Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/14/2014
04:45 PM
Elad Yoran
Elad Yoran
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Safe Harbor, Lavabit & The Future Of Cloud Security

For cloud computing to grow, we need a balance between individual privacy and control of data, and the government's ability to fight crime and terrorism. Persistent encryption may be the answer.

The ongoing case of the federal government versus Lavabit was a hot topic of discussion at RSA -- not just regarding the merits of the case, but because it demonstrates how the increasingly stringent safe harbor provisions in the European Union can impact US companies doing business in the cloud.

For those who didn't follow the story, Lavabit, an organization that offered encrypted email as a service, shut down last August without explanation. Under a gag order, Lavabit CEO Ladar Levinson was prohibited from disclosing any information relating to the shuttering of the business, as well as the details leading to the termination of Lavabit.

After court documents were unsealed, it emerged that Levison was resisting a government order to provide Lavabit's encryption key to authorities. The nature of the Lavabit email service was that a single key was shared for encrypting all client email. The government insisted on acquiring the key, so that it could access one client's email account -- ex-National Security Agency contractor Edward Snowden. Lavabit objected to handing over the encryption key, since it would not only decrypt one client's email, but it would also provide access to the company's few hundred thousand customers' data in the clear.

So what does the US government's legal dispute with Lavabit over access to its encryption key have in common with discussion over Safe Harbor principles? On a simple level, the connection is obvious -- both are reactions to activities by the NSA (and other agencies within and outside of the US) to access vast amounts of cloud data without the data owner's knowledge or consent. However, this issue is much larger than the NSA.

The NSA is doing what it was created to do: collect data, analyze it, and use it to protect US interests. To date, we haven't seen its agents violate the principles they are sworn to uphold. However, the bigger issue is one of privacy -- a fundamental right that is fueling an important debate over whether people are willing to give up privacy in exchange for security.

In the case of the EU and its Safe Harbor provisions, regulators are moving closer to a version that requires the cloud service provider (CSP) to at least notify data owners when their information has been accessed.

Harbinger of clouds to come
The more profound connection, however, is that both the Lavabit case and the Safe Harbor provisions are harbingers of the future of cloud computing policies. For cloud computing to continue to grow, there needs to be a better balance between end users' requirements for privacy, confidentiality, and direct control of data, and the ability for law enforcement and government agencies to fight crime and terrorism. These are both attempts to nudge the pendulum back from where it has shifted over the last few years, toward ever-greater government surveillance of all cloud and Internet traffic, at the expense of user privacy and confidentiality.

What differentiates the Lavabit case from new EU data residency requirements that flag changes to Safe Harbor provisions that have governed data transfers for more than a decade is that it represents an attempt by a CSP to contest the scope of NSA access to cloud data through the courts. Changes to the Safe Harbor provisions will in all likelihood place a new set of requirements on CSPs (or at least compel them to uphold their own privacy policies better). And they'll have to consult directly with major cloud service providers (most of whom are based in the US) to make that happen.

Regardless of the outcome of both the Lavabit case and the EU's revised set of Safe Harbor provisions, you can be sure that the cloud landscape will be different six months from now -- and it will continue to change into the future. Recent modifications recommended by President Obama on how phone metadata collection is performed almost certainly mean that privacy concerns will play a greater role in national security investigation policies.

On the other hand, Lavabit's legal response to an appeal by the government requesting the defunct service provider's encryption key suggests that it will be a lengthy process within the US to have policies changed, because of the investments the government has made in data mining and capture technologies. Already, we have seen explicit pushback from the intelligence community to the steps outlined by President Obama. Yet, while the NSA and Snowden are currently grabbing headlines, it goes well beyond that. Other government agencies accessing data with a subpoena, such as the IRS, may set off more sensitive issues in this privacy vs. security debate.

Sieve theory
The current methodology is based on what some observers are calling the sieve theory: It doesn't matter as much what data goes into the data mining process; the information that is produced from the process justifies the activity. In the course of action, all kinds of enterprise data can get caught up and stored in ways that the data owners never intended -- regardless of legal arguments about Fourth Amendment rights.

So what options are available to enterprises looking to move to the cloud but not willing to become entangled in a privacy, compliance, data residency, and security morass?

Customers need to proactively take control of their own data by persistently encrypting data before sending it to the cloud. Encryption at rest and in transit is no longer sufficient. To ensure that the data is never decrypted outside their control, businesses must implement encryption "in use." This way, they can apply the proper governance over the data, regardless of where it lies. This use of encryption as a circuit breaker allows enterprises to balance their need for privacy and confidentiality with the needs of law enforcement and anti-terrorism agencies.

If there is a legitimate and lawful reason why an organization should hand over data in response to a request, then businesses should have a seat at the table. Encrypting data in all three states of existence, combined with ownership of encryption keys, is the only way to accomplish this.

We each play a role in protecting information that should be private in this real-life drama. The government's role is to continue to gather and analyze data for tax, regulatory, law enforcement, or national security purposes. Cloud providers are stepping up to do their part to protect their environments from internal and external threats. Most importantly, we all have personal responsibility, as well, and we must take action to implement persistent encryption to protect what we believe in.

Elad Yoran is currently CEO and Chairman of Vaultive. His nearly 20 years in the cyber security industry spans experience as an executive, consultant, investor, investment banker and a several-time successful entrepreneur. Elad's entrepreneurial experience includes Riptech, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
3/19/2014 | 2:49:06 PM
How far does privacy extend
I really hope that the Lavabit case forces the writing of acceptable privacy laws that balance the ability for individual citizens who haven't done anything to warrant surveillance to have privacy from government entities, and balancing the overall security of nations as a whole.  Right now the "push everything through and we'll find something" mentality is unjustifiable.  Encryption is absolutely the right tool when it comes to enforcing privacy, however my gut tells me those who leverage these types of services will have a nice red card added to their files and automatically be deemed to have something to hide.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7981
PUBLISHED: 2020-01-25
sql.rb in Geocoder before 1.6.1 allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data.
CVE-2019-0141
PUBLISHED: 2020-01-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-7596
PUBLISHED: 2020-01-25
Codecov npm module before 3.6.2 allows remote attackers to execute arbitrary commands via the "gcov-args" argument.
CVE-2020-7980
PUBLISHED: 2020-01-25
Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.
CVE-2012-6613
PUBLISHED: 2020-01-25
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.