Do recent revelations about US cyber intelligence activities jeopardize our nation’s market leadership in cloud computing? Will enterprises – domestic and foreign alike – now favor foreign vendors, or even avoid the public cloud altogether? A review of the political and technical realities points to trouble for US cloud providers, but only for the short term.
In recent weeks we’ve seen a tangible backlash against the NSA’s PRISM program and those tech companies who cooperate, especially those who “don’t put up a fight.” It is the natural, reflexive reaction to the sudden awareness of a potential intrusion on our privacy, and it includes new scrutiny by individuals and enterprises as to whether they should entrust their data to US cloud vendors, who have already felt some impact on their rates of sales and churn.
As related news reports and editorials come online, they provoke a lot of comments that reflect public sentiment. These comments have expressed concern about the lack of transparency in federal policies and jurisdiction, and even outrage at what many believe to be unconstitutional surveillance.
But in the past week, public comments on news sites have started to incorporate a more balanced look at the situation. There is acknowledgement that US intelligence agencies are doing their jobs when they gather data on potential threats to national security, just as other governments do; that the NSA does not steal IP for economic gain as many other state agencies do, and that despite our deficiencies, the US agencies operate under tighter oversight than foreign agencies. Especially as Congress moves to improve transparency, there is a grudging awareness that US-based clouds may offer the best privacy, relatively.
But is it good enough to be simply less bad? As long as privacy remains a concern, there will be resistance to adoption of any public clouds, and, as the market leaders, US vendors will suffer.
Fortunately, cryptographic technology will ultimately make this issue largely moot for most cloud infrastructure, platforms and applications. To date, cloud vendors have been slow to implement proper cryptographic protocols, since demand has grown so quickly without them. But with the recent focus on privacy, SaaS, PaaS and IaaS providers must get around to implementing what they should have implemented years ago.
Specifically, data in the cloud must be encrypted using keys that are controlled by the customers who own them. So whether you use SalesForce, Box, Google Apps or Workday, you should have the option of encrypting your data both in transit and in storage. Many cloud providers offer encryption today, but they typically use one key for everyone, or at best they offer individual keys that are generated and controlled by the vendor.
The recent, notable exception is Amazon, whose CloudHSM service offers AWS customers access to Hardware Security Modules for key protection inside their cloud. It's time for others to follow Amazon's lead, so that customers can comply with their own regulations, data breaches will be far less catastrophic, and intelligence agencies will have to find new ways to snoop.
Until then, interim solutions from a new class of security startup — like CipherCloud, Vaultive, Vormetric, and Navajo (acquired by SalesForce) — enable you to encrypt your data before you send it to the cloud. Unfortunately, cloud providers cannot do much with encrypted data that they cannot decrypt: their applications cannot provide features such as sorting, fuzzy searches, and comparative metrics. CipherCloud and others have had to invent some kludgy workarounds (e.g. adding additional unencrypted index fields), with some but limited success. These solutions will be less compelling when clouds are properly secured.
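The limitation described above, as an added example that is not part of the original post and not any vendor's code: a keyed variant of the index-field workaround (an HMAC "blind index" instead of a plaintext index field), with the key held by the customer. The function names and surnames are constructed, and the ciphertext column is omitted to keep the focus on what the provider can and cannot do with the index.

```python
import hashlib
import hmac
import os

# Assumption: the index key is generated and held by the customer, never the provider.
INDEX_KEY = os.urandom(32)

def blind_index(value: str, key: bytes = INDEX_KEY) -> str:
    """Keyed, deterministic token for exact-match lookup on a normalized value."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()

# Constructed sample data: surnames the customer wants hidden from the provider.
SURNAMES = ["Alvarez", "Baker", "Chen", "Baker", "Dubois"]

def provider_rows(names, key=INDEX_KEY):
    """What the provider stores: a row id plus the index token (ciphertext omitted)."""
    return [{"id": i, "name_idx": blind_index(n, key)} for i, n in enumerate(names)]

def exact_match(rows, token):
    """Provider-side lookup: compares opaque tokens and needs no key."""
    return [r["id"] for r in rows if hmac.compare_digest(r["name_idx"], token)]

def prefix_match(rows, prefix, key=INDEX_KEY):
    """Prefix search attempt: a prefix's token is unrelated to the full value's token."""
    return exact_match(rows, blind_index(prefix, key))

def provider_sort_order(rows):
    """Row order the provider gets when sorting by the only column it can read."""
    return [r["id"] for r in sorted(rows, key=lambda r: r["name_idx"])]

def repeated_tokens(rows):
    """Leakage: equal plaintexts give equal tokens, so duplicates show without the key."""
    groups = {}
    for r in rows:
        groups.setdefault(r["name_idx"], []).append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

if __name__ == "__main__":
    rows = provider_rows(SURNAMES)
    print("exact 'baker':", exact_match(rows, blind_index("baker")))
    print("prefix 'Bak':", prefix_match(rows, "Bak"))
    print("sort by token:", provider_sort_order(rows), "(not alphabetical order)")
    print("duplicates visible to provider:", repeated_tokens(rows))
```

Exact-match lookups work, but prefix search returns nothing, sorting by token has no relation to alphabetical order, and the provider can still see which rows share a value.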
For IaaS and PaaS vendors, the imperative to hand the keys to the customer is clear, but for SaaS providers, it's trickier, since their apps need to "borrow" the keys. For those customers who cannot tolerate even the smallest risk of exposure to those nation states with formidable cyber capabilities, tradeoffs will have to be made between security and features. There will also be tradeoffs in convenience, since mobile devices will need key management systems or VPNs. The most difficult application to secure would be one that requires sharing among individuals who do not typically have cryptographic keys, which is why Lavabit and Silent Circle just shuttered their secure email services (although I expect Phil Zimmermann will craft a workable solution in time).
Cloud computing still promises compelling benefits, and US vendors have competed well on features and services, benefitting from deep and rapid innovation. But it's time now for them to properly defend their data, and market share, by attending to security. We should expect these cryptographic capabilities to generally come to market in 2015; until then, the forecast for the sector remains Partly Cloudy.
Gorgeous!