NSA PRISM: The cloud laughs at the tin foil hat brigade

I hate to break it to you guys, but the government just isn't that into you. Moving your organization's applications and workloads to the cloud from a traditional on-premises model fundamentally changes nothing about the impact of NSA surveillance on the enterprise.
Written by Jason Perlow, Senior Contributing Writer

So the big story in the news is that the conspiracy theorists got it right -- the National Security Agency is, in fact, collecting and performing analysis on massive volumes of data about the electronic communications and digital footprint of everyone in the United States who participates on the Internet.


As I wrote earlier, this should not be a surprise to anyone.

The NSA has been involved in widespread electronic surveillance programs since its secret beginnings at the end of the Truman administration in 1952. The secretive organization has constantly increased its surveillance footprint as it moved from more of a SIGINT (Signals Intelligence) role to more of an ELINT (Electronic Intelligence) role, as the Internet and various social networks and online services became a more prevalent form of communication than analog and digital telephony, among others.

My colleague and networking columnist Steven J. Vaughan-Nichols jokingly suggests that individual end-users can minimize the impact of the NSA's surveillance programs on their person by, among other things, abandoning the use of cloud services.

Be afraid! Ditch the cloud! Anonymize everything! 

I hate to break it to you guys, but the government just isn't that into you. And this recent revelation about PRISM and other wide-ranging NSA electronic surveillance programs, while disturbing, fundamentally changes nothing about an overall shift to cloud-based computing.

ZDNet's Ed Bott discussed a more balanced approach to dealing with the NSA situation by embracing the practice of minimizing one's electronic footprint.

But really, even if everyone were to practice safe web browsing and use high-grade encryption on cloud storage to keep high-value documents away from prying eyes, the NSA has resources that can overcome many of the concealment efforts any particular user could attempt to employ if it decides you truly are a target of interest.

Let's forget about the paranoia of individual citizens for just a moment and get to more pressing issues — the concerns of large enterprises in a world where all electronically transmitted information can potentially be reviewed by the government for suspicious activity.

Yes, the notion of having an enterprise's data being intercepted by the NSA and other intelligence agencies is disturbing.

But it's not like this just started happening; it's been going on for at least the better part of a decade, if not longer. We have to assume that upstream data at the large telecoms providing WAN and extranet connectivity to private datacenters has also been intercepted, through secret programs and through legal mechanisms such as FISA orders.

Moving your organization's applications and workloads to the cloud from a traditional on-premises model fundamentally changes nothing about the impact of NSA surveillance on the enterprise.

This is nothing that you can realistically control, and you need to continue to operate your business as usual.

But most importantly, an enterprise has other pressing concerns which trump anything the tin foil hat crowd, now partially vindicated, can come up with.

Those concerns and drivers are the ever-pressing requirement to reduce the on-premises footprint of your company's infrastructure and the simultaneous need to be agile and provision resources on demand.

And in an age where every little bit of an enterprise's IT infrastructure cost is being heavily scrutinized by the CFO and a horde of bean counters, and where the business simultaneously requires self-service and highly automated processes to reduce human overhead in IT management, concerns of being spied on by the National Security Agency should be the least of your problems.

So yes, the NSA situation with PRISM and its other programs, which we have to assume dig deep into our national telecommunications infrastructure, is stinky.

But honestly, I would be much more concerned about individual hackers sponsored by other governments, or those working for criminal organizations, having the potential to penetrate your application data than about the NSA.

But investing in cloud doesn't necessarily make you more exposed, particularly if you are working with a provider that can give you a virtual private cloud infrastructure with higher SLAs than what is available in public cloud implementations.

Additionally, you want to pick one which can offer you end-to-end high-grade encryption VPNs, via accelerator appliances and software-based solutions from your on-prem systems to your cloud-based apps through your extranet connection.

It should also be noted that by moving line of business applications to the cloud, you can use this as a "Green Field" opportunity to move them to IPv6, which includes support for end-to-end encryption through mechanisms like IPsec which are implemented in the IP stacks directly from the OS vendor.

Current OSes that support IPsec include Microsoft Windows Server 2012 (and earlier), Linux distributions with 2.6.x kernels (such as RHEL 6 and earlier), UNIX operating systems such as AIX, HP-UX, Solaris and BSD, as well as Cisco's IOS core router operating system, among others.

IPsec features from supporting vendors may differ, however, so you'll want to look at them closely if you're considering end-to-end encryption between your server resources.

IPv6 is coming anyway; you'll be forced to deal with it at some point, and it's far less of a bear to deal with if you migrate the apps to a cloud provider.

This gives you the benefit of being able to remediate what is needed to make them work with IPv6 in an untarnished environment rather than trying to re-engineer the apps to function on (and possibly disrupt) your on-prem infrastructure instead.

So yes, the NSA gives organizations something to think about when it comes to implementing security across the board. But it's not going to stop the tidal wave of wide-sweeping overhead reduction in both on-premises infrastructure and human resources, or the need to be agile at the pace that the business demands.

Has the NSA scandal put a black mark on private and public cloud implementations, or will the reality of business drivers make enterprises proceed as usual? Talk Back and Let Me Know.
