Much has been written about NSA eavesdropping and the Snowden leaks, but one thing mostly lost in the cacophony of outrage, defensiveness and spin is the fact that cloud computing adoption rate could be significantly lessened, or – worse case – adopters could avoid U.S.-based providers.
The Cloud Security Alliance estimates that U.S. cloud providers could lose as much as $35 billion as Canadian, European, Brazilian and other overseas businesses decide they've had enough with U.S. governmental security overreach, and it's in their best interest to store their data at home.
According to Yorgen Edholm, CEO of Accellion, a provider of secure mobile and cloud collaboration services, European regulatory agencies may even mandate against using U.S.-based public clouds.
"Especially in the E.U., the Patriot Act is a major concern. European businesses understand that the local government is a necessary evil, but who wants to worry about coping with another one?" Edholm asked. "Many overseas businesses will opt out of U.S.-based public clouds simply to avoid unnecessary headaches and compliance risks."
That worry may be misplaced, since the NSA was pretty indiscriminate in collecting data from around the globe, but it's not irrational to fear becoming collateral damage as the NSA targets some terror suspect using the virtual server next door.
Yet, how much does this really change things, in practical terms?
"Had the NSA only been collecting data from cloud providers, it would be a different story," said Scott Hazdra, principal security consultant for Neohapsis, a security and risk management consulting company specializing in mobile and cloud security service. "Regardless of where the data was being stored, cloud or not, it was potentially being inspected."
Hazdra's profession is to accurately and precisely assess risks, but for non-experts the human mind is terrible at determining risks, even in our modern, Internet-enabled world. Even if the NSA scooped up data about you, will they actually take steps to decrypt it (well, assuming it's been encrypted in the first place) and analyze it? Probably not.
Yet, every business decision involves weighing benefits against costs and risks. If the NSA helps tip the scales away from the benefits of doing business with cloud providers in the U.S., the collateral damage will harm the many U.S. businesses, cloud providers or not, who lose out due to public policy.
What about potential benefits?
You don't have to search too far to realize that there are actually some benefits hidden within this mess. Let me be careful to explain that I'm not talking about the benefits of having the NSA spying on the entire world in order to stop a few terror attacks. I'll leave that discussion for others.
I'm talking about the fact that the Snowden leaks highlight how important data security best practices are – for everyone, from the elderly cat lady with an AOL account to SMBs to Fortune 100 conglomerates.
If your data is poorly protected, you're at risk, and that risk increases each and every day.
For cloud providers, this means that their data protections should become central to their messaging. And security should be built into their value proposition when talking to customers and prospects.
The truth is that many businesses trust data locked away in their own data centers more than data stored in Amazon's cloud. Sure, you can wrap all sorts of advanced security protections around your Amazon data pretty simply and affordably, but those protections are somewhat opaque to you. On the other hand, even if two different cleaning companies, several part-time IT techs and the CIO's ex-spouse all have easy access to your data center, those risks aren't perceived as immediate and threatening.
We're just not very good at assessing risk.
The NSA leaks, hopefully, will help us get a little bit better at it. "There are a few unique considerations when you move to cloud environments," Hazdra noted. "From a risk perspective, the cloud, public or private, is just a front end for provisioning virtualization, but what organization are learning is that attacks are shifting from those big targets that used to be under constant attack [like Microsoft or the DOD] to smaller and smaller targets."
A mid-sized business with a few million in revenue may think to itself, "Why would any overseas attacker target me?" The why is pretty simple: you're an easy target, with your crappy security practices, and, perhaps, a convenient beachhead to use to stage attacks on juicier targets, such as your suppliers, clients or partners.
Rather than searching for software vulnerabilities, for many attackers it makes more sense to search for vulnerabilities in the supply chain. When much of your supply chain involves services, especially cloud services, and when so much has been consolidated into smaller and smaller physical locations, it makes sense to target those locations. As Willie Sutton explained when asked why he robbed banks: "Because that's where the money is."
Assessing the Risks
In my view, Snowden is a valid whistleblower who should be protected. I'm a journalist, so I probably have industry-specific reasons that lead me to that conclusion. Yet, I think the damage stretches far beyond our rapidly eroding journalistic institutions.
Accurately assessing risks means that you need to consider the entire continuum here, from NSA intrusions to Chinese corporate espionage on down to penetrations from lightly organized groups of hackers in Nigeria and further down to insider threats.
What are the motivations of these various attackers? What's the worst-case scenario, even if it is an extremely low-probability event (say, having your organization branded as one actively helping terrorists)?
If for some reason a business drifts into the NSA cross-hairs, the best first line of defense would probably not be a technical one. A Constitutional lawyer with powerful connections in Washington could well be the most effective defense.
Legal action must be part of how any business assesses risks associated with any cloud provider. "An emerging concern is who actually owns the data," Hazdra said. "That's not a technical determination figured out by security experts, but rather by the legal team."
Snowden's revelations illuminate another troubling trend: the government knows more and more about us, but we know less and less about it as it, supposedly, represents our interests.
That should send a chill down the spine of anyone who believes the aphorism about absolute power corrupting absolutely. The government knows intimate details about us from various online activities that are being vacuumed up indiscriminately, while we know less about what the government is actually doing, since secrecy seems to be the Heisenberg blue meth of government officials in the post-9/11 era.
Why should cloud providers worry about this issue? It's a formula that doesn't benefit the business community either. The business community lobbies government relentlessly, and it shares some of the same values, secrecy being a big one. That secrecy could be anything from a "stealth-mode" approach to protecting some secret-sauce code, which isn't really all that important, to the fight against revealing CEO compensation details.
Heck, I can't tell you how many requests I've had to keep certain facts off the record that were absolutely trivial.
All I can say is: it's time to kick the secrecy addiction. It's doing far more harm than good. And if twelve-step programs are to be believed, the first step towards recovery is admitting we have a secrecy problem – a major one.
Jeff Vance is a freelance writer based in Santa Monica, Calif. Connect with him on Twitter @JWVance.
Photo courtesy of Shutterstock.