Cloud adoption shaken by Snowden revelations: Survey
By Edwin Yapp May 2, 2014
- In a post-Snowden world, cloud users become more careful
- Data sovereignty, privacy and security still top-of-mind concerns
THE revelations of large-scale cyber-surveillance last year by the United States and other governments have prompted enterprises around the world to rethink their cloud computing strategies, with many closely scrutinising how they go about adopting the technology despite acknowledging that there are real benefits, a new study has found.
Entitled NSA Aftershocks: How Snowden has changed ICT decision makers’ approach to the cloud, the study commissioned by NTT Communications noted that ICT decision-makers want to guarantee the sovereignty of their data but at the same time reap the benefits of cloud computing.
Conducted by market research firm Vanson Bourne, the survey interviewed 1,000 ICT decision-makers from France, Germany, and Britain (200 respondents each), Hong Kong (100 respondents) and the United States (300 respondents) between February and March 2014.
Sixty percent of respondents were drawn from businesses with 1,000 employees or more, from such sectors as financial services, retail, manufacturing, professional services, ICT, and energy.
The study comes on the back of startling revelations made by Edward Snowden, a former Central Intelligence Agency (CIA) and National Security Agency (NSA) computing contractor, who last year began revealing startling details about what the US and British governments were doing behind closed doors.
This included the massive extent to which the NSA and its British counterpart the Government Communications Headquarters (GCHQ) collected phone and Internet data from citizens. The spying went as far as listening in on German Chancellor Angela Merkel's cellphone.
Meanwhile, the NTT Communications study highlighted a number of significant findings::
- Almost nine in 10 (88%) ICT decision-makers are changing their cloud buying behaviour, with over one in three (38%) amending their procurement conditions for cloud providers;
- Only 5% of respondents believe location does not matter at all when it comes to storing company data;
- More than three in 10 (31%) ICT decision-makers are moving data to locations where the business knows it will be safe;
- Around six in 10 (62%) of those not currently using the cloud feel the Snowden revelations have prevented them from moving their ICT to the cloud;
- ICT decision-makers now prefer buying a cloud service that is located in their own region, especially EU respondents (97%) and US respondents (92%);
- 16% is delaying or cancelling contracts with cloud service providers; and
- More than four-fifths (84%) feel they need more training on data protection laws.
"The content of the study paints a vivid picture of real concern for the sanctity of corporate data in the cloud,” read the executive summary of the report.
“A further key finding is that ICT decision-makers still very much value the cloud as a platform for boosting business agility and technology innovation, so even though there is disquiet, there is also optimism that the industry will address these concerns.
“ICT decision-makers need a way to retain the benefits derived from cloud computing whilst protecting the organisation, and the data it holds, from being compromised in any way.”
The report noted that across the five countries surveyed, almost a third of ICT decision-makers (31%) said they are moving their business data to where they know it will be safe, defined as procuring cloud services from within an organisation’s own continent.
For example, in Britain, France and Germany, 97% said they would prefer to contract with European cloud providers while 92% of US ICT decision-makers held the same view and preferred to keep their services with the United States.
In Hong Kong however, the figure is markedly lower, with only 69% of respondents saying they would prefer to work with Asia Pacific providers. Interestingly, 39% also said they would contract with European providers – perhaps a reflection of the close commercial ties between Hong Kong and Europe (see figure above).
The 'Snowden effect’
Aside from geographical considerations, some significant findings from the study revealed that there is a so-called ‘Snowden effect’ – how enterprises have been affected by the revelations of mass surveillance – that has impacted how ICT-decision makers view technology such as cloud computing.
The first of these effects is that ICT decision-makers are scrutinising cloud providers more closely before signing up, with some 87% agreeing that the Snowden allegations have changed their approach to cloud computing to some extent (click to enlarge figure below).
Two-thirds of respondents (67%) say they have audited their cloud suppliers’ security credentials. In France and Germany, almost 70% had carried out an audit, as had 58% of respondents in Hong Kong. In Britain and the United States, 47% and 83% rspectively had carried out audits.
Thirdly, it was revealed that there is an increase in the collaboration between ICT personnel and lawyers insofar as compliance is concerned.
Nearly three-quarters (72%) of respondents polled noted that they would revisit every cloud and hosting arrangement to ensure data protection, if they had the necessary time and resources.
“The Snowden revelations have also made ICT decision-makers more aware of the need to have detailed knowledge of data protection rules. Eight in 10 (84%) of ICT decision-makers globally believed they need training on data protection laws and security rules in the territories their businesses operate." (See figure below).
The findings that there is indeed a Snowden effect are consistent with what EU’s European Commissioner for Digital Agenda Neelie Kroes said recently at the CeBIT Global Conferences about the impact of the Snowden revelations.
“I’ve said this before – Snowden gave us a useful wake-up call. [So] let's not snooze through it. Let us not just react shocked. Let’s not turn our back on technology. It's time to act, time to protect ourselves, and build on what our economy needs and work together [to address this issue]," she had said.
Despite the findings in the survey, the report suggests that the ICT decision-makers have not altogether abandoned the notion of the cloud as a delivery platform for enterprise ICT as three out of the five countries covered by the study – and 71% of the respondents overall – believed their data would be safer in some form of cloud platform, subject to guarantees over data integrity.
Notwithstanding the Snowden revelations, the report said that it was clear that ICT decision-makers all over the world still subscribe to the idea that the cloud provides the most cost-effective means to scale and deliver increasingly sophisticated ICT services to business users.
“What appears to have changed, though, is the nature of the cloud customer,” the report noted. “ICT decision-makers have been quick to learn from the current crisis and now understand how to scrutinise providers.
“Those suppliers that can live up to the increased demands for data integrity, governance and security will find success in the post-Snowden world."
For those considering cloud computing, it recommends the following best practices in approaching the technology:
- Seek assurances over the physical location of data – the right providers will be able to provide undertakings over sovereignty;
- Ensure your providers allow you to restrict, move, or definitively destroy data;
- Scrutinise cloud providers’ ownership and business structure;
- Examine security credentials and certifications; and
- Talk to the supplier’s customers if you can, particularly those that are subject to compliance regimes similar to your own.
Next Monday: How one major cloud provider views the cloud’s future
The world needs to unite on privacy and trust: EU official