“The key question is not whether the unmasking of Operation PRISM will influence businesses’ decisions as to where to store their data. The more important decisions involve how they monitor and secure their data, regardless of where it lives.”
- David Gibson, Varonis VP
Responding to comments from a Forrester analyst predicting that the cloud computing and IT service provider industry fallout from the NSA PRISM revelations could be as high as $180 billion, Varonis Systems says companies need to understand the clear need to defend their data from prying eyes - regardless of whose eyes are involved and where the data lives.
According to David Gibson, Vice President of the data governance software specialist Varonis, Forrester Principal Analyst James Staten’s predictions that US cloud service providers could lose 20% of their potential non-US revenues highlight the fact that the data security regulatory environment is a lot stronger in Europe, where corporates are wary of cloud computing services for simple data security and integrity reasons.
“And those reasons are powerful ones. Most corporate IT security managers are fully aware that their data is a valuable commodity to cybercriminals and industrial espionage agents, which is why we have observed them favouring the stronger rules on data retention, consumer access, and cloud provider obligations seen in the EU,” Gibson said.
“The good news is that the Operation PRISM revelations will raise the awareness of data governance and security in the business world generally, and so increase companies’ understanding that their data is at risk if they do not monitor and manage who has access to it, regardless of where it resides,” he added.
The key question, insists Gibson, is not whether the Operation PRISM saga will influence businesses’ decisions as to where to store their data, but more one of how they monitor and secure their data.
Granted, some non-critical and non-personally identifiable information can be safely stored in the cloud, he says, but it is important that IT professionals understand that it is also possible to allow carefully controlled remote access to selected corporate data – using a local cloud-like facility – that offers all the advantages of the cloud without any of the downside on the security front.
Against this backdrop, he says, Staten’s comments – namely that EU rules require data about EU citizens be stored and retained in the European Union – are all the more powerful, as Varonis’ experience suggests that not all corporates ask the right governance questions before storing some of their data in the cloud.
“I think Staten’s comments – that it is naïve and dangerous to think the NSA's actions are unique – are quite relevant. But it is equally naïve and dangerous for any company not to think that the darker side – including cybercriminals – are not also monitoring data flows and storage systems,” he said.
“It is also important to understand that it is relatively easy for personally identifiable information to hide in easily accessible data. This was one of the drivers behind the launch of our DatAnywhere solution in June of last year - which creates an overlay application that effectively runs a secure local cloud environment on a corporate IT resource,” he added.
“The idea behind the software is to emulate a private cloud environment, but running locally, and ‘creating’ the data interface dynamically, in a similar manner to the way in which many SQL-linked databases interface internally to a Web site and so on out to the Internet. Not even the most well-intentioned – and well-equipped – government can easily gain access to data assets when they are stored in this manner.”