Channeling the Cloud

Microsoft's Cloud Partners Face Hard Questions After PRISM Scandal

The recent revelations about the depth of the NSA's surveillance program are dragging old questions about cloud privacy back to the forefront.

• By Jeffrey Schwartz
• September 17, 2013

Many systems integrators and solution providers were dragged to the cloud kicking and screaming, while forward-thinking channel partners looked to gain an early advantage by adopting public infrastructure services. Either way, embracing the cloud and the new economic model that comes with it has meant taking on an important responsibility: ensuring the security, availability and privacy of your customers' data.

Fulfilling that responsibility is now front-and-center, thanks to this summer's revelations by Edward Snowden, who raised the curtain on various classified surveillance activities by the U.S. National Security Agency (NSA), such as the PRISM data-collection program. Whether you represent a cloud provider or resell services from one, you might find yourself fielding all sorts of questions you can't answer.

Microsoft, which has gone out of its way to demonstrate its commitment to data privacy, has had to answer charges by Snowden that Redmond was complicit in providing direct "backdoor" feeds from its services including Outlook.com (formerly Hotmail), SkyDrive and Skype. Microsoft also helped bypass encryption, Snowden charged.

Microsoft General Counsel Brad Smith pointedly refuted Snowden's claims. "Microsoft does not provide any government with direct and unfettered access to our customer's data," Smith said in a statement published by the company. "Microsoft only pulls and then provides the specific data mandated by the relevant legal demand."

Microsoft and key services providers -- including Apple, Google, Facebook and Yahoo! -- feel their hands are tied because the U.S. government won't let them be more specific about the volume of requests they receive. Microsoft, for its part, has sought legal permission to remedy that.

Yet most of the surveillance emphasized is of consumer cloud services. What Microsoft channel partners really need to know is to what extent governments are compelling data from services such as Windows Azure and Office 365, including Exchange, SharePoint and Lync Online.

Peter McGoff, general counsel of the popular cloud storage provider Box, believes the bulk of the surveillance taking place is among individuals, not enterprises. "We're very much focused on the enterprise," McGoff said, during a panel discussion on the topic hosted via webcast by the Cloud Security Alliance (CSA) last month. "We haven't been the target of these types of requests like some of the other folks that maybe were consumer- or individual-account focused."

That's not going to be enough to sit well with enterprises that want more assurances. Microsoft and other key providers are calling on the U.S. government to let them be more transparent. President Obama's proposal last month to improve transparency by appointing a civil liberties advocate and reforming the Patriot Act to change how metadata is collected were welcome first steps. But the plan lacked specifics, and political opposition from both parties suggests those waiting for such transparency will have to wait a while.

Related:

• PRISM and Microsoft: What We Know So Far
• Report: Calculating PRISM's Carnage
• Report: Microsoft Helped NSA Monitor SkyDrive, Skype and Outlook Users