NSA spying poisons the cloud market: survey


Summary: A PriceWaterhouseCoopers survey revealed that 54 percent of German companies find the cloud risky after learning of NSA spying. An earlier study by PwC found that 84 percent of CEOs were confident about cyber security. If they only knew the truth.


The German survey — reported on by GigaOm — should be a wakeup call for Amazon and other cloud service providers. Expect to see other European and Asian countries reflect a similar disenchantment.

In the earlier survey, PwC was gentle in debunking the CEOs' confidence. They asked questions to further define security leaders, as opposed to the delusional, on the following criteria:

  • Have an overall information security policy

  • Employ a chief information security officer or equivalent that reports to top leadership

  • Have measured and reviewed the effectiveness of their security measures within the past year

  • Understand exactly what type of security events have occurred in the past year

After applying these criteria, PwC found that only 17 percent of all survey respondents are ahead of the game.

Another interesting wrinkle: the companies that identify themselves as front runners spend almost as much as firms who, by their own admission, are the least prepared to run an effective security program. Maybe those security programs aren't cost-effective.

The Storage Bits take
This week's Great Debate asked if companies should take NSA spying into account in their cloud buying. In arguing yes, I made the point that cloud service providers owe their customers the best possible security — including against NSA spying — because even NSA analysts can be corrupted.

Now it is clear, if unsurprising, that cloud service providers must also take security much more seriously than they have in the past. The US won't always be the world's largest IT market and even now its global market share is shrinking. American companies need to up their game to remain leaders.

Comments welcome, of course. How does your company rate on the PwC criteria? How complacent is senior management?


Talkback

32 comments
  • The law

    Part of the problem in Europe, and Germany in particular, is that privacy and the sharing of personally identifiable information is very strictly controlled.

    Technically, if you use a cloud service for CRM, Email, contacts, calendar etc. then the data cannot be stored outside the EU. A semi-blind eye has been turned to cloud services until now. BUT the cloud provider cannot hand that information over to a third party (e.g. US Gov. or NSA) without first obtaining the written permission of each identifiable person in the data, unless they have a valid search warrant issued in the EU. If the cloud provider hands over the data to a third party without obtaining the written permission first, then the owner of the data (i.e. the user of the cloud service) is liable to prosecution under European law.

    As the Patriot Act and the NSA's behaviour have made a mockery of judicial procedure, essentially any cloud service with a point of presence in the USA cannot be trusted with data originating in the EU. If the services are used, then the companies (and individuals, this also applies for things like GMail, iCloud and Outlook.com) have to take a calculated risk, whether the risk of being prosecuted for the provider disobeying the law in the land of data origin is less than the benefits the service brings.

    That is the problem with Cloud at the moment. The users of the service have to follow the letter of the law in the land where they are (data origin), whilst the Cloud provider has to follow the law in every country it does business in, ignoring the origin of the data - even if the Cloud provider doesn't replicate the data outside of the region of origin (i.e. it stays inside the EU), if the US Govt. comes knocking at the US office's door with a FISC letter, they have to hand over the data, even if it is outside the jurisdiction of the US Government.
    wright_is
    • Law?

      Like NSA cares!
      Foreseen
      • GovReply 1a

        The law is what we say the law is!
        NSAagent666
    • The EU is only a temporary setback to Amerifascism

      If the people in charge of our SECRET government (which is non-partisan but appeals to the conservative voting base more than the liberal base) find Europe's laws to be too annoying, it is possible that economic sanctions against the EU will pressure them to change their laws, and if that fails, well, there are some American voters who might approve of invading Europe and rebuilding it the way THEY like it (after all, if the US was able to invade France when its shores were being defended by Germans, could it be any more difficult when it is defended by French soldiers? is the way they think). Orwell, in the novel "1984," predicted three totalitarian empires: Eurasia (probably the Iron Curtain countries that were under Stalin in his day), Eastasia (possibly a Chinese Communist or Japanese empire), and Oceania, a fascist empire run by the U.S. in which nominally independent Britain with its IngSoc regime is reduced to being called Airstrip One, reflecting the Amerifascist attitude about what Britain is good for.

