Weekly Update

The NSA scandal’s relevance to the use of public cloud-based platforms

Just when you thought it was safe to make a phone call, the NSA spy scandal story broke. The concept is simple: the NSA was culling through communication records to discover the bad guys for the greater good. Still, most of us needed to take a very long shower after hearing about that one.

As reported by GigaOM’s Mathew Ingram, “Guardian blogger and former lawyer Glenn Greenwald reports that the NSA has gotten a secret order from the Foreign Intelligence Surveillance Court that allows it to collect data about phone calls made by ‘millions of customers’ on the Verizon network: location data, time and other identifying info about the call — everything except the actual content of the calls themselves (the Guardian has a background piece about what kind of metadata is available with such an order).”

As Greenwald discovered, “The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April. The order… requires Verizon on an ‘ongoing, daily basis’ to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.”

While there is not a direct link to cloud computing, there are certain aspects of this situation that may have both existing and future public cloud computing consumers a bit more paranoid than before they heard about the NSA scandal. Moreover, other countries that leverage U.S.-based public cloud computing services — already paranoid around the use of the Patriot Act to potentially seize their data — now have last week’s revelation to consider as well.

The public cloud providers have to be concerned about a few key issues:

  • The government views all communications and on-line transactions as fair game for its monitoring programs. Thus, cloud providers currently, or at some point, will have to turn over customer information and data to the government under similar secret court orders. This could have a hugely negative impact on their business, just as the market for public cloud-computing services is inflating.
  • They could have some liability around the protection of the data that spans borders. Responding to U.S. court orders in the U.S. could get the cloud provider sued in other countries. Thus, the public cloud provider is truly between a rock and a hard place, with no easy choices.
  • The NSA scandal slows the growth of public cloud computing as enterprises inside and outside of the U.S. consider the potential impact of moving key applications and databases to systems that are no longer in their direct control. Thus, they are more vulnerable to government surveillance.

Of course, the other side of this issue is that enterprise IT must now factor the implications of this situation into its migration to public cloud providers. The reality is that there is little reason to slow or stop migration to the public cloud, even given the scare around the recent NSA spying. There is no hard evidence today that public cloud computing providers are monitored without the knowledge of the owners of the data.

So if enterprise IT is seeking guidance in light of the new NSA spying scandal, the advice is to stay the course already set. However, that advice should also include being diligent about the laws that govern the government’s ability to monitor and cull through business data in the public cloud, as well as the laws in other countries in which the enterprise may do business.

This is not an excuse to be overly paranoid. However, it does make a case for being more pragmatic and savvy about impending laws.

The bottom line is that, if the government wants to get at your data, no matter if it’s on a public cloud, in your data center, or even in your home, it can find a way to get it. The use of public cloud computing does increase the likelihood that the data could be monitored without your knowledge, considering that the caretaker of the data is a third party. Although I’ve yet to hear of such a case coming to light, it would not surprise me if it were occurring, given recent events.

While the NSA spying scandal does have a chilling effect on the world of cloud computing, the benefits of leveraging cloud-based platforms far exceed the risk that the government will be spying on you. I suspect you could take the tinfoil hat approach and keep your servers in direct line of sight, but that would be very bad for business. Don’t let the government scare you…too much, that is.