Quitting the cloud over PRISM

Australian companies and government organisations often cite security and data sovereignty issues as the reason for not making use of cloud services.

This fear has been exacerbated by allegations of wholesale NSA surveillance, both of services provided by Microsoft, Google, Yahoo and others, and all data traffic entering the United States.

To highlight these concerns, in a poll run by iTnews, 61 percent of respondents indicated they would “quit any cloud services in light of PRISM”.

European cloud services companies have been quick to capitalise on concerns raised by US spying, emphasising the advantages of using non-US cloud services as an alternative.

Security expert Mikko Hypponen has even suggested it is better to be surveilled by your own government than the US, and to a certain extent he may be right.

The response by local cloud service providers in Australia has been somewhat more muted, with little evidence they are rushing to capitalise on the uncertainty created by the PRISM scandal. 

OzHub, a local coalition advocating an Australian cloud, has called for the need to “keep sensitive and personal data onshore in Australia”. 

In reality, the situation concerning access of corporate data by the US secret services belonging to foreign firms is more a case of speculation than fact.

US legislation has in the past been used in a small number of cases to access data of foreign companies as well as data of individuals for reasons outside of the pursuit of terrorism.

The US Patriot Act has been used to justify a broad range of actions including the pursuit of drug trafficking, accessing financial information and pursuing copyright infringement in addition to its intended purpose of gathering general information relating to terrorist threats.

In response to concerns about the reach of the Patriot Act and the ability of the US government to access data held on servers belonging to an American company, US cloud providers have established data centres in a number of other countries.

Although perhaps partially allaying concerns about access, in practice, it is unlikely that this would protect those services from access under the Patriot Act.

Whether the threat of US surveillance of corporate data proves a real issue for companies will depend on their particular industry. In the UK at least, the benefits of the public cloud for the Houses of Parliament have outweighed any potential risks.

Any security-related incident tends to heighten general awareness of security issues, which then leads to an increased interest in ensuring that effective security measures have been followed for both individual users and corporate systems.

This in turn leads to a rise in activity for companies and technologies that offer some protection against unwanted snooping. At the individual internet user level, a recent report suggests that downloads of the browser extension DoNotTrackMe have increased by 54 percent, use of search alternative DuckDuckGo has seen a traffic increase of 55 percent, and use of proxy services likewise has increased.

Companies are also likely to seek changes to the levels of security and encryption utilised in their computing generally, but especially in their use of cloud services.

Cloud providers like Amazon Web Services do offer the option of running virtual private clouds (VPC) supporting hardware security module (HSM) appliances. The keys for these encryption devices are accessible only by the clients and so theoretically would protect companies against unauthorised snooping of data.

Local providers like Macquarie Telecom and Telstra also provide special features for security but if they are offering software as a service facilities of US-based software, they run into the same issues with access of information through those services.

As revelations continue about the level of cyber spying that various governments are engaged in, it will be difficult to assess the whole risk profile for any given company. It is clear that if a government wants access to data, there are several means by which it can obtain this, irrespective of whether this data is in the cloud or not.

In all cases, protecting data with strong encryption is a good first step in making it harder for them to do so without just cause.