Explosive revelations in the past six months about the U.S. government’s massive cyber-spying activities have spooked individuals, rankled politicians and enraged privacy watchdogs, but top IT executives aren’t panicking—yet.
So far, they are monitoring the issue, getting informed and taking steps to mitigate their risk in various ways. But the alarming reports haven’t prompted them to roll back their decisions to host applications and data in the cloud.
That’s the consensus from about 20 high-ranking IT executives interviewed in North America and Europe about the effect that the U.S. National Security Agency’s snooping practices have had on their cloud computing strategy. The news broke in June, after former NSA contractor Edward Snowden began leaking the earth-shaking secrets to the media.
Many of the IT executives interviewed say that they’re not thrilled with the situation, and that it has made them more careful about cloud computing plans and deployments, prompting them to review agreements with vendors, double-check best practices and tighten security controls.
However, these IT executives haven’t been completely surprised by the revelations. Whether by overt means or through covert operations, it’s well known that governments engage in surveillance of telecommunications and Internet traffic.
”Government surveillance hasn’t changed our opinion about cloud computing. The cloud model is attractive to us, and I was never that naive to think that this type of government monitoring wasn’t going on,” said Kent Fuller, director of enterprise infrastructure services at BCBG MaxAzria Group, a Los Angeles-based women’s fashion designer and seller that uses Microsoft’s Office 365 public cloud suite primarily for employee email.
Stealthy monitoring of computer systems and communications by governments currently doesn’t rank among the top IT security concerns for many IT leaders. “Every CIO will tell you we worry every minute of every day about security, privacy, redundancy, operational continuity, disaster recovery and the like,” said Michael Heim, Whirlpool’s corporate vice president and global CIO. “We’re probably the most paranoid guys on the planet.”
Jacques Marzin, director of Disic, France’s interministerial IT and communications directorate, said the NSA scandal confirmed the known risks associated with the use of public cloud services. “We are of course concerned about any third party access to our data although we have limited usage of public clouds,” he said.
However, having everything behind the firewall also carries risks. CIOs worry about the cost and complexity of running servers on their own premises and the potential loss of competitiveness if rivals are taking advantage of the benefits of cloud computing.
”At the end of the day, the capabilities and economics around the cloud computing model are so compelling that when you artificially try to not take advantage of them you impact your ability to compete, because others will take advantage of them,” Heim said. Whirlpool recently decided to move about 30,000 employees from an on premises IBM Lotus Notes system to the Google Apps public cloud email and collaboration suite.
”We believe we have a very good plan in place to make sure we’re just as compliant and secure, if not more so, than we were before,” Heim said.
There are ways to mitigate risks associated with cloud computing, as well as precautions, safeguards and best practices that can be adopted, IT executives said. For example, companies should examine what prospective cloud vendors offer in terms of data center redundancy, IT and physical security, risk mitigation, operational practices and government and industry certifications. IT executives can also complement cloud vendor offerings in these areas with best practices and security wares on their end, like systems that encrypt data before it’s transmitted to the public cloud servers.
More than government snooping, IT chiefs appear to consider insider threats a more concrete and likely danger, including disgruntled employees or contractors like Snowden who out of malice or in retaliation expose confidential data or damage IT systems.
In fact, Snowden should serve as a reminder to CIOs to take precautions when hiring IT staffers and to put in place monitoring systems to alert them about rogue system administrators, said Alex Gorbachev, board member of the Independent Oracle Users Group and CTO of remote database administration company Pythian Group.
For example, email administrators may have unfettered, unaudited access to all mailboxes, he said. That means they could potentially browse through the CFO’s messages and take a peek at preliminary financial reports. If such information were to leak, it could become a dicey situation for publicly traded companies.
Many database administrators have similar power. “Most organizations don’t have a mechanism to track their activities 100 percent,” Gorbachev said.
IT executives also worry about careless employees who may inadvertently compromise company systems in a variety of ways.
”Personally, I am more concerned about safe data handling practices by our users—flash drives, use of public Internet access, lost or stolen tablets, phones and laptops, passwords on sticky notes—than I am about the security capabilities of cloud service providers and the intrusion of governments or other entities,” Brandon Robinson, network services director at ACES, a power management company in Carmel, Indiana, said via email. ACES uses cloud services for payroll, purchasing, expense reporting and some line-of-business transactional systems.
Another risk that shows up prominently on CIOs’ radar screens are external threats, like malicious hackers and malware.
Government surveillance could become a bigger concern if a large company got burned by it—for example, if a government had surreptitiously collected a considerable amount of confidential data from a company, and a malicious hacker broke into the government’s system and exposed the data. But there hasn’t been a high-profile case of that sort yet.
”If something like that happened, it would change the picture and have a profound impact,” said Jay Heiser, a Gartner analyst. “Otherwise, it’s premature for organizations to forgo the benefits of cloud computing, but it’s also an opportunity to revisit security concerns in general.”
At Needham Bank in Needham, Massachusetts, IT Vice President James Gordon, said the NSA scandal hasn’t horrified enterprise IT leaders because “I don’t think there’s been a relevant connection to how it impacts an organization yet.”
