Much has been written about NSA eavesdropping and the Snowden leaks, but one thing mostly lost in the cacophony of outrage, defensiveness and spin is the fact that the rate of cloud computing adoption could be significantly lessened, or – worst case – adopters could avoid U.S.-based providers altogether.
The Cloud Security Alliance estimates that U.S. cloud providers could lose as much as $35 billion as Canadian, European, Brazilian and other overseas businesses decide they've had enough with U.S. governmental security overreach, and it's in their best interest to store their data at home.
According to Yorgen Edholm, CEO of Accellion, a provider of secure mobile and cloud collaboration services, European regulatory agencies may even mandate against using U.S.-based public clouds.
"Especially in the E.U., the Patriot Act is a major concern. European businesses understand that the local government is a necessary evil, but who wants to worry about coping with another one?" Edholm asked. "Many overseas businesses will opt out of U.S.-based public clouds simply to avoid unnecessary headaches and compliance risks."
That worry may be misplaced, since the NSA was pretty indiscriminate in collecting data from around the globe, but it's not irrational to fear becoming collateral damage as the NSA targets some terror suspect using the virtual server next door.
Yet, how much does this really change things, in practical terms?
"Had the NSA only been collecting data from cloud providers, it would be a different story," said Scott Hazdra, principal security consultant for Neohapsis, a security and risk management consulting company specializing in mobile and cloud security services. "Regardless of where the data was being stored, cloud or not, it was potentially being inspected."
Hazdra's profession is to assess risks accurately and precisely, but non-experts are terrible at judging risk, even in our modern, Internet-enabled world. Even if the NSA scooped up data about you, will they actually take steps to decrypt it (assuming it was encrypted in the first place) and analyze it? Probably not.
Yet, every business decision involves weighing benefits against costs and risks. If the NSA helps tip the scales away from the benefits of doing business with cloud providers in the U.S., the collateral damage will harm the many U.S. businesses, cloud providers or not, who lose out due to public policy.
You don't have to search too far to realize that there are actually some benefits hidden within this mess. Let me be careful to explain that I'm not talking about the benefits of having the NSA spying on the entire world in order to stop a few terror attacks. I'll leave that discussion for others.
I'm talking about the fact that the Snowden leaks highlight how important data security best practices are – for everyone, from the elderly cat lady with an AOL account to SMBs to Fortune 100 conglomerates.
If your data is poorly protected, you're at risk, and that risk increases each and every day.
For cloud providers, this means that their data protections should become central to their messaging. And security should be built into their value proposition when talking to customers and prospects.
The truth is that many businesses trust data locked away in their own data centers more than data stored in Amazon's cloud. Sure, you can wrap all sorts of advanced security protections around your Amazon data pretty simply and affordably, but those protections are somewhat opaque to you. On the other hand, even if two different cleaning companies, several part-time IT techs and the CIO's ex-spouse all have easy access to your data center, those risks aren't perceived as immediate and threatening.
We're just not very good at assessing risk.
The NSA leaks, hopefully, will help us get a little bit better at it. "There are a few unique considerations when you move to cloud environments," Hazdra noted. "From a risk perspective, the cloud, public or private, is just a front end for provisioning virtualization, but what organizations are learning is that attacks are shifting from those big targets that used to be under constant attack [like Microsoft or the DOD] to smaller and smaller targets."
A mid-sized business with a few million in revenue may think to itself, "Why would any overseas attacker target me?" The why is pretty simple: you're an easy target, with your crappy security practices, and, perhaps, a convenient beachhead to use to stage attacks on juicier targets, such as your suppliers, clients or partners.