3. PRISM Should Give You Pause About Cloud Migration Plans.
It should be obvious to all that, however disputed the aforementioned "direct access" claim is, it's certainly easier for the NSA to convince Microsoft, Google or any other cloud service provider to hand data to the federal government, or to monitor the data that's stored there, than it would be for them to convince you to hand over your data stored locally.
These Fortune 50 providers are big fish with big targets on their backs and, naturally, much of the surveillance effort is going to be concentrated there. You would know if a black box were put in your data center, or if someone spliced a cable in your server room, and so on.
Now every organization is different. This "threat" of intercepted communications may simply not be on your radar. That's fine. Other CIOs may decide the benefits to their organization from moving to the cloud and storing data at a large service provider outweigh the risks that their communications will be monitored. That's also fine.
However, it's important that you at least consider the impact PRISM and related programs have on how your data is stored, accessed and monitored, and that you at least make educated, considered decisions about moving to the cloud in light of these revelations.
4. Understand At-Rest Encryption and Plan to Support It ASAP.
While it's impossible for most of us to know for certain, the source of the PRISM leaks believes encryption is a good bet for protecting communications you don't want intercepted or monitored. "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on," Edward Snowden said in a live chat with Glenn Greenwald of The Guardian. "Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it."
Unfortunately, encrypting email transmissions is a difficult process, not to mention one that's not very user friendly. At the least, encrypting data that is at rest (that is, data that's not being transmitted but is simply stored, such as files on a hard drive) ensures that the data cannot easily be decrypted to plain text when it's transmitted later.
In addition, some cloud service providers are offering a service that encrypts data at rest on their servers. Look into these policies and services from cloud providers, and also ensure that your own data center enables this for sensitive information at a minimum. (This is a good security practice for a number of reasons, not just to avoid the NSA.)
5. At the End of the Day, There's Not a Lot You Can Do.
The very nature of secret surveillance is that it's secret, in that we don't often know when we're being monitored, the extent to which we're being monitored, and how that monitoring is being performed.