NSA, PRISM and public-cloud data: how safe is it?


It came to light this week that the National Security Administration (NSA) has had access to user data in public-cloud services such as Facebook, Google and Apple, six other providers, and a host of phone companies.

It appears that a secret NSA program called PRISM has been scanning search histories, emails, files and even live chats. Previously it was classified as Top Secret, but as a result of this exposé the NSA has now downgraded PRISM. The leaked 41-slide PowerPoint presentation, which was apparently part of a training program for intelligence operatives, suggests that data is being collected directly from the servers of major US service providers. Google, Apple, Yahoo and Facebook flatly deny this.

US Senator Lindsey Graham tells Americans that they have nothing to fear if they’re not talking to terrorists. Doesn’t that sound just a little bit too much like Joseph McCarthy?

This issue has once again raised the question of whether personal data in public clouds is in fact in the public domain. Some believe that this is the cost of security. Others believe it is a cost too high.

Although this alone is far from an indictment of public-cloud applications it certainly serves as a proverbial “warning shot across the virtual bow.” Let’s call it Caveat user.

But paranoia is not the answer. There’s no need to shut down your computer and move to a cabin in Montana, a maple farm in northern Quebec, or a hunting lodge in the Yukon. The truth is that we’re going to continue to use these applications. But maybe now, we will be just a little more mindful of the risk of misinterpretation of the data and pictures we post on these sites.

Employers face a bigger challenge than individuals. They have a fiduciary responsibility to protect their organization’s data, for in it lies valuable intellectual property. Employers are also stewards of their employees’ privacy, and as such they have a responsibility to protect them against unauthorized use of their personal information.

It would be an overreaction for an enterprise to abruptly abandon its cloud strategy simply because of this nefarious NSA activity (raise your hand if this really caught you by surprise). But it should at very least give us cause for some additional thought.

Many organizations are building their transformation plans on private and hybrid clouds, often starting with just one or two workloads. Private clouds can even be more secure than a customer’s own data centre. And, hybrid cloud solutions provide options for keeping some aspects of a workload onsite while other portions are run from a private cloud.

After all, when you need to learn to swim, you don’t jump off a cruise ship into the ocean. Instead, you find a private backyard swimming pool and rather than dive into the deep end, you step cautiously into the shallow end and start there. And of course, never swim alone.
