Just when the hoopla of PRISM was beginning to subside, news of the NSA’s alleged program code-named “Muscular” breaks and executives at US-based cloud providers are reeling.
The Information Technology and Innovation Foundation (ITIF) estimates that PRISM will cost American cloud companies $22 billion to $35 billion over the next three years as businesses move their workloads to foreign cloud providers. If that isn’t shocking enough, Forrester analyst James Staten noted that the ITIF estimates are too low and predicted the impact will be as high as $180 billion, or a 25 percent hit to overall IT service provider revenues, in that same timeframe. These estimates were shared before the Muscular program was brought to the public eye. It’s sure to get worse.
Muscular, if you don’t know, refers to the alleged NSA program disclosed in documents leaked by Edward Snowden. It taps into the main communications links that connect Yahoo and Google data centers around the world and sends this data back to NSA headquarters in Fort Meade. This includes content such as text, audio and video as well as “metadata” of who sent or received e-mails and when the emails were sent or received. It’s been reported that the NSA obtained 181 million records in one month alone. If it can be done to Google and Yahoo, it can be done to any cloud provider, too.
When the US government subpoenas customer data from a cloud provider, that cloud provider is prevented from letting the customer know that it has handed over its data to the government. The Muscular program acquires this data from outside the US, essentially eliminating the need for a subpoena in the first place – a very convenient legal loophole. Now that we know about these two invasive programs, you have to wonder what other programs are out there that have not yet been exposed.
Is it time for companies to abandon the cloud? A recent study by IDG Research reported that three-fifths of companies believe that cloud file sharing has compromised their data security. Respondents also reported that 61% of all files would always need to be stored locally due to low confidence in the security of cloud-only storage methods.
While the cloud may seem to be more of a concern than ever before, companies don’t need to shy away altogether. They need to assess what goes to the cloud by using a simple data classification model, similar to traffic light colors: red, yellow, and green. Green data is the type of data that can freely move to the cloud since there won’t be an issue if this data is leaked or compromised. These files might include content such as sales collateral, presentations and other “safe” data. On the other hand, red data cannot move to the cloud due to security or privacy issues. Examples of this data might include financials, intellectual property, or M&A documents. Yellow data is somewhere in between and needs to be reviewed before touching the cloud.
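The traffic-light model above only works if it is enforced at the point where a file is about to leave the firewall, so here is an added example (not code from the original article) of a small pre-upload gate in Python. The marker lists, the `classify` and `may_upload` function names, and the sample documents are all constructed for this illustration; a real deployment would take the markers from the organisation's own classification policy. The gate scans content for red and yellow markers, honours an author's declared label only when it is at least as restrictive as what scanning finds (so a misfiled red document cannot be waved through as green), and lets yellow data move only after a reviewer has approved it.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Label(Enum):
    GREEN = "green"    # may move to the cloud freely
    YELLOW = "yellow"  # must be reviewed before touching the cloud
    RED = "red"        # stays behind the firewall


# Higher number = more restrictive; used to compare labels.
SEVERITY = {Label.GREEN: 0, Label.YELLOW: 1, Label.RED: 2}

# Constructed marker patterns (an assumption for this example, not the
# article's). Red markers cover the article's own examples: financials,
# intellectual property and M&A material.
RED_PATTERNS = [
    r"\bmerger\b|\bacquisition\b|\bM&A\b",
    r"\bterm sheet\b|\bletter of intent\b",
    r"\bsource code\b|\bpatent (application|draft)\b",
    r"\b(balance sheet|income statement|cash flow)\b",
]
# Yellow markers flag content that needs a human look before upload.
YELLOW_PATTERNS = [
    r"\bconfidential\b|\binternal (use )?only\b",
    r"\bcustomer list\b|\bpricing\b",
]


@dataclass
class Decision:
    label: Label
    reasons: List[str] = field(default_factory=list)


def classify(text: str, declared: Optional[Label] = None) -> Decision:
    """Return the traffic-light label for a document's text.

    Content scanning sets a floor; a declared label from the author can only
    raise the result, never lower it.
    """
    reasons: List[str] = []
    found = Label.GREEN
    for pat in RED_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            reasons.append(f"red marker: {pat}")
            found = Label.RED
    if found is not Label.RED:
        for pat in YELLOW_PATTERNS:
            if re.search(pat, text, re.IGNORECASE):
                reasons.append(f"yellow marker: {pat}")
                found = Label.YELLOW
    if declared is not None and SEVERITY[declared] > SEVERITY[found]:
        reasons.append(f"author declared {declared.value}")
        found = declared
    return Decision(found, reasons)


def may_upload(decision: Decision, reviewer_approved: bool = False) -> bool:
    """Gate applied just before a file leaves the firewall."""
    if decision.label is Label.GREEN:
        return True
    if decision.label is Label.YELLOW:
        return reviewer_approved
    return False  # red data never goes to the cloud


if __name__ == "__main__":
    # Constructed sample documents.
    samples = {
        "sales_deck.txt": "Q3 sales deck for the partner roadshow",
        "term_sheet.txt": "Draft term sheet for the acquisition of Example Co",
        "emea_customers.txt": "Internal only: customer list for the EMEA region",
    }
    for name, text in samples.items():
        d = classify(text)
        print(f"{name}: {d.label.value} upload={may_upload(d)} {d.reasons}")
```

Run as a script it prints the label and gate result for each sample; in practice `may_upload` would be called from whatever sync client or upload proxy sits at the network edge, with the reviewer's approval recorded alongside the file.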
Moving forward, PRISM and Muscular are bringing the cloud back into alignment, much as the dot-com bust did for the web in the early 2000s. Following the high-flying 90s, the market eventually realigned to reflect the reality of sustainable business models. Disclosure of these secret programs is now forcing a similar realignment for the cloud by reasserting the need for security and privacy when it comes to data.
It’s important to note that not all cloud companies expose your sensitive information. By separating the cloud service (the application that is running in the cloud) from where the data is stored (in the cloud or behind the firewall), the business benefits of the cloud and SaaS can be realized without running into privacy or security issues.
PRISM and Muscular are actually good for the cloud in the long run since they force companies to rationalize what data should be in the cloud and what data absolutely cannot go to the cloud. This way, the NSA or other prying eyes won’t be able to access your company’s secrets.