a big impact on the way businesses are organising themselves and many in the cloud computing industry are only just coming to terms with this.