Since Edward Snowden started dishing on US intelligence practices, especially around the program known as PRISM, there have been folks spreading doom and gloom about public cloud. It’s all a rather silly bit of alarmist rhetoric that makes me want to twist a pun out of clouds and Chicken Little.
A prime example is a report from The Information Technology and Innovation Foundation entitled, “How Much Will PRISM the U.S. Cloud Computing Industry”. They project the possible cost to US providers will be between $21.5 and $35.0 billion over the next three years. Of course, the US domestic market won’t be affected, so the numbers reflect the market for US providers operating outside of the US. In fairness, they do temper the estimates by noting it’s still early in the game, and much of this is clouded by negative perception. In any case, those are big numbers, and as expected, a quick search of Google News shows the numbers are making the rounds.
I contend that this is a tempest in a teapot for some rather straightforward reasons. As a Canadian who has travelled in the US and Europe, spending most of my time interacting with other security folks and enterprise IT, I’m often in the position of straddling the European-US divide. That divide has been a bit wider than simple geography since the Patriot Act. While concerns around the Patriot Act had lowered to a simmer in recent years, concerns about storing data on US territory were always there. Of course, Snowden’s tattle-tailing has temporarily brought the heat up, but fundamentally, nothing has changed.
Since the Patriot Act was adopted in 2001, non-US companies have tended to keep their data at home. Of course, if operating in the US, a certain amount of information will reside there. Knowing what data is where, and who can access it, should darn-well already be a core element of the security practices of a multinational corporation. Simply put, a global German company is not less likely to store the secret sauce recipe in the US, or any other country, as it was before.
One could argue that pushing data to a public cloud provider that is based in America gives the US government access to that data regardless of where the data actually resides. That sounds like it could make sense, but it really doesn’t. First, what are organizations likely to store in a public cloud, regardless of the brand? Once again, it probably won’t be the secret sauce recipe. That’s more likely to leak on a lost laptop, a careless email (last I checked, the vast majority of which is sent in cleartext), or purposeful compromising of a computer (cloud or not) or a human. Here, the illusion of control may be soothing, but in the end, should a UK company trust a UK-based cloud provider more than a US one?
The perceived risk is also centric to Western countries. Today, it would be crazy-talk for an organization based in a Western country to consider storing valuable information in China, for instance. However, one gonzo upside to that crazy idea is that China is probably less likely to share government intelligence with the US than a close ally such as Canada, the UK, or Germany. Notwithstanding the political points that are gained domestically by politicians publicly frowning upon PRISM in those countries, there is no doubt that their own intelligence services work closely with the US. So, again, what is gained by avoiding a US-based public cloud provider other than nationalistic warm and fuzzies?
Of course, many folks will take all of this to mean that simply avoiding public cloud altogether, regardless of the brand and geography, is the safest option. I argue that sensitive data is always at risk. Assuming that a private datacenter is magically more secure than a public cloud provider’s datacenter is folly.
As a final, and somewhat cynical, point, wondering how much enterprises really care is valid. Certainly, smaller companies will continue to use whatever is cheapest and easiest. They don’t have the resources to pick and choose, and from something like Patriot/PRISM, they do not perceive a threat to the bottom line. As long as public cloud, software-as-a-service, and other hosted offerings provide value and good-enough security, that’s what they’ll go with.
Large enterprises will also do a cost-to-benefit analysis. As customers of those enterprises, we may worry about the data that they have about us, but let’s be realistic with our expectations. Governments use programs like PRISM so they don’t have to pay these companies for the data (remember – it’s not your data, it’s theirs). On the competitive front, they do have to secure certain data from unauthorized access, but that reality isn’t changed by PRISM, Patriot, or any other act or program in the US or elsewhere. Other companies will continue to try to get the secret sauce recipe through cloud, private datacenter, machine, or human compromise. Those companies may be sponsored by a foreign government, or they may be a domestic rival. In the end, companies secure data not because it’s the right thing to do, but because it helps protect their bottom line. Expecting a non-US enterprise to swear-off an economically superior cloud offering from a US-based company because it’s somehow ‘right’ is naïve.
To conclude, as people who value privacy, we should be questioning our local version of the Patriot Act and PRISM programs (whatever our own governments may call them). We should also understand how these programs affect us and the organizations that we interact with. In the end, though, PRISM may make a great bullet point on a sales presentation for non-US cloud providers, but that alone isn’t going to win them an additional $20 or $30 billion.
