NSA revelations a mixed bag for private clouds

Life in the cloud hasn't been the same since Edward Snowden began leaking secrets about government snooping on the Internet.

Public cloud operators in the United States may be facing large losses because of the Snowden Affair, said a report last week by the Information Technology & Innovation Foundation.

"Recent revelations about the extent to which the NSA obtains electronic data from third-parties will likely have an immediate and lasting impact on the competitiveness of the U.S. cloud computing industry if foreign customers decide the risks of storing data with a U.S. company outweigh the benefits," the ITIF noted.

"Unless the White House or Congress acts soon," it said, "the U.S. cloud computing industry stands to lose $22 [billion] to $35 billion over the next three years."

If that trend develops, will more companies seek security for their data in private clouds? After all, proponents of private clouds have been taking pot shots at security in the public cloud for years and Snowden's revelations have given them a fresh magazine for their guns.

"There could be a backlash against the public cloud," Eric Chiu, president and founder of the cloud infrastructure control company HyTrust, said in an interview.

"In general, security is the biggest inhibitor for public cloud adoption," Chiu said. "This just reinforces the security concerns that lots of companies have in moving to the public cloud."


Stashing data in a private cloud won't necessarily protect it from law enforcement authorities armed with judicial crowbars to pry it from a company. "Simply moving from public to private clouds will not keep sensitive data from the prying eyes of intelligence agencies," said Michael Sutton, vice president of security research for Zscaler.

"The NSA has the ability to require third parties to legally turn over data when appropriate approvals are in place," he continued. "This is a legal requirement which must be adhered to."

"Enterprises should also keep in mind that programs such as those detailed by Snowden target various communication mediums including web mail and social media -- targets that employees are likely to utilize regardless of enterprise architecture," he added.

However, there's at least one advantage to having data in a private cloud when G-persons show up on the doorstep. "If I'm operating a private cloud for my own use, and I get a subpoena or some other request from a government agency, at least I know about it," Steve Weis, CTO and co-founder of PrivateCore, said in an interview.

"If my cloud provider gets that letter, I may or may not know about it," he added.

In addition to government collection of data from public cloud providers, Snowden brought another issue to light, one that threatens the security of a company's data whether it resides in a public or private cloud. "This has really highlighted the insider threat," Todd Thiemann, marketing vice president for PrivateCore, said in an interview.

"Companies are concerned about the cloud," Thiemann said, "but it makes them realize they have issues on their own premises."

An employee like Snowden, armed with system administrator privileges and bent on data theft, is a potent threat to an organization. "Snowden had access to an application on the system," Jeff Kaplan, CEO of the Breakthrough Technology Group, said in an interview. "It doesn't matter what infrastructure you choose -- public cloud, hybrid cloud, private cloud -- he'd still have access to the data."


If Snowden's revelations have an impact on cloud computing, they're likely to be short-lived. "It will have a short term impact," Nirav Mehta, director of product management for EMC's RSA, said in an interview.

"There were a lot of entities that already had concerns about cloud providers," Mehta said. "Those concerns become amplified when a story like this breaks out."

"In the short term, there will be a few more corporations going to private clouds, but in the long term, financially, it doesn't make sense for them to completely reverse the trend of public cloud computing," he said.


Stories by John P. Mello
