There has been a lot of speculation about the impact of PRISM on data security and cloud computing; just this week alone two influential articles have been written quoting wildly different predictions on how much the revelations will cost cloud vendors, but there’s no denying that the ripples in the industry are starting to rock the boat.
The Information Technology and Innovation Forum (ITIF) recently announced that due to the fears over data privacy and security that PRISM has highlighted, the cloud computing industry stood to take a hit in the order of $36 billion by 2016. But Forrester Research has come out to say this estimate is too low and the impact could be far deeper to the tune of $180 billion.
Taking into account that by 2016, ITIF calculates the global cloud market to be worth $207 billion (Forrester estimates $270 billion by 2020) this is a staggering number to hit a maturing industry where a lot of enterprises have already invested. But now that investment is starting to crack. Only this week I learned from an analyst source that some 50-plus cloud service contracts have either been put on hold or cancelled altogether because of concerns around cloud security raised by PRISM.
These issues are presently localized to the U.S., and foreign investment in U.S.-based cloud services is taking the hit because the American government has access to data that sits on U.S.-based servers. However, given the far-reaching implications of the NSA program and the alleged complicity of other governments in supplying data, it is safe to assume that the fear over cloud security will spread to other countries.
But this isn’t the end of cloud by any means, and we can ignore the people crying “It’s the death of cloud,” the same way we ignored those that exaggerated the death of on-premise software. It is still possible to develop a cloud-based strategy that will ensure scalability without compromising security. Here are five key considerations for any cloud strategy going forward:
- Bring your own encryption – Secure third parties like Lavabit and Silent Circle have now closed their services because they cannot ensure privacy if the U.S. government asks them for information. In order to secure your data it is essential that you investigate your own options for in-house encryption and not rely on a third-party service outside the firewall to do it for you.
- Examine the cloud contract – This is often ignored and placed in the hands of the legal and procurement teams, who may not fully appreciate the implications of the responsibilities under a cloud contract. For example, just who is responsible for your data should something go wrong? Use a specialist lawyer who is well versed in cloud-related negotiations to ensure you don’t run afoul of the small print.
- Know where your servers are – Right now U.S.-based services are a prime concern for the enterprise, but it’s already been shown that other countries’ governments are involved in data sharing and data access. But this doesn’t stop you from knowing which countries have the more stringent data protection policies in place, with financial penalties for misconduct. The UK and Germany, for example, have two of the strongest acts in place for this.
- Private, public, on-premise, or hybrid? – We’ve seen that moving everything to the public cloud is a no-no and that the death of on-premise deployments has been greatly exaggerated. The clear choice is to use a hybrid model. Hybrid works because it combines the benefits each brings individually:
  - Public for maximum flexibility and efficiency
  - Private for maximum control
  - On-premise for compliance and privacy

  What you choose to automate will be guided by your own data security requirements and ultimately will determine how much of the public cloud you will use, and what you keep private or on-premise.
- Don’t ignore the importance of cloud integration – Integration platforms provided through companies such as Software AG, Informatica and Mulesoft to connect software-as-a-service applications to the enterprise are the lynchpin in powering a hybrid cloud strategy. Don’t treat integration as an afterthought because the security of the connection to these services is as important as the service itself.
There is no denying that the Snowden leaks have had a massive impact on the IT industry in general, and that cloud services are now under enterprise scrutiny, but with strategic and tactical decisions made with intelligence these ripples can be navigated easily.
Theo Priestley is Vice President and Chief Evangelist at Software AG. You can follow him at @ITredux.