One Year Post-Snowden: Shattered Trust Is Hard To Repair
Since Edward Snowden first revealed major cloud companies' cooperation with the NSA's covert surveillance, Microsoft and other vendors have been fighting hard to restore their image through public measures to protect users' privacy. While Redmond readers respect the effort to varying degrees, they're taking their own countermeasures.
More than a year since leaked confidential documents from former National Security Agency (NSA) contractor Edward Snowden surfaced, IT providers are still fighting to regain the trust of their customers. In that time, new revelations about the scope of government surveillance programs, like the one code-named "PRISM," and others continue to unfold almost daily.
While the government has maintained that its mining of metadata from the Web from sources including private e-mail, browser searches and cloud-stored data was necessary to protect against potential terrorist acts, many now mistrust the feds in the wake of the NSA's ongoing surveillance activities. In the meantime, IT organizations have looked for ways to ensure their enterprise data remains private.
It's no wonder that technology research firm Gartner Inc. ranked installing cloud access security brokers in every enterprise as highest priority for IT and information security professionals in its "Top 10 Technologies for Information Security" list. Released in June at the annual Gartner Security & Risk Management Summit, security brokers topped the list and were a key topic at the conference, held in National Harbor, Md.
"Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed," read Gartner's "Top 10 Technologies for Information Security" list. "In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises [a way] to gain visibility and control as its users access cloud resources."
If the Snowden leaks have proven anything, it's that many enterprises aren't willing to blindly trust cloud services providers to keep their data protected from unwanted access. And much of that burden falls to IT security teams -- whether that entails creating new positions such as a cloud access security broker, increasing encryption technology of data leaving the corporation or in evaluating services providers to see who will best protect their data when stored in their datacenters.
Concerned, but Not as Much
When Redmond polled 300 readers last summer ("Shattered Trust," October 2013), right as the NSA surveillance allegations unfolded, 46 percent said they were "very concerned" and 24 percent said they were "somewhat concerned" with the NSA's potential to access enterprise data without their consent. While concern levels are still currently greater than 50 percent, sentiments seemed to cool down a bit in the more than 10 months since Redmond originally conducted the poll. In an updated reader poll conducted in June of this year, 30 percent of 304 polled readers said they're still "very concerned," while 27 percent are "somewhat concerned" about unauthorized access of data by government agencies.
This mistrust is equally distributed to the cloud providers, according to readers, who also expressed concern about using online-based services from companies such as Microsoft, Google Inc. and Yahoo.
"Contributions by vendors to any mass surveillance effort is unacceptable; surveillance should be targeted and subject to judicial review on a case-by-case basis based on probable cause," commented Redmond reader and survey participant Peter L. from Florida. "That said, Microsoft's involvement, and that of Google, Facebook and others, came as no surprise. It speaks to the more fundamental question of the dangers of entrusting any third party with access to unencrypted data or the keys to encrypted data."
Enterprises Take Control of Encryption
Many in IT tend to agree with Peter, especially when it comes to bringing the responsibility for encryption in-house. Last year more than half (51 percent) of readers said they were looking to increase encryption for data being sent to the cloud. In the recent follow-up survey, that number dipped, with only 33 percent of respondents saying they were currently looking to beef up encryption. The decrease could be a good indication that in the wake of the revelations about the NSA's surveillance activities, many enterprises have already taken steps to boost their encryption efforts.
A recent study by the Ponemon Institute and sponsored by Thales that studied the global encryption adoption rate for 2013 appears to back this assumption. The report, "2013 Global Encryption Trends Study," found that among the 4,802 IT pros polled across eight countries, the percentage of companies that have an encryption strategy applied consistently across the entire enterprise was up to 35 percent in 2013 -- an increase from the previous year's high of 22 percent.
Gerry Grealish, CMO at Tysons Corner, Va.-based cloud protection services company Perspecsys, says his company has seen a jump in both interest and adoption of enterprise-grade encryption over the past year, and that more and more companies are taking responsibility for protecting their cloud-based data. "We have seen a rise in interest, driven by enterprise data privacy, compliance and security personnel," says Grealish.
