<< Back to article Print this page Loading page, please wait...

NSA revelations a mixed bag for private clouds

John P. Mello (CSO (US))
14 August, 2013 13:35

Life in the cloud hasn't been the same since Edward Snowden began leaking secrets about government snooping on the Internet.

Public cloud operators in the United States may be facing large losses because of the Snowden Affair, said a report last week by the Information Technology & Innovation Foundation.

"Recent revelations about the extent to which the NSA obtains electronic data from third-parties will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits," the ITIF noted.

"Unless the White House or Congress acts soon," it said, "the U.S. cloud computing industry stands to lose $22 [billion] to $35 billion over the next three years.

If that trend develops, will more companies seek security for their data in private clouds? After all, proponents of private clouds have been taking pot shots at security in the public cloud for years and Snowden's revelations have given them a fresh magazine for their guns.

"There could be a backlash against the public cloud," Eric Chiu, president and founder of the cloud infrastructure control company HyTrust, said in an interview.

"In general, security is the biggest inhibitor for public cloud adoption," Chiu said. "This just reinforces the security concerns that lots of companies have in moving to the public cloud."

[Also see:Ã'Â U.S. openness, restraint could lessen fallout from from NSA surveillance]

Stashing data in a private cloud won't necessarily protect it from law enforcement authorities armed with judicial crowbars to pry it from a company. "Simply moving from public to private clouds will not keep sensitive data from the prying eyes of intelligence agencies," said Michael Sutton, vice president of security research for Zscaler.

"The NSA has the ability to require third parties to legally turn over data when appropriate approvals are in place," he continued. "This is a legal requirement which must be adhered to."

"Enterprises should also keep in mind that programs such as those detailed by Snowden target various communication mediums including web mail and social media -- targets that employees are likely to utilize regardless of enterprise architecture," he added.

However, there's at least one advantage to having data in a private cloud when G-persons show up on the doorstep. "If I'm operating a private cloud for my own use, and I get a subpoena or some other request from a government agency, at least I know about it," Steve Weis, CTO and co-founder of PrivateCore, said in an interview.

"If my cloud provider gets that letter, I may or may not know about it," he added.

In addition to government collection of data from public cloud providers, Snowden brought another issue to light, one that threatens the security of a company's data whether it resides in a public or private cloud. "This has really highlighted the insider threat," Todd Thiemann, marketing vice president for PrivateCore, said in an interview.

"Companies are concerned about the cloud," Thiemann said, "but it makes them realize they have issues on their own premises."

An employee like Snowden, armed with system administrator privileges and bent on data theft, is a potent threat to an organization. "Snowden had access to an application on the system,"Ã'Â Jeff Kaplan, CEO of the Breakthrough Technology Group, said in an interview. "It doesn't matter what infrastructure you choose -- public cloud, hybrid cloud, private cloud -- he'd still have access to the data."

[In depth:Ã'Â Why we can't stop malicious insiders]

If Snowden's revelations have an impact on cloud computing, they're likely to be short-lived. "It will have a short term impact ," Nirav Mehta, director of product management for EMC's RSA, said in an interview.

"There were a lot of entities that already had concerns about cloud providers," Mehta said. "Those concerns become amplified when a story like this breaks out."

"In the short term, there will be a few more corporations going to private clouds, but in the long term, financially, it doesn't make sense for them to completely reverse the trend of public cloud computing," he said.

Read more about cloud security in CSOonline's Cloud Security section.