Can CXOs protect customer data from spying eyes?

Not a week seems to go by without another revelation about the NSA, and other national security agencies, accessing companies’ data. But whether you are reassured that national security is being maintained or less enthusiastic, as Noam Chomsky was in a panel discussion at MIT last week [1], can a CXO do anything to protect customer data from prying eyes? Chris Gabriel takes a look.

According to The Information Technology & Innovation Foundation, the US cloud computing industry could stand to lose up to $35 billion by 2016 due to the NSA PRISM project, a clandestine mass electronic surveillance and data mining programme which, according to leaked reports by NSA contractor Edward Snowden, is the “number one source of raw intelligence used for NSA analytic reports”. Forrester analyst James Staten considered that the real cost could amount to $180 billion or 25% of overall service provider revenues in the same timeframe.[2]

Scary numbers, particularly if you are a stateside cloud services provider, but the implications spread further than the shores of the US.  On the one hand, non-US providers are happily marketing their services as beyond the reach of the US government and the NSA, although according to commentary in a recent CIO.com article[3], this might well be dubious from a legal and technical point of view. Nevertheless non-US based cloud providers will consider it an advantage.

On the other hand the issue has revitalised previously rejected EU plans to prohibit sharing of data with the NSA, placing providers on the horns of a dilemma; violate EU law prohibiting transfers, or violate US law compelling the production of data.

Some US companies may open EU subsidiaries and data centres, and according to the New York Times, “German executives and some politicians are beginning to talk of segmenting the internet”[4] to avoid sending data unnecessarily across the Atlantic - effectively creating, in the words of Bloomberg correspondent Hans Nichols, a “German internet”.[5]

So how to protect data from unwanted intrusions?  At one end of the scale technology giants such as Google and Microsoft are introducing enhanced data encryption. Yahoo and Facebook are moving towards 2048-bit encryption keys which, according to the National Institute of Standards and Technology, will not be breakable using known computing power until at least 2030.[6]  At the other end of the scale, the colourful John McAfee announced in September a $100 device that would protect consumers, at least, from NSA surveillance.[7]

But back to the CXO.  Effectively, this all boils down to following the advice highlighted by my colleague Ian Ross in his article about data sovereignty.  Specifically, make sure your cloud contracts are robust with regards to ‘managing sensitive data, storage location, access by other entities, breach notification obligation, disaster recovery, monitoring and termination.’

Good house keeping can help too - for example Vodafone detected infiltration during a regular review of log data.  Equally there is a great deal of merit in ensuring that machines and networks storing sensitive data are physically isolated from the internet, and allowing very little connection with the internet during their initial configuration.  This method know as an ‘air-gap’ can be very effective in preventing the creation of ‘government backdoors’.

So CXOs can go some way to protecting themselves from unwittingly sharing customer data with security services and, in turn, reassuring customers that their data is as safe as practicably possible.

But of course the security forces’ role will always be to know, not to be known – so it is very hard to be sure, at least until the facts leak out.