Rather than searching for software vulnerabilities, for many attackers it makes more sense to search for vulnerabilities in the supply chain. When much of your supply chain involves services, especially cloud services, and when so much has been consolidated into smaller and smaller physical locations, it makes sense to target those locations. As Willie Sutton explained when asked why he robbed banks: "Because that's where the money is."
In my view, Snowden is a valid whistleblower who should be protected. I'm a journalist, so I probably have industry-specific reasons that lead me to that conclusion. Yet, I think the damage stretches far beyond our rapidly eroding journalistic institutions.
Accurately assessing risks means that you need to consider the entire continuum here, from NSA intrusions to Chinese corporate espionage on down to penetrations from lightly organized groups of hackers in Nigeria and further down to insider threats.
What are the motivations of these various attackers? What's the worst-case scenario, even if it is an extremely low-probability event (say, having your organization branded as one actively helping terrorists)?
If for some reason a business drifts into the NSA cross-hairs, the best first line of defense would probably not be a technical one. A Constitutional lawyer with powerful connections in Washington could well be the most effective defense.
Legal action must be part of how any business assesses risks associated with any cloud provider. "An emerging concern is who actually owns the data," Hazdra said. "That's not a technical determination figured out by security experts, but rather by the legal team."
Snowden's revelations illuminate another troubling trend: the government knows more and more about us, while we know less and less about the government that supposedly represents our interests.
That should send a chill down the spine of anyone who believes the aphorism about absolute power corrupting absolutely. The government knows intimate details about us from various online activities that are being vacuumed up indiscriminately, while we know less about what the government is actually doing, since secrecy seems to be the Heisenberg blue meth of government officials in the post-9/11 era.
Why should cloud providers worry about this issue? It's a formula that doesn't benefit the business community either. The business community lobbies government relentlessly, and it shares some of the same values, secrecy being a big one. That secrecy could be anything from a "stealth-mode" approach to protecting some secret-sauce code, which isn't really all that important, to the fight against revealing CEO compensation details.
Heck, I can't tell you how many requests I've had to keep certain facts off the record that were absolutely trivial.
All I can say is: it's time to kick the secrecy addiction. It's doing far more harm than good. And if twelve-step programs are to be believed, the first step towards recovery is admitting we have a secrecy problem – a major one.
Jeff Vance is a freelance writer based in Santa Monica, Calif. Connect with him on Twitter @JWVance.