m@ksim.pro
Security

After PRISM: the cloud is no longer just a cost question

The NSA surveillance disclosure turned trust in cloud providers from a technical question into a political and legal one.

In early June 2013, the Guardian and the Washington Post published material indicating that the US National Security Agency had direct access to the servers of the largest technology companies - Microsoft, Google, Apple, Facebook, and others. The program was called PRISM. The companies responded in different ways, some denying direct access, while the US government confirmed the program's existence in broad terms.

For technical professionals, there was nothing fundamentally new here - the possibility of such mechanisms had been discussed for some time. But for company executives who had been moving working data to the cloud with the motivation of "convenient and cheap," this became a different conversation.

What changed

Up to this point, cloud security questions were mostly technical. Data encryption. Key management. Backups. Access control. Compliance certificates. That was the responsibility of the CTO or security team.

PRISM added a dimension that cannot be resolved with technical tools: jurisdiction. Where are the servers physically located? What laws govern the data on them? Who can access that data, on what basis, without your knowledge and without your consent?

If your data sits on servers in the United States, or with an American company - even through one of its subsidiaries in another country - the answer to the last question is determined not by your contract with the provider, but by US legislation, specifically the Foreign Intelligence Surveillance Act. No SLA overrides that.

Why this became political

The PRISM conversation moved beyond technical very quickly. In Europe, parliamentarians began demanding explanations from American partners. Several governments initiated reviews of data processing agreements. Companies storing data about European citizens on American servers found themselves under regulatory pressure.

For business this means that choosing a cloud provider is no longer purely an IT department decision. It is a question that can have legal, reputational, and regulatory consequences. Especially for companies operating in data-regulated industries: finance, healthcare, legal services.

What this means for decision-making

I am not suggesting an immediate exit from the cloud or abandoning American services. The cloud delivers real advantages, and panic is not a useful advisor here.

But the conversation that could previously be held only with technical staff now needs to happen at the leadership level. A few concrete questions worth asking:

  • What data are we putting in the cloud, and how sensitive is it from a business standpoint?
  • In which jurisdiction are the servers that hold our data physically located?
  • Does the contract with the provider say anything about what happens when a government request arrives?
  • Will the provider notify us if they receive such a request - and are they legally permitted to do so?
  • Do we have an alternative for the most sensitive data?

These questions do not demand immediate action. They demand an answer.

Trust as part of the architecture

Trust in a provider was always part of the decision to move to the cloud. It used to be about reliability and availability. Now it also includes the question of who else can be given access to your data through the provider.

That does not make the cloud bad. It makes the conversation more honest. Companies that accept this as a given and ask the right questions now will be in a better position - technically and legally - than those who continue to treat it as only a question of price and convenience.
