Wednesday, 26 June 2013

Cyber-security is a two-edged sword.

One of the great (not eligible for REF 2014) impact stories I have is the small specialist company producing a VOIP service specialised for "blue light" services that provides interoperability between all those different communications systems they use. This SME came to talk to us in Horizon and we rapidly got into how they deployed their service. The relevant "ah ha!" moment for the CEO was when we explained that Cloud is not about the technology but about what it enables: it translates what was previously capital expense into operational expense, so Cloud needs to be understood by the CFO. In particular this company was concerned about bidding for large contracts, as they did not know how they would access that much capital even if they won the contract.

I explained that the Cloud was simple to experiment with: here's the URL, get your credit card out, and it'll take your IT man 15 minutes from a standing start to get a server up and running on which you can deploy. That was at 15:00 on day 1; at 11:00 on day 2 I got the phone call: "Mac, we're up and running, thanks; this just changed our business". I love those days.

I think this is the story for many of us who have been working on Cloud technologies for a while, but recent work sponsored by Microsoft indicates:
 "more than half (52%) of the companies that do not currently use the cloud said that data security concerns were 'an inhibitor to adoption'."
Likewise, there are concerns about data visibility and compliance.

I leave it to my colleagues, who are much more knowledgeable than me about privacy law and human rights, to make that case, but recent events are not really going to cause SMEs to entrust their critical business functions to the Cloud. In the week that the Home Office launched a cyber-security awareness programme, I fear PRISM has had more impact on concerns around cyber-security than the £4m the Home Office has put aside for it, and not in a good way.

I was finally compelled to write something based on the tweet from @jaggeree pointing me at the article flagging how using encryption would make your traffic especially suspicious:
 "When encryption is encountered, however, the gloves can come off, with analysts being allowed to retain 'communications that are enciphered or reasonably believed to contain secret meaning' for any period of time."
Yup, commercial confidentiality is about maintaining secrets. Having worked for Intel (Grove-era motto: "Only the paranoid survive"), I was drilled in the importance of commercial confidentiality.

I've usually said of TOR that using it from your home is akin to standing in the town square shouting "I want to be anonymous", but if agencies are systematically retaining all VPN traffic as possibly "containing secret meaning", I can't see any of this helping the cause of migrating SMEs to the cloud.

What to do? Well, some smart service provider might try to address at least some concerns for UK SMEs by providing UK-based services, which at least mean you only need to be concerned about one agency looking at your data, and you might hope that agency has the economic wellbeing of the UK at heart. (Other countries are available: s/UK/yourcountry/.)

Cyber-security is a two-edged sword: bad guys can use the very technologies that are vital if we are to expand the digital economy. We do need to work to achieve a sensible balance.