Happy birthday to the secure cloud ... one year old


We have just passed the first anniversary of what can quite accurately be described as not only a pivotal moment in the development of cloud security, but *the* pivotal moment.

It was on 5 June 2013 that The Guardian first broke the Edward Snowden whistle-blowing scoop which revealed the US government had been snooping on our data. During the seven days that followed, the newspaper drip-fed us more and more information, from disclosing the existence of the PRISM database being used by the NSA to monitor and extract data from email and other online services, through to claims that US intelligence services had been hacking global networks for years. That week represented the moment when the future of the cloud was saved beyond any shadow of a doubt.

Of course, a year ago it really didn't look like any such thing; quite the opposite in fact. Forrester even went as far as suggesting it would cost American CSPs as much as $180b (£107b) in lost business as organisations the world over fled from the cloud, or at least abandoned those clouds which hung over the North American skyscape. I even joined in the doom and gloom spreading, at least as far as US cloud businesses were concerned, with reports of niche market 'geofenced' CSPs keen to take up the perceived security slack. Yet within nine months I was eating humble pie and revealing that trust in the cloud was on the up. So what happened, and what have we actually learned in the last year?

The 'what happened' bit is easy to explain: a catalyst happened. Snowden and his accounts of what was going on acted as confirmation of what many of us thought, but had no evidence of to back it up.

Think about it; before Snowden you probably suspected that 'the government' was capable of snooping on your data but post-Snowden you know that not only was this true but that they were actually hoovering up all sorts of information. The revelations have led to a far better understanding of what data security in the cloud should mean, and forced the hand of the cloud industry to move towards ensuring that's what the market gets. The cloud is now more secure than it has ever been, and truth be told, more secure than many enterprises have ever been.

What we have learned in the last year is that the questions we ask, and the answers we receive, are the oil which keeps the wheels of data security in the cloud turning. The number one question being: is there an audit trail I can follow? The second one follows on from that: can you make it a contractual requirement that everything, from the initial audit to ongoing routine auditing, is transparent? But does it matter if you are still using US-based cloud services post-Snowden? Probably - although it seems that everyone is carrying on as before.

For me this is something of a cause for concern given that, for all the rhetoric, nothing has really changed and nothing is really likely to change from a governmental position as far as the right to snoop is concerned. If you are not worried about where your data resides, and who has access to it, then you should be. The question that you should be asking is 'where does my data reside in transit and at rest?' and you need to further ensure that you fully understand what the answer means in real world terms with regard to access rights for law enforcement agencies.

The answers must provide reassurance that you will not be in breach of regulatory compliance requirements at one end of the ethical scale and in breach of your customers' trust at the other.

Given that the US has never been considered a safe place to store data because otherwise the EU Safe Harbor agreement would not have been required, the key words you should be using when talking to your CSP about data sovereignty issues should be 'geolocation' and 'geofencing'. You may be surprised, although you shouldn't be if you accept my Snowden-as-a-catalyst-for-change argument, that those US-based CSPs will probably have the answers you are looking for and will be able to geofence your data should you so require.

And that, right there, is the important bit: as long as you make sure that you are asking the right questions and making the right choices based upon the answers you receive, this is not an anniversary that should be treated with great sadness but rather a birthday to be celebrated: the more secure and more transparent cloud is one year old ...

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.