If you are both a news and a cloud junky as I am, there has never been a more interesting — or distracting — time to hit refresh on your favorite online news site. The recent statements by whistle-blower Eric Snowden about the scope of surveillance and data capture by the National Security Agency were surprising — and highly concerning — to many.
As the media dove into this story, things got even scarier. The Washington Post uncovered documents about PRISM, a highly classified program where the FBI and the NSA supposedly tapped into servers at Internet companies and cloud service providers (CSP) for the purposes of counterterrorism. I'm certain there were some sleepless nights for executives (and PR people) as Facebook, Google, Microsoft and other cloud providers struggled to respond to the implication that they were complicit in letting the feds into their networks.
There is a significant distinction between what the cloud companies are saying and what the PRISM documents imply. The providers have disclosed that they receive thousands of requests from the government to provide client data (and comply with these requests in somewhat staggering numbers). In contrast, the PRISM documents indicate that the government is using technology to capture whatever data it wants directly from these companies' servers. Perhaps the government wants to provide CSPs with some plausible deniability, but it's interesting to note that each of the CSPs' public statements about PRISM is very carefully worded. Not a single company flat out denies the surveillance — they only state that they are making their best efforts to preserve customer data privacy. I expect the truth is somewhere in the middle.
Will PRISM kill the cloud?
So, the next logical question for those of us who regularly leverage the cloud for business or personal use: will 'PRISM kill the cloud,' as Jonny Evans, a fellow Computerworld blogger, has said? I'd argue that while it may make companies think twice about moving mission-critical applications to the cloud for a period of time, the siren call of Infrastructure as a Service (IaaS) will continue to lure business to the cloud. It just means we need to pay even more attention to data privacy and security.
So what can companies do to retain data privacy in the cloud?
Find a distant cloud?
It seems logical to think that if the US has control over US-based CSPs, then you could consider a CSP with data centers outside US borders, thus escaping surveillance.
It's not that simple. The FISA Amendment Act of 2008 (also called the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, or FISAAA, for short) added even more teeth than the Patriot Act to the government's ability to seek data to support counter-terrorist activity. FISAAA technically only applies to data/people that are located outside the US (which you certainly have if you're a multi-national corporation). FISAAA explicitly expands surveillance authority beyond telecom companies to include data held by cloud service providers (CSPs). Notably, it removes previous constraints about 'continuous surveillance', making it possible for the government to install technology that scans and collects data directly from the CSPs' systems. Sound familiar?