Blaming cloud providers for giving in to the demands of US intelligence is a naive perspective on a more complex issue. European organisations should consider other deployment alternatives, says Jes Breslaw, Director Cloud Solutions, EMEA, Accellion
Every day there are new headlines about PRISM, the data gathering and intelligence programme run by the US National Security Agency. These stories provide ammunition for organisations concerned about the security of the data they store with public cloud providers. As widely reported, US intelligence agencies were given direct access to data in cloud-based email, social networks and data archives from a number of major technology providers.
Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple have all been named as organisations that have been feeding information into PRISM. Dropbox was also named as a company that had been scheduled to begin providing data ‘soon.’ Although most companies named shuffled their feet nervously and declined to discuss the issue, Microsoft admitted that it had always complied with lawful requests for data and always will as a responsible US multinational.
In Europe, Deutsche Telekom’s T-Systems group and France Telecom with its partner Thales have suggested that nationalistic clouds are needed, which would effectively be “PRISM-proof” or immune from US legal pressure. This would be an easy bandwagon to jump on board, but the truth is far more complex.
Lawful interception
There are several sides of this topic to consider before rounding on Microsoft and the other participants in PRISM. The combination of the US Foreign Intelligence Surveillance Act (FISA) and the US Patriot Act creates what internet privacy group the Electronic Frontier Foundation described as “…one of the most significant threats to civil liberties privacy and democratic traditions in U.S. history.” The Patriot Act in particular was a response to the tragic 9/11 attacks and gives sweeping search and surveillance powers to domestic law enforcement and foreign intelligence agencies. It eliminated checks and balances that previously gave courts the opportunity to ensure that those powers were not abused.
Worse still, if a company receives an order under FISA it is forbidden by law from disclosing having received the order, or disclosing any information about the order. Some companies, such as Yahoo!, have now filed requests with the courts to be able to disclose the nature of the government’s requests to provide more transparency into the kind of data they provide.
However, while the very existence of PRISM has made headlines, it should be noted that cloud services across Europe are also subject to national security and anti-crime laws. These give national intelligence agencies and the police access to communication and user data, in many cases without requiring a court order or any form of public oversight.
The UK’s own Regulation of Investigatory Powers Act 2000 allows interception of data and communication on the grounds of national security; for the purposes of detecting crime, preventing disorder, public safety or protecting public health; or in the interests of the economic well-being of the United Kingdom. More draconian measures in Russia and China make PRISM look positively benign. Aside from legal data interception, security researchers across the globe are also pointing at China as a major source of state-sponsored cyber espionage for both military and economic benefit.
Damned if you do
So what is the answer to data security and privacy in an increasingly complex world? For the past few years “cloud only” companies have been telling the industry passionately that the only future is cloud. The top-level message has been that if you don’t get with the cloud you will fall behind your competition, who will benefit from lower costs and more agility. But the reality, I believe, is that organisations today want the user experience and subscription model of cloud services, but they want their data where they can legally control it and keep it secure.
There is no magic bullet to solve this issue, but flexibility is certainly an extremely valuable commodity. Some organisations may well be happy to place data into a public cloud to gain cost reduction, high flexibility and accessibility benefits. Others may want to keep data on local servers with strong encryption and limited access via highly restrictive VPN solutions.
Both options are viable, but what is key is that organisations should be able to mix and match between public, private or hybrid cloud deployments. Technologies such as encryption, two-factor authentication and SSL should all be available and applicable to every type of deployment scenario. Many modern data collaboration software solutions are built on cloud computing principles and designed to deliver many of the benefits that cloud providers claim they can achieve.
Placing all your data in a single basket will make it more vulnerable. However, suggesting vendors with a UK, French or German hosted cloud are any less susceptible to local law enforcement, national security agencies or state sponsored espionage is naive.
If Germany’s Federal Intelligence Service (BND), the UK’s MI5 or France’s Central Directorate of Interior Intelligence (DCRI) knocks on the door and asks for access to your servers to stop an imminent terrorist attack or organised crime gang, it takes a brave service provider to say no. You can assume that in certain jurisdictions with less democratic principles nobody even asks for permission.
Private local cloud
By deploying a private cloud for sharing, sync, collaboration and storage, organisations at least have control over the level of security and accessibility. However, a lawful search order in any jurisdiction will still require you to hand over access to your servers. At least with a private cloud, your organisation knows who is accessing the data, and why.
Anybody jumping on the anti-cloud bandwagon as a result of PRISM is naive to think that the issue is new, or that it will go away. The data privacy commissioner in Germany has written to Chancellor Angela Merkel to request that she petition the EU to strengthen privacy laws for European citizens. Some suggest that this might impact on the “Safe Harbour” agreement that exists between the US and Europe over data residing in cross-border locations. Under the Safe Harbour agreement, the US could ask a German company to reveal its data if it is stored in a cloud hosted or even owned by a US company, and vice versa. The spectre of PRISM suggests that the US may not even have to ask.
However, Europe’s national security agencies routinely share data about their own suspect nationals among themselves and with US intelligence, and these national agencies tend to observe national interests, not EU mandates.
The best-case scenario for any European organisation is to assume that some government agency is interested in gathering its data, and to mitigate the risk of that exposure with a sensible collaboration platform and security measures. The cloud is not going away and, with or without PRISM, understanding the benefits and the risks together while having a flexible set of deployment options is the most measured response. Deploying a private cloud, in your local legal jurisdiction, using tools that offer many of the features of the public cloud, could offer a lower risk profile and more protection against cyber espionage, hackers or national security agencies.
Sources:
http://gigaom.com/2012/01/17/buckle-up-for-a-new-wave-of-cloud-protectionism/
http://www.ft.com/cms/s/0/dbee868a-f43c-11e2-8459-00144feabdc0.html#axzz2aRTvFxYN
https://www.eff.org/foia/section-215-usa-patriot-act
https://www.gov.uk/surveillance-and-counter-terrorism
About the author
Jes Breslaw is currently Director Cloud Solutions, EMEA at secure mobile file sharing company www.accellion.com. Breslaw held senior European marketing roles for 15 years with technology suppliers and the channel. He began his career promoting IBM hardware, and then spent eight years marketing security solutions for Check Point Software and Cisco. More recently he has worked in companies that provide SaaS/cloud solutions, first Workshare and now Accellion.