The whole point of Learning Tree’s Cloud Security Essentials course is to discuss the questions you must ask a potential cloud provider to see if you could move some of your operation into the public cloud.
Moving to the cloud means losing some control and visibility. You lose physical control with IaaS, much more control with PaaS, and SaaS is the worst of all. This means that the conclusion is often “No” for at least some of your data.
Corporate and government concerns, and possibly legally binding compliance requirements, mean that some data must not move to the cloud. Worries about moving data to the cloud have increased due to the continuing revelations of NSA surveillance including the cooperation and subversion of major cloud providers.
I wrote about this last year. What has happened since then?
I think it should be no surprise that this concern has continued to increase, with associated impact on the bottom line for the major public cloud providers. All of them (prominently Amazon, Google, and Microsoft) are based in the U.S. As everyone paying attention realizes, it doesn’t matter if your data is in a data center that happens to be located outside the U.S. The USA PATRIOT Act requires that those U.S.-based companies turn over all your data when the government asks for it, and that they not tell you anything about that when the National Security Letter forbids all disclosure and discussion, as it inevitably will.
NSA surveillance and its influence on cloud adoption were a focus of discussion at this year’s RSA Conference.
Stanford University scholars report that “blanket mass surveillance undermines the U.S. economy by creating the global perception of an unsafe American business climate. Meanwhile, the technology behind surveillance is evolving well ahead of the law. As a result, privacy and civil liberty concerns are mounting.” The New York Times Business section has observed this economic impact.
Peer 1 Hosting conducted an interesting survey of 300 major businesses in the UK and Canada. Peer 1 found that 25 percent of those businesses overall, and 33 percent of the Canadian ones, said that they plan to move their corporate data outside the U.S. due to security concerns driven by the NSA revelations. Ninety-six percent of those businesses listed security in their top three concerns when choosing a hosting provider.
I have to wonder about that remaining four percent: what three other things bumped security out of their top three?
The survey also reported that 60 percent of IT decision makers responsible for selecting hosting providers said they didn’t feel that they knew as much as they should about data security laws, and 44 percent reported being confused by those laws.
Peer 1 operates in many countries with varying data security laws, and it summarizes its approach the same way other cloud providers do: “we will only disclose information when and to the extent that we are required to do so by applicable law.”
What does that mean? Don’t trust cloud providers for data confidentiality. They are excellent at data availability, data integrity, and network performance. But we must do our own confidentiality.