Monday’s Musings: NSA PRISM Scandal Hurts US Cloud Companies And Hastens The Return Of On-Premises Software

Published on August 12, 2013 by R "Ray" Wang

Non-US Based Organizations And Even Some US Organizations Will Not Tolerate Snooping In A Post PRISM World

Since the Edward Snowden PRISM revelations, Constellation has received a steady stream of inquiries on cloud strategy.   In fact, nervousness runs high among many non-US based companies using services from US based cloud companies across the cloud stack.  In early August 2013, the Information Technology & Innovation Foundation put out its report “How Much Will PRISM Cost the U.S. Cloud Computing Industry” Assuming that 20% of current clients switch to a non US based provider,  the report estimates a loss of $22 to 35B by 2016.

Constellation agrees.  All signs point to an anti-US stance until the security issues is addressed.  The odds on the US government moving fast on this issue are as good as Major League Baseball players or Tour de France Cyclists honoring a performance enhancement drug use ban.  In fact, Constellation is aware of at least 50+ contracts that have been put on hold or cancelled in the past 30 days.  With the EU’s Nellie Kroes already sounding the alarm bells in a way she only can, cloud buyers have taken notice.

The Bottom Line: Clients Should Consider Alternatives To Pure Cloud Models And Encryption Technology

Interesting enough, fifteen years into the cloud revolution, talk has rekindled about building on-premises software in light of this scandal. Unfortunately, the last major on-premises software company to receive funding squandered it all in 2005 and retooled to the cloud. Furthermore, a few entrepreneurs are looking at VC funding to take some key systems back on-premises.

However customers do not have time to wait for new software to arrive in the on-premises deployment option.  In the meantime, a few near term strategies have emerged:

  1. Encrypt everything. Despite public services such as Silent Circle shutting down, organizations can still buy their own encryption technologies.  Secure all transmissions via encrypted email.  Prior to uploading to a cloud service, consider pre file upload encryption technologies.  Many cloud services have explored how to deploy this since the NSA scandal.
  2. Use your VPN. While the virtual private network may slow down your communications, in general, the encrypted tunnel allows for private communications to the server.  Encryption should extend back to the mobile device management systems as well.  Maybe now is the time to take another look at the RIM BES server.  Those Blackberry 10’s could just make a comeback.
  3. Move to private clouds. While public clouds have dominated the news, the shift to private clouds allow for the peace of mind that only ownership brings.  However, ownership means the reincarnation of the data center will carry it’s own set of ownership costs.  The tradeoffs in security may be worth the hassle for some clients.
  4. Identify providers with a non-US data center presence. Many clients have postponed upgrades in light of the scandal.  One fix may be to identify services that have European or Non-US data center jurisdiction.
  5. Reconsider on-premises software. Many CXO’s who have been cloud evangelists, have had to reevaluate their on-premises software footprint.  The non-US CXO’s must abide by their national interests and desire to keep their data away from the spooks in the US.

Clients should continually evaluate the situation as US based cloud providers will not sit still and have been addressing concerns as customers have slowed down their purchasing cycles.  Constellation is researching how the major cloud vendors will address this.  Follow Constellation’s lead Cloud IaaS and PaaS analyst Holger Mueller for the latest developments.

Your POV.

What’s your back up plan? Ready to secure your data from the government?  Add your comments to the blog or reach me via email: R (at) ConstellationR (dot) com or R (at) SoftwareInsider (dot) com.

Related Research And Resources


Reprints can be purchased through Constellation Research, Inc. To request official reprints in PDF format, please contact Sales .


Although we work closely with many mega software vendors, we want you to trust us. For the full disclosure policy, stay tuned for the full client list on the Constellation Research website.

* Not responsible for any factual errors or omissions.  However, happy to correct any errors upon email receipt.

Copyright © 2001 – 2013 R Wang and Insider Associates, LLC All rights reserved.
Contact the Sales team to purchase this report on a a la carte basis or join the Constellation Customer Experience!

  • Ray,

    Global Data Protection policy is being covered at the Privacy Identity Innovation conference, pii2013 in Seattle 9/16-18. I will attend and grip the research.


  • Clive

    Good point. Someone else commented that the data center traffic does bounce into the US so you’ll also want to encrypt all communications.


  • James Staten writes in a Forrester blog post today estimates the true impact of PRISM and other surveillance programs could be as high as $180 billion. A 20-25 percent hit on all US based IT service provider revenues through 2016.

    My POV. SaaS-Cloud CTO’s may start to retool enterprise apps for lightweight HTML5 allowing hosting from Rackspace or Amazon data centers offshore without a laggy user experience to avoid NSA snooping.

  • clive

    Great question to pose. Let’s see if others are placing similar security measures to avoid snooping.


  • Interesting Merck, Intel, Google do not allow engineers to work remotely on Ip at all. IP, bills of material, code, has to be accessesed on-premise and travels interoffice on private not public internet.

    A friend at Thales Security says the only security properly private for smaller corps is hardware key encryption. In one office bills of material / code is run thru an encryption server with a private key (usually credit card size). To read files in the remote office, a matching hard ware key is inserted in the decryption server. Without this attention to security your IP is not secure.

    Finanical transcations, customer lists and general ERP data I dont think needs this level of attention (this info becomes public by its nature). But Im sure SAP and Oracle and Big Pharma pay total attention to IP security.

    Be cool to know if any Cloud ERP vendors are properly tackling encryption (https is not enough to bet the farm on)

  • ray

    you amke a very good point here. i guess the encryption better be working =) thanks for sharing!


  • Even companies with non-US datacenters are a risk because you have no idea where your traffic is routing to. Most internet traffic goes through the US even if the DC is in the EU. #4 is NOT a solution!

  • Encrypting is the only solution. Even if you’re running on-premise software, if you have multiple offices or a workforce that is mobile, data still has to run through an ISP that probably has an NSA tap on it.

    And even then, business is run on email, the most insecure messaging platform out there…

  • Ad hoc access revealed to PRISM databases by NSA contractors means highly engineered IP held in bills of materials are not secure. Why we ever thought it safe to put IP in the cloud and send it across the public internet even with https or over VPN — we were behaving like Icarus. Sr Mgmt has a fiduciary duty to protect business valuation by physically knowing who has access.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts