Cloud
3/14/2014
04:45 PM
Elad Yoran
Commentary

Safe Harbor, Lavabit & The Future Of Cloud Security

For cloud computing to grow, we need a balance between individual privacy and control of data, and the government's ability to fight crime and terrorism. Persistent encryption may be the answer.

The ongoing case of the federal government versus Lavabit was a hot topic of discussion at RSA -- not just regarding the merits of the case, but because it demonstrates how the increasingly stringent safe harbor provisions in the European Union can impact US companies doing business in the cloud.

For those who didn't follow the story, Lavabit, an organization that offered encrypted email as a service, shut down last August without explanation. Under a gag order, Lavabit CEO Ladar Levison was prohibited from disclosing any information relating to the shuttering of the business, as well as the details leading to the termination of Lavabit.

After court documents were unsealed, it emerged that Levison was resisting a government order to provide Lavabit's encryption key to authorities. The nature of the Lavabit email service was that a single key was shared for encrypting all client email. The government insisted on acquiring the key, so that it could access one client's email account -- ex-National Security Agency contractor Edward Snowden. Lavabit objected to handing over the encryption key, since it would not only decrypt one client's email, but it would also provide access to the company's few hundred thousand customers' data in the clear.

So what does the US government's legal dispute with Lavabit over access to its encryption key have in common with discussion over Safe Harbor principles? On a simple level, the connection is obvious -- both are reactions to activities by the NSA (and other agencies within and outside of the US) to access vast amounts of cloud data without the data owner's knowledge or consent. However, this issue is much larger than the NSA.

The NSA is doing what it was created to do: collect data, analyze it, and use it to protect US interests. To date, we haven't seen its agents violate the principles they are sworn to uphold. However, the bigger issue is one of privacy -- a fundamental right that is fueling an important debate over whether people are willing to give up privacy in exchange for security.

In the case of the EU and its Safe Harbor provisions, regulators are moving closer to a version that requires the cloud service provider (CSP) to at least notify data owners when their information has been accessed.

Harbinger of clouds to come
The more profound connection, however, is that both the Lavabit case and the Safe Harbor provisions are harbingers of the future of cloud computing policies. For cloud computing to continue to grow, there needs to be a better balance between end users' requirements for privacy, confidentiality, and direct control of data, and the ability for law enforcement and government agencies to fight crime and terrorism. These are both attempts to nudge the pendulum back from where it has shifted over the last few years, toward ever-greater government surveillance of all cloud and Internet traffic, at the expense of user privacy and confidentiality.

What differentiates the Lavabit case from the new EU data residency requirements, which flag changes to the Safe Harbor provisions that have governed data transfers for more than a decade, is that it represents an attempt by a CSP to contest the scope of NSA access to cloud data through the courts. Changes to the Safe Harbor provisions will in all likelihood place a new set of requirements on CSPs (or at least compel them to uphold their own privacy policies better). And they'll have to consult directly with major cloud service providers (most of whom are based in the US) to make that happen.

Regardless of the outcome of both the Lavabit case and the EU's revised set of Safe Harbor provisions, you can be sure that the cloud landscape will be different six months from now -- and it will continue to change into the future. Recent modifications recommended by President Obama on how phone metadata collection is performed almost certainly mean that privacy concerns will play a greater role in national security investigation policies.

On the other hand, Lavabit's legal response to an appeal by the government requesting the defunct service provider's encryption key suggests that it will be a lengthy process within the US to have policies changed, because of the investments the government has made in data mining and capture technologies. Already, we have seen explicit pushback from the intelligence community to the steps outlined by President Obama. Yet, while the NSA and Snowden are currently grabbing headlines, it goes well beyond that. Other government agencies accessing data with a subpoena, such as the IRS, may set off more sensitive issues in this privacy vs. security debate.

Sieve theory
The current methodology is based on what some observers are calling the sieve theory: It doesn't matter as much what data goes into the data mining process; the information that is produced from the process justifies the activity. In the course of action, all kinds of enterprise data can get caught up and stored in ways that the data owners never intended -- regardless of legal arguments about Fourth Amendment rights.

So what options are available to enterprises looking to move to the cloud but not willing to become entangled in a privacy, compliance, data residency, and security morass?

Customers need to proactively take control of their own data by persistently encrypting data before sending it to the cloud. Encryption at rest and in transit is no longer sufficient. To ensure that the data is never decrypted outside their control, businesses must implement encryption "in use." This way, they can apply the proper governance over the data, regardless of where it lies. This use of encryption as a circuit breaker allows enterprises to balance their need for privacy and confidentiality with the needs of law enforcement and anti-terrorism agencies.

If there is a legitimate and lawful reason why an organization should hand over data in response to a request, then businesses should have a seat at the table. Encrypting data in all three states of existence, combined with ownership of encryption keys, is the only way to accomplish this.
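
The key-custody difference between the single shared key described in the Lavabit case and customer-owned keys can be shown in a few lines of Python; this is an added example, not code from the article or from any product it mentions. The mailbox contents and function names are constructed, and the HMAC-based cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM so the sketch runs without extra packages; it covers encryption before upload only, not encryption "in use."

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stdlib stand-in for a vetted AEAD such as AES-GCM.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Constructed sample mailboxes, not data from the article.
MAIL = {"alice": b"Q3 forecast", "bob": b"merger draft", "carol": b"payroll export"}

def provider_keyed_store():
    """Design A: the provider encrypts every mailbox under one key it holds."""
    provider_key = secrets.token_bytes(32)
    return provider_key, {u: seal(provider_key, m) for u, m in MAIL.items()}

def customer_keyed_store():
    """Design B: each customer encrypts before upload and keeps its own key."""
    keys = {u: secrets.token_bytes(32) for u in MAIL}
    return keys, {u: seal(keys[u], m) for u, m in MAIL.items()}

def readable_with(key, store):
    """Users whose stored blobs a holder of `key` can decrypt."""
    return sorted(u for u, blob in store.items() if unseal(key, blob) is not None)

if __name__ == "__main__":
    provider_key, store_a = provider_keyed_store()
    customer_keys, store_b = customer_keyed_store()
    print("A, provider key:", readable_with(provider_key, store_a))
    print("B, alice's key: ", readable_with(customer_keys["alice"], store_b))
```

In design B the provider holds only ciphertext, so a request for one customer's data has to go to the customer who holds that key.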

We each play a role in protecting information that should be private in this real-life drama. The government's role is to continue to gather and analyze data for tax, regulatory, law enforcement, or national security purposes. Cloud providers are stepping up to do their part to protect their environments from internal and external threats. Most importantly, we all have personal responsibility, as well, and we must take action to implement persistent encryption to protect what we believe in.

Elad Yoran is currently CEO and Chairman of Vaultive. His nearly 20 years in the cyber security industry spans experience as an executive, consultant, investor, investment banker and a several-time successful entrepreneur. Elad's entrepreneurial experience includes Riptech, ...

Comments
Stratustician
3/19/2014 | 2:49:06 PM
How far does privacy extend
I really hope that the Lavabit case forces the writing of acceptable privacy laws that balance the ability for individual citizens who haven't done anything to warrant surveillance to have privacy from government entities, and balancing the overall security of nations as a whole. Right now the "push everything through and we'll find something" mentality is unjustifiable. Encryption is absolutely the right tool when it comes to enforcing privacy; however, my gut tells me those who leverage these types of services will have a nice red card added to their files and automatically be deemed to have something to hide.