PRISM casts new light on cloud security concernsPrint publication
Issues of data management and date security continue to be in the spotlight.
Recent media reports have revealed the existence of a computer system called PRISM through which officials at the US National Security Agency can apparently track and store information flowing through server networks located in the US and operated by Google, Facebook, Microsoft and other technology companies.
Many of the operators involved have expressly denied knowledge of PRISM, and claimed that they do not participate in any surveillance programme that involves granting direct access to their systems. However, the revelations seem certain to undermine customer confidence in the relative security of cloud-based data storage solutions, particularly those offered by public cloud service providers based in the US.
Industry surveys undertaken in the light of the recent disclosures have suggested that the majority of potential users of cloud-based systems are now “less likely” to use a US-based public cloud service provider because of PRISM. Analysts at the US-based Information Technology and Innovation Foundation believe PRISM will have an “immediate and lasting impact” on the competitiveness of US firms if foreign businesses conclude that the risks of storing their data with US-based public cloud services outweigh the benefits. They suggest that such concerns could ultimately threaten up to $35 billion in contracts over the next three years.
The view from Europe is much the same. Neelie Kroes, the European Commissioner for Digital Agenda, recently said “if European cloud customers cannot trust the US government then maybe they won’t trust US cloud providers either…..if businesses or governments think they might be spied on, they will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out”.
Is the cloud going private?
The industry view appears to be that while PRISM won’t kill the cloud, it is likely to prompt potential users of cloud storage solutions to seek out alternative, more secure, online services.
At present, the most widely recognised cloud computing model is the public cloud, which involves a provider making resources, such as applications and storage, available to users over the internet, either free or offered on a pay-per-usage model. The main benefits to the user of a public cloud service are twofold. First, it is easy and inexpensive to set up, because hardware, application and bandwidth costs are covered by the provider. Secondly, the service is highly scalable and economical, because under the most common pricing models you will only pay for what you use.
In contrast, a virtual private cloud represents an on-demand configurable pool of shared computing resources allocated within a public cloud. As the name would suggest, a virtual private cloud offers users a certain level of isolation, through allocation of a Private IP subnet and use of encrypted communication channels, resulting in increased security and control.
In the aftermath of PRISM, we can expect providers of cloud-based services to react to growing customer concerns over security by increasing the availability of alternative, more secure, solutions, such as managed cloud, or on-premise private cloud, at the expense of the more established public cloud service model.
Is the Safe Harbour still safe?
In a related development, the European Commission recently confirmed that the existing ‘Safe Harbour’ arrangement between the EU and the US is under review.
Existing EU data protection laws prevent companies from transferring personal data outside of the EEA unless the company can show either that “adequate protections” have been established in respect of the particular transfer, or that the destination country has otherwise been pre-approved by the Commission as having introduced an adequate data protection regime. Although the US is not recognised as having introduced an adequate data protection regime, the Commission and the US Department of Commerce have developed Safe Harbour as a scheme that allows for the transfer of personal data from Europe to the US if the US recipient is (self-)certified under the scheme as having adequate data protections systems in place that meet the minimum required standards, as outlined in the EU Data Protection Directive.
In the light of the PRISM revelations, the European Parliament has called on the Commission to review the Safe Harbour arrangements, following reports that US-based data recipients that are certified under the Safe Harbour scheme were amongst those who were involved in the PRISM programme. The Commission has since confirmed that the arrangements are indeed under review.
However, despite the recent headlines, it is perhaps more appropriate to consider the Commission’s review of Safe Harbour within the context of its wider ongoing review of EU data protection laws. Such review, launched in January 2012, is intended to reform and update the EU’s data protection framework within a new General Data Protection Regulation, which would apply across all 28 EU member states, and replace the existing “fragmented and outdated” regime. So whilst the uncovering of the PRISM programme may not directly bring about the collapse of Safe Harbour, it is likely to have a bearing upon the outcome of the ongoing review.
Walker Morris has a broad range of experience in helping clients to safeguard the security of their data, and advising them in respect of their data transfer arrangements. Data management and security will continue to be a key issue for clients who require secure methods and locations for storing ever-increasing levels of personal data.
Please contact us if you would like to discuss further any of the developments considered above, or any data protection matters more generally.