Cloudy with a Chance of Espionage

It was the best of times, it was the worst of times…  2013 was like that for the cloud.  As the increasingly intimidating list of United States domestic spying allegations continues to mount, cases of second thoughts in Cloud City are rising.  The seemingly unstoppable revolution toward global data accessibility is now facing the same obstacle that has hampered ownership and non-digital interchange since forever:  national borders.  With the Sarlacc’s share of cloud providers in the very same country plagued with the most disturbing revelations about the illusion of data security, there’s a bit of a problem.  Not surprisingly, the Landos of information enterprises are decrying that this was never a condition of our agreement.  So far, the response has been more or less expected.  Perhaps you think you’re being treated unfairly?

For SMB, the financial implications of the cloud are so compelling that they can’t possibly rationalize getting off the wagon, even if NSA agents started to bring in bounty hunters, trash their droids, and freeze various people in carbonite.  For the sake of national security, of course.  Larger enterprises, however, aiming to protect a larger legacy of IP, are not quite so convinced.  I’ve touched on this topic before in Cloudy with a Chance of Security, where both hybrid and fully private clouds offer additional, yet significantly costlier, options.  Make the target client an enterprise in Europe, and careful thinkers are likely wondering if it’s time to start raging like a Wookiee.

Jos Voskuil, accomplished PLM blogger and consultant, made the point rather succinctly in a recent LinkedIn discussion:

“The absolute focus on cloud worries me a little as a European. Perhaps not in the US, but here in Europe there are significant concerns about IP theft or data loss combined with liability of the cloud provider.  As most cloud providers are US based, it seems hard to get a 100 percent guarantee your data is not touched by others.  US laws related to homeland security allow every US intervention possible.  So “ancient Europe” is holding back on cloud solutions.”

He’s definitely not alone in his concerns, though many would argue that a 100% guarantee of any sort of security is a hypothetical ideal, and never a reality.  This deal is getting worse all the time!

A Global Post article certainly adds Ewoks to the fire:

“Brazil has announced its intention to route all regional internet traffic locally and set up a secure national email service. EU officials have called for a “European data cloud” that would store data exclusively on the continent.  In July, 10 percent of respondents outside the US said that they had cancelled a project with a US-based cloud computing provider since the NSA program came to light, in a survey conducted by the Cloud Security Alliance, a trade group.”

A contributing factor is that The Cloud isn’t quite so lofty and disconnected as the name suggests.  In fact, according to recent Gartner Reports, Amazon Web Services (AWS) is far and away the market leader.  No one else currently comes close.  So really, we probably should call it The Amazon.  Or perhaps The Bezos.  Guess who else uses The Amazon?  Well, the CIA for one.  Naturally, the trend is to seek alternatives to The Amazon by seeding clouds over more amenable national borders.

As much as security and government surveillance present a mounting concern for the established cloud providers, the situation seems to be providing an unprecedented opportunity for cloud providers outside US borders.  Or is it?  From the same Global Post article:

“A 2012 market research report noted that most European countries have anti-terror legislation or other laws in place that give governments access to users’ data, even in countries with strict privacy regulations.  In most cases, the authors noted, the government had the power to access data stored outside the country’s borders.”

I suspect at least a couple of countries in the EU are guilty of the same intervention as seen in the US; they just don’t happen to have their own equivalent of Edward Snowden, yet.  So the point may be a moot, though disturbing, one.  Despite all the obvious drama, expect enterprise to continue to flock towards The Amazon.  Some might argue that true IT security has always been an illusion, and that at the end of the day the practicality and bottom line of the everyday business will dictate moving on.  Think of it this way: how many of you have ditched your Google accounts?  That’s what I thought.

  • Ross Bernheim

    Several points.
    First, no one cares about your data like you do. Do you expect that cloud based service to care as much about your data as you do? Are there penalties, and I mean significant ones, to motivate them to care for your data? Have you checked out their infrastructure and both physical and data security procedures?

    Second, all security is temporary. I spent a few years in the military and it was stressed that encryption comes in various levels of security. None are permanent. They only provide temporary security. The better the encryption, the longer it may be secure. Is your data encrypted end to end and are proper security procedures in place? Even the NSA has had a few problems of late, are you that much better?

    Third, the world is not benign.
    Between ‘acts of God’ and human error, expect problems even without the existence of unfriendlies of all sorts. It is expensive as well as unsettling to prepare for even the foreseeable disasters. But you need to do a cost/benefit analysis to do your due diligence.

    Unfriendlies includes both those who wish you ill and those who are careless with your data. Even the short list is long.

    A bit of paranoia is actually a good thing when it comes to protecting your data.

    • A good point, Ross. Of those that do use cloud providers exclusively, how many truly vet their provider? Considering most are driving directly to the Amazon, are many simply trusting in that brand success?

  • I think one important factor to consider is the economics. The cost structure of cloud computing is so compelling that it tends to override other security related concerns – at least a lot of the time. (I find it interesting that Europe is “holding back”…)

    More broadly, I think we just witnessed the apex of governmental behavior in this area. The politics are lining up against this continuing and I think the NSA will be reined in somewhat. I.e. the pendulum has swung as far as it can go and is about to start heading back the other way.

    • I agree economics will drive the cloud forward. I too hope the apex in governmental behavior has been reached, but there may yet be trouble ahead. Thinking along the lines of unfavorable change or activities buried in the EULAs of the cloud providers. Might there be a second reckoning related to corporate misbehavior?

      • Yes, good point. But I think most of the EULA problems are just corporate lawyers justifying their own existence. I don’t think they (usually) represent a corporate agenda.

        Ultimately, it would be nice to move to a model where we are able to keep our own data on our own server (maybe in our home) but be able to get cloud providers to operate on it when we want. This is of course crazy hard but does a good job of modeling private information as property.

  • {cough}ITAR{cough}

    • So very true. That’s why we can’t have nice things in A&D.

  • The news of the past few months reminds me of an old joke.

    Q: Why is there no such thing as a paranoid?

    A: Because it’s all true, man. IT’S ALL TRUE!

    That’s okay, I’ll see myself out.
