The Washington Post recently reported on a secret government program to snoop Internet data, named PRISM. How will this revelation impact the cloud computing world and could it put a damper on cloud adoption?
Last week, the Obama administration found itself embroiled in another pair of scandals. First, on Wednesday, The Guardian reported that the NSA has been collecting the call records of millions of Verizon customers (later reports say that AT&T and Sprint Nextel are also involved). On Friday, The Washington Post upped the ante and reported that “the National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.” The result of these revelations has been a deep discussion throughout the traditional media, blogosphere, and other social media about the desired limits of government power to intercept and analyze private communications. Whatever your opinion on the politics and civil liberties issues, one thing is for sure — the revelations about the PRISM program are going to change the way people look at public clouds.
Privacy and Security Concerns
If you spend time perusing any survey about cloud computing, the first thing you’ll notice is that they all have a similar finding: security concerns are one of the top barriers to enterprise cloud adoption (see page 15 in the Everest survey). In the past, I’ve said that this is often more of a perception issue than reality. And that’s still true, but we need to revisit the assumptions a bit in light of the recent revelations about PRISM.
My previous statements were based on the assumption that service providers were generally the “good guys,” working to keep the cloud computing environment secure on behalf of customers like you. In contrast, the “bad guys” in this scenario are the third-party hackers of various descriptions, working outside the service provider and trying to penetrate workloads running in the cloud. We assume, for instance, that the service provider has some checks and balances in place to ensure that a single rogue employee or small group of rogue employees can’t compromise customer data, and that best-practice security is implemented throughout the environment and kept current over time to ensure outsiders can’t penetrate the cloud’s overall security. In other words, the service provider takes security seriously and hires professional security personnel to implement a broad, multi-layered security strategy.
But what if that assumption is wrong? What if the service provider is in collusion with another third party that wants access to your private data running in the service provider’s cloud? What if the service provider can’t say no?
We dealt with some of these scenarios previously when people started considering the PATRIOT Act. What if, they said, the US Government comes to my service provider with a warrant and seizes my data or the servers and storage on which my data resides? What recourse do I have? The answer depended very much on your need for privacy and your home jurisdiction, including any privacy laws that might apply to customer data in that jurisdiction.
But the assumption here was always that the government could seize something only with a court order, with due process checks, in the light of day, etc. Thus, unless you were really a criminal, the main issues were limited to whether this would possibly disrupt your business or whether this would expose you to prosecution in your home jurisdiction for putting certain data sets in jeopardy. In other words, the issues were real and deep, but they were fairly straightforward and manageable. You examined the issues soberly, made your choices, and moved on.
We know that the PATRIOT Act had a slight chilling effect on cloud computing adoption. More than one European company has told me over the past few years that they are wary of using AWS (and other US providers) for fear of being caught up with PATRIOT Act issues. For some, the opening of the AWS data center in Ireland helped (whether that was more psychological or legal is another matter). For others, just dealing with a US-based company was a bridge too far.
The World of PRISM
PRISM takes this questioning of assumptions to a whole ‘nuther level. What if the service provider is compelled to collude with a government (foreign or domestic — remember that the UK was involved with PRISM, too) and actively provide some level of data snooping to intelligence services at all times, possibly in real time, without a court order? And what if the service provider is sworn to secrecy, so they can’t tell you about it or acknowledge in any way that they are doing it? Are you prepared to let governments, at least your own and possibly one in every jurisdiction in which your data would reside, snoop your data in real time? If not, you’d better get started on that private cloud strategy, because security and privacy concerns associated with public cloud just went through the roof.
Given all that, I can’t see any way that PRISM won’t have a chilling effect on public cloud adoption at some level. The only question is to what extent. Remember that in the world of PRISM:
- All service providers are suspect. While the original Washington Post article said there were only nine participants, what’s to stop that from being expanded? Maybe they only leaked half the list. There’s no way to ask the service providers or test them for whether they are participating in such a program. They’ll simply deny it and you can’t ever have deep access to their code or infrastructure to determine anything yourself (never mind the lack of skilled people to do the test).
- Any security measures you implement in your guest VM can be undermined. Remember that the service provider is running your guest in a hypervisor. If the service provider gives the government snoops access to the hypervisor or other “cloud control” code, allowing them to do anything they want, then nothing running in that environment is safe. Whereas you might implement security measures inside the guest VM to help secure you against third-party hackers, that won’t work here. The entire VM memory image and instruction stream can be monitored in real time. Encryption can be bypassed; traffic patterns can be monitored; data can be altered at the source. Literally, anything is possible. And because it’s running in a VM, it will be very difficult to determine whether anything is amiss.
In short, public cloud computing is about trust — you’re handing your data and code to a public cloud service provider and expecting them to help protect those assets. But the PRISM revelation just undermined that trust. From here, the questions are:
- What can you do about it? The issues are complex and this really deserves a whole post of its own, but let’s just say that you can reduce your exposure to PRISM and PRISM-like snooping if you keep most of your data out of public clouds. Am I suggesting you do this? No, not at all. But if you want to be as safe as possible, that’s the best option. And many of you are doing that already (e.g., the folks in Europe avoiding AWS out of fear of court-ordered access).
- Will the perception of public clouds ever recover? I think it’s impossible to answer this question, as it’s really a question about government intrusion and not about public cloud service providers. I would bet that the government first approached the nine companies listed in the Washington Post article (Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple) with the idea for PRISM, not the other way around. If left to their own devices, I’m fairly certain the service providers wouldn’t have done this themselves. Make no mistake, these companies are invading your privacy in a multitude of other ways, and doing intense amounts of data mining to determine your browsing habits, but most of the time they’re fairly up front about that. In contrast, PRISM was secret.
- Were other companies involved? The article mentions nine, most of which are basic consumer-level Internet services, offering things like free communications services and video uploading that terrorists would find helpful. Notably absent are services like AWS, Rackspace, Terremark, Savvis, Salesforce.com, Netsuite, Intuit, etc. But it’s easy to envision scenarios in which looking into your company contacts or money flows would be interesting to the government.
What’s next? I have no idea. The government needs to make its move.