Data Protection

Why Snowden Doesn’t Have the Clouds Bursting in Air (to the Tune of $30 Billion)

Since Edward Snowden started dishing on US intelligence practices, especially around the program known as PRISM, there have been folks spreading doom and gloom about public cloud. It’s all a rather silly bit of alarmist rhetoric that makes me want to twist a pun out of clouds and Chicken Little.

A prime example is a report from The Information Technology and Innovation Foundation entitled “How Much Will PRISM Cost the U.S. Cloud Computing Industry?”. It projects the possible cost to US providers at between $21.5 and $35.0 billion over the next three years. The US domestic market is assumed to be unaffected, so the numbers reflect the market for US providers operating outside of the US. In fairness, the authors temper the estimates by noting that it is still early in the game and that much of this is clouded by negative perception rather than hard data. In any case, those are big numbers, and as expected, a quick search of Google News shows they are making the rounds.

I contend that this is a tempest in a teapot for some rather straightforward reasons. As a Canadian who has travelled in the US and Europe, spending most of my time interacting with other security folks and enterprise IT, I’m often in the position of straddling the European-US divide. That divide has been a bit wider than simple geography since the Patriot Act. While concerns around the Patriot Act had lowered to a simmer in recent years, concerns about storing data on US territory never went away. Of course, Snowden’s tattling has temporarily brought the heat up, but fundamentally, nothing has changed.

Since the Patriot Act was adopted in 2001, non-US companies have tended to keep their data at home. Of course, if a company operates in the US, a certain amount of its information will reside there. Knowing what data is where, and who can access it, should darn well already be a core element of the security practices of a multinational corporation. Simply put, a global German company is no less likely to store the secret sauce recipe in the US, or any other country, than it was before; it already wasn’t doing so.

One could argue that pushing data to a public cloud provider that is based in America gives the US government access to that data regardless of where the data actually resides. That sounds like it could make sense, but it really doesn’t hold up. First, what are organizations likely to store in a public cloud, regardless of the brand? Once again, it probably won’t be the secret sauce recipe. That is more likely to leak via a lost laptop, a careless email (last I checked, the vast majority of email is still sent in cleartext), or the deliberate compromise of a computer (cloud or not) or a human. The illusion of control may be soothing, but in the end, should a UK company trust a UK-based cloud provider more than a US one?

The perceived risk is also centred on Western countries. Today, it would be crazy-talk for an organization based in a Western country to consider storing valuable information in China, for instance. However, one gonzo upside to that crazy idea is that China is probably less likely to share intelligence with the US than a close ally such as Canada, the UK, or Germany. Notwithstanding the political points gained domestically by politicians publicly frowning upon PRISM in those countries, there is no doubt that their own intelligence services work closely with the US. So, again, what is gained by avoiding a US-based public cloud provider other than nationalistic warm and fuzzies?

Of course, many folks will take all of this to mean that simply avoiding public cloud altogether, regardless of the brand and geography, is the safest option. I argue that sensitive data is always at risk, wherever it sits. Assuming that a private datacenter is magically more secure than a public cloud provider’s datacenter is folly.

As a final, and somewhat cynical, point, it is fair to ask how much enterprises really care. Certainly, smaller companies will continue to use whatever is cheapest and easiest. They don’t have the resources to pick and choose, and they do not perceive something like Patriot/PRISM as a threat to the bottom line. As long as public cloud, software-as-a-service, and other hosted offerings provide value and good-enough security, that’s what they’ll go with.

Large enterprises will also do a cost-to-benefit analysis. As customers of those enterprises, we may worry about the data they hold about us, but let’s be realistic with our expectations. Governments use programs like PRISM so they don’t have to pay these companies for the data (remember – it’s not your data, it’s theirs). On the competitive front, enterprises do have to secure certain data from unauthorized access, but that reality isn’t changed by PRISM, Patriot, or any other act or program in the US or elsewhere. Other companies will continue to try to get the secret sauce recipe through cloud, private datacenter, machine, or human compromise. Those companies may be sponsored by a foreign government, or they may be a domestic rival. In the end, companies secure data not because it’s the right thing to do, but because it helps protect their bottom line. Expecting a non-US enterprise to swear off an economically superior cloud offering from a US-based company because it’s somehow ‘right’ is naïve.

To conclude, as people who value privacy, we should be questioning our local version of the Patriot Act and PRISM programs (whatever our own governments may call them). We should also understand how these programs affect us and the organizations that we interact with. In the end, though, PRISM may make a great bullet point on a sales presentation for non-US cloud providers, but that alone isn’t going to win them an additional $20 or $30 billion.

Related: US Tech Firms Losing Business Over PRISM: Survey
