A survey of almost 300 IT security professionals at RSA 2014 shows that trust in cloud security has increased slightly over the last 15 months – but not by very much. By February 2014 the number of professionals who prefer to keep sensitive corporate data within their own network had fallen from 86% (November 2012) to 80%.
But more surprising, the fear of specific government snooping has fallen from 48% (pre-Snowden revelations) to just 30% (post-Snowden). These figures appear to be counterintuitive. While trust in the cloud remains low and has improved only 6 points, trust in the government appears to have improved 18 points.
One possible cause is that revelations about the extent of NSA snooping have quantified a pre-existing but nebulous fear. Security professionals have always been aware that the Patriot Act allowed, and was being used to provide, government access to cloud data – but they did not know to what extent or for what purpose.
"The fact that the government is snooping within our IT environments and on our phone calls isn’t a big revelation," explains Calum MacLeod, VP of EMEA for Lieberman Software (the firm that conducted the survey), "and when the NSA scandal broke it should not have come as a big surprise to those who work in the security industry. Government surveillance has been around for a very long time and unless you’re doing something against the law it shouldn’t be a concern."
It is possible, then, that consistent government protestations that the NSA does not engage in commercial espionage may have reassured some professionals, who have then been further reassured by generally improving cloud security. "Security professionals realize that the major cloud service providers offer very comprehensive security," continued MacLeod, "and ultimately their willingness to invest in technology to protect their clients probably offers a more secure environment than off-shoring companies, particularly in India who seem to think that everything can be solved with cheap labor."
Be that as it may, the fact remains that almost a third of security professionals distrust the cloud primarily because of government snooping and are not reassured by NSA explanations. The implication here is that many companies simply do not believe that the NSA does not engage in commercial espionage, and that they are therefore concerned over the privacy of their commercial secrets.
"Industrial espionage is important to major economies," MacLeod suggested to Infosecurity, "and especially countries like China because it is viewed as a method of levelling the playing field by adopting a strategy that neutralizes the enemy without direct confrontation. In fact," he continued, "if the NSA is not involved in industrial espionage, they’re either extremely naïve or being economical with the truth."
MacLeod suggests that government industrial espionage is a matter of course. "How did the US government become aware of bankers and businesses that were involved in breaking embargoes with Iraq unless somebody was watching?" This constant watch can then become a concern for future business. Consider the possible ramifications over the current troubles in Crimea. Different countries have different laws and attitudes. What are the ramifications, he asks, "for a business that legitimately supplies products to Russia from their own country, and their future ability to continue to do business in the US?"
But he stressed that this concern should be applied to all and any government snooping, and not just the NSA. "It's not simply the NSA," he warned, "and undue focus on NSA snooping simply makes the industrial espionage of other governments easier."
As if to prove his point, Le Monde reported last week that the French intelligence agency has complete and unfettered access to all of telecommunications giant Orange's customer metadata. The DGSE and agents with military clearance have been working with Orange, formerly known as France Telecom, "for at least 30 years", said Le Monde. "According to GCHQ [via a document from the Snowden files], the DGSE and the French incumbent work together to improve the national interception networks communication skills and work together to break the encryption of data flowing through the network. France Telecom is a major player in the surveillance system in France."