The long arm of the National Security Agency has shaken the apparent inviolability of confidentiality offered to organizations with overseas operations by U.S.-based (or owned) Cloud providers.
Since its popular emergence in the earlier part of the last decade, cloud computing has transformed how we lead our digital lives, has helped break down barriers and has changed the way whole industries do business. The explosive adoption of Cloud computing in all its forms and flavors by consumers, where appeal and utility mostly trump concerns over privacy, is well known. But for businesses, putting the Cloud under the lens of due diligence is seen as just good business practice. How effective that lens can be when it takes place under the watchful eye of PRISM remains to be seen. (PRISM is a surveillance program used by the NSA to collect emails, documents, photos and other material for agents to review.)
When former CIA contractor Edward Snowden leaked the workings of PRISM to expose the mass harvesting of information from major U.S.-based Information and Communication Technology providers, he managed to simultaneously dent Booz Allen Hamilton’s stocks by 4 percent, potentially threaten national security and cause deep consternation with U.S. allies.
His actions also put a huge question mark on all contracts signed by non-U.S. entities with U.S. Cloud providers.
It all sounds like a real-life Spy vs. Spy story, particularly if you’re a CFO working in an organization whose existence depends on securing core intellectual property and trade secrets, or where information security and privacy is critical to the organization’s reputation, and especially when you add the alleged involvement of China in targeting organizations for commercial gain to the mix.
The covert visibility into your Cloud by government agencies, and others for that matter, has those concerned over privacy, industrial espionage and intellectual property theft seeking definitive answers to the now-obvious question: Cloud vs. Regulators – Who wins? Time will tell how our globally dominant digital landlords such as Google, Microsoft, Facebook, Apple, Amazon and others will respond to the increasing concerns of security, confidentiality and privacy in the presence of an overarching eavesdropping environment created by the NSA.
Enterprise Clouds are complex, sophisticated entities which invariably rely on a daisy-chain of third parties and contractors to help build, run and maintain their Cloud provider’s systems. The organizational and technical complexities are additive, resulting in increased systemic risk. Systemic risk is the least visible and hardest to eliminate, and those risks become real when the providers’ systemic risks become
The question is, how well does your Cloud provider manage the ecosystem of contractors and third parties that are farther down the food chain? This is even more relevant in the globalized workforce, where, paradoxically, Cloud and related technologies have greatly facilitated the outsourcing and offshoring of work to low-cost countries.
At the end of the day, if you have mission-critical data and information in the possession of a third-party service provider – Cloud or otherwise – the assumption that your provider will be in full control over their environments may be drawn into doubt. As a CFO, it is prudent to consider your next steps very carefully to ensure that your intellectual property and trade secrets do not become the assets of others.
Rob Livingstone, a former CIO, is the author of Navigating Through the Cloud. He runs an IT advisory practice and is also a Fellow at the University of Technology Sydney (UTS), Australia, where he teaches strategy and innovation in UTS’s flagship MBITM program. Visit Rob at www.rob-livingstone.com or e-mail him at [email protected].