Unease With Government Access to Information: Cloud Security Alliance

Less than a third of the respondents to a recent survey said the National Security Agency surveillance program had no impact on usage of U.S.-based cloud providers.

The recent revelations about government access to customer information potentially could have a huge impact on U.S.-based cloud providers, as a majority (56 percent) of non-U.S. residents are now less likely to use them, according to a survey of nearly 500 members of the Cloud Security Alliance (CSA), which was conducted by the not-for-profit organization.

Furthermore, an overwhelming 90 percent of respondents said that companies that have been subpoenaed through provisions of the Patriot Act should be able to publish summary information about the amount of responses they have made. Less than a third (31 percent) said it had no impact on usage of U.S.-based cloud providers, while 10 percent canceled a project to use U.S.-based cloud providers.

Just under half (45 percent) of respondents said the Patriot Act should be modified to tighten the oversight of permitted activities and to provide greater transparency as to how often it is enacted, while 41 percent said the act should be repealed in its entirety and 13 percent said the act is fine the way it is.

When asked how they would rate their country's processes to obtain user information for the purpose of criminal and terrorist investigations, 47 percent of all respondents selected poor, saying there is no transparency in the process and they have no idea how often the government accesses their information. About a third (32 percent) said the process is fair, citing there is some public information about the process and some instances of its usage, but it remains unclear how prevalent these activities are.

"The numerous open-ended comments provided by survey respondents indicate that this is a highly charged issue, which will likely evolve as more information is gained about the facts of government programs," the survey said. "CSA continues to study the respondent comments and will publish insights gained from these comments. CSA will certainly be obligated to provide additional forums for member feedback regarding this issue. Greater discussion of the balance between safety, privacy, government transparency and commercial interests must be obtained."

The CSA also announced a number of milestones in its continued efforts to spearhead global transparency for cloud services. The organization said that more than 30 entries from cloud providers have been made to its Security, Trust and Assurance Registry (STAR). Major cloud players including Amazon Web Services, Box.com, Hewlett-Packard, Microsoft, Ping Identity, Red Hat, Skyhigh Networks, Symantec and Terremark have already submitted entries into the registry.

At the CSA EMEA Congress, to be held in September, the CSA and the British Standards Institution will officially launch the STAR Certification effort, the next step in the CSA STAR program, designed to provide an incremental level of visibility and transparency into the operations of the cloud service provider.