5 Comments

Summary:

Germany’s CloudControl has released a private PaaS product for enterprises that are feeling jittery post-PRISM. But even CloudControl thinks the move is a matter of perception – an issue we’ll be addressing at our upcoming Structure:Europe conference.

mobile security
photo: Maksim Kabakou/Shutterstock

Platform-as-a-service (PaaS) is a key pillar of the cloud revolution, giving developers a hosted platform on which to create and test new applications without having to think about the underlying infrastructure. The biggest names in this space are public PaaS providers such as the U.S. firm Heroku, but many enterprises are wary of this model, mainly for security reasons – hence the emergence of private PaaS setups like Qubell, where business users don’t have to share resources with strangers.

As we will discuss at our upcoming Structure:Europe conference in London on 18-19 September, it seems this model is becoming particularly attractive to European companies, who have always been on the conservative side when it comes to the cloud and who now feel PRISM and Tempora have confirmed their worst suspicions. But does private PaaS really make that much of a difference, given the reach of these government surveillance programs?

Going private

The Berlin-based PaaS provider CloudControl has had a public PaaS offering (based on Amazon Web Services resources) for four years, but this week it wrangled what is essentially the same product into a private PaaS service, in order to “bring all the benefits of the cloud to enterprises, while addressing data protection concerns.” The press release announcing CloudControl’s private PaaS product, the OpenStack-based Application Lifecycle Engine, even began with a reference to PRISM.

“Companies here in Germany fear already when using public infrastructure that somehow the NSA or other government agencies might be able to intercept the communications between the public cloud and their corporate computers,” CloudControl marketing chief Sebastian-Hendrik Picklum told me. “They like continuing to use their data centers and having control from the server to the user.”

However, Picklum acknowledged that this was “more about being afraid of going to the public cloud without having a real reason for that.”

There are two problems with thinking private PaaS is significantly more secure than public PaaS, Picklum suggested. The first is that the companies using private PaaS are also going mobile, which means the data flowing between server and user has to go over the public network at some point. This makes it about as vulnerable to being scooped up by Tempora or some similar surveillance scheme as data being worked on in a public PaaS system.

Inherent security

The second issue is that PaaS, public or private, comes with inherent security benefits anyway. What companies such as Heroku and CloudControl do is to spin up temporary “instances” – ephemeral virtual computers – that effectively get flushed away once the user is done with them. So even if someone theoretically got past the security and gained access to this virtual container, they would be quite likely to see it vanish pretty quickly.

“We can’t really communicate those benefits right now because people right now in Germany are not perceiving that,” Picklum said. “They don’t see that the cloud technology is even more secure because resources are temporarily assigned to applications.”

Right now it’s hard to ascertain precisely how much more secure European data centers are than their U.S. counterparts, or whether private PaaS really does offer a level of security that public PaaS does not — we don’t know the full extent of online spying in Europe yet, nor the techniques that are being employed. (Hopefully more will have come out by the time we discuss these issues at Structure:Europe in September.)

But what is clear is that many European businesses are uncertain and scared – a situation that makes perception a major factor in their decisions.

  1. My gripe with cloud is yes all this Prism has cast doubt everywhere but everyone actually knows there has been doubts for years.

    A companies biggest fear is losing their data, or having it compromised by someone else. And the conversation always comes down to “Encryption”. Current Encryption techniques require a decryption upon read or write to a block on a drive. it is this scratch area where the data is decrypted that worries customers. where is this space and is this open to penetration or infiltration by an outside source or competitor. This is why companies will not put their top secret data in the cloud, they see this as risk. Don’t forget big companies get cloud they want it, but they have teams of people pulling apart this risk analysis and it boils down to nitty gritty such as above.

    I have heard/seen companies looking at developing an Encryption technique which can be read or written too with the need for decryption. If someone cracks that then the doors will open.

    Share
  2. Lars Händler Thursday, July 25, 2013

    I don’t know why US blogs or media want to find reason why Germans fear US based cloud services without having a real reason. It is not only Germany where public discussions about cloud services takes place. I live in Switzerland and we are of a similar mind. Induviduals and companies just don’t like to have a foreign agency going through their data. Privacy of data is part of the constitution. No matter how you twist it using PRISM on this data is a violation of rights that are granted by the constitution.
    There is an increasing number of companines that uses services like Dropbox now looking for Alternatives. There is active discussion about what are European based alterntives to Salesforce.
    This will hurt US companies in the long run. You may laugh all you want about old Europe’s data paranoia but they are very serious when you interfere with their constitutional rights.

    Share
    1. I wouldn’t say I’m laughing – in fact we are broadly in agreement. I live in Berlin.

      Share
  3. If you are ultra paranoid about security…just stick to colocation. You will be better off in the long run.

    Share
  4. There’s essentially 2 attack vectors if you’re thinking about trying to avoid a PRISM style program:

    1) the network, where traffic is mirrored and stored. This is very difficult to avoid because it can happen anywhere on the network, most likely on transit links outside the control of your data centre.

    2) storage, where a legal order is made to tap the customer account from within the service. This is more likely to be able to be mitigated based on legal jurisdiction because different legal processes exist in different countries. This is the only real reason to locate your data outside the US.

    Share

Comments have been disabled for this post