Cloud | Commentary
Elad Yoran
11/26/2013 11:06 AM

NSA Surveillance: First Prism, Now Muscled Out Of Cloud

Companies can no longer discount the risk of losing control of confidential corporate data in the cloud. Government data mining is here to stay, in one invasive form or another.

The latest round of stunning revelations of National Security Agency (NSA) surveillance and data mining of cloud-based services and Internet communications has added a new term to our lexicon of government spying. In addition to Prism, we now have Muscular looming over cloud adoption.

The Muscular revelations are eye-opening because, according to The Washington Post, they point to a far wider scope and far more indiscriminate data capture than even the Prism revelations suggest. This collection is done by intercepting the private links that connect Google and Yahoo datacenters around the world -- and decrypting the traffic that should be protected in transit. Microsoft recently testified to the European Union Parliament that the company does not encrypt its server-to-server data communications. Another revelation is that this program is being operated in conjunction with the United Kingdom's NSA counterpart, the Government Communications Headquarters. This is a broad issue, as governments all over the world are accessing private data in ways that are only now being made public.

Inevitably, we find ourselves asking the same set of questions we did when reports of Prism emerged. But now there is an added twist: Is there any way to protect the privacy of cloud data, and, in fact, any point in encrypting data at all, given the range of technical tools and programs at the NSA's disposal? We've learned of cloud service providers being compelled or cajoled to hand over the keys used to encrypt data at rest. Does Muscular mean the value of encrypting data in transit is being undermined as well?

These new revelations certainly underscore the risk of cloud data landing in places outside enterprise controls. But we should be careful about overstating the implications for encryption technology as a whole.

First of all, the NSA has circumvented the SSL encryption process by tapping the provider's datacenter directly. The implication here is not that SSL is of no intrinsic value, but rather that evaluating (and monitoring) a cloud service provider's security posture is critical. Closing the barn door after the horse has bolted is not a sustainable operating principle. Also, it's important to bear in mind that there are plenty of threats (as well as compliance mandates) where SSL for encryption of data in transit has its uses.

However, the Muscular revelations bring home the fact that SSL protects data only while it is in transit; it does not encrypt the data itself once it arrives at the provider.

Hoovering up data
Many of the enterprises we speak to understand that, under current legislation, there is broad leeway for the NSA to hoover up data -- and that technology will provide only a partial answer. As much as anything, changes in policy, process, and oversight are needed for enterprises to embrace cloud computing without putting their confidentiality, privacy, or compliance at risk.

Without direct knowledge of the NSA's inner workings, no cryptography expert is willing to rule out the notion that the agency has developed encryption-cracking capabilities. However, in order to crack common data encryption standards such as 256-bit AES and recover even a single key, the agency would have to have made exponential leaps in its abilities and computing capacity.

Instead, the Muscular revelations point to the need for businesses to work with cloud service providers that adhere to third-party security frameworks -- and not simply assert, "We got this." This is why adherence to the Cloud Security Alliance's Cloud Controls Matrix should be the first order of business for any enterprise evaluating a cloud service provider.

As Gartner director Heidi Wachs points out in a company blog post, "If we're going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward."

So what remedies are open to enterprises that want to embrace the cloud? According to Wachs:

We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regards to data handling. We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed.

Ultimately, corporate data in the cloud is still exposed to any government's tools, or to its ability to twist cloud service providers' arms into handing over corporate data. Therefore, beyond the policy debate these programs demand, we need to define steps that organizations can take directly to retain ownership and control of their data.

Bottom line: Enterprises absolutely must maintain direct ownership and control of their encryption keys and encrypt their data in all three states -- at rest, in transit, and in use. Any business not willing to take these steps should keep its data on premises.
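The two points above (SSL protects data only on the wire, and the enterprise must hold its own keys) are easiest to see in code. The following Go program is an added example, not code from the article or from any cloud provider: it models a provider that stores whatever bytes it receives, and contrasts a TLS-only upload (plaintext at rest on the provider's side) with data sealed under an enterprise-held AES-256-GCM key before it leaves the premises. The provider object, the object names and the sample "secret" are all constructed for the example; in a real deployment the key would live in the enterprise's own KMS or HSM rather than in a byte slice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newKey generates a 256-bit AES key. In a real deployment this key is created
// and held in the enterprise's own KMS or HSM; the cloud provider never sees it.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts plaintext with AES-256-GCM before it leaves the enterprise.
// The returned object is nonce || ciphertext || tag. aad (here the object name)
// is authenticated but not encrypted, so a stored blob cannot be silently
// swapped under a different name.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per object: GCM loses its guarantees if a nonce is
	// ever reused under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open verifies and decrypts an object produced by seal. A modified object,
// a wrong key, or mismatched aad yields an error rather than garbage.
func open(key, object, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(object) < gcm.NonceSize() {
		return nil, errors.New("object too short to contain a nonce")
	}
	nonce, ct := object[:gcm.NonceSize()], object[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// providerStore models the cloud side (constructed for this example): it keeps
// whatever bytes it is given and has no access to the enterprise key.
type providerStore struct{ objects map[string][]byte }

func newProviderStore() *providerStore {
	return &providerStore{objects: map[string][]byte{}}
}

func (p *providerStore) put(name string, data []byte) { p.objects[name] = data }

// exposes reports whether anyone reading the provider's storage (or tapping an
// unencrypted link between its datacenters) can find the secret verbatim.
func (p *providerStore) exposes(name string, secret []byte) bool {
	return bytes.Contains(p.objects[name], secret)
}

func main() {
	// Constructed sample document; not real data.
	secret := []byte("sample: Q3 board minutes, acquisition target ACME")
	store := newProviderStore()

	// TLS-only: protected on the wire, then stored exactly as received.
	store.put("minutes.txt", secret)
	fmt.Println("TLS-only, provider can read it:", store.exposes("minutes.txt", secret))

	// Client-side encryption under an enterprise-held key.
	key, _ := newKey()
	obj, _ := seal(key, secret, []byte("minutes.txt"))
	store.put("minutes.txt", obj)
	fmt.Println("client-side encrypted, provider can read it:", store.exposes("minutes.txt", secret))
	pt, err := open(key, obj, []byte("minutes.txt"))
	fmt.Println("enterprise decrypts it:", err == nil && bytes.Equal(pt, secret))
}
```

The important design choice is where the key lives: seal and open only ever run on the enterprise side, so a tap on the provider's inter-datacenter links, or a request to the provider for its keys, yields ciphertext and nothing to decrypt it with. The authenticated-encryption mode also means that tampering with a stored object is detected on open rather than silently returning altered data.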

Comments
Marilyn Cohodas,
User Rank: Strategist
11/27/2013 | 8:10:37 AM
Re: Here! Here!
Thanks for the heads up about Muscular, Elad. Gartner offers some good advice about the importance of strong CSP contracts that include privacy protections and apply increased security control and transparency for data handling. But I wonder how willing CSPs are to engage in these discussions? 
RussellWalker,
User Rank: Apprentice
11/26/2013 | 1:56:37 PM
Here! Here!
The lazy buyer will make the hacker (legal or not) a happy person.