7/13/2013
12:13 PM
NSA Data Collection Worrisome For Global Firms

Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud

With the past month's revelations of vast data-collection by the National Security Agency and the cooperation of U.S. technology companies with that collection, global firms should focus on encrypting their data in the cloud, security experts say.

While government monitoring may not be at the top of the list of threats that worry companies, the wholesale collection of metadata on phone calls, as well as the relatively easy access to information in online communications, underscores the lack of security that corporate data has in the cloud. In addition, firms that operate globally must consider the privacy consequences posed by U.S. data collection and how to protect that data if it remains on servers in the United States, says Steve Weis, co-founder and chief technology officer for cloud-security firm PrivateCore.

"U.S. companies operating in other countries -- China comes to mind -- would definitely worry about this sort of data collection," Weis says. "In the same way, European companies, which have very strict privacy regulations, will not run any sort of data processing facility in the U.S. that touches personally identifiable information."

The concerns come as more information about the NSA's broad data collection became public this week. On Thursday, the Guardian UK reported that Microsoft had allegedly worked with U.S. intelligence agencies, decrypting messages sent through its business e-mail service, Outlook.com, as well as its consumer-focused services, such as Hotmail.com. In addition, Microsoft allows the NSA to access its SkyDrive cloud storage service as part of the technology company's participation in the PRISM program, the newspaper reported. PRISM is a program designed to expedite intelligence and law-enforcement officials' legal requests for data on a specific person or target.

Google, Facebook, and other service providers have also been criticized for their cooperation with the PRISM program. The companies have stressed that they do not allow direct access to user data and only respond to specific, legally obtained court orders.

"We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes," Microsoft said in a statement, adding that it rejects any demands that it believes are not valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks."

Whether U.S. intelligence and law enforcement monitoring is effective, and whether it warrants the trade-off in privacy and civil liberties, is an important public debate. For companies, however, the concerns boil down to two questions: is their data secure from general access, and will they be notified when a legal request for access is received?

"Today, the U.S. government can ask a cloud service provider for access to information, and the U.S. cloud provider has to hand over the data," says Paige Leidig, senior vice president with cloud encryption provider CipherCloud. "Not only does the customer not know that the information was handed over, but they may be put in the position of breaking the privacy laws in their own country."

Companies, especially those firms that have to abide by non-U.S. privacy laws, should consider end-to-end encryption, Leidig says. By encrypting and managing their own keys, companies can control who has access to the data and must be notified when a government agency requests to see the data. When a cloud provider holds the keys to the security of a company's data, the data can be decrypted and handed over to a government without any notice, or stolen by an insider at the provider.

[There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic. See Hacking The Human Side Of The Insider Threat.]

The impact on business is only starting to be seen. While the NSA collects metadata on phone calls between millions of Americans, it is unclear how the agency uses that information or how often it requests customer information from online service providers. Microsoft and Google have requested that they be allowed to publish more data on the number and types of requests.

"There are aspects of this debate that we wish we were able to discuss more freely," Microsoft said in its statement. "That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

Facebook and other firms gained permission in June to publish more information, but only in aggregate. In the last half of 2012, intelligence and law enforcement officials asked for information on between 18,000 and 19,000 Facebook user accounts, the company stated in June.

"With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request -- including criminal and national security-related requests -- in the past six months," said Ted Ullyot, Facebook's general counsel, in the statement. "We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive."

Yet other companies contacted for an interview -- even security vendors -- declined to comment over concerns that publicly discussing the issue may impact their business. Such worries stifle debate over the impact on civil liberties as well as the Internet economy, says Bruce Schneier, security futurologist at British Telecom.

"This is why surveillance is so poisonous," he says. "I've had people say that they are afraid to sign a petition, because if they do they fear they will be targeted in some way."

Companies, however, should treat government monitoring as they would any other security threat. By encrypting their data in the cloud themselves, rather than relying on the cloud provider to do it for them, they keep control of who accesses the information. For most companies, that should be business as usual.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
chetgrant, User Rank: Apprentice, 7/17/2013 | 4:41:32 PM
re: NSA Data Collection Worrisome For Global Firms
Crypteron, I agree with what you are saying. These things all help. However, the problem I see is that, encrypted or not, they have your data. If they want it. With enough resources and the will... well, who knows. Is the public cloud really that compelling of an option? Why risk it?
Crypteron, User Rank: Apprentice, 7/16/2013 | 8:10:06 PM
re: NSA Data Collection Worrisome For Global Firms
Snowden's disclosure of PRISM and NSA programs is shaking confidence in the public clouds. But software easily fixes this: strong data encryption can protect your information from unwanted access. We are seeing a huge inflow of customers asking for our cloud security software. Our military-grade data encryption, authentication, and key management ensure that your cloud data is safe and your company satisfies compliance requirements. Do you feel safe? Tell us what you think in the comment box below or at our website www.crypteron.com
chetgrant, User Rank: Apprentice, 7/16/2013 | 2:37:48 PM
re: NSA Data Collection Worrisome For Global Firms
IMHO, for most intents and purposes, the Cloud for business is dead. Why risk it?