Edward Snowdon is causing us another headache about privacy and data protection. Even though he didn’t even narrate disruptive stuff. Those pretending surprise about the NSA investigating our utmost private data (which we share in the internet) have probably ceased to think about the US’s proclaimed intention to reveal and chase all terrorism in the world (by whatever means it takes). Folks – one thing upfront: The Patriot Act isn’t new!
What obviously really hits us here is the fact, that so far nobody really thought that the capabilities and technical resources to do that investigation efficiently are available (i.e. Big Data Analytics is not slideware anymore – trend followers out there: face it!)
And what’s the consequence? A new wave of discussion whether moving data into “the cloud” is really wise? The wisest thing to meet this discussion is to clear up with a few facts.
So, spend a few minutes and think about the following questions, if you will:
Do you send email?
If you’re in a company (or if you are a company), you may claim now that you send your email from an on-premise mailserver. Good. Whom do you send mail? Only to parties on other on-premise mailservers? Encrypted? End-to-end? I don’t want to argue to move your mail server into the cloud; this wouldn’t make a difference for the question discussed. What I’m emphasizing is the fact, that every attachment that is sent unencrypted through an unencrypted channel could be listened to and caught by any party interested. Without any cloud provider being involved. 10 years ago already.
Now, what is the real problem here?
The real problem is that the vast majority of email senders don’t give a shit on which channels their information traverses. In 90% of the cases this isn’t even a problem, as nobody really cares about the 127th slide deck proposing a better life when shared with 10 friends. Even not the NSA. The remaining 10% cause a problem if compromised. No matter if sent through a cloud provider or your server in your own cellar.
Do you use a social network?
No? Then forget about this question!
If yes, whom do you communicate with in it? And what? Personally, I don’t know any relevant social network owned by a provider outside the US (or not co-located within US boundaries). I.e.: you’re trapped if you use it. Except – well — except we’re talking about a company social network hosted behind your employer’s firewall. You might be trapped in another way here, but that’s a different story. Hence, it is applicable to say that sharing information within a social network which could use its (your!) data for analysis or open its data to be transferred and analysed by anybody else means opening trackable information about yourself and what you do.
But what is really the problem here?
It’s again the information you share, the information others share about you and the information others share with you without your permission or control; be it your home address and holiday absence or your latest invention you talked about with your friends over a beer. In other words: The real problem is not the cloud as such but what you share with it and how you (can) control openness and transparency (this could – by the way – be a problem with your company social media tool as well).
Do you exchange documents apart from mailing them around?
A company will for sure have already introduced a mature, secured and company compliant private dropbox service (what if not, is subject to another post; well, actually it’s rather boring to repeat what happens when employees need a dropbox and find dropbox.com blocked). But what if you intend to leverage x-company collaboration? Without blowing mailboxes or having the documents lying around in public unsecured mailservers? Rent a cloud collaboration service supposed to be more secure and reliable than any employees uncontrolled dropbox account. Or get your IT to setup an extranet service to collaborate with your external partners (including a lengthy process to add more collaborators to it).
Is this the real problem here?
In a way, yes. It is the move into x-company collaboration that causes headaches for your IT. You could solve this by simply avoiding any open service supporting such collaboration, in which case you can easily skip cloud (and the collaboration itself, too; congratulations; case closed). Or by accepting the duration for adding collaborators to your extranet. Or by using eMail (see above ;)).
Do you use a mobile phone or tablet PC?
If not, forget this paragraph, too?
If yes, you may probably use apps which go beyond email, facebook or the weather forecast. A photo app e.g.; to share a quick scan of some doc page or some instant messaging tool (whatsapp?). I reckon you do know the vendor of your instant messaging app on your mobile phone and he transparently explained to you where your communication threads are stored and which investigation means he offers international homeland security. And of course these means are in line with your privacy expectations. Are not? Well …
So, what’s the real problem here?
Flexibility. This is what poses the challenges. Fewer people are willing to exchange mobilitiy and work-life flexibility against lock-downs for the benefit of security. Which again essentially results into thinking about what to share, controlling the apps respectively and managing the mobile devices to lock them down or wipe them in case of compromising.
So, face it:
Cloud is not black or white.
Moving data into the cloud isn’t a question of “like” or “dislike”. When servers, networks, the Internet, … evolved from mainframe computers (some time ago), IT bent into a path of openness. Today, something has not become less secure just because of the 3rd Industrial Revolution we are facing.
To claim that moving company data into the hands of a cloud provider means to make it open to anybody is equally stubborn as stating that an email sent from (a) to (b) means to make its content available to the whole internet. It is true for certain ways of transporting that mail. And for these ways it was true already some decades ago. Not only now.
Hence, a mature cloud provider would make its service secure, confidential and (most of all) transparent. With that in mind there’s no real way of stopping the move.
Here’s a nice one about transport security and about it being compromised and how: http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-providers-leave-door-open-for-nsa-surveillance/