Practicing Safe SaaS: The New Reality of Information Technology
Once a catchy PR buzzword, the cloud has become a very real and vital element of the modern technology landscape. But as with every technological step forward, the cloud has brought with it some unintended side effects. In the case of enterprise cloud technology, those side effects include concerns over loss of control and security risks.
That’s especially true since revelations were made earlier this year about mass data surveillance programs, such as the National Security Agency’s PRISM project. If you host your company’s data in a public cloud, such as Amazon Web Services or Microsoft Azure, what assurances do you have that government agencies aren’t monitoring — or may subpoena — your data?
Cloud providers have stated unequivocally that they do not give direct access to the NSA, FBI, or other organizations — but it’s also widely known that these agencies have broad access to many data sources once considered private. What’s more, the government agencies have the legal capability, via National Security Letters, to request information along with a gag order that prevents the subpoenaed company from talking about the request at all. During the last six months of 2012, Facebook said it had received as many as 10,000 requests from local, state, and federal agencies, which impacted as many as 19,000 of its 1.1 billion accounts worldwide. Over the same period, Microsoft received between 6,000 and 7,000 criminal and security warrants, subpoenas and orders affecting as many as 32,000 customer accounts. As a result, a public denial might not even mean anything.
In short, security is now a critical issue for any IT manager contemplating using cloud technologies. Not surprisingly, IT pros are very suspicious of the cloud.
According to a recent IDG report titled “Cloud Computing: Key Trends and Future Effects,” three out of five companies believe cloud file-sharing has compromised their data security. As a result, an average of 61 percent of companies’ files are still stored locally — due to IT managers’ low confidence in the security of cloud-only storage.
The privacy concerns that PRISM has raised among companies are having a trickle-down effect on cloud companies. The Information Technology and Innovation Foundation (ITIF) has estimated that PRISM will cost U.S. companies relying on cloud technology between $22 billion and $35 billion over the next three years.
Forrester analyst James Staten says that the ITIF estimate is too low and estimates the impact could be as high as $180 billion, or a 25 percent hit to overall IT service provider revenues, in that same timeframe.
Yet PRISM could also present a business opportunity to cloud providers who are in a position to offer more-secure alternatives. For example, Egnyte, an enterprise file-sharing provider based in Mountain View, Calif., is seeking to address the rising vulnerabilities inherent in data transferred via the cloud. Its “PRISM Prevention Program” has a cheeky name, but the name underscores a real issue: how to protect your company’s most vital data.
Industry analysts recommend that IT pros categorize data under their care according to the sensitivity of each file, using a green, yellow, and red system to signify files of low, medium, and high sensitivity. While green files can be safely shared with anyone, red files should never pass outside the company. This underscores the need for easy data and file sharing without placing business-critical data in the cloud, which will eliminate issues of data breaches or government agencies accessing those files.
In order to implement such a solution, companies can still use a cloud or SaaS provider, as long as that provider enables the customer to control how their data is accessed and shared. Green files can be stored on public cloud service providers with little concern that they might wind up in an NSA data center some day — if they do, it’s no big deal. Yellow files require a higher degree of caution, with European Union data staying in EU datacenters and not being stored on U.S. soil. Red files require the highest level of protection, and could be encrypted, stored locally, or stored in well-secured private clouds managed entirely by the company.
The SaaS application should be able to work across all these data access paths.
With cloud storage aggressively fighting to become the standard, protecting your enterprise’s valuable and confidential files should be a precaution, not a band-aid once files have been inevitably compromised.
*This post was written by VentureBeat staff and originally appeared in VentureBeat.