Will PRISM have a Chilling Effect on Cloud Computing Adoption?


hiding-in-the-shadowsThe Washington Post recently reported on a secret government program to snoop Internet data, named PRISM. How will this revelation impact the cloud computing world and could it put a damper on cloud adoption?

Last week, the Obama administration found itself embroiled in another pair of scandals. First, on Wednesday, The Guardian reported that the NSA has been collecting the call records of millions of Verizon customers (later reports say that AT&T and Sprint Nextel are also involved). On Friday, The Washington Post upped the ante and reported that “the National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.” The result of these revelations has been a deep discussion throughout the traditional media, blogosphere, and other social media about the desired limits of government power to intercept and analyze private communications. Whatever your opinion on the politics and civil liberties issues, one thing is for sure — the revelations about the PRISM program are going to change the way people look at public clouds.

Privacy and Security Concerns

If you spend time perusing any survey about cloud computing, the first thing you’ll notice is that they all have a similar finding: security concerns are one of the top barriers to enterprise cloud adoption (see page 15 in the Everest survey). In the past, I’ve said that this is often more of a perception issue than reality. And that’s still true, but we need to revisit the assumptions a bit in light of the recent revelations about PRISM.

My previous statements were based on the assumption that service providers were generally the “good guys,” working to keep the cloud computing environmentsecure on behalf of customers like you. In contrast, the “bad guys” in this scenario are the third-party hackers of various description, working outside the service provider and trying to penetrate workloads running in the cloud. We assume, for instance, that the service provider has some checks and balances in place to ensure that a single or small group of rogue employees can’t compromise customer data and that best practice security is implemented through the environment and kept current over time to ensure outsiders can’t penetrate the cloud’s overall security. In other words, the service provider takes security seriously and hires professional security personnel to implement a broad, multi-layered security strategy.

Changing Assumptions

But what if that assumption is wrong? What if the service provider is in collusion with another third party that wants access to your private data running in the service provider’s cloud? What if the service provider can’t say no?

We dealt with some of these scenarios previously when people started considering the PATRIOT Act. What if, they said, the US Government comes to my service provider with a warrant and seizes my data or the servers and storage on which my data resides? What recourse do I have? The answer depended very much on your need for privacy and your home jurisdiction, including any privacy laws that might apply to customer data in that jurisdiction.

But the assumption here was always that the government could seize something only with a court order, with due process checks, in the light of day, etc. Thus, unless you were really a criminal, the main issues were limited to whether this would possibly disrupt your business or whether this would expose you to prosecution in your home jurisdiction for putting certain data sets in jeopardy. In other words, the issues were real and deep, but they were fairly straightforward and manageable. You examined the issues soberly, made your choices, and moved on.

We know that the PATRIOT Act had a slight chilling effect on cloud computing adoption. More than one European company has told me over the past few years that they are wary of using AWS (and other US providers) for fear of being caught up with PATRIOT Act issues. For some, the opening of the AWS data center in Ireland helped (whether that was more psychological or legal is another matter). For others, just dealing with a US-based company was a bridge too far.

The World of PRISM

PRISM takes this questioning of assumptions to a whole ‘nuther level. What if the service provider is compelled to collude with a government (foreign or domestic — remember that the UK was involved with PRISM, too) and actively provide some level of data snooping to intelligence services at all times, possibly in real time, without a court order. And the service provider is sworn to secrecy, so they can’t tell you about it or acknowledge in any way that they are doing it? Are you prepared to let governments, at least your own and possibly one in every jurisdiction in which your data would reside, snoop your data in real time? If not, you’d better get started on that private cloud strategy, because security and privacy concerns associated with public cloud just went through the roof.

Given all that, I can’t see any way that PRISM won’t have a chilling effect on public cloud adoption at some level. The only question is to what extent. Remember that in the world of PRISM:

  • All service providers are suspect. While the original Washington Post article said there were only nine participants, what’s to stop that from being expanded? Maybe they only leaked half the list. There’s no way to ask the service providers or test them for whether they are participating in such a program. They’ll simply deny it and you can’t ever have deep access to their code or infrastructure to determine anything yourself (never mind the lack of skilled people to do the test).
  • Any security measures you implement in your guest VM can be undermined. Remember that the service provider is running your guest in a hypervisor. If the service provider gives the government snoops access to the hypervisor or other “cloud control” code, allowing them to do anything they want, then nothing running in that environment is safe. Whereas you might implement security measures inside the guest VM to help secure you against third-party hackers, that won’t work here. The entire VM memory image and instruction stream can be monitored in real time. Encryption can be bypassed; traffic patterns can be monitored; data can be altered at the source. Literally, anything is possible. And because it’s running in a VM, it will be very difficult to determine whether anything is amiss.

What Now?

