Cloud | Commentary
11/26/2013 11:06 AM
Elad Yoran

NSA Surveillance: First Prism, Now Muscled Out Of Cloud

Companies can no longer discount the risk of losing control of confidential corporate data in the cloud. Government data mining is here to stay, in one invasive form or another.

The latest round of stunning revelations of National Security Agency (NSA) surveillance and data mining of cloud-based services and Internet communications has added a new term to our lexicon of government spying. In addition to Prism, we now have Muscular looming over cloud adoption.

The Muscular revelations are eye-opening because, according to The Washington Post, they point to a far wider scope and far more indiscriminate data capture than even the Prism revelations suggest. This collection is done by intercepting the private links that connect Google and Yahoo datacenters around the world -- and decrypting traffic that should be protected in transit. Microsoft recently testified to the European Union Parliament that the company does not encrypt its server-to-server data communications. Another revelation is that this program is operated in conjunction with the United Kingdom's NSA counterpart, the Government Communications Headquarters. This is a broad issue: governments all over the world are accessing private data in ways that are only now being made public.

Inevitably, we find ourselves asking the same set of questions we did when reports of Prism emerged. But now there is an added twist: Is there any way to protect the privacy of cloud data, and, in fact, any point in encrypting data with the range of technical tools and programs at the NSA's disposal? We've learned of cloud service providers being compelled or cajoled to hand over the keys for encryption of data at rest. Does Muscular mean we are seeing the value of encryption of data in transit being undermined?

These new revelations certainly underscore the risk of cloud data landing in places outside enterprise controls. But we should be careful about overstating the implications for encryption technology as a whole.

First of all, the NSA has circumvented the SSL encryption process by tapping the provider's datacenter directly. The implication here is not that SSL is of no intrinsic value, but rather that evaluating (and monitoring) a cloud service provider's security posture is critical. Closing the barn door after the horse has bolted is not a sustainable operating principle. Also, it's important to bear in mind that there are plenty of threats (as well as compliance mandates) where SSL for encryption of data in transit has its uses.

However, the Muscular revelations bring home the fact that SSL encrypts the channel while data is in transit between two endpoints; it does not encrypt the data itself, which is in the clear wherever that connection terminates.

Hoovering up data
Many of the enterprises we speak to understand that, in terms of current legislation, there is broad leeway for the NSA to Hoover up data -- and that technology will only provide a partial answer. As much as anything, changes in policy, process, and oversight are needed for enterprises to embrace cloud computing without putting their confidentiality, privacy, or compliance at risk.

Without direct knowledge of the NSA's inner workings, no cryptography expert is willing to rule out the notion that the agency has developed encryption-cracking capabilities. However, to crack a common encryption standard such as AES with 256-bit keys and recover even a single key, the agency would need to have made exponential leaps in its abilities and computing capacity.

Instead, the Muscular revelations point to the need for businesses to work with cloud service providers that adhere to third-party security frameworks -- and not simply assert, "We got this." This is why adherence to the Cloud Security Alliance's Cloud Controls Matrix should be the first order of business for any enterprise evaluating a cloud service provider.

As Gartner director Heidi Wachs points out in a company blog post, "If we're going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward."

So what remedies are open to enterprises that want to embrace the cloud? According to Wachs:

We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regards to data handling. We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed.

Ultimately, corporate data in the cloud is still exposed to any government's tools, or to its ability to twist cloud service providers' arms into handing over corporate data. Therefore, these programs need to be addressed on two separate tracks: the policy debate, and concrete steps that organizations can take directly to retain ownership and control of their data.

Bottom line: Enterprises absolutely must maintain direct ownership and control of their encryption keys and encrypt their data in all three states -- at rest, in transit, and in use. Any business not willing to take these steps should keep its data on the premises.
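The two points made above, that transport encryption ends where the connection terminates and that the enterprise must hold its own keys and encrypt data at rest, can be shown concretely. The following is an added example, not code from the article or from any provider it mentions: envelope encryption in Go using the standard library's AES-256-GCM. The key-encryption key (`kek`), the object name and the sample record are constructed for illustration; in practice the KEK would live in an enterprise-controlled key store. The provider stores only ciphertext and a wrapped data key, so neither a tapped link nor a compelled provider yields plaintext without the enterprise's key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is everything the provider (or anyone tapping the link) ever
// sees: ciphertext plus a data key wrapped under the enterprise KEK.
type CloudObject struct {
	WrappedDEK []byte // per-object data key, encrypted under the KEK (nonce prefixed)
	Ciphertext []byte // record encrypted under the data key (nonce prefixed)
}

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce, returning
// nonce || ciphertext. aad binds the blob to its context (here the object
// name) so a ciphertext cannot be silently swapped between objects.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal. GCM's tag check rejects any change to nonce,
// ciphertext or aad, so tampering is an error rather than garbage output.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on enterprise-controlled systems before upload: a fresh
// AES-256 data key per object, wrapped under the KEK that never leaves
// the enterprise.
func Encrypt(kek, plaintext []byte, objectName string) (CloudObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudObject{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt also runs on enterprise systems: unwrap the data key with the
// KEK, then open the record. Without the KEK this fails at the first step.
func Decrypt(kek []byte, obj CloudObject, objectName string) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(objectName))
}

func main() {
	// Constructed KEK for the demo; a real one comes from an enterprise-held HSM/KMS.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte("constructed sample: customer 4711, contract value 1.2M")
	name := "contracts/4711.json"

	obj, err := Encrypt(kek, record, name)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible to provider:", bytes.Contains(obj.Ciphertext, record))

	got, err := Decrypt(kek, obj, name)
	fmt.Println("enterprise round trip ok:", err == nil && bytes.Equal(got, record))

	_, err = Decrypt(make([]byte, 32), obj, name) // provider-side guess at a key
	fmt.Println("decrypt without enterprise KEK fails:", err != nil)

	obj.Ciphertext[len(obj.Ciphertext)-1] ^= 0x01 // modified in storage or on the wire
	_, err = Decrypt(kek, obj, name)
	fmt.Println("tampered object rejected:", err != nil)
}
```

The design point is the split between the two keys: the data key travels with the object but only in wrapped form, and the KEK is the one secret the enterprise must actually protect and rotate. Rotating the KEK means re-wrapping the small data keys, not re-encrypting every stored object.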

Comments
Marilyn Cohodas, User Rank: Strategist
11/27/2013 | 8:10:37 AM
Re: Here! Here!
Thanks for the heads up about Muscular, Elad. Gartner offers some good advice about the importance of strong CSP contracts that include privacy protections and apply increased security control and transparency for data handling. But I wonder how willing CSPs are to engage in these discussions? 
RussellWalker, User Rank: Apprentice
11/26/2013 | 1:56:37 PM
Here! Here!
The lazy buyer will make the hacker (legal or not) a happy person.