”Until they have a material loss or one of their peers has an accidental information disclosure, it won’t hit home,” Gordon said.
The level of concern about leaks due to government spying also hinges on the type, size and industry of a company. “I’m not aware of any instances of this happening to a mid-size wholesale company like us,” said Hal Greene, vice president of IS at Composites One, a distributor of plastic and glass products in North America that uses Google Apps.
But Paul Grewal, CEO of Sage Human Capital in San Bruno, California, an executive search and recruitment firm, worries about a nightmare scenario in which government snooping on his company’s data could result in a leak. “We are definitely concerned. It creates a liability,” he said.
A leak could be extremely harmful to the candidates seeking jobs, their current employers and the companies that are hiring. “Our data is extremely confidential,” he said.
The company would find itself potentially liable for breaching confidentiality agreements with clients, and it would also see a major trust breakdown.
Sage Human Capital deployed a business intelligence tool from Jaspersoft on the Amazon EC2 cloud service about six months ago to give clients a granular analytics view of how a search is going. “The reason we went to the cloud was ease of implementation and deployment,” Grewal said, adding he doesn’t plan on rolling back that decision.
He’s confident Amazon will provide top-notch encryption and security, but he’s also aware that “NSA has a heavy hand and can make offers people can’t refuse.”
Analysts say CIOs need to weigh risks and rewards and adhere to best practices, whether the government is snooping on their systems or not.
”The answer to whether the risks outweigh the benefits will be different for different companies and CIOs,” said Scott Strawn, an IDC analyst.
”Our advice to organizations is to recognize the sensitivity of their data, and if it’s highly sensitive, they should take very careful precautions about where they put it, and place heroic levels of protection around it,” Gartner’s Heiser said.
For starters, companies need to decide which applications and data can be put in a public cloud service, which can go in a private cloud service and which should remain behind the on premises firewall.
”You must be observant and think about data integrity before putting sensitive, mission-critical information in the cloud,” said Lars-Göran Eklöf, CIO at construction company Lindab in Sweden.
”We only use cloud services on a limited basis, and the information stored in the cloud, including sales statistics, doesn’t have a very high security classification,” Eklöf said.
Criteria that CIOs can use to calculate appropriate levels of security include how critical data is, and what the applicable laws and regulations for privacy and data security in their country and for their industry are.
IRB Services, an Ontario, Canada-based company which conducts independent reviews of clinical research involving humans, choose a software-as-a-service product from Intralinks for secure collaboration on review files because Intralinks can house the data outside of the U.S.
IRB Services customers in Europe have for some time not wanted their data stored in the U.S., according to Simon Corman, the company’s director of business operations. Before the NSA scandal, “we were just getting that question from compliance groups. Now we’re getting it more from an operational level,” he said.
IRB customers have always been concerned about the privacy of their data but the NSA controversy has “absolutely amplified the issue,” Corman said.
It’s also essential for companies to have clear, detailed usage guidelines for employee use of IT systems and handling of data. Companies should use stringent criteria for choosing their cloud computing vendors, examining their track record, security policies, data protection technology and service-level agreements.
In particular, CIOs should watch out for opportunistic and hyperbolic claims from vendors claiming to have technology that can completely shield data from government snooping.
”Vendors have absolutely no ability to make those claims,” IDC’s Strawn said. “They can’t execute on them. The NSA has a lot of power to do what they do. You can’t do much about it.”
If an agency like the NSA wants to monitor a particular system, it will, and if it can’t, it will get a court order to get the access it needs.
Also, just because data, systems and applications are hosted on premises doesn’t mean that government snoops can’t get to them. In fact, it’s likely harder for government spies to break into data centers run by Google, Microsoft, IBM, Salesforce.com and Amazon than to tap into the average enterprise network.
”I’m more comfortable with Microsoft’s security for our email than with handling that internally,” BCBG MaxAzria’s Fuller said. “We’re a fashion company, not a tech company. We need to focus our resources on producing great dresses people want to buy.”
Still, the NSA scandal worries cloud computing vendors, as they sense concern from current and prospective customers. “It’s not having a material impact. But it’s certainly causing people to stop and then rethink decisions, and that is, I think, reflected in our results,” said Rob Lloyd, Cisco Systems’ president of development and sales, during the company’s most recent quarterly earnings call.
The level of security offered by cloud vendors is mixed; from vendors that are new and inexperienced, to others that are outstanding and provide a better and safer environment than many organizations could afford themselves, according to Jos Creese, head of information, corporate resources, IT services at the Hampshire County Council in the UK.
”We need to be prudent as to who we select in cloud providers,” said Brian D. Kelley, CIO at Portage County government in Ravenna, Ohio.
Portage County is dipping its toes in cloud computing, and the NSA revelations made him and his team more aware of the cloud risks. “In IT, we’ve always had control of our systems and data, and with the new cloud model, we’re now relinquishing that control,” Kelley said.
”We certainly need to engage ourselves much more to know where our data is, how it is accessed and who can access it, and what to do when the cloud bursts,” he said.
(IDG News Service reporters Stephen Lawson in Miami, Chris Kanaracus in Boston, Joab Jackson in New York and Mikael Ricknas in London contributed to this article.)