You are probably, at least to some extent, aware of the controversy surrounding the now infamous online surveillance program run by a number of government agencies in the US and abroad. Almost on a weekly basis more information and details about the program are being leaked to the media. The revelations regarding the massive scope and span of the programs have raised concerns among two main groups.

The first group which includes a broad array of tech enthusiasts, human rights organizations and civil liberties advocates are up in arms about what can be considered a gross violation of individuals’ right to privacy on a massive state-sanctioned scale. They have filed petitions, lawsuits and organized protests. Even the US congress has held several hearings and opened inquiries into these programs and the agencies in charge.

The second group, which I would categorize as commercial interests, is those involved in the business of Internet: Big data, cloud, hosting, XaaS, etc. Cloud service providers, based in the US, are dealing with the ethical consequences of an outpouring of leaks regarding their government’s direct and unlimited access to customer data stored in their formerly considered secure data center. This begs the question, will customers, particularly foreign customers with strict regulations regarding privacy and security of data, trust the cloud service provider again? It’s debatable what the impact would be but one particular study claims that US Cloud Computing industry stands to lose as much as $35 billion over the next three years as a direct result of newfound concerns over data and network security.

So what options exist for cloud providers and consumers to alleviate this situation? For the distraught cloud CEO and his company, good PR and a reinforced privacy policy might help. On the technology side, the basic principles of data encryption are still valid. Of the three main components of a data encryption system (data, encryption engine and key manager) leave key management and, if possible, the encryption engine (client side encryption) in your customers’ hands.  This way, customers are protected against potential “rouge administrators” and the business is protected against demands to reveal customer data. After all, you can’t unlock a door you are not holding the keys too. On the flip side, if you happen to be a concerned consumer of cloud services, look for providers who use products and technologies that give you control over encryption keys and allow you to keep them separate from the data and on-premise rather than in the cloud.


Leave a Comment


Garry McCracken

About Garry McCracken /

Garry, a CISSP, has more than 30 years of experience in data communications and information security. He has contributed to the development of WinMagic's full-disk encryption solutions for desktops, laptops, and other mobile devices. When he is not saving the world of data encryption, he takes off his cape to relax and enjoy life at the cottage. Garry writes from a position of technical expertise since we first started SecureSpeak, making him the longest running blogger at WinMagic.
Garry McCracken