It has been several years since cloud services became a viable and cost-effective means of managing our information and IT infrastructure.

There have been numerous articles and books written about the technicalities of how organisations can make best use of the cloud and of the security issues that arise.

David Sutton FBCS CITP, co-author of Information Security Management Principles, says that we should turn our attention back to focus on the ‘what’ and the ‘where’, rather than on the ‘how’.

Certainly, using the cloud does (or at least should) solve two key business problems:

  • A quantifiable reduction in costs. Organisations using the cloud require less IT infrastructure on their own premises; they don’t have to spend money on staff to look after these increasingly complex systems and they don’t feel the need to upgrade them whenever new hardware, operating systems or application software appear.
  • A reduction in security worries. The cloud provider takes care of securing the organisation’s outsourced infrastructure and the information - well, in theory at least.

Whilst the first benefit is undoubtedly true, can we be sure about the second? Recently, there has been much discussion in the media about interception of personal information including emails, fixed and mobile phone call records, text messages, instant messages, Facebook and Twitter accounts... the list seems endless.

Media reporting about the PRISM programme has highlighted the active participation of Apple, Facebook, Google and Microsoft; so why should our own organisation’s information, stored in the cloud, be any different?

Even if the agreement with the cloud supplier satisfies the organisation’s legal and regulatory department and complies with data protection legislation, how sure can we really be about who has the ability to read our information, and what is more, what could we do about it even if we knew?

Organisations like the NSA and GCHQ are actually doing what they are supposed to do - keeping us safe - so we should not be surprised to hear that interception takes place; after all, that is what the Regulation of Investigatory Powers Act (RIPA) 2000 was designed to control. What should really concern us is what information we are losing control of.

In May 2013, the Cabinet Office mandated that ‘Purchases through the cloud should be the first option considered by public sector buyers of IT products and services’, and use of the G-Cloud is expected to provide cost savings to the taxpayer as a result.

This is potentially both good news and bad. As taxpayers, we should be delighted that the government is trying to spend our money in a more effective way. However, since government often stores vital sensitive personal information about us, does placing it in the cloud put it (and us) at greater risk?

The interception of traffic through network routers and switches is not technically demanding - the challenge comes in the decision as to what to intercept, and this is where the skills of the security service analysts come into their own.

Semantic and heuristic analysis of data streams provides a first cut of data to be saved, and further analysis yields a result - either negative, in which case the information is discarded since the costs of indefinite storage would be astronomic; or positive, in which case it is retained for possible further exploitation. Regardless of this, should we be concerned? I believe that we should. Data protection legislation aside, organisations have a fiduciary responsibility to protect their sensitive information.

There have recently been questions as to whether the Chinese government has the capability for political and commercial espionage through data interception from the high-end routers and switches that are used widely in the networks of national and international communications service providers.

Whether or not this is true, why would any other national government not exert the same influence over similar equipment manufacturers within their own jurisdiction? When an organisation’s information passes through the jurisdiction of any government, it takes little more than an executive order to allow them to intercept it, and quite possibly to impound it if they wish.

For many organisations, information underpins their very existence. Take pharmaceutical companies for instance - if the composition of their latest cancer-curing drug, which has taken many years and hundreds of millions of pounds to develop, is suddenly copied, their business is very definitely placed at risk. The same applies to any organisation that has invested time and money in research and development.

Let’s consider for a moment what happens to our information when we send it out into the cloud. It leaves our network and then what? We simply don’t know. We don’t know what network equipment carries our information, where it is stored or how it gets there.

Given that our information is now totally outside our control and that the possibility of its interception is limitless, should we really abandon our ability to control it? Shouldn’t we therefore consider what information is stored where, rather than simply trusting the cloud supplier to secure our most vital assets?

Many organisations use more than one cloud service, and keeping track of what is stored with which supplier is becoming an increasing challenge. Subscription-based software is now available to consolidate all of an individual’s or organisation’s cloud credentials, sign-in to each, and display all the cloud services in a single, consistent view.

Great - information management has just become much easier. However, now all the keys to the kingdom are in one place, and all the security agencies have to do is ‘persuade’ the consolidation service suppliers to hand over the keys and off you go.

Certainly in these days of economic downturn, the pressure is on finance directors to save money wherever they can, and the organisation’s IT infrastructure is certainly a very good place to begin; but the potential savings from using the cloud should always be balanced against the potential losses - financial and non-financial - that might arise if interception orders are served on cloud service suppliers.

Maybe it’s time to take a step back and look at clouds from both sides now.