NSA PRISM: Do Cloud Providers, Customers Fear Big Brother?

Written by CJ Arlotta
June 14, 2013

Google, Microsoft, Facebook and others recently confirmed that they've participated in an National Security Agency (NSA) program called PRISM that collects information about how customers use services. How has this disclosure affected companies that are in the business of providing cloud computing services?

Google (GOOG), Microsoft (MSFT), and other giants in the cloud computing space have recently confirmed they've complied with requests to provide the National Security Agency (NSA) with information about their users’ online computer use, leading some to accuse the NSA of overstepping its bounds. But while this data collection program called PRISM has been a hot topic everywhere else, the chatter on this topic in the cloud industry has been little to none.

Talkin' Cloud has reached out to large IT research firms and big name cloud providers throughout the week, and we found almost no one who wanted answer our questions. Is Big Brother putting the cloud industry on edge? How can the industry address growing privacy and security concerns from customers? Do security and privacy go hand in hand?

U.S. cloud providers may be at risk

If providers, particularly U.S. providers, in the cloud industry keep this discussion behind closed doors, how will they expect to survive increasing concerns from customers and partners?

Enderle Group President and Principal Analyst Rob Enderle doesn't see a positive outlook for U.S. cloud providers if this intrusion of privacy continues.

"What this does is put U.S. cloud providers under a cloud making them appear untrustworthy and shifting business to foreign suppliers or on-premise solutions," he said via email. "This kind of thing could kill the U.S. public cloud industry if it continues." So what should cloud service providers do?

Assure your customers that their data is protected

Rackspace (RAX), for one, took a proactive stance on the issues of the day. Rackspace Senior Vice President and General Counsel Alan Schoenbaum told us via email that "Rackspace is adamant about protecting the privacy rights of our customers and we continue to enforce policies to help ensure customer-owned data is secure."

To assure us of this, Schoenbaum provided us with a statement the company made to customers addressing recent privacy concerns with the NSA:

"Rackspace has not participated in any data mining or collection of customer data located within its hosted computing environments for law enforcement or security agencies, including the 'PRISM' or 'BLARNEY' programs. We are prohibited from accessing and disclosing customer data stored on their servers or storage devices in our data centers without a properly issued, lawful request from a court with jurisdiction over both Rackspace and the data sought."

That's a good approach. It's a good idea to explain what is going on to customers. Explain how you will respond if you are asked for access their data, or directly address how you have not done so.

Address security challenges, instead of brushing them off

While security may no longer be a challenge in the mind of those inside of the cloud industry, it's still a major concern for businesses, especially non-technical businesses that may not understand cloud technology.

First, let's begin with the consensus of the worldwide security technology and service market: it is growing.

"Security should always be a top concern for businesses and consumers using technology," Intronis Engineering and Delivery VP Jay Bolgatz told Talkin' Cloud in an email.

But what is a concern for customers is an opportunity for partners. It should encourage them to demonstrate "security measures they have in place to protect their network and their data from being compromised," he added.

Managed services providers (MSPs) in the channel may experience the full effect from of concerns over the NSA's policies intially before cloud providers selling to the channel realize what's going on.

Think about it for a second. MSPs offer a range of services to, for the mostly most part, non-technical customers. Many of these customers do not fully understand cloud and how data is secured, but they sure can read the headlines in newspapers.

MSPs should continue to talk cloud security with customers, instead of sidestepping the issue. If anything, customers are more attuned to the cloud industry than ever before.

Encrypt data before it's too late

Some believe that the scandal at the NSA is a wake up call for organizations with unsecure data.

Storage company Nasuni CEO Andres Rodriguez told us in an email that the cloud is safe, but all sensitive data should be encrypted before it is sent to the cloud. Encryption keys for the data should only be held by the owners of the data.

"If they don’t, they should assume that others will have access to their data," he added.

Here’s this blogger’s perspective: we must take this privacy and security discussion seriously. The cloud industry computing industry as a whole needs to collaborate on ways to assure secure clouds, while protecting the privacy rights of customers, instead of running away from the issue, fearing the NSA or waiting to see what others in the industry are doing.

Since when did leaders in the cloud industry hesitate being the first to give an opinion or dive into new waters? Cloud providers have been known for innovation and reaching for the stars.

Saying nothing was what started this mess in the first place.

What about your company? Have customers asked about the security and privacy policies regarding their information? What has your response been? And what approach should companies like Google and Facebook take?