
12:13 PM

NSA Data Collection Worrisome For Global Firms

Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud

With the past month's revelations of vast data collection by the National Security Agency and the cooperation of U.S. technology companies with that collection, global firms should focus on encrypting their data in the cloud, security experts say.

While government monitoring may not be at the top of the list of threats that worry companies, the wholesale collection of metadata on phone calls, as well as the relatively easy access to information in online communications, underscores the lack of security that corporate data has in the cloud. In addition, firms that operate globally must consider the privacy consequences posed by U.S. data collection and how to protect that data if it remains on servers in the United States, says Steve Weis, co-founder and chief technology officer for cloud-security firm PrivateCore.

"U.S. companies operating in other countries -- China comes to mind -- would definitely worry about this sort of data collection," Weis says. "In the same way, European companies, which have very strict privacy regulations, will not run any sort of data processing facility in the U.S. that touches personally identifiable information."

The concerns come as more information about the NSA's broad data collection became public this week. On Thursday, the Guardian UK reported that Microsoft had allegedly worked with U.S. intelligence agencies, decrypting messages sent through its business e-mail service, Outlook.com, as well as its consumer-focused services, such as Hotmail.com. In addition, Microsoft allows the NSA to access its SkyDrive cloud storage service as part of the technology company's participation in the PRISM program, the newspaper reported. PRISM is a program designed to expedite intelligence and law-enforcement officials' legal requests for data on a specific person or target.

Google, Facebook, and other service providers have also been criticized for their cooperation with the PRISM program. The companies have stressed that they do not allow direct access to user data and only respond to specific, legally obtained court orders.

"We take our commitments to our customers and to compliance with applicable law very seriously, so we provide customer data only in response to legal processes," Microsoft said in a statement, adding that it rejects any demands that it believes are not valid. "We only ever comply with orders about specific accounts or identifiers, and we would not respond to the kind of blanket orders discussed in the press over the past few weeks."

While the efficacy of U.S. intelligence and law enforcement monitoring, and whether those efforts warrant the trade-off in privacy and civil liberties, is an important public debate, for companies the concerns boil down to two things: whether their data is secure from general access, and whether they will be notified when a legal request for access is received.

"Today, the U.S. government can ask a cloud service provider for access to information, and the U.S. cloud provider has to hand over the data," says Paige Leidig, senior vice president with cloud encryption provider CipherCloud. "Not only does the customer not know that the information was handed over, but they may be put in the position of breaking the privacy laws in their own country."

Companies, especially those firms that have to abide by non-U.S. privacy laws, should consider end-to-end encryption, Leidig says. By encrypting and managing their own keys, companies can control who has access to the data and must be notified when a government agency requests to see the data. When a cloud provider holds the keys to the security of a company's data, the data can be decrypted and handed over to a government without any notice, or stolen by an insider at the provider.

[There's no way to stop a determined insider from leaking or stealing what he knows if he can get his hands on it, but there are ways to track users as humans, rather than by just their use of company equipment or their network traffic. See Hacking The Human Side Of The Insider Threat.]

The impact on business is only starting to be seen. While the NSA collects metadata on phone calls between millions of Americans, it's unclear how it uses that information or how often it requests customer information from online service providers. Microsoft and Google have requested that they be allowed to publish more data on the number and types of requests.

"There are aspects of this debate that we wish we were able to discuss more freely," Microsoft said in its statement. "That's why we've argued for additional transparency that would help everyone understand and debate these important issues."

Facebook and other firms gained permission in June to publish more information, but only in aggregate. In the last half of 2012, intelligence and law enforcement officials asked for information on between 18,000 and 19,000 Facebook user accounts, the company stated in June.

"With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request -- including criminal and national security-related requests -- in the past six months," said Ted Ullyot, Facebook's general counsel, in the statement. "We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive."

Yet other companies contacted for an interview -- even security vendors -- declined to comment over concerns that publicly discussing the issue may impact their business. Such worries stifle debate over the impact on civil liberties as well as the Internet economy, says Bruce Schneier, security futurologist at British Telecom.

"This is why surveillance is so poisonous," he says. "I've had people say that they are afraid to sign a petition, because if they do they fear they will be targeted in some way."

Companies, however, should treat government monitoring like any other security threat. By encrypting their data in the cloud themselves, rather than relying on the cloud provider to do it for them, they keep control of who can access the information. For most companies, that should be business as usual.
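The key-custody distinction drawn by Leidig above, and restated in the closing paragraph, is the whole argument: ciphertext stored at a provider is only as private as the key is. The following Go program is an added illustration, not code from the article or from any vendor quoted in it. It models two deployments of the same storage provider. In the weak one the provider receives plaintext and encrypts it under a key it generated and holds, so it can answer a disclosure request on its own. In the end-to-end one the customer seals each object with AES-256-GCM under a key that never leaves the customer, so the provider stores only ciphertext it cannot open, and any tampering with the stored bytes is detected on decryption. `CloudStore`, `ReceivePlaintext`, `SealAndStore` and `ProviderCanRead` are hypothetical names chosen for this example, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudStore stands in for a provider: opaque uploaded bytes plus, only in the weak model, a key.
type CloudStore struct {
	objects     map[string][]byte
	providerKey []byte // nil when the customer keeps the keys; set when the provider holds them
}

// NewCloudStore takes nil for customer-managed keys, or the key the provider generated and holds.
func NewCloudStore(k []byte) *CloudStore { return &CloudStore{objects: map[string][]byte{}, providerKey: k} }

// Download returns the stored object opened under key; it fails if the key is wrong or the object is missing.
func (s *CloudStore) Download(key []byte, name string) ([]byte, error) { return Open(key, s.objects[name]) }

// RandomBytes draws n bytes from the OS CSPRNG; RandomBytes(32) is an AES-256 key.
func RandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates with AES-256-GCM; output layout is nonce || ciphertext || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := RandomBytes(gcm.NonceSize())
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key, a missing object or any modified byte.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed object missing or too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// SealAndStore is the only write path: the object is sealed under key, then stored.
// End-to-end model: the customer calls it with a key that never leaves the customer.
// Weak model: the provider calls it on plaintext it received, using its own key.
func SealAndStore(s *CloudStore, key []byte, name string, plaintext []byte) error {
	sealed, err := Seal(key, plaintext)
	if err != nil {
		return err
	}
	s.objects[name] = sealed
	return nil
}

// ReceivePlaintext is the weak model's upload: the provider gets plaintext and seals it itself.
func (s *CloudStore) ReceivePlaintext(name string, plaintext []byte) error {
	return SealAndStore(s, s.providerKey, name, plaintext)
}

// ProviderCanRead models a disclosure request answered by the provider alone.
func (s *CloudStore) ProviderCanRead(name string) bool {
	if s.providerKey == nil {
		return false
	}
	_, err := s.Download(s.providerKey, name)
	return err == nil
}

func main() {
	record := []byte("constructed sample: employee PII record")
	providerKey, _ := RandomBytes(32) // weak model: the provider generated this and holds it
	weak := NewCloudStore(providerKey)
	_ = weak.ReceivePlaintext("hr/record", record)
	customerKey, _ := RandomBytes(32) // end-to-end model: generated and kept by the customer
	strong := NewCloudStore(nil)
	_ = SealAndStore(strong, customerKey, "hr/record", record)
	fmt.Println(weak.ProviderCanRead("hr/record"), strong.ProviderCanRead("hr/record")) // true false
}
```

The stored bytes are identical in both deployments; the only difference is which party can call `Open`. In a real system the customer-side key would live in an HSM or a key-management service the customer controls, with key rotation and a separate data key per object, but the custody question is the same one this toy answers.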

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

User Rank: Apprentice
7/17/2013 | 4:41:32 PM
re: NSA Data Collection Worrisome For Global Firms
Crypteron, I agree with what you are saying. These things all help. However, the problem I see is that, encrypted or not, they have your data. If they want it. With enough resources and the will... well, who knows. Is the public cloud really that compelling of an option? Why risk it?
User Rank: Apprentice
7/16/2013 | 8:10:06 PM
re: NSA Data Collection Worrisome For Global Firms
Snowden's disclosure of PRISM and NSA programs is shaking confidence in the public clouds. But software easily fixes this; strong data encryption can protect your information from unwanted access. We are seeing a huge inflow of customers asking for our cloud security software. Our military-grade data encryption, authentication, and key management ensure that your cloud data is safe and your company satisfies compliance requirements. Do you feel safe? Tell us what you think in the comment box below or at our website www.crypteron.com
User Rank: Apprentice
7/16/2013 | 2:37:48 PM
re: NSA Data Collection Worrisome For Global Firms
IMHO, for most intents and purposes, the Cloud for business is dead. Why risk it?