In short, public cloud computing is about trust — you’re handing your data and code to a public cloud service provider and expecting them to help protect those assets. But the PRISM revelation just undermined that trust. From here, the questions are:

  • What can you do about it? The issues are complex and this really deserves a whole post of its own, but let’s just say that you can reduce your exposure to PRISM and PRISM-like snooping if you keep most of your data out of public clouds. Am I suggesting you do this? No, not at all. But if you want to be as safe as possible, that’s the best option. And many of you are doing that already (e.g., the folks in Europe avoiding AWS out of fear of court-ordered access).
  • Will the perception of public clouds ever recover? I think it’s impossible to answer this question, as it’s really a question about government intrusion and not about public cloud service providers. I would bet that the government first approached the nine companies listed in the Washington Post article (Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple) with the idea for PRISM, not the other way around. If left to their own devices, I’m fairly certainly the service providers wouldn’t have done this themselves. Make no mistake, these companies are invading your privacy in a multitude of other ways, and doing intense amounts of data mining to determine your browsing habits, but most of the time they’re fairly up front about that. In contrast, PRISM was secret.
  • Were other companies involved? The article mentions nine, most of which are basic consumer-level Internet services, offering things like free communications services and video uploading that terrorists would find helpful. Notably absent are services like AWS, Rackspace, Terremark, Savvis, Salesforce.com, Netsuite, Intuit, etc. But it’s easy to envision scenarios when looking into your company contacts or money flows would be interesting to the government.

What’s next? I have no idea. The government needs to make its move.

Comments

  1. NSA snooping around (doing their job rather than sleeping at the desk) is a good thing. We as tax payers are spending billions of dollars on homeland security, and yet many are concerned when they do their job. It is very similar to cops on the street. You do want them to police your neighborhood. Similarly, you do want the NSA, the FBI, the CIA to do what they are supposed to. And freedom always comes with a price in terms of civil liberty. Air travelers have to go through TSA check points every day. They scan into your luggage and give you a pat down. I would say the PRISM program is less intrusive.
    As for public disclosure of snooping by the government, one cannot expect the government or any law enforcement agency to announce that they are going to be doing that; because then criminals will change their behavior.
    On the data privacy issue, every contract has a clause that the service provider will protect the data, but will reveal it to any law enforcement agency if required by law or court order to do so. As such, everyone of us should expect that all of what we do is available to the government if they choose to look at it. If the courts give permission for the agency to have access to it, the service providers do not have any option other than to comply. This does not make them the “bad guy”.

    As for public versus private cloud, it does not matter where the data resides. If the government asks for the data and has a court order, even data that resides on a private cloud needs to be provided. Of course, having data in different countries “may” enable corporations to avoid being hauled to court by the US government. But it is the same as secret banking that exist today. Yet, the US government has been able to exert pressure on Swiss banks to divulge the names of account holders. So the question of data privacy does not exist. It is the same with all governments around the world. If they think their country is at danger, the government in charge has an obligation to do everything to protect its citizens. As such, it do not see how PRISM program should or will impact the design to go private or public cloud. The question is rather, where should your data reside if you do not want the US government to have access to it. I would say, there are very few countries in the world where this “may” be possible. But then, do you really want your data to reside in these countries?

    • Dave Roberts says:

      Thanks for the comment.

      I’m going to mostly ignore the “snooping around is a good thing,” and “This does not make them the ‘bad guy,’” parts because I think it goes more into the politics an civil liberties discussion. The only thing I’d point out is that there is a big difference between a policeman who drives through your neighborhood every so often to make sure everything is OK and one who hides in your closet and takes pictures of you in your own house. I think we’d all agree that the former is helpful and welcome and the latter is creepy and unpleasant. The debate turns on whether you think PRISM is an example of the first or the second.

      Now, regarding where data is placed, I think it does matter a great deal. If you’re concerned with privacy you’ll want to place it only in a location you control or with a trusted service provider. While it’s true that government can compel a service provider to divulge information, there’s a big difference between that and a constant state of snooping. Further, I don’t think this is purely a USA-centric problem. While PRISM might have exposed collusion between the USA and US tech companies, there is nothing that stops foreign governments from doing the same thing. Remember, for instance, that the UK was also involved with PRISM. Would anyone claim that France or Germany won’t do the same thing, if they aren’t already?

  2. Looking at one point DS mentioned, the Swiss banks divulging the names of their clients. You see, to be able to survive in this world, you have to improvise. Improvisation usually leaves marks, marks that can be found by having a very good IT system which is capable of… ehem… checking the bank’s data in the service provider’s server. I think you understand where I’m getting (blackmail it a part of it).

    As a European citizen I was outraged when I heard US Government’s statement that the surveillance is done mostly outside USA (i guess they didn’t want people that were in close proximity to turn immediately against them).

    I believe the impact of PRISM on cloud computing and cloud computing service providers will be devastating.

Speak Your Mind

*