One year later: Lessons learned from the Snowden-NSA scandal

A year ago this June, things were uncertain for U.S.-based cloud service providers after revelations of the National Security Agency’s surveillance of customer data intercepted from U.S. tech companies. The U.S. tech industry was on the defensive amid concerns that customers would shift their hosted data and services to providers in other parts of the world. U.S. businesses ostensibly stood to lose up to $35 billion over three years as a result, according to a dire prediction by the Information Technology and Innovation Foundation (ITIF). Forrester put the losses as high as $180 billion.

Despite the world-is-ending cries, we all soon found that the sky has not fallen and the industry is strong. Enterprise spending on cloud computing is projected to surpass $174 billion, up 20 percent from last year, and reach $235 billion by 2017, according to IHS Technology.

The prospect of NSA’s PRISM, the clandestine mass electronic surveillance data mining of Internet and phone traffic, didn’t sink the cloud industry. But it did bring to the forefront issues related to security and compliance that enterprises and vendors need to address. It also hastened a shift that was already happening long before the scary headlines hit. We didn’t see a drop off in customers seeking our cloud computing software and services, but we did notice an uptick in enterprises favoring local cloud providers, and asking to ensure and enforce the geographic location of their data. Multinational companies are very concerned with complying with data location laws and cloud providers must be able to support geofencing and geolocation of data. Enterprise-grade cloud providers can no longer move data around without client awareness and approval.

Security and performance, however, should be more of a priority for businesses than where the service provider is located. The U.S. gets a bad rap, but it’s certainly not the only country in which the government has authority to get content from providers. In fact, data can be provided voluntarily without the need for legal process, customer notification or court orders in a number of European countries.

A $2 billion enterprise and global manufacturer uses our cloud service that primarily runs on our Virginia data center, with disaster recovery services at another center in San Francisco. The company has more than 40 facilities around the world. For the manufacturer, it isn’t about where the data is located but instead about the security, reliability, and performance of its cloud service.

One of the most important lessons to come out of the NSA scandal is that businesses need to ask the right questions about the security, performance and compliance of their cloud computing environment. In addition to making the best business decisions possible, companies have to deal with attacks coming from all corners of the world and even from inside their own companies. But where to begin?

Here are the top five questions every chief executive should ask the chief information officer about their cloud provider:

• Does the provider follow information security best practices, including multi-factor authentication, strong data encryption for the entire lifecycle, and hardened operating systems, as well as the results of routine audits?
• Is the provider compliant with industry-specific compliance frameworks like FedRAMP, ISO27000, PCI, FISMA, and HIPAA? Demand the full reports, not just the cover sheets.
• Does the service-level agreement say the company will be compensated for the data losses in the event that happens?
• Are there host resources, networking, data backup and other redundancies as well as tested disaster recovery plans to mitigate the risks of data loss?
• The billing model should be consumption-based, but are there any large upfront costs? If so, that’s unusual.

The NSA scandal wasn’t a bump in the road. On the contrary, it served to strengthen the cloud computing industry by forcing providers to step up their game and reminding businesses to carefully scrutinize their providers. The industry is stronger than ever.

Simon Aspinall is president of the service provider business at enterprise cloud software and service provider Virtustream.