Data confidentiality is a million-dollar word in today’s age. A data breach that places confidential information in the hands of unauthorized people can result in violations of privacy, loss of trade secrets and intellectual property, and a whole range of other undesirable consequences, including identity theft, extortion, currency runs, stock exchange manipulation, and more.
Who Spies on Data?
It is a given that cyber-criminals of all hues lurk around to steal data. Whether any given organization or cloud provider ends up in their cross-hairs depends largely on whether they regard its data as valuable or have picked up some grievance against the organization.
However, over and above such obvious threats, what if those who are supposed to oversee data integrity themselves violate data confidentiality?
For many years now, the US National Security Agency (NSA) has reportedly been spying on the emails, text messages, photo/video searches, chat logs, VoIP communications such as Skype calls, file transfers, social network interactions, and more of Americans. Prism, a stealth program, directly tapped into the servers used by Internet bigwigs such as Apple, Google, Microsoft, Skype, Facebook, YouTube and others to monitor Americans, regardless of whether they are ordinary law-abiding citizens or marked suspects. The surveillance is carried out with the active collaboration of many IT bigwigs, with companies such as Google admitting to disclosing user data on request by the government. The NSA also worked with telecom providers such as Verizon to monitor phone calls. Worse, the program is growing in intensity by the day.
Prism may have legal backing in the Foreign Intelligence Surveillance Amendments Act of 2008 (FISA), which authorizes the government to monitor electronic communications. The proviso, however, is that such surveillance is permitted only if one of the communicating parties is outside the U.S. The government claims to have stopped terror plots this way, but rights activists allege that the state is misusing the law to blatantly and illegally spy on its own citizens. Critics have also questioned the constitutional validity of Prism, FISA notwithstanding, and the matter is currently in court.
What to Do?
The risk of an unauthorized third party having access to an organization’s sensitive data is much greater when that data resides in the cloud. The organization has no control over the servers of the cloud provider, who could pass the data on to the Prism project or to any other enterprising third-party effort.
The way out is a strong contract with the cloud provider. Make sure that the contract binds the cloud provider not to disclose data to any third party under any circumstances, with stiff penalties in place. This will ensure that the cloud provider has no grounds to cooperate voluntarily with any espionage program. What’s more, any disclosure to a third party would then have to go through a legal process involving a formal request.
The NSA’s clandestine Prism project raises concerns regarding the safety and integrity of data stored on third-party servers. Organizations need to take a close look at their cloud contracts to ensure that no illegal or unauthorized data disclosures take place.