Dark Reading is part of the Informa Tech Division of Informa PLC


3/14/2014
04:45 PM
Elad Yoran
Commentary

Safe Harbor, Lavabit & The Future Of Cloud Security

For cloud computing to grow, we need a balance between individual privacy and control of data, and the government's ability to fight crime and terrorism. Persistent encryption may be the answer.

The ongoing case of the federal government versus Lavabit was a hot topic of discussion at RSA -- not just regarding the merits of the case, but because it demonstrates how the increasingly stringent safe harbor provisions in the European Union can impact US companies doing business in the cloud.

For those who didn't follow the story, Lavabit, an organization that offered encrypted email as a service, shut down last August without explanation. Under a gag order, Lavabit CEO Ladar Levison was prohibited from disclosing any information relating to the shuttering of the business, as well as the details leading to the termination of Lavabit.

After court documents were unsealed, it emerged that Levison was resisting a government order to provide Lavabit's encryption key to authorities. The nature of the Lavabit email service was that a single key was shared for encrypting all client email. The government insisted on acquiring the key, so that it could access one client's email account -- ex-National Security Agency contractor Edward Snowden. Lavabit objected to handing over the encryption key, since it would not only decrypt one client's email, but it would also provide access to the company's few hundred thousand customers' data in the clear.

So what does the US government's legal dispute with Lavabit over access to its encryption key have in common with discussion over Safe Harbor principles? On a simple level, the connection is obvious -- both are reactions to activities by the NSA (and other agencies within and outside of the US) to access vast amounts of cloud data without the data owner's knowledge or consent. However, this issue is much larger than the NSA.

The NSA is doing what it was created to do: collect data, analyze it, and use it to protect US interests. To date, we haven't seen its agents violate the principles they are sworn to uphold. However, the bigger issue is one of privacy -- a fundamental right that is fueling an important debate over whether people are willing to give up privacy in exchange for security.

In the case of the EU and its Safe Harbor provisions, regulators are moving closer to a version that requires the cloud service provider (CSP) to at least notify data owners when their information has been accessed.

Harbinger of clouds to come
The more profound connection, however, is that both the Lavabit case and the Safe Harbor provisions are harbingers of the future of cloud computing policies. For cloud computing to continue to grow, there needs to be a better balance between end users' requirements for privacy, confidentiality, and direct control of data, and the ability for law enforcement and government agencies to fight crime and terrorism. These are both attempts to nudge the pendulum back from where it has shifted over the last few years, toward ever-greater government surveillance of all cloud and Internet traffic, at the expense of user privacy and confidentiality.

What differentiates the Lavabit case from the new EU data residency requirements, which signal changes to the Safe Harbor provisions that have governed data transfers for more than a decade, is that it represents an attempt by a CSP to contest the scope of NSA access to cloud data through the courts. Changes to the Safe Harbor provisions will in all likelihood place a new set of requirements on CSPs (or at least compel them to uphold their own privacy policies better). And they'll have to consult directly with major cloud service providers (most of whom are based in the US) to make that happen.

Regardless of the outcome of both the Lavabit case and the EU's revised set of Safe Harbor provisions, you can be sure that the cloud landscape will be different six months from now -- and it will continue to change into the future. Recent modifications recommended by President Obama on how phone metadata collection is performed almost certainly mean that privacy concerns will play a greater role in national security investigation policies.

On the other hand, Lavabit's legal response to an appeal by the government requesting the defunct service provider's encryption key suggests that it will be a lengthy process within the US to have policies changed, because of the investments the government has made in data mining and capture technologies. Already, we have seen explicit pushback from the intelligence community to the steps outlined by President Obama. Yet, while the NSA and Snowden are currently grabbing headlines, it goes well beyond that. Other government agencies accessing data with a subpoena, such as the IRS, may set off more sensitive issues in this privacy vs. security debate.

Sieve theory
The current methodology is based on what some observers are calling the sieve theory: It doesn't matter as much what data goes into the data mining process; the information that is produced from the process justifies the activity. In the course of action, all kinds of enterprise data can get caught up and stored in ways that the data owners never intended -- regardless of legal arguments about Fourth Amendment rights.

So what options are available to enterprises looking to move to the cloud but not willing to become entangled in a privacy, compliance, data residency, and security morass?

Customers need to proactively take control of their own data by persistently encrypting data before sending it to the cloud. Encryption at rest and in transit is no longer sufficient. To ensure that the data is never decrypted outside their control, businesses must implement encryption "in use." This way, they can apply the proper governance over the data, regardless of where it lies. This use of encryption as a circuit breaker allows enterprises to balance their need for privacy and confidentiality with the needs of law enforcement and anti-terrorism agencies.

If there is a legitimate and lawful reason why an organization should hand over data in response to a request, then businesses should have a seat at the table. Encrypting data in all three states of existence, combined with ownership of encryption keys, is the only way to accomplish this.

We each play a role in protecting information that should be private in this real-life drama. The government's role is to continue to gather and analyze data for tax, regulatory, law enforcement, or national security purposes. Cloud providers are stepping up to do their part to protect their environments from internal and external threats. Most importantly, we all have personal responsibility, as well, and we must take action to implement persistent encryption to protect what we believe in.

Elad Yoran is currently CEO and Chairman of Vaultive. His nearly 20 years in the cyber security industry spans experience as an executive, consultant, investor, investment banker and a several-time successful entrepreneur. Elad's entrepreneurial experience includes Riptech, ...

Comments
Stratustician
User Rank: Moderator
3/19/2014 | 2:49:06 PM
How far does privacy extend
I really hope that the Lavabit case forces the writing of acceptable privacy laws that balance the ability for individual citizens who haven't done anything to warrant surveillance to have privacy from government entities, and balancing the overall security of nations as a whole.  Right now the "push everything through and we'll find something" mentality is unjustifiable.  Encryption is absolutely the right tool when it comes to enforcing privacy, however my gut tells me those who leverage these types of services will have a nice red card added to their files and automatically be deemed to have something to hide.