Safe Harbor, Lavabit & The Future Of Cloud Security
For cloud computing to grow, we need a balance between individual privacy and control of data, and the government's ability to fight crime and terrorism. Persistent encryption may be the answer.
March 14, 2014
The ongoing case of the federal government versus Lavabit was a hot topic of discussion at RSA -- not just regarding the merits of the case, but because it demonstrates how the increasingly stringent safe harbor provisions in the European Union can impact US companies doing business in the cloud.
For those who didn't follow the story, Lavabit, an organization that offered encrypted email as a service, shut down last August without explanation. Under a gag order, Lavabit CEO Ladar Levison was prohibited from disclosing any information relating to the shuttering of the business, as well as the details leading to the termination of Lavabit.
After court documents were unsealed, it emerged that Levison was resisting a government order to provide Lavabit's encryption key to authorities. The nature of the Lavabit email service was that a single key was shared for encrypting all client email. The government insisted on acquiring the key, so that it could access one client's email account -- ex-National Security Agency contractor Edward Snowden. Lavabit objected to handing over the encryption key, since it would not only decrypt one client's email, but it would also provide access to the company's few hundred thousand customers' data in the clear.
So what does the US government's legal dispute with Lavabit over access to its encryption key have in common with discussion over Safe Harbor principles? On a simple level, the connection is obvious -- both are reactions to activities by the NSA (and other agencies within and outside of the US) to access vast amounts of cloud data without the data owner's knowledge or consent. However, this issue is much larger than the NSA.
The NSA is doing what it was created to do: collect data, analyze it, and use it to protect US interests. To date, we haven't seen its agents violate the principles they are sworn to uphold. However, the bigger issue is one of privacy -- a fundamental right that is fueling an important debate over whether people are willing to give up privacy in exchange for security.
In the case of the EU and its Safe Harbor provisions, regulators are moving closer to a version that requires the cloud service provider (CSP) to at least notify data owners when their information has been accessed.
Harbinger of clouds to come
The more profound connection, however, is that both the Lavabit case and the Safe Harbor provisions are harbingers of the future of cloud computing policies. For cloud computing to continue to grow, there needs to be a better balance between end users' requirements for privacy, confidentiality, and direct control of data, and the ability for law enforcement and government agencies to fight crime and terrorism. These are both attempts to nudge the pendulum back from where it has shifted over the last few years, toward ever-greater government surveillance of all cloud and Internet traffic, at the expense of user privacy and confidentiality.
What