The Guardian reported on 7 June that ‘secret files’ show the US National Security Agency (NSA) has been mining data from Google, Facebook and Apple servers. While many of us may have suspected as much, does it pose risks for UK firms using US cloud services?
As the Independent pointed out in January, information stored by British internet users on major cloud computing services – such as Google Drive – can be spied upon routinely without the user's knowledge by US authorities under the Foreign Intelligence Surveillance Act.
The Guardian claims that the NSA access, enabled by US legislation, allows officials to collect material including search history, the content of emails, file transfers and live chats.
Although this may be news to the Guardian and Independent, savvy firms have known about the risks for years.
Where can I keep my cloud data safe?
The US Patriot Act makes it clear that it doesn't even matter which actual country your data is hosted in. If a cloud provider is registered in the US, it could be forced to hand over your data.
The Electronic Frontier Foundation publishes a handy guide to which companies help protect your data from the government, but it’s likely the NSA has the ability to circumvent this anyway.
But let’s not be too hard on the US. This is an area the UK is struggling with right now, as the current draft Communications Bill suggests MI5 should have the same ability as the NSA.
Protecting data in the cloud
Good reasons remain for migrating business computing into the cloud, and there are steps you can take to make sure sensitive information is encrypted, protected and recoverable.
In specific markets with regulatory issues – such as the legal sector – that means making sure the data is not held by US firms, but for most businesses choosing cloud services, it simply means understanding the risk you’re willing to carry, and then managing that risk.
Google’s terms, for example, essentially say it can do anything with the data it collects and processes on your behalf.
That’s not to say there’s a sinister plot to abuse your information (although it does mean Google does not need to inform you if there is a breach – which is probably the main reason for many of the clauses).
On the subject of which – what about the risk of data leakage?
Take the right precautions and you’ll prevent not only your cloud provider, but apparently now also the NSA (or MI5), from accidentally distributing your sensitive commercial information to all and sundry.
Data or information?
The important point is to understand the difference between data and information – if managed properly, encrypted information turns into meaningless data and can then be cloud hosted.
On Google Drive, for example, there are a plethora of tools that will encrypt the files on the endpoint before uploading them.
The real problem is exiting a cloud provider
The difficulty arises if you want to migrate between service providers. Unless you go through an appropriate due diligence phase before signing up, and ensure that you have an exit plan/strategy from day one, you’ll find that safe exit is the issue.
It’s not that easy to find examples of cloud services that give an absolute assurance that your data can be transferred and wiped when your contract is terminated.
Even if you migrate back into a traditional in-house data centre and your data was unencrypted, the NSA will be able to merrily trawl its way through your company’s previous records for as long as it likes.
Fortunately, as cloud matures, this issue is at least being tackled from a technology point of view. For example, Google has a dedicated engineering team – the Data Liberation Front – working on making it easier.
Understand your risks
With cloud services, risk management is the name of the game, and preparation is the key.
Businesses and individuals should assess the risks they’re willing to take – at what price – and apply a traditional ‘Avoid, Reduce, Share or Retain' methodology.
Using cloud is a risk-benefit driven decision, not a one-size fits all blanket.
