Just as a good share of consumers are concerned about their privacy after news broke about the National Security Agency’s PRISM program, some cloud-computing executives believe the news could hamper their industry as well.
In fact, government access to data in clouds could be blown wide open if the FBI gets its way in passing certain legislation. But that is a matter for the future. For now, the workloads running on Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) clouds could actually be harder to get at than data inside higher-level consumer-cloud services and Software-as-a-Service (SaaS) applications.
SaaS customers concerned
Elad Yoran, CEO of cloud-security startup Vaultive, said he has fielded “dozens and dozens and dozens” of inquiries since the PRISM news hit about how companies using SaaS programs can protect their data.
“I don’t think there’s a company out there that will consider Google or Office 365 without asking themselves the question about unauthorized — from their perspective — disclosure to the government and whether they’re willing to take the risk that their data is sitting unencrypted in a database, out of their control,” Yoran said.
Yoran isn’t sure just how much the use of such services — or any public cloud, for that matter — will fall off and go back on premise, but it’s clear to him that companies are thinking about these issues now. He recommends that companies using SaaS applications keep their data encrypted when it’s in transit, at rest and in use.
The thing about SaaS is that companies sign up to run on it, and the SaaS providers — take Google with its email, for example — can just provide access in response to government requests without needing to consult with the customer. In fact, the PATRIOT Act specifically prohibits speaking up about these requests.
Why IaaS is different
Compare this with PaaS or IaaS, and the situation is different. Narrowing down to the virtual machine that holds the data about an individual end user whom federal agents want to learn about could be quite a task, if it is even possible. “In the Infrastructure-as-a-Service space it’s not possible,” said Jason Hoffman, chief technology officer at IaaS provider Joyent. “It couldn’t even provide a data feed on the backend that exposes people’s data. It just doesn’t work that way.” To put it another way, AWS doesn’t know what’s happening on its servers and doesn’t have access to those virtual machines any more than Hewlett-Packard knows how a customer is using its Moonshot servers.
There’s also a legal element to this. The third-party doctrine lets the government ask a SaaS company such as, say, Pinterest for information on end users, but when the SaaS app is running on hardware owned by an unrelated cloud provider, such as Amazon Web Services (AWS), the government can’t get that same data directly through AWS.
Regardless of whether these data grabs can and do happen, the idea of it happening might be enough to scare off cloud customers and strengthen the story for on-premise infrastructure. As my colleague Derrick Harris noted earlier this week, in an increasingly cloudy business world that might not be the best thing for the economy.
While companies have been experimenting with development and testing work and some larger workloads on IaaS from AWS and other providers, complete dependence on public-cloud infrastructure is still way off, and the PRISM news puts more of a damper on the use of it, said Luke Kanies, founder and CEO of Puppet Labs.
“When I talk to customers about why they don’t use public cloud, … a lot of it is fear,” Kanies said. That fear often stems from uncertainty about the legal and other implications of processing and storing data on shared infrastructure. And uncertainty about public cloud translates to staying on premise.
This argument applies not only to companies based in the United States; those based elsewhere surely will want to dodge the sort of data mining that U.S. intelligence agencies apparently conduct.
“Nearly every other country in the world is working hard to prevent its citizens’ data from being given to the NSA,” Kanies said. The European Union’s data-protection rules are a case in point, and the PRISM revelations will only fuel the fire on this front.
Altogether, Kanies said, “I would go so far as to say I would expect to see much lower adoption of public infrastructure owned by American companies. My guess is Europe is not going to trust American companies at all, regardless of whether it’s going to be hosted here or not.”
Kanies isn’t alone in expressing these sorts of sentiments. GigaOM Research Analyst David Linthicum in recent days predicted blowback on the international front, too:
The rise of cloud computing in the European Union will see the greatest impact on this scandal. The group is already suspicious of the U.S. government’s power to either monitor or outright seize their data. While there may not be any direct logical connection behind the perceived risk, the truth is people often make decisions, such as moving to the public cloud, based on feelings as much as facts.
Just another talking point
Then again, the news on PRISM might turn out to be nothing more than another proving point for public-cloud naysayers to exploit, bringing minimal actual impact.
Mark Thiele, executive vice president of data center technologies at colocation and cloud provider Switch, doubts the PRISM news will affect the total market opportunity of public-cloud use by any more than 3-5 percent. And that estimate might be generous.
“Those people that are convinced that the public cloud is the right place to do certain things in are going to continue to do it, and it’s (the PRISM program’s existence) not going to scare anyone away,” Thiele said. The difference in expenditures speaks for itself, and concerns about keeping data out of the government view won’t necessarily outweigh the financial and operational benefits of running in public or even hybrid clouds.
The gee-whiz factor that could throw off this whole equation is what the U.S. government might do to guarantee access to company data, including that which is kept on premise, in the future.
The FBI has thought about mandating forced access to encrypted data as part of an enhancement of the Communications Assistance for Law Enforcement Act, the New York Times reported last month.
Should that come to pass, there’s a chance data kept behind a firewall in an on-premise data center would become much easier for the U.S. intelligence community to access, said Eva Galperin, a global policy analyst at the Electronic Frontier Foundation.
“Depending on how the legislation is phrased, yes, it would be (possible),” Galperin said. “It would be tremendously dangerous. It would be the end of private internet communications.”
For now, it looks like the legislation might not go that far. Rather, an expansion of the act would ask companies for assistance in relinquishing data to the federal government or impose fines.
That climate could have long-term effects, not only on the growing shared-infrastructure camp but on others, too. Entrepreneurs could move abroad, so they don’t have to comply with such stringent regulations in the name of national security. They would rather build great products quickly than devote lots of staff time to compliance.
The political question in the end is whether national security outweighs economic and technological advancements.