Why PRISM's potential impact on cloud industry is under-valued and over-rated


Summary: Forrester estimates the US cloud computing industry could lose up to $180 billion by 2016 thanks to the NSA's PRISM project - but only if you believe that concerns about government spying trump the business benefits of going cloud.


Earlier this month The Information Technology & Innovation Foundation (ITIF) published a prediction that the U.S. cloud computing industry stands to lose up to $35 billion by 2016, thanks to the National Security Agency (NSA) PRISM project, leaked to the media in June.

We think this estimate is too low, and that the true potential cost could be as high as $180 billion -- or a 25 percent hit to overall IT service provider revenues in that same timeframe. That is, if you believe the assumption that government spying is more of a concern than the business benefits of going cloud.

Having read through the thoughtful analysis by Daniel Castro at ITIF, we commend him and this think tank on their reasoning and cost estimates. However, the analysis limited the impact to the actions of non-US corporations.

The high-end figure assumes US-based cloud computing providers would lose 20 percent of the potential revenues available from the foreign market. However, we believe there are two additional impacts that would be felt from this revelation:

1. US customers would also bypass US cloud providers for their international and overseas business - costing these cloud providers up to 20 percent of this business as well.

2. Non-US cloud providers will lose as much as 20 percent of their available overseas and domestic opportunities due to other governments taking similar actions.

Let's examine these two cases in a bit more detail:

You don't have to be a French company, for example, to be worried about the US government snooping in the data about your French clients. That's a worry any company, regardless of country of origin, should be concerned about.

Yes, if you are a US corporation you are subject to the US Patriot Act, but in this case the US government would have to subpoena you directly rather than going behind your back to your US-based service provider.

European Union rules require data about EU citizens be stored and retained in the EU. US corporations are subject to this rule just as EU companies are, so seeking an EU-based cloud provider or non-cloud IT provider would be a prudent tactic for a US business as well. Outside the EU there are similar regulations, such as in Australia and Canada, that would warrant like behavior.

While this loss of revenue would be significantly smaller than direct foreign investment, the total could still add another $10 billion to the overall losses for this market. Not to mention the added expense to US companies who would have to work with multiple service providers around the world with different procedures, regulations and security standards. What fun.

The second impact is coming, make no mistake about it, and will be far more costly. It's naive and dangerous to think that the NSA's actions are unique. Nearly every developed nation on the planet has a similar intelligence arm which isn't as forthcoming about its procedures for requesting and gaining access to service provider (and ultimately corporate) data.

As stated in the ITIF report, German intelligence has the G10 act which lets them monitor telecommunications traffic without a court order. Forrester analyst Andrew Rose, in his blog, talked about a similar "legal" surveillance report from India.

Forrester maintains a privacy and data protection heat map of the globe that highlights which countries have clear rules (Caution) and those who don't (Alert) for government surveillance, data residency and other security rules of merit. While the US may be a place for caution, there are many other countries who should be looked at far more fearfully.

Short term, a greater understanding of this surveillance picture could have a chilling effect on all hosting and outsourcing services (not just cloud computing) in many countries. If, as ITIF estimates, half the cloud market will be fulfilled by non-US providers, and if this factor has just as much impact on them as the PRISM leak will have on US providers, then non-US cloud providers would take a hit of another $35 billion by 2016.

Add in the rest of the hosting and outsourcing market, which, according to Forrester estimates, is three times the size of the cloud market in this timeframe, and you now have a net $100 billion loss for non-US based service providers.

Add it all up and you have a net loss for the service provider space of about $180 billion by 2016, which would be roughly a 25 percent decline in the overall IT services market by that final year, using Forrester market estimates. All from the unveiling of a single kangaroo-court action called PRISM.

Scary picture but probably unrealistic. 

Prior to today's media-hyped paranoia about government surveillance, corporate IT spending has been trending toward outsourcing for many years. Few corporations have no data in the cloud let alone no data with a hosting company, colocation provider or outsourcing firm. Think your firm is the exception? Do a quick travel and expense audit against Evernote, DropBox or similar services. Swear on a Bible that none of your employees have company data sucked up into iCloud. Sign a legal tender that none of your partners are storing your data or data about your company in the cloud or with a service provider. Oh well. 

The fact of the matter is that the IT services market is a part of our portfolios because it provides capabilities we value either against IT or business metrics. And it's highly likely these values are worth more to you than the potential risk you think your company faces due to government surveillance. And if your company is a prime target for government surveillance, you are probably being watched from within your own firewalls right now. 

So should you take the actions that would support the forecasted losses ITIF estimates? Should you take the actions that would fulfill the greater estimates I provided above? It's unlikely you will and in many cases it would be too costly or complex to do so at all.

