I have had a LOT of discussions with people over the past year about Edward Snowden, the NSA, and the impact on cloud adoption. My general response is that it would likely slow US adoption of the cloud by a few months and outside the US by a couple of years.
Well, it has be six months since this all started and I was starting to wonder about how this was panning out. Then Computerworld kindly published a piece stating that Chief Information Officers (CIOs) were sticking with the cloud despite the NSA.
While 20 CIOs are in no way a fair sample size, even if they are geographically dispersed, they did raise several excellent points.
Internal Threats
The best point was that the NSA was thwarted by an internal resource. The NSA didn’t use the cloud but they still had a massive security breach. If anything, the Snowden episodes reveals the threats posed by disgruntled employees.
IT chiefs appear to consider insider threats a more concrete and likely danger, including disgruntled employees or contractors like Snowden who out of malice or in retaliation expose confidential data or damage IT systems.
While all employees can leak data, systems professionals are a unique risk because they have greater access to information. While one would hope that everyone acts ethically, we know that it isn’t the case. When deploying cloud solutions, IT administration staff is reduced. Reducing the number of people with access to everything can reduce both security risks and costs.
If a technology like cloud computing can better serve the organization from both a cost and security perspective, why would you eliminate that from your strategy? Are your competitors doing the same?
Even with those factors in play, this isn’t a zero sum game. There is a security balance that has to be struck with every decision.
Who is Hack Proof?
Snowden demonstrated that nobody is leak proof. What about hack proof? The short answer is that nobody has 100% security. The question really is do you have enough security for the information that you are protecting?
The truth of the matter is that for most organizations, if the NSA wanted to hack your systems, they could. In fact, they could likely do it much easier than if they tried to hack a cloud provider. Most established cloud providers have larger staffs and have invested a lot more money in security over the past few years than your organization.
“I’m more comfortable with Microsoft’s security for our email than with handling that internally,” BCBG MaxAzria’s Fuller said. “We’re a fashion company, not a tech company. We need to focus our resources on producing great dresses people want to buy.”
This isn’t to say that you should drop everything and move to the cloud. Just don’t let a false sense of security from hackers keep you in your on-premises environment.
Pick the Right Time and Balance
The real lesson here is that there are a lot of factors that go into any change in infrastructure. The cloud is no different. The needs of the business should be the guiding principles, not fear of an external entity hacking your system.
As Snowden aptly showed us, the greater security threat is, and always has been, internal people who have grudges. You can’t protect against them, but you can strive to make your place a better place for people to work. This will reduce the odds that someone will decide to act with malicious intent.
The alternative is to employ a lot of security, keep everything internal, and only grant access to any piece of information if they need to know. What’s the worst that can happen?
Ask the NSA.
Word of Pie 
Lawrence, this is not about how secure technology is or could be!
Austrian and German tax authorities are offered once a week DVDs with thousands of stolen bank account data from Switzerland, Luxemburg, Channel Islands and other tax havens.
So that makes it clear how weak data security in systems really is, when even even banks can’t close shop. What is really worrying? If people rat on individuals or businesses to government agencies they are pardoned even if they themselves were corrupt or are even paid. If some rat on military or government institutions and show how deeply corrupt the involved people are, then they face lifelong sentences. If I as an individual buy the bank data DVDs from the crook who stole them, then I am as guilty and face dire consequences.
In my mind the same judgment should apply to government employees and ministers. If they buy stolen data then they are not only guilty of fencing but also misappropriation of my money. Do we want such people to govern us?
But in the end, if we put all the bank data in the Cloud then yes, we will reduce the risk of someone stealing them. Governments can then access the data directly and do not need to pay. Already today in Germany, the tax authority can request bank data without the owner knowing. In most of Europe Internet Service providers are required to keep track of your Internet browsing and your emails for six months so that governments can request them. I was informed by Paypal a few years back that my data were handed over to the US IRS because they fit a search performed under court order. Clearly there was a fishing party going on …
SO: if you worry about individuals stealing data then you are barking up the wrong tree.
LikeLike
If the government wants your data, it doesn’t matter where you put it. That was another point in that article.
The human factor will always be a security threat. We spend so much time focusing on other aspects of the Snowden case that many people missed the point that if the NSA can’t screen out someone with an agenda then you can’t either.
LikeLike
Government organizations are less adept in most things compared to private business …
In terms of agenda, I hold the opinion that most crimes are crimes of opportunity and not criminal intent. Big data predict that …
LikeLike
The biggest drawback to the cloud for a small company is the “take it or leave it” approach to terms and conditions. Most cloud vendors simply require that you accept their terms and conditions, the ones designed by their lawyers to best serve their purpose. What do I get if there’s a failure – a month’s service fee refunded? I wrote about this years ago and I said “that wouldn’t pay for the pizza while we fixed things.” How do I enforce my rights over my data in the cloud? What role am I going to play in the event a subpoena is presented to a cloud vendor? Who is on the hook when the breach occurs? I know their security is probably better, but they are also a bigger target. With respect to the Snowden thing, I have no clue how many people in the cloud vendor’s operation have access to my data. Those are also “internal people” – the fact that they are external to me doesn’t matter, the become internal to my business process. The fact that I don’t know them, didn’t hire them, didn’t establish the requirements for employment, didn’t’ write their job description and don’t have the ability to set their compensation might make it worse. Snowden wasn’t really an “internal person” – he was a contractor. He was subject to someone else’s terms and conditions at the time he was hired. I don’t see how moving data to the cloud reduces this threat.
LikeLike
Snowden had the keys and functioned as an admin, so he was an internal threat. In the Federal space, there is a very fine line between staff and contractors. Only decisions on tough topics are left out of the hands of contractors.
How does it decrease the risk of internal hacking? If you operate under the assumption that your admin staff will decrease, be it through less resources needed or no need for 24-7 support, then the issue is with the cloud staff. There is likely minimal difference between the integrity of the cloud admin and your admin, though the integrity of orgs varies greatly. The real key is focus.
Let’s look at a large provider like Salesforce. They have access to a lot of information. A Salesforce employee could take almost anything. The odds are that they don’t care about you, one of the clients. For any vendor of scale, the admins aren’t aware of who the clients are. They can find out readily enough, but they don’t know. If they want to hurt someone, it will likely be targeted at their own company.
Trust is going to be the largest factor in driving, or limiting, cloud adoption. The cloud vendors know this and are going out of their way to build that trust. They also have more to lose if that information slips out, so they are focused on integrity. Of course the Snowden issue shows that you can’t prevent the problem.
As for the Terms of Service, a completely different conversation for a post on another day.
LikeLike