I have had a LOT of discussions with people over the past year about Edward Snowden, the NSA, and the impact on cloud adoption. My general response is that it would likely slow US adoption of the cloud by a few months and outside the US by a couple of years.
Well, it has been six months since this all started and I was starting to wonder about how this was panning out. Then Computerworld kindly published a piece stating that Chief Information Officers (CIOs) were sticking with the cloud despite the NSA.
While 20 CIOs are in no way a fair sample size, even if they are geographically dispersed, they did raise several excellent points.
The best point was that the NSA was thwarted by an internal resource. The NSA didn’t use the cloud but they still had a massive security breach. If anything, the Snowden episode reveals the threats posed by disgruntled employees.
IT chiefs appear to consider insider threats a more concrete and likely danger, including disgruntled employees or contractors like Snowden who out of malice or in retaliation expose confidential data or damage IT systems.
While all employees can leak data, systems professionals are a unique risk because they have greater access to information. While one would hope that everyone acts ethically, we know that it isn’t the case. When deploying cloud solutions, IT administration staff is reduced. Reducing the number of people with access to everything can reduce both security risks and costs.
If a technology like cloud computing can better serve the organization from both a cost and security perspective, why would you eliminate that from your strategy? Are your competitors doing the same?
Even with those factors in play, this isn’t a zero sum game. There is a security balance that has to be struck with every decision.
Who is Hack Proof?
Snowden demonstrated that nobody is leak proof. What about hack proof? The short answer is that nobody has 100% security. The question really is do you have enough security for the information that you are protecting?
The truth of the matter is that for most organizations, if the NSA wanted to hack your systems, they could. In fact, they could likely do it much more easily than if they tried to hack a cloud provider. Most established cloud providers have larger staffs and have invested a lot more money in security over the past few years than your organization.
“I’m more comfortable with Microsoft’s security for our email than with handling that internally,” BCBG MaxAzria’s Fuller said. “We’re a fashion company, not a tech company. We need to focus our resources on producing great dresses people want to buy.”
This isn’t to say that you should drop everything and move to the cloud. Just don’t let a false sense of security from hackers keep you in your on-premises environment.
Pick the Right Time and Balance
The real lesson here is that there are a lot of factors that go into any change in infrastructure. The cloud is no different. The needs of the business should be the guiding principles, not fear of an external entity hacking your system.
As Snowden aptly showed us, the greater security threat is, and always has been, internal people who have grudges. You can’t protect against them, but you can strive to make your place a better place for people to work. This will reduce the odds that someone will decide to act with malicious intent.
The alternative is to employ a lot of security, keep everything internal, and only grant people access to a piece of information if they need to know. What’s the worst that can happen?
Ask the NSA.