NSA Revelations Raise New Questions About Security in the Public Cloud

Written by Zeeshan Naseh

Every day, new information emerges that shows ever-broader electronic eavesdropping by the U.S. government on its own citizens and those of other countries.

The activities are even starting to draw the attention of the courts. And with every revelation of domestic and foreign spying by the likes of the National Security Agency, it gets harder for companies to feel safe storing and moving sensitive data in a public cloud.

The news broke in June 2013, with revelations that the NSA, through an initiative called PRISM, was accessing private communications of people who had used popular Internet services from nine companies, including Microsoft, Yahoo, Google and Facebook.

While many details have yet to come to light, PRISM essentially gives the government access to emails and stored data on certain foreign targets operating outside the United States.

NSA Reach Is Broad and Deep

To see how broad the PRISM effort’s reach is, consider that Verizon Business Solutions in April 2013 reportedly received an order to turn over information on every call that each of its customers had made. PRISM alone might be unsettling enough for companies concerned about keeping confidential information safe. But there’s more.

The day before Halloween, news surfaced that the NSA had secretly “broken into the main communications links” connecting Yahoo and Google data centers worldwide. Along with its British counterpart, the Government Communications Headquarters, the NSA is (through a program called MUSCULAR) “copying data flows across fiber-optic cables that carry information among the data centers” of Yahoo and Google, according to the Washington Post. Both Yahoo and Google told the Post they had not given the government access to their systems.

Relatively few people or companies likely have either data or communications that the government would find of interest. But at least for now, that may not matter. The NSA could well wind up scooping up your private information anyway if you store or move it via a large public cloud.

With Public Cloud, You Are Subject to Losing Control of Your Data

Naturally, the NSA could theoretically “break in” and spy on any cloud set-up. But media revelations of its eavesdropping to date have largely suggested that the agency’s efforts are focused on public cloud offerings like Google’s, rather than on the private clouds of individual companies.

As we’ve previously pointed out, one of the biggest issues with using a public cloud provider is that your business must essentially trust the vendor to keep the virtual gates under lock and key. If things go wrong, you may lose control over your data.

That’s not the case with the private cloud. You keep your hand on everything, including what goes where and when. That way, as one observer has noted, if the NSA comes knocking, you at least will know who got the information, when and why.

For many large businesses, especially those in regulated industries, security and maintaining customers’ privacy are top priorities. Compromising either can bring both regulatory consequences and loss of brand value.

Moreover, with the emerging new breed of self-service cloud management platforms, building a private cloud, or clouds, has never been easier – and at a fraction of the cost.

In this new era, there’s no reason to leave sensitive information to the whims of a public cloud provider. The private cloud is now well within reach.