NSA PRISM puts "public" cloud in a new light

Can you really trust the public cloud with your data? If you really want to be secure? No.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Like Jason Perlow, I doubt that the NSA is really that into me. It's all those other three-letter acronym (TLAs) organizations, such as the FBI, IRS, and SEC, which might have access to my data that I worry about.

Just because you're paranoid doesn't mean that they're not out to get you. (Credit: CBS Interactive/ZDNet)

Mind you, I don't do anything that any of them would care about, but if I were running a major company I'd be worried about government snooping into my business. Perhaps I should also be worried if, say, the cloud storage company I've entrusted my data to -- let's call it MegaUpload -- gets into hot water with the Department of Justice (DoJ, another TLA!) and all my data is eventually deleted by the Web hosting company. You can't tell me that's not a real worry.

While David S. Linthicum, senior vice-president of Cloud Technology Partners, pointed out recently that he doesn't see much of a connection between the NSA and cloud computing, still, "As we migrate to public clouds, the most vocal protesters against this shift also happen to believe the data is at more risk for government monitoring. While you can show them mechanisms and statistics that demonstrate the value of leveraging public clouds, the 'NSA scandal' will provide more fuel for the already paranoid of the cloud."

I'm not paranoid, but facts are facts. We don't know exactly how the NSA is watching our domestic communications. Maybe it's by sitting in the Internet's tier one network operating centers (NOCs). Maybe it's by squatting in major tech company data centers.

Yes, yes, I know, I know. The big technology firms have denied that they're turning over information to the NSA, but they're required to deny it by Foreign Intelligence Surveillance Act (FISA) court orders lest they face felony charges.

Let's just take it as a given: if you put information on the public cloud, there's a reasonable possibility that it can be looked at by a government TLA.

But, if you put your infrastructure on a private cloud you dodge this problem. Even a hybrid cloud—where you keep only low-value materials on a public cloud—could still do well by you.

Don't think, by the way, that if you went outside the US for your cloud needs that you'd be perfectly safe. Over in the European Union (EU), many cloud vendors are now proclaiming how much more secure their services are than their American counterparts.

Ah. Hello? You do know what the NSA's real job is, right?

No, it's not spying on US citizens. It's spying on non-US-citizens using the telecommunication systems of the rest of the world. You know, places like, oh say, the EU.

Regardless of what the NSA is doing in the US, it's a lead-pipe guarantee that they're trying to collect data all over the world. And, lest we forget, all those other countries have their own electronic intelligence-gathering organizations as well.

There is no magic safe Internet harbor where your Internet traffic can't be spied on. If your data is on the net, the potential is there for it to be spied on. Deal with it.

Realistically, if someone is really out to dig up your data, you don't want any of it on a public cloud. But, if all you want to do is maximize the safety of your business-critical data while realizing the flexibility and cost benefits of a cloud architecture, a private or hybrid cloud may still be exactly what you need.

If you want more security than that, then keep your data in on-location server rooms or on-campus data centers and keep it all within your intranet. Just remember, however, that when Edward Snowden walked out of an NSA office in Hawaii with sensitive data, he didn't send it out on some super encrypted virtual private network (VPN) tunnel or via a Tor proxy. No, he just walked out with it in his pocket on a thumb drive.

You know, maybe there's something to be said for paper records after all!
