Edward Snowden's revelations about the mass electronic surveillance programme by the US National Security Agency (NSA) have impacted on the adoption of cloud services by businesses in Europe, but not enough to derail the ongoing shift to a new computing paradigm.
This is the consensus of three industry experts – a lawyer, a security specialist and an analyst – who say organisations are willing to take risks because the promised benefits of subscribing to a cloud service provider are too good to ignore.
Law enforcement agencies in modern western democracies have always had the power to collect data from companies in their jurisdiction if a legal case could be made. It’s just the last part that got lost.
"The NSA was given too many statutory powers post-September 11th and they ran amok," says Philip Nolan, partner at legal firm Mason, Hayes & Curran. "They weren't kept in check by judicial authorities in the US as they should have been."
Local cloud providers
The upshot has been good news for indigenous service providers in countries like Germany and the UK, where organisations have been encouraged to use local cloud providers rather than US multinationals.
Apple, Google, Facebook and Microsoft saw the damage it was doing and lobbied President Barack Obama, arguing that failure to protect the rights of the individual was undermining confidence in their businesses.
Although Snowden's leaks threw cloud concerns into sharp focus, there are more pressing reasons why prospective cloud customers should be wary, according to Sean Reynolds, chief executive of Irish cyber security firm Rits.
“From the perspective of security – not operations or cost savings – I would come from the position that moving to the cloud is a bad idea,” he says, and provides a litany of things that can go wrong, principally because the cloud service providers will rarely give clients access to the fine detail of their service.
This means you will have no idea who has access to your data – the third party’s third parties – and you may not always be sure that it’s held in the right jurisdiction.
A founding principle of the EU Data Protection Act is that data must reside in a country on a list of approved countries.
The US is not one of them, but service providers can sign up to the Safe Harbor framework which gives assurances that the provider will adhere to European laws.
A paper-thin guarantee, according to Reynolds, who cites Zoho, a major US cloud provider, as an example.
Though it’s signed up to Safe Harbor it states that it doesn’t agree to comply with the EU data protection authorities.
Philip Nolan agrees that the system is flawed. "In practice companies get Safe Harbor certification and ignore it because it isn't particularly well enforced by the US Federal Trade Commission."
He is optimistic, however, that reforms to the Data Protection Act currently under way will address the problem.
"My view is that despite all the criticisms it will survive and be augmented with the US doing more on the enforcement side."
On the wider issue of greater transparency from cloud providers, Nolan is also optimistic that things will improve, that the pain they are feeling at present will force them to be more open.
“The quality and nature of commitments that cloud providers give will significantly improve in order for them to conduct business. The NSA has cost US tech businesses unquantifiable losses, and it will take them years to rebuild trust but there are immensely sophisticated strong companies and they will do it.”
Though security always features as a top concern for companies considering the cloud, Gartner analyst Jay Heiser thinks it's misplaced.
He believes firms should be more worried about the financial stability of their cloud providers.
Last year cloud storage company Nirvanix went to the wall, taking a lot of client data with it.
“Barrier to entry is so low that it’s inevitable that smaller cloud-service providers are going to be highly financially leveraged which makes them inherently fragile,” he says.
“You have to treat the cloud like a manufacturer would treat its supply chain; you need to regularly monitor the health of your service providers.”
Though there may be other blips along the way, Nolan and Heiser both expect cloud migration to continue at pace.
Reynolds shares this view, believing advances in authentication and encryption will gradually make the cloud more secure.
“The way to go is to encrypt your data before it goes to the cloud and have full control over the keys. Some third parties will encrypt it for you but you may not be able to access it without their involvement and they may charge you for it. They may also make it difficult to move your data.”
Another problem is that popular cloud services from Google and Microsoft run in highly integrated environments where encryption doesn't work.
In the case of Office 365, the suite of Microsoft applications available as an online subscription service, files are sent over an encrypted channel but are stored as clear text in the cloud for good practical reasons.
You may want to search documents or make changes on the fly.
“You can encrypt a file copy to the cloud but you won’t be able to use it interactively with Word, for example, because it doesn’t understand the encryption,” said Reynolds.
In the interim, before companies can hold the keys that guarantee them the highest levels of security, it becomes an exercise in risk assessment, with organisations weighing up the dangers – how sensitive is your data and what will it mean to your business if it’s exposed?
Reynolds puts it another way. “Picture yourself standing in front of your board of directors explaining why data has leaked into the public domain. Would you be happy that it’s not a big issue or is it something you would worry about?
“That’s a good question to ask yourself and a good place to start when considering the cloud.”