NSA Leak Highlights Cloud Risk

Publicity about a U.S. National Security Agency (NSA) surveillance program is a reminder that a company’s cloud data may be disclosed to government agencies without notice, a risk not shared with on-premises systems. Companies should ensure that this risk has been considered when evaluating hosted or cloud services such as Office 365, Windows Azure, or their competitors. Organizations might also need to review their own data retention and protection policies.

Service Providers Collect and Deliver Data Without Notice

U.S. government surveillance has been highlighted most recently by disclosure of the NSA PRISM program, which appears to collect e-mail, files, chat logs, and other data from online service providers, including Microsoft and its major competitors. The program’s existence was first reported in The Guardian and the Washington Post, and subsequently confirmed by the NSA. The program has raised civil liberties concerns, but it also could lead to publication of captured information through insider leaks, similar to the 2010 publication of U.S. diplomatic cables by the Wikileaks Web site.