      Many Americans are working to convince a larger proportion of other Americans that there IS a threat of American totalitarianism disguised as Christian theocracy.
      jallan32
    • While I do not agree with the spying. Do not fool yourself into thinking..

      It's only the US. You know that China and Russia are. Here you can see England is. Who's to say who else is.

      http://www.zdnet.com/blog/london/uks-patriot-act-web-monitoring-law-could-face-european-veto/3833
      Johnpford
  • Eurocentric View

    You wrote: "essentially any cloud service with a point of presence in the USA cannot be trusted with data originating in the EU."

    A larger reading is: "essentially any cloud service with a point of presence in the USA cannot be trusted with data."
    Bill4
    • Unfortunately

      that is the case at the moment, because the way the US rides roughshod over the law, with the Patriot Act and the FISA/FISC, anybody in Europe who puts their trust in a cloud service with a presence in America is literally opening themselves up to prosecution inside the EU.

      If you are not using the cloud to store personally identifiable information (i.e. no emails, no contacts, no calendar information, only documents with no references to people), then you might be okay, but that doesn't leave much that you can put in the cloud... Oh, and finance data has even tighter rules.

      A lot of us like cloud services, but in the current climate, they are too dangerous for businesses to take seriously in many cases, or they have to look for local cloud services that don't have any presence in the USA.
      wright_is
  • Security on the Internet?

    No matter what anyone says, there is none.
    Foreseen
  • The problem with taking other people's word about your security...

    is that your security is only as good as the chain of people's words, from the guy wielding the soldering iron in the server-room to the supervisor to the manager to the CEO to the sales rep to you. A break in anyone's word at any point in this chain leaves your data tied naked to a post in the middle of a busy intersection, for everyone to gawk at.

    The simple fact is, the more data is moved around, the more vulnerable it is to being peeked at and poked at. If you want security, don't store your data in an amorphous cloud.
    D. W. Bierbaum
  • Hey! Cloudies!

    I told you so.
    Dr_Zinj
  • Yet more unintended consequences

    and none of the intended. #governmentprograms
    Jacob VanWagoner
  • Reality check

    The NSA is looking for terrorists within America, which means that every single American citizen is a terrorist suspect. That's who the NSA is spying on. Americans. Any European spying being done is almost certainly an oversight.
    akaltman@...
    • Really?

      The NSA was initially created to spy on foreign governments during The Cold War. This mission expanded over the years to include terrorists, narco-terrorists and now even us, its own citizens.
      MajorlyCool
      • I think you're confusing the NSA and the CIA.

        The NSA has always spied on foreign and civilian sources. Or more accurately - its job is to collect communications from all sources and mine it for information.

        I draw a distinction between the NSA and the CIA in that the CIA has actual agents who go into the field while the NSA does not. The other distinction is that the CIA is legally bound to spy outbound only - on foreign nationals, the FBI is inbound only, they handle civilian surveillance and the NSA just watches all communications.
        TheWerewolf
    • Not so...

      ...the U.S. government definitely thinks there are terrorists in Europe who might well attack us or our allies. And the NSA has a fishing license in Europe; FISA court permission is only required in the States.
      John L. Ries
  • GovCom 556

    "... even NSA analysts can be corrupted"

    Really? "Robin"
    Let's seeeeee .....
    hmmmm no audits by the IRS in the last 15 years?
    ......
    One is scheduled now .....

    Have a nice day!
    NSAagent666
  • Wakeup call for Europe and Asia?

    Should be a wakeup call for the USA also.

    Security is only one of the negative issues with the cloud.

    Live by the cloud, die by the cloud.

    Doc
    Doc.Savage
  • Bad for business

    Ironic. Doing business in the modern corporatocracy sense is bad for business. It's laughable.
    at0m1k
  • laws are just for the lowest-level persons (the majority of us)

    laws are just for the lowest-level persons (the majority of us) that can be controlled.

    If you are an NSA or other government agency, law does not apply. And if critical, they change the law.
    aviamquepasa
    • sheesh

      Let's say your kid was kidnapped, but the NSA needed your approval to make eavesdropping legal? So they could open "let's say" an encrypted e-mail that gave information pertaining to the whereabouts of your kid, that would prompt an exercise in saving your kid from being killed. Would you then change your opinion? I think you know the answer to that one.
      Dave Hargraves