Risk
8/11/2011
11:36 AM
50%
50%

Encrypt Early, Encrypt Often

You can't rely on cloud providers for data security.

Slideshow: Cloud Security Pros And Cons
Slideshow: Cloud Security Pros And Cons
(click image for larger view and for full slideshow)
This column was written by the editor-in-chief of Dr. Dobbs.

A theme that appears anytime the cloud is discussed in the context of IT is security. The general direction of this concern is the prevention of unauthorized access to cloud-hosted data and apps. If the topic is pursued, rather than just acknowledged as an issue, it generally forks into two main threads: preventing access by outside parties (hackers, crackers, protesters, and the like) and preventing access by inside parties, such as unauthorized employees.

Both issues are problems and in both cases the cloud platform vendors offer an assurance that is, at first blush, comforting. Namely, that providers deliver better security of the hosted data than most data centers can provide. The primary reason for this is that they have many full-time, dedicated resources watching security, monitoring threats, and enforcing access control. Moreover, the staff members know what to do in the event of a violation. It is true that this pool of expertise--especially at large cloud providers--is likely to significantly exceed the capabilities of most small-to-medium IT organizations and even some of the larger IT shops. And the few reports of any break-ins at cloud providers tend to support the view of good security.

What is not clear from the cloud providers' contention, however, is that there is a third possible source of access, which the providers will not protect against: Access by the provider itself either on its own initiative or at the request of government agencies. Let's look at these.

Cloud providers vary widely with respect to the access they grant themselves to your data. However, none forswears all access. Many of the companies, such as Dropbox, use encryption, but have a backdoor to decrypt anything they've encrypted. (To quote, "Dropbox cooperates with United States law enforcement when it receives valid legal process, which may require Dropbox to provide the contents of your private Dropbox. In these cases, Dropbox will remove Dropbox's encryption from the files before providing them to law enforcement.")

A reaction I see frequently to this common policy is, "If I'm doing nothing wrong, I shouldn't mind the scrutiny." This view is, of course, intensely naive. Even if you have done nothing wrong, the government agencies examining your files have no contractual obligation to you to keep them safe, nor even to get rid of all their copies once they've determined you're not guilty or that they pulled the wrong party's data. In other words, by a simple bureaucratic error of accessing the wrong account, government agencies can disseminate your information more or less freely.

Some hosts, such as Box.Net, do not even encrypt your data unless you purchase a plan that specifically includes encryption. Right now, that's only their most expensive plan, despite the company's advertisements that seem to imply all data is encrypted--it is not.

Earlier this week, Microsoft announced that foreign customers were not immune from similar provisions. Namely, that the U.S. Patriot Act forces it to provide access to any data hosted anywhere by a U.S. company--even if that data resides outside the United States.

This is a major concern. Two parties--the government and the cloud provider--have access to the data, even if it's encrypted. In the former case, the access is unfettered. The cloud provider will not defend your data on your behalf, but will turn over whatever is asked for by government request (no posted policy I've seen requires a subpoena). In the latter case, the access is nearly as unfettered. The provider is free to change the terms of their privacy policies at any time and your only choice is to remove your data--a possibly enormous cost if your infrastructure depends on the cloud application.

Read the rest of this article on Dr. Dobbs.

At the 2011 InformationWeek 500 Conference, C-level executives from leading global companies will gather to discuss how their organizations are turbo-charging business execution and growth--how their accelerated enterprises manage cash more effectively, invest more wisely, delight customers more consistently, manage risk more profitably. The conference will feature a range of keynote, panel, and workshop sessions. St. Regis Monarch Beach, Calif., Sept. 11-13. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6123
Published: 2014-12-28
IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to obtain sensitive credential information by reading installation logs.

CVE-2014-6160
Published: 2014-12-28
IBM WebSphere Service Registry and Repository (WSRR) 8.5 before 8.5.0.1, when Chrome and WebSEAL are used, does not properly process ServiceRegistryDashboard logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.