Instead, you should heed the advice from Forrester's Data Security and Privacy Playbook. And when using cloud computing services, embrace the Uneven Handshake of cloud security by recognizing that you can take actions yourself to protect your data from prying eyes when using these services. A quick tip: bring your own encryption. If you hold the keys, the governments can't get to your data by going through your service provider. That's the core premise behind the Megacloud storage service, and there are ready solutions you can use today, including Perspecsys and SafeNet ProtectV.

We also agree with ITIF's recommendation that the US government needs to act quickly to set the record straight about what information it does and does not (already) have access to. We would add that the US needs to reset the judicial-NSA relationship back to a more objective stance similar to what the founding fathers had in mind. But, as stated above, this isn't a US-only problem.

The leading governments of the world need to set aside time at the next G20 Summit to draft clear international surveillance transparency rules that will take any potential chill off the burgeoning cloud computing market. We as a planet, not just one nation at a time, need to balance security and economic interests. The US certainly could take individual actions that model this notion and make amends for the transgressions revealed through this leak. But other developed nations have the opportunity to step up as well and set a strong example that isn't trying to stand on a shaky foundation.

But it is unlikely any government will step up to this issue, as governments place a much higher priority on defense than they do on economic development. Want them to act? Don't wait for it. Protect yourself to the degree necessary and focus on achieving your business objectives.

James Staten is a Vice President and Principal Analyst at Forrester Research serving Infrastructure and Operations Professionals. You can follow him on Twitter @Staten7.

  • Thanks to the National Security Agency (NSA) PRISM project?

    No, U.S. citizens elect their government and get the government that they deserve. As for U.S. corporations, they've for decades now been the U.S. "citizens" that matter through their large campaign contributions and have essentially run the U.S. government from behind their black velvet curtain. Ordinary U.S. citizens have been relegated to mere consumers.

    I must admit some pleasure in seeing the U.S. tech industry, U.S. corporate "citizens", suffering from this.

    Perhaps it's time for Google, Apple, Microsoft, Yahoo!, Facebook, etc. to join with ordinary U.S. citizens and deal with the root cause of the problem through the repeal of the USA Patriot Act. They've got the cash to send busloads of U.S. citizens to Washington, D.C., for mass demonstrations. They can give ordinary U.S. citizens signs to carry at the demonstrations with their corporate logos on one side and a blank side on the other for a handwritten message by the person carrying the sign. The CEOs of these same tech companies can be on hand in Washington, D.C., to address the mass demonstrators, the press and the public to further help get the message out.
    Rabid Howler Monkey
    • RE.....

      I completely agree. The PRISM project is going to put all cloud services in jeopardy. What if you have business secrets and confidential information for your company on the private cloud and the NSA just literally goes in there and steals it? How is a corporation supposed to run that way if their proprietary secrets can just easily be stolen?

      I do kind of hope this does give the tech industry a good kick in the butt, because the tech industry is costing the consumer more money than the basics of food, gas, health care, heating and cooling. If you added your cellphone to your home phone / tv / internet service, does that cost you more money a month than your Oil / Gas / Electric bill? Good chance it probably does.
      • Without reading the article.....

        You have opportunities to encrypt your data at various levels that will offer you protection even on a place as scary as the cloud. The problem is that we don't know which vendors to trust anymore. What we are realizing is that even if we push files out to the cloud, they should be files that we encrypt before they get on the web and that only we have the keys for. The more encrypted the message, the more difficult they are to obtain. One of my favorite encrypted messages on alt.bin.anonymous was "You just wasted a lot of time just to decrypt this message, didn't you?"
        • RE: without


          That's the issue, Microsoft was giving out the decryptor keys for secured email services that they use so the NSA could spy on the emails, that makes me never because Microsoft probably gave out the decryptor keys for files as well. The question is that, like you said, which companies can you trust now?

          Yes, I understand that you can encrypt your files on the net, but it's just a matter of time for someone who is in your cloud account to decrypt the file.
  • Because it's just Metadata

    I love Big Brother.
  • One door closes, another door opens

    I don't understand this. The ITIF report says "the reality is that most developed countries have mutual legal assistance treaties (MLATs) which allow them to access data from third parties whether or not the data is stored domestically."

    This tells me that no data is secure nowhere no how. So why would US cloud providers suffer such losses? It doesn't make sense unless the assumption is they don't know how to fight back with the facts.

    I think the real threat to cloud providers across the globe is coming from the rise of private cloud providers like Cloudlocker (www.cloudlocker.it), at least on the consumer side. I think it's new products like this plug n play device that pose the biggest threat to the old-line public cloud services, which have always suffered from fatal flaws in privacy and security. The private, personal clouds like the Cloudlocker eliminate these flaws, and that's why I see them taking over this space, soon to be followed by enterprise-level versions of private clouds, once good ol Yankee ingenuity kicks in. One door closes, another door opens.
    • RE: One door closes....

      Well, the difference is those countries need to get a warrant to start snooping around your data. FISA allows the NSA to do it without a warrant for people in this country and other countries.