The Information Technology & Innovation Foundation (ITIF) recently published a white paper addressing the question, “how much will PRISM cost the U.S. cloud computing industry?” The answer according to ITIF: a lot. ITIF projects that, over the next three years, the U.S. cloud industry will lose at least $22 to $35 billion as foreign customers find alternatives outside the U.S.
The U.S. cloud industry will likely lose revenue as more companies consider other options as a result of the PRISM revelations, but non-U.S. companies will not be the primary driver behind those losses. Instead, the losses will stem from U.S. companies pursuing alternatives such as internal data centers and private, on-premises clouds.
As I interact with sophisticated non-U.S. companies looking at cloud computing solutions, most of them have already factored the possibility of PRISM into their cloud analysis. Many of those companies have been aware of National Security Letters for years and make cloud decisions based on that alone. A few months ago I spoke about cloud computing to a group that was split 50/50 between US and non-U.S. companies. Nearly all of the non-U.S. attendees said they would not use U.S.-based cloud computing services because they knew the U.S. government could access their data without their knowledge via a National Security Letter, the Patriot Act or other hidden method. At that time no one knew the name “PRISM,” but they understood the US government was probably monitoring cloud-based data and communications. In fact, cloud companies in the EU have been playing on those fears for years.
Although the non-U.S. cloud market took the possibility of PRISM into consideration long ago, U.S.-based cloud users did not. Accordingly, the most significant risk to U.S. cloud companies is that, in light of the PRISM revelations, U.S. companies decide they want to retain control of their own data and not hand it over to a third party who might disclose it through a backroom deal with the U.S. government. Expect private data centers to come back into vogue simply because they give a company control over its data.
I recently completed a large deal where a highly-regulated U.S. company moved its office suite functionality and data to a major cloud provider, and the single factor this client feared most was that the cloud provider might disclose the client’s data to the government without permission. The client wasn’t hiding anything, but they wanted to control the process if the government asked for data. So long as their data resided in their own data center, my client would know about a government request because that request would be delivered to the client as owner of the data center. Once the client’s data moved onto a cloud infrastructure owned by a third party, that third party would receive the request and could respond without the client’s knowledge.
After PRISM the U.S. cloud industry’s biggest challenge isn’t retaining non-U.S. customers, it’s retaining U.S. customers. Expect more U.S. companies to look at building internal data centers and private clouds they control instead of ceding control to a third party. And the more the government snoops, the more difficult it will be for the U.S. cloud industry to thrive.