As I wrote in September, there is little doubt that this year’s revelations of NSA surveillance will cause a drop in the revenue of the dominant U.S.-based cloud providers. The Information Technology and Innovation Foundation released an interesting analysis estimating losses of $22 to $35 billion over the next three years, and Forbes writers and other observers of the business aspects of information technology have been discussing it. The only real debate seems to be whether the ITIF estimate is low, high, or about right.
Meanwhile, paging Jason Bourne: Swisscom is building a “Swiss Cloud” that could serve as a privacy haven.
Swisscom AG is a major telecommunications and information technology provider in Switzerland. It is a successor to the formerly state-owned PTT, privatized but with the Swiss Confederation owning almost 57% of Swisscom. The government and Swisscom are concerned about protecting data confidentiality in Switzerland’s financial center.
Europe has much stricter privacy protection requirements than the U.S., and Switzerland is especially known for providing discreet banking and other services for its own citizens and foreign customers. The large Swiss banking industry (over US$ 2 trillion) is Swisscom’s largest customer segment, and the Swiss Financial Market Supervisory Authority, known as FINMA, requires in-country data transfer in some situations.
Andreas König, Swisscom’s head of IT services, says that their plans to build a Swiss Cloud were driven by the usual pro-cloud reasons of lowering cost while increasing flexibility. While the plans had nothing to do with the surveillance revelations, the timing may work out well for non-Swiss customers. As König says, “Data protection and privacy is a long tradition in Switzerland, and that’s why it’s pretty difficult to get to something.”
This doesn’t mean that Switzerland is the Silk Road on-line anything-goes marketplace! König explains, “But if legal requirements are there and we are asked by the judge to obtain or deliver certain information then we would obviously have to comply with it.” But that’s a Swiss judge operating within the Swiss legal system.
To keep data safe outside of your direct control, strong encryption is your only hope. But ciphers can have weaknesses and key spaces are of limited size.
A few months ago I wrote about quantum key distribution, and a little over a year ago I told you about physics-based methods for key generation. Done carefully, that combination provides us with the only hope of perfect confidentiality.
In Learning Tree’s Cloud Security Essentials course we talk about the difficulty of compliance in the face of sometimes conflicting regulations. The Swiss Cloud may come to provide a nice alternative. I’ll be watching for more on this story.