The Demise of the Cloud

Facebook CEO Mark Zuckerberg complained last week that trust in social networks and Internet companies has dived ever since cyber snooping and spying activities by the US National Security Agency began to make global headlines earlier this year.

It is no surprise. In fact, as fugitive former NSA operative Edward Snowden pointed out, the encryption system adopted by the International Organization for Standardization and its163 member countries were actually written by the NSA, convincing proof that online platforms being used by Internet companies and the commercial world, including banks, could in fact be easily compromised by the NSA.

In other words, the NSA designed their own secret back door into the global encryption system for their convenience. So until the encryption system has been overhauled and taken away from NSA's control, no server and no cloud service provider is secure enough to be entrusted with any confidential data.

So why then are blindly trusting companies still moving ever more data into the cloud and onto servers, where online access to highly confidential information related to clients, customers, employees, deals, business plans and performances, etc., is available to the US snoops?

The disturbing fact is that these data are left exposed online no matter how secure the corporate echelons like to think they are, and boast about their system protocols and compliances. Apart from risking hackers hitting the right keys, the data are also conveniently laid out for the NSA to sniff through as the recent revelations have shown.

It's data migration and data penetration en masse. Period.

It is mind-boggling how slow the corporate world is in coping with such vulnerabilities, considering the advance of technology, the prevalence of mighty gadgets and the cold reality of cyber espionage in this post-Snowden era. The fact that the largest and most globally oriented organizations like banks, listed companies and multinational corporations are the usual culprits of such ignorance is even more disturbing.

Cloud computing has been touted as the future of corporate computing. It uses the Internet and central remote servers to store applications and maintain data - it involves a whole range of infrastructure, software, data or applications residing in the cloud, i.e. servers, and accessed via the Internet. Of the three major components in cloud computing - application, storage and connectivity -- the latter two are under serious threat.

The cloud computing market grew 19.6 percent to US$109 billion worldwide last year, according to Gartner Inc. The US had the dominant players with Google, Amazon and Microsoft accounting for 85 percent of the market. But thanks to the NSA Prism program, more people have begun to question the wisdom of dumping their data onto US cloud service providers. That would only benefit non-US cloud service providers, one may argue. Not so fast.

The US cloud computing industry could lose as much as US$35 billion over the next three years as the NSA revelations frighten customers away, according to a recent study by the US think thank Information Technology and Innovation Foundation. But the US loss is not a gain for non-US providers, nor is it a solution given the encryption issue and the fact that the rest of the world uses the US protocol.

Despite the risk, 71 percent of bank executives say they plan to invest more in cloud computing, four times more than the previous year, as cloud service providers have supposedly made their offerings more secure and reliable, according to a recent study by PricewaterhouseCoopers.

I wonder what it would take for them to understand the reality. A major earth-shattering catastrophic hacking on a global bank? It would be a wee bit too late.

To be fair, these institutions set up their systems ages ago for various reasons, be it for legacy, security, convenience or regulatory compliance. It is difficult to break from such practices after spending hundreds of millions of dollars on the systems. Take, for example, how the executive of a global bank boasted to me about the bank's emphasis on privacy, believing that everything can and should be loaded onto servers to be accessed online on the basis that it is a given that their system is secure. What if the system was really hacked, I asked. The brief and rehearsed reply: the IT blokes and vendors are to blame.

He blatantly missed the point. The more critical issue is prudent risk management and not a blame game when all hell breaks loose. In a worst-case scenario, it is the highly critical and confidential information of third parties that is at stake. If it is a fact that if established organizations like NASA, the US Federal Reserve and Facebook can get hacked, nobody and no institution is safe.

And all these executives care about is to follow rigidly established in-house procedures and protocols for the sake, ironically, of privacy.

I recall once meeting a vendor promoting an online platform for all parties involved in preparing IPOs. The platform facilitates the discussion of market-sensitive matters and sharing of related documents in an enclosed and secured virtual room. This won't work anymore. Regulators should watch out for a whole new meaning of insider trading.

(Vanson Soo runs an independent business intelligence and commercial investigations practice specialized in the Greater China region. Blog: http://vansonsoo.com)