Can the cloud be secure?
Jes Breslaw, director, cloud solutions EMEA, Accellion
Although most of the named companies declined to discuss the issue, Microsoft admitted that it had always complied with lawful requests for data and always will as a responsible US multinational.
Meanwhile in Europe, Deutsche Telekom's T-Systems and France Telecom with its partner Thales have suggested national clouds are needed, which would effectively be ‘PRISM-proof' or be immune to US legal pressure. This would be an easy bandwagon to jump on, but the truth is far more complex.
There are several sides of this topic to consider before rounding up against Microsoft and the rest of the participants of PRISM. While US companies are bound to comply by the Foreign Intelligence Surveillance Act and the Patriot Act, cloud services in Europe are also subject to national security and anti-crime laws that, in many cases, require no court order or public oversight. The UK's own Regulation of Investigatory Powers Act 2000 allows interception of data and communication on grounds such as the protection of national security.
And more draconian measures in Russia and China make PRISM look positively benign. Aside from legal
data interception, security researchers across the globe are pointing at China as a major source of state-sponsored cyber espionage.
So what is the answer? For the past few years ‘cloud-only' companies have claimed that if you don't get with the cloud, you will fall behind your competition, who will benefit from lower costs and greater agility. But I believe that while organisations want the user experience and subscription model of cloud services, they also want data where they can legally control it and keep it secure.
There is no magic bullet to solve this issue, but flexibility is certainly an extremely valuable commodity. Some organisations may well be happy to place data into a public cloud to gain cost reduction, high flexibility and accessibility benefits. Others may want to keep data on local servers with deep encryption and limited access via restrictive VPN solutions.
Both options are viable, but organisations should be able to mix and match between public, private or hybrid cloud deployments. Encryption, two-factor authentication and SSL should all be available to all types of deployment. Many data-collaboration software solutions are now designed to deliver many of the elements that cloud providers claim only they can achieve.
Placing all your data in a single basket will make it more vulnerable. However, suggesting vendors with a UK-, French- or German-hosted cloud are any less susceptible to local law enforcement, national security agencies or state-sponsored espionage is naive.
If Germany's Federal Intelligence Service, the UK's MI5 or France's Central Directorate of Interior Intelligence knock on the door and ask for access to servers to stop a terrorist attack or organised crime gang, it takes a brave service provider to say no. You can assume that in certain jurisdictions with fewer democratic principles, nobody even asks for permission.
By deploying a private cloud for sharing, syncing, collaboration and storage, organisations at least have control over the level of security and accessibility. However, a lawful search order in any jurisdiction will still require you to hand over access to your servers. At least with a private cloud, your organisation knows who is accessing the data, and why.
The cloud is not going away and, with or without PRISM, understanding the benefits and the risk, combined with a flexible set of deployment options, is the most measured and secure response.