Recent Edward Snowden revelations made companies aware that communications such as cloud technology could be subject to government surveillance. This is breeding paranoia, leading many European firms to demand that their data storage is removed from the US. Much concern centres around personal information, such as health and credit card details.
These fears are supported by a recent report, which concludes that rising levels of government surveillance is leading firms away from cloud computing. According to the report, the presence of automated hacking tools means that even a small number of improperly secured resources are certain to give hackers free reign on the network – and access to customers private data – within minutes of an incursion.
There does not seem to be a fix-all solution - although some experts suggest the type of cloud used makes a difference: after all, a private cloud is likely to be more secure than a public one. On top of this, EU countries including Germany are considering following the example of the French and adopting national clouds in the struggle to ensure data is protected.
Even with such measures in place, resisting government surveillance is futile, experts told SC Magazine UK. Whether private, national or public clouds are used, data will still be available to government spies - and criminals - if they really want it.
Most cloud service providers are US-based, which is leading some to roll out European-wide data centres, says Alvaro Hoyos, director, risk and compliance at OneLogin. However, he adds, because of the NSA revelations, there will always be a stigma - even if servers are not located in the US.
Therefore it is wise to assume that if you are using communications technology, the government will intercept it, Mike Small, ISACA member and analyst at Kuppinger Cole tells SC Magazine UK.
He advises firms to take a risk-based approach. “You have to understand what you are putting at risk and to do that, you need to understand your data,” he says.
If you approach it in this way, cloud can be hugely beneficial to most firms, says Jamal Elmellas, technical director at Auriga Consulting: “Cloud providers can offer a plethora of expertise. However, adopting the technology requires due diligence and governance. You need to read the small print.”
Its therefore important to ask the right questions. According Elmellas, firms should ask if data is going to be available to local authorities; and, will it be at risk in certain parts of the world?
Other risk factors associated with cloud include decreased visibility and control. Adding to this, many firms new to the technology do not understand the division of responsibility between themselves and the provider.
“Providers may not allow customers to instrument their own cloud usage to the extent they would like, and they may not be able to provide logging and monitoring directly to those customers,” Wendy Nather, analyst at 451 Research explains, adding that while the largest providers, such as Amazon, are working to increase both control and visibility options, “the smaller ones havent worked this out yet”.