The Perspecsys focus, which, according to its company slogan, aims to make the public cloud private, accomplishes this with products such as its AppProtex Cloud Data Protection Gateway. Instead of sending enterprise data into the cloud as a whole, AppProtex Cloud Data Protection Gateway keeps sensitive data protected behind an enterprise's firewall and only sends tokens or encrypted values to the cloud for storage. "Sensitive data never leaves the organization's control in any format, so information a cybercriminal or an unauthorized party obtains is either tokenized or encrypted, rendering it meaningless," explains Grealish.
Microsoft Battles for Privacy
While enterprises have many choices when it comes to third-party encrypting tools and services, trusting your data to a cloud provider means having faith that, whether it be from government surveillance or an outside data breach, the companies storing your data are doing all they can to keep it away from unwanted eyes.
Last year, when Redmond ran the initial reader survey, trust in Microsoft cloud-based services wasn't too high, with 55 percent of users saying the NSA revelations had them questioning using Office 365, 43 percent questioning using Microsoft Azure and 54 percent contemplating staying away from Microsoft OneDrive (called SkyDrive when the survey was conducted).
Since then, it looks like some of Microsoft's online services have regained a bit of their shine. Readers concerned about using the Office 365 service decreased to 35 percent this summer. Similar drops in concern also occurred for Azure (26 percent) and OneDrive (32 percent). The change in attitudes could be largely attributed to Microsoft's own efforts to keep customer data safe.
When the PRISM program was first revealed in leaked NSA slides, they alleged that Microsoft worked with the government agency by providing backdoor access to its services, including Outlook.com, Skype and OneDrive.
Microsoft was quick to release a statement on the matter, saying it doesn't allow unfettered access to data stored in its datacenters to anyone and that it only hands over customer data if compelled by a court order. "We have clear principles which guide the response across our entire company to government demands for customer information for both law enforcement and national security issues," read a public statement released by Microsoft.
The company has also backed up its words over the past year on two fronts: in the court and in the delivery of its own services. Microsoft has stepped up its efforts in recent months to challenge law enforcement data requests. In June the company filed an appeal over a U.S. search warrant for information stored in overseas datacenters, saying the warrant violates international laws due to the physical location of the servers in Dublin, Ireland. It's also been granted access to publicly disclose how many U.S. Foreign Intelligence Surveillance Act (FISA) requests it receives in bulk numbers, only. While the information provided is vague and non-specific, it's just one of many efforts the company has for bringing more transparency to law enforcement requests it receives.
Microsoft Regains Some Trust
However, while customer support appears to be on the rise for Microsoft cloud services, according to our survey, Microsoft's legal battles and a call for more transparency only has helped to regain some trust in the company for 40 percent of readers, with 60 percent saying it had little to do with changing their impressions.
One survey respondent said that Microsoft's legal actions could ultimately do little to exclude data it doesn't want to share. "The law being what the law currently is, I'm not certain that companies such as Microsoft really have a choice whether or not they will comply with government requests for information," said the respondent, who requested anonymity. "But that's why the law concerning what the government may request and under what circumstances it may do so, needs to change."
What has helped to sway the negative backlash toward Microsoft's cloud services has been its increased efforts in providing new and enhanced encryption technology in its services, which includes the release of Office 365 Message Encryption in February, Transport Layer Security (TLS) on Outlook.com for both incoming and outgoing messages, and Perfect Forward Secrecy (PFS) for its cloud storage service OneDrive.
This seemed to fare better with readers, as 55 percent said they had gained some level of trust in Microsoft's cloud offerings due in part to its increased privacy and security technology features. However, with almost half still not convinced, Microsoft, much like other services providers, has quite a ways to go to fully regain consumer confidence -- and in a post-Snowden world, that may be a tough bar to clear.