Through A PRISM Darkly


The U.S. government's admission this week that it has been engaged in large-scale collection of data on private citizens' activities was a revelation that brought considerable response from all points on the political spectrum. As there are already plenty of commentators extemporizing on the political and social implications of the news, let me focus on the technological implications, which I expect will be significant.

The first and most profound effect will be a serious reconsideration of the wisdom of putting data into the public cloud. The previous argument for migrating data and apps to the cloud was that cloud hosts, such as Amazon, Google, and Microsoft, are much better at defending their systems from hackers than most corporate IT departments are. This view is supported by the contention that those companies can afford to hire hundreds of security professionals to provide the necessary protection, vigilance, and intelligent response — while most IT organizations can hire perhaps a few dozen, with no real ability to scale response in times of attack.

This argument, taken by itself, is still valid. However, it can no longer be taken by itself. A new dimension has appeared; namely, that the government can more or less at will see the contents of communications and data held on servers at cloud hosts. The important factor is that the government can gain this access without ever notifying the target company that its data has been copied to government servers.

By contrast, a company that hosts its data behind its own firewall stands a better chance of being subpoenaed for access to the data. The subpoena gives the company the ability to review the request, contest any errors, or seek to limit its scope.

Private clouds are an inherently partial solution, however. Some IT operations must be outsourced. For example, very few companies host their own websites in internal datacenters. Websites are almost always hosted by specialist companies that can provide the full infrastructure and the large pipes. Likewise, financial transactions, especially in consumer industries, are invariably handled by third parties whose records can be subpoenaed as if transaction data belonged to the processor rather than the vendor. And so on.

If companies in greater numbers insist on private clouds because of the controversy, they will likely add universal encryption as a standard business practice. Such encryption — which is costly, burdensome, and affects the performance of all transactions — will become necessary not just because of the issues raised by government access, but as a defense to increasingly potent commercial and sovereign cyber attacks.

While attacks against companies five years ago were mostly a scourge brought on by script kiddies and criminal gangs, the new waves of attacks are much more serious. State-sponsored cyber attacks from China, North Korea, and Iraq now have the goal of disabling businesses, rather than simply stealing trade secrets or customer data.

Earlier this year, for example, operations at several South Korean banks were frozen for several days by just such an attack, which was traced to the country's northern neighbor. Earlier, the Saudi-Arabian national oil firm Aramco suffered a disruption in operations caused by Iranian cyber warriors.

When you speak with security experts, they are concerned that corporations are still slow in preparing for such attacks. They see a pervasive sense of denial at many companies or, even more incredibly, a conviction that current security measures are sufficient. The release of the details on the government eavesdropping might well disabuse IT organizations of both notions. The threat is not so much getting caught up in a terrorism investigation, but rather that if the government gathers proprietary data or trade secrets in the course of an unrelated investigation, it has no obligation to the data owner to protect the data or accord it any special protection now or in the future.

— Andrew Binstock
Editor in Chief
alb@drdobbs.com
Twitter: platypusguy

