How PRISM Hurts The Cloud

PrismThe NSA’s PRISM online spying operation is damaging to the public cloud as a whole, and especially to US cloud providers. If you still doubted that hosting your data in the public cloud can pose security risks, this should finally nail it.

Fortunately there are alternatives, such as private clouds and — for those outside the US — national clouds. Could it be time to evaluate those?

For many people — and especially for European politicians — the answer is yes. They argue that PRISM is clinching proof that the US approach to data protection breaks EU law and cannot be trusted.

“Recent months have proven once again that it’s very important for Europe to have its own data clouds that operate strictly under European legislation,” said Estonian President Toomas Hendrik Ilves in a statement.

Of course, that is a little unfair to the US, given that many other countries have online spying operations, and there may be some political grandstanding going on here. However, the NSA’s technology is almost certainly the most extensive and advanced, and the fact that the US is the global Internet hub makes it uniquely well positioned to spy.

The question then is what risks should you worry about, and what can you do about it?

Part of the problem is that expediency tends to be the rule for politicians and bureaucrats alike, and function creep is the order of the day. Governments may claim that the new powers and technologies they are acquiring are only for law enforcement, but the reality will be rather different.

So the NSA also spies on America’s allies, and the UK’s online and phone tapping operations were used to spy on foreign diplomats at the 2009 G20 summit. Local governments have even used anti-terror laws to spy on people suspected of putting their garbage out on the wrong day.

While it is data privacy that makes most of the mainstream headlines — and not just in Germany, where memories of state spying, first by the Gestapo and then by their East German successors the Stasi, make data protection a hot topic — the confidentiality aspect probably matters more to most organizations. Your R&D and your marketing plans will be perfectly legal — or at least I hope they are — but you probably do not want your rivals getting hold of them.

There are numerous anecdotal reports of national intelligence agencies carrying out industrial espionage, however. And for every Daniel Ellsberg, Bradley Manning, or Edward Snowden outraged by covert government activities, how many more are doing something similar for commercial reasons? A quick web search will turn up cases all around the world of police and other officials caught illegally accessing confidential data, and in some cases selling it on.

For some commentators, such as Charles Weaver, CEO of the MSP Alliance, which brings together service providers worldwide, all this is clinching proof that businesses (and governments) need to protect their users’ data better.

“I have been saying for some time now that data should stay within the country or region where the owner of that data also resides,” he says. “Put more simply, sprawling and obscure public clouds should be used only for that data which the owner is willing to allow to be seen by others.”

Could this be the time, then, to start planning your own private cloud deployment, either alone, or in partnership with a local service provider resident in the same legal jurisdiction?

If you already have multiple sites and inter-site connections in place, then if you add the right technologies — such as WAN optimization, an internal storage cloud, perhaps with a global file system and a tier of SSD for better elasticity, and, of course, an infrastructure framework like OpenStack — it could be a practical proposition.

Image credit: Wikimedia Commons