Cloud in the post-Snowden aftershock
Fri 24 Oct 2014

The Stack interviews Len Padilla, VP of Product Strategy at NTT Communications Europe. He discusses how the Snowden allegations have changed IT decision-making, and why businesses need to embrace a hybrid strategy to effectively migrate to the cloud.
How have cloud providers had to react to the post-Snowden ‘aftershock’?
Many have had to make changes. Many providers have had to become very aware and very sensitive to data sovereignty. Speaking specifically about the Snowden allegations, governmental organisations are the ones who are responsible for snooping peoples’ data, and people feel the only way to address that is to not put their data where those agencies are operating. In some cases that’s possible in others it’s not. For a US organisation that’s going to be a lot more difficult. But we’ve definitely seen from some of our customers here in Europe, our more security sensitive customers, that there is a real reluctance to sign up to any cloud services that are hosted in the US or where data might transit to the US.
How has the PRISM scandal affected businesses’ trust in cloud computing?
The scandal has and hasn’t affected businesses’ trust in cloud. Most organisations that were very security sensitive were probably already conducting business on the internet, on global networks, in the cloud, in a way that assumed that such things could happen anyway.
I think the real eye-opener is for companies who just didn’t foresee this. That might have been smaller organisations that don’t have as strong a security posture, don’t necessarily understand security so well, and don’t understand which things are vulnerable or not. I think it has definitely had an effect overall, it has opened up peoples’ eyes to the fact that what you put out there in the cloud could be vulnerable in a number of different ways, depending on how you approach it and which cloud you are using.
Data sovereignty has emerged as a main priority; do you feel a preoccupation with data sovereignty will hamper the acceleration of cloud?
In the long term, I don’t think so. I think we’ll see two ways to mitigate it; short to medium-term, and long-term. In the short to medium-term, what will happen is we’ll see an increase of the global or regional cloud. People now may be reluctant, for example a German customer may be hesitant to host their services on infrastructure in the US, or in a type of cloud where they don’t have explicit control over where the data resides. That type of customer will be much more interested in either working with a local company with local services, or working with a global company where they have explicit control over where the data is. Those are the kind of things that are going to happen in the short to medium-term, over the next few years.
I think the real long-term solution to all of this is for companies to be using strong encryption everywhere, no matter where the data resides. The question – in which legal jurisdictions does my data reside? – will be rendered moot. It won’t really matter as the data that resides in those places will for all intents and purposes just be digital garbage if you’re not holding the right keys.
What are your thoughts on the proposals, headed up by politicians like Angela Merkel, suggesting a need to separate data networks?
Like most technical things proposed by politicians, they’re well-intentioned but it might be that they don’t necessarily understand the technology. It’s tempting to say I’ll keep my data on a private network that nobody else has access to, but that’s useless because most of the business that companies are transacting is with customers and with partners. You have to really ask yourself what is a private data network? There is almost no such thing as a completely private network, which comes back to the need for encryption. Obviously, if a private data network is kept within a certain legal domain, it may not be liable to other countries’ intelligence agencies but that’s going to be limiting to the companies that are actually using the network. The purpose of a network is to connect people not isolate them. Therefore the notion of a secondary or private network, for transacting business anyway, probably isn’t the best idea. Certainly secure data networks are important and businesses need to offer secure services to customers – not a parallel internet or some sort of a parallel network.
Why do you feel businesses should be opting for a hybrid approach to cloud?
A big reason for companies to move to a hybrid cloud environment is a focus on security. When companies take their IT estate and split it up into different pieces they’re trying to figure out which compute environment is the best and most secure place for it. They have to decide between public cloud, private cloud, on-premises, or even systems that aren’t connected to any network. That decision, in the security sense, is going to come from the sensitivity of the data that is held on those systems.
Many companies are manipulating and dealing in public data and the public data is perfectly suited for public internet and public cloud. The idea of all of that data is for the public to be able to access it.
Then there is sensitive data which might be best suited for a private cloud environment where it’s not sharing infrastructure and networks, but is still stored off-site and served by a service provider, such as NTT’s Enterprise Cloud or other similar environments.
Beyond sensitive data is secret data. This is the kind of data that companies usually keep on systems within their own facilities – data that is so important that they cannot afford to let anybody access.
There’s also critical data which is a company’s intellectual property, their trade secrets – how they build a car, how they develop technology based on a patent etc. Not only is the business going to keep this data on their own premises, but they’re also going to keep it on an isolated network or even on no network at all. Companies need to be able to keep an air gap between public networks and critical data because again if it is leaked it could be damaging to their business.
Are there any obvious disadvantages linked to hybrid cloud?
I can’t really think of any disadvantages, except as I see it, the hybrid cloud isn’t anybody’s real destination. Customers should not think that they’re moving to a hybrid cloud environment and that they’re going to stay there forever. Everybody knows that in the future almost all computing is going to the cloud, or cloud-like services.
The hybrid nature of keeping some things on old legacy systems, some things on mainframe systems, and some things in colocation managed hosting, is a way to get to that full cloud future. Businesses will have to pass through the hybrid cloud to reach a complete cloud infrastructure. So I’d say that the only disadvantage is that just like many companies who have become complacent with old legacy IT, staying with hybrid cloud when they can achieve a full cloud environment is really the only disadvantage that I would see with a hybrid solution.
Therefore the real advantage of hybrid cloud is facilitating that journey. Even though companies know that full cloud is their destination, it’s often hard to get that journey started because making a ‘big bang’ change like that is almost impossible for a company with any significantly complicated IT. A hybrid approach allows them to move things that are able to move, and to get everything into a funnel leading them on their way to the cloud. Different things will take different times to move through that process but hybrid is the thing that really allows them to start that journey.
Read more from NTT on the effects of the Snowden allegations: nsaaftershocks.com