Revelations of US and UK internet surveillance by whistleblower Edward Snowden (pictured) have changed attitudes towards cloud computing, a study claims.
The research report by Vanson Bourne highlights nine “after-shocks” that are leading organisations to rethink how they use cloud computing.
Almost 90% of respondents to a survey commissioned by security consultancy NTT Communications said they were changing their cloud-buying behaviour as a result of Snowden’s revelations.
The survey polled 1,000 information communication technology (ICT) decision makers in the UK, US, France, Germany and Hong Kong.
Around six in ten of those not currently using cloud said the revelations have prevented them moving information communication technology into the cloud.
A total of 38% said they have changed their procurement conditions for cloud providers, with 31% moving data to locations where the business knows it will be safe and just 5% saying location did not matter.
ICT decision-makers now prefer buying a cloud service that is located in their own region, especially EU respondents (97%) and US respondents (92%), the study revealed.
Just over half said they are carrying out greater due diligence on cloud providers than ever before, with 16% delaying or cancelling contracts with cloud service providers.
More than four fifths feel they need more training on data protection laws and 82% agree with proposals to separate data networks.
Len Padilla, vice-president product strategy at NTT Communications in Europe, said allegations of internet surveillance have hardened ICT decision-makers’ attitudes towards cloud computing.
“This includes modifying procurement policies, scrutinising potential suppliers and taking a heightened interest in where their data is stored,” he said.
More on cloud security
However, Padilla said that despite the global security threat, business executives need to remember that cloud platforms help firms become more agile.
“They also foster technology innovation, even in the most risk-averse organisations,” he said.
According to Padilla, ICT decision-makers are working hard to find ways to retain those benefits and protect the organisation against being compromised in any way.
“There is optimism that the industry can solve these issues through restricting data movement and encryption of data,” he said.
But, John Howie, chief operating officer of the Cloud Security Alliance said the reality is that just about every government in the world has an intelligence capability.
“They are all doing largely the same thing to protect their country and its citizens,” he told Computer Weekly.
Howie said the documents leaked by Snowden show that the US, UK, Germany and others have shared this type of information.
“While in France there is legislation on the books that permits the government to monitor its citizens’ use of the internet, ostensibly to protect intellectual property,” he said.
He also points out that the European Union has its data retention directive, which requires all metadata about phone calls, email messages and web traffic be recorded and stored for a minimum of six months and a maximum of two years.
“Many European states are doing exactly the same thing as the US and UK, but this has been lost in the debate.
“There is a lot of attention on and scrutiny of US cloud service providers, but a European cloud provider would be obligated to follow the laws of any country in Europe where they operate.
“This includes the UK, France, Germany and others, which are perfectly capable of going to a cloud provider and demanding to access customer data,” he said.
Howie said organisations simply need to understand that lawful access to their data by a government is entirely possible and legal in terms of most national laws.
He said if goverments want access to data, they will find a way, even if it is stored on premise in a datacentre.
Therefore, Howie believes there is no point in organisations avoiding cloud services in general and US cloud providers in particular just because of the Snowden revelations.
“Just because a cloud provider is European, does not mean it is not in cahoots with the country where it has its headquarters,” he said.
“At the same time, if a European cloud provider has any footprint in the US, it is still subject to US law and would have to comply with any data access requests,” added Howie.
Despite this reality, he said the fact remains that cloud service providers are “much better” at managing the security and privacy of data and they do resist extreme requests for access to data worldwide.
Finally, Howie points out that, from the transparency reports published by a growing number of cloud service providers, it is clear the data requested by governments relates to a fraction of the data managed by them.
“A lot of the noise in Europe is being made by politicians trying to make a name for themselves or trying to drum up business for European cloud providers, who can no more guarantee that data will not be accessed by governments than any other cloud providers,” he said.