In 2012, CenturyLink invited Timothy Chou to keynote their Alliance Expo in Denver and speak about his seven business models for cloud. One of the customer objections he brought up was security. How, if my data is on someone else's servers, can I be sure that it's really secure?
Chou turned the question around — what is "secure" for a given client? Is it encryption over the wire? Is it encryption on disk? A secure password policy? Proper password storage methodologies? His point was that "security" in the cloud is a nebulous concept that can't properly be answered without understanding clients' security requirements.
In light of the recent exposure of the NSA's PRISM program, the idea that security is just about client requirements and cloud platform capabilities seems downright quaint.
Most of the PRISM discussion so far has focused on the political and social elements of the issue. However, a recent article in the Guardian and another by James Fallows in the Atlantic highlight the longer-term impact on the cloud services industry.
The issue is that even if a cloud provider checks all the security boxes, there is no way to guarantee data secrecy when the government has an all-access pass. Business clients can no longer reasonably expect that their data will be kept confidential.
The hawks in the room will be quick to cite FISA oversight (which is likely a farce) and may even suggest that you have nothing to worry about if you're not doing anything wrong. For all the paranoia that drove the creation of PRISM in the first place, this reaction is naive.
The world found out about PRISM from an employee of an NSA contractor hired to help develop and run the program. This whistleblower was ostensibly disclosing the details in order to publicize what he believed was an unconstitutional governmental overreach.
Who's to say the next guy won't be decidedly more, shall we say, free-market motivated? Perhaps instead of blowing the whistle, the next guy will decide to use PRISM to sell corporate secrets of one company to a competitor. Or to steal personal information to sell to identity thieves. Or to blackmail public figures who get a little carried away with sexting (and seem not to have heard of Snapchat).
Cloud companies had a hard enough time answering the localized security concern. How will their value proposition be affected by this development? Will they just count on the incredible apathy and resignation of the American citizenry?