If you are both a news and a cloud junky as I am, there has never been a more interesting -- or distracting -- time to hit refresh on your favorite online news site. The recent statements by whistle-blower Edward Snowden about the scope of surveillance and data capture by the National Security Agency were surprising -- and highly concerning -- to many.
As the media dove into this story, things got even scarier. The Washington Post uncovered documents about PRISM, a highly classified program where the FBI and the NSA supposedly tapped into servers at Internet companies and cloud service providers (CSPs) for the purposes of counterterrorism. I'm certain there were some sleepless nights for executives (and PR people) as Facebook, Google, Microsoft and other cloud providers struggled to respond to the implication that they were complicit in letting the feds into their networks.
There is a significant distinction between what the cloud companies are saying and what the PRISM documents imply. The providers have disclosed that they receive thousands of requests from the government to provide client data (and comply with these requests in somewhat staggering numbers). In contrast, the PRISM documents indicate that the government is using technology to capture whatever data it wants directly from these companies' servers. Perhaps the government wants to provide CSPs with some plausible deniability, but it's interesting to note that each of the CSPs' public statements about PRISM is very carefully worded. Not a single company flat out denies the surveillance -- they only state that they are making their best efforts to preserve customer data privacy. I expect the truth is somewhere in the middle.
Will PRISM kill the cloud?
So, the next logical question for those of us who regularly leverage the cloud for business or personal use: will 'PRISM kill the cloud,' as Jonny Evans, a fellow Computerworld blogger, has said? I'd argue that while it may make companies think twice about moving mission-critical applications to the cloud for a period of time, the siren call of Infrastructure as a Service (IaaS) will continue to lure business to the cloud. It just means we need to pay even more attention to data privacy and security.
So what can companies do to retain data privacy in the cloud?
Find a distant cloud?
It seems logical to think that if the US has control over US-based CSPs, you could consider a CSP with data centers outside US borders, thus escaping surveillance.
It's not that simple. The FISA Amendments Act of 2008 (also called the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, or FISAAA, for short) added even more teeth than the Patriot Act to the government's ability to seek data to support counter-terrorist activity. FISAAA technically only applies to data/people that are located outside the US (which you certainly have if you're a multi-national corporation). FISAAA explicitly expands surveillance authority beyond telecom companies to include data held by cloud service providers (CSPs). Notably, it removes previous constraints about 'continuous surveillance', making it possible for the government to install technology that scans and collects data directly from the CSPs' systems. Sound familiar?
The world is definitely getting smaller, and though you may try to run, it may be better to hide.
The importance of encryption
I've said it before. I'll say it again. If you have data you don't want other people to read, encrypt it, and make sure that you control the keys.
Encryption in the cloud is more challenging, as you don't typically have control over the infrastructure. Further, if the government is capturing data from within a CSP's network, then it matters significantly where you deploy your encryption. If you're encrypting across the wire, but data is in the clear once it arrives at the CSP, that doesn't give you any protection.
If you are running virtual machines in the cloud (IaaS), you can use technology that encrypts data from within the OS of each virtual machine, ensuring that data is protected as it traverses the hypervisor and continues on to storage. This can reduce access to data in a significant number of cases.
Virtualized environments have distinct differences from their physical server brethren. For instance, if you suspend a VM, a file is created that can contain sensitive data, depending on what was running when it was stopped. In a physical server, this is the data that would have been in memory. In a VM, it's now searchable and accessible, unless you encrypt it.
By doing this, you can at least be sure that if your CSP happens to turn your data over -- either intentionally or inadvertently (say, for instance, your data was stored on the same disk or other storage media as a company that was being investigated) -- YOU get to make the decision about whether to give the government access to your data ... and for the moment, you can breathe.
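One way to check the point about suspended VMs above, as an added example that is not part of the original column: plant a unique canary string in a test guest, suspend it, and scan a copy of the resulting state file for the canary and for low-entropy (plaintext-looking) regions. The function names, the canary value and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter

CHUNK = 4096  # bytes per read; entropy is scored on full chunks only

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for text or zeroed pages."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def scan_image(path: str, canary: str, min_entropy: float = 7.5) -> dict:
    """Stream a suspend or disk image; report canary hits and low-entropy chunks."""
    if not canary:
        raise ValueError("canary must be a non-empty string")
    # Guest memory can hold the string as UTF-8 or as UTF-16LE (Windows guests).
    needles = [canary.encode("utf-8"), canary.encode("utf-16-le")]
    overlap = max(len(n) for n in needles) - 1
    hits, low, scored, tail, offset = set(), 0, 0, b"", 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            if len(chunk) == CHUNK:  # a short final chunk cannot reach 8 bits/byte
                scored += 1
                low += shannon_entropy(chunk) < min_entropy
            # Prepend the previous tail so a canary split across two reads is found.
            window, base = tail + chunk, offset - len(tail)
            for needle in needles:
                pos = window.find(needle)
                while pos != -1:
                    hits.add(base + pos)  # absolute file offset; set removes repeats
                    pos = window.find(needle, pos + 1)
            tail = window[-overlap:]
            offset += len(chunk)
    return {
        "canary_offsets": sorted(hits),
        "low_entropy_chunks": low,
        "scored_chunks": scored,
        # High entropy is necessary, not sufficient: compressed data also scores high.
        "looks_encrypted": not hits and low == 0,
    }
```

A canary hit is conclusive evidence that guest memory reached storage in the clear; a clean result only shows that nothing obviously readable was found.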