Cloud
11/26/2013
11:06 AM
Elad Yoran
Commentary
NSA Surveillance: First Prism, Now Muscled Out Of Cloud

Companies can no longer discount the risk of losing control of confidential corporate data in the cloud. Government data mining is here to stay, in one invasive form or another.

The latest round of stunning revelations of National Security Agency (NSA) surveillance and data mining of cloud-based services and Internet communications has added a new term to our lexicon of government spying. In addition to Prism, we now have Muscular looming over cloud adoption.

The Muscular revelations are eye-opening because, according to The Washington Post, they point to a far wider scope and far more indiscriminate data capture than even the Prism revelations suggested. The collection is done by intercepting the private links that connect Google and Yahoo datacenters around the world -- and decrypting traffic that should be protected in transit. Microsoft recently testified to the European Union Parliament that the company does not encrypt its server-to-server data communications. Another revelation is that the program is operated jointly with the NSA's United Kingdom counterpart, the Government Communications Headquarters (GCHQ). This is a broad issue: governments all over the world are accessing private data in ways that are only now being made public.

Inevitably, we find ourselves asking the same set of questions we did when reports of Prism emerged. But now there is an added twist: Is there any way to protect the privacy of cloud data, and, in fact, any point in encrypting data with the range of technical tools and programs at the NSA's disposal? We've learned of cloud service providers being compelled or cajoled to hand over the keys for encryption of data at rest. Does Muscular mean we are seeing the value of encryption of data in transit being undermined?

These new revelations certainly underscore the risk of cloud data landing in places outside enterprise controls. But we should be careful about overstating the implications for encryption technology as a whole.

First of all, the NSA has circumvented the SSL encryption process by tapping the provider's datacenter directly. The implication here is not that SSL is of no intrinsic value, but rather that evaluating (and monitoring) a cloud service provider's security posture is critical. Closing the barn door after the horse has bolted is not a sustainable operating principle. Also, it's important to bear in mind that there are plenty of threats (as well as compliance mandates) where SSL for encryption of data in transit has its uses.

However, the Muscular revelations bring home the fact that SSL encrypts the connection that carries the data, not the data itself: once the connection terminates at the provider, the data is back in the clear on the provider's internal links and storage.

Hoovering up data
Many of the enterprises we speak to understand that, in terms of current legislation, there is broad leeway for the NSA to Hoover up data -- and that technology will only provide a partial answer. As much as anything, changes in policy, process, and oversight are needed for enterprises to embrace cloud computing without putting their confidentiality, privacy, or compliance at risk.

Without direct knowledge of the NSA's inner workings, no cryptography expert is willing to rule out the notion that the agency has developed encryption-cracking capabilities. However, to crack a common data encryption standard such as 256-bit AES and recover even a single key, the agency would have to have made exponential leaps in its abilities and computing capacity.

Instead, the Muscular revelations point to the need for businesses to work with cloud service providers that adhere to third-party security frameworks -- and not simply assert, "We got this." This is why adherence to the Cloud Security Alliance's Cloud Controls Matrix should be the first order of business for any enterprise evaluating a cloud service provider.

As Gartner director Heidi Wachs points out in a company blog post, "If we're going to address the privacy issues associated with cloud computing, then we need to start by accepting the current state of play and figure out how to enhance and strengthen it moving forward."

So what remedies are open to enterprises that want to embrace the cloud? According to Wachs:

We can protect data privacy better through contracts with enhanced privacy protections, applying increased security controls, and increasing transparency with regards to data handling. We need to have open, frank negotiations with cloud service providers to clearly establish where data is being stored, how it is being protected, who is accessing it, how it is being used for marketing purposes or resold to third parties, and how it is being destroyed.

Ultimately, corporate data in the cloud is still exposed to any government's tools, or to its ability to twist cloud service providers' arms into handing over corporate data. Therefore, beyond addressing these programs through policy debate, we also need to define the steps that organizations can take directly to retain ownership and control of their data.

Bottom line: Enterprises absolutely must maintain direct ownership and control of their encryption keys and encrypt their data in all three states -- at rest, in transit, and in use. Any business not willing to take these steps should keep its data on the premises.
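The bottom line above, keys held by the enterprise and data encrypted before it is ever handed to the provider, worked as an added example in Go (not code from the author or from any provider). It shows envelope encryption with AES-256-GCM: each object is sealed with a fresh data key, that key is sealed with a key-encryption key that stays on premises, and the provider, or anyone tapping a datacenter link, receives only the two ciphertexts. Function names (Encrypt, Decrypt, seal, open, must) and the sample data are my own; encryption of data in use is outside what this shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns "cannot happen" errors (bad key length, RNG failure) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcm builds AES-GCM for a 16/24/32-byte key; random returns n CSPRNG bytes.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func random(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }

// seal returns nonce || AES-GCM(key, nonce, plaintext) under a fresh nonce.
func seal(key, plaintext []byte) []byte {
	a := gcm(key)
	nonce := random(a.NonceSize())
	return a.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or any tampering yields an error, never data.
func open(key, sealed []byte) ([]byte, error) {
	a := gcm(key)
	if n := a.NonceSize(); len(sealed) >= n {
		return a.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Encrypt runs on premises before upload; the provider (or a link tap) only ever
// sees the object sealed with a fresh AES-256 DEK and that DEK sealed with the KEK.
func Encrypt(kek, plaintext []byte) (wrappedDEK, body []byte) {
	dek := random(32)
	return seal(kek, dek), seal(dek, plaintext)
}

// Decrypt also runs on premises; the KEK never leaves it, so the provider cannot.
func Decrypt(kek, wrappedDEK, body []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, body)
}
```

Rotating the KEK means re-wrapping only the small wrapped DEKs, not re-encrypting every object, which is why the key that must stay on premises is separated from the per-object keys.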

Comments
RussellWalker, User Rank: Apprentice
11/26/2013 | 1:56:37 PM
Hear! Hear!
The lazy buyer will make the hacker (legal or not) a happy person.
Marilyn Cohodas, User Rank: Strategist
11/27/2013 | 8:10:37 AM
Re: Hear! Hear!
Thanks for the heads up about Muscular, Elad. Gartner offers some good advice about the importance of strong CSP contracts that include privacy protections and apply increased security control and transparency for data handling. But I wonder how willing CSPs are to engage in these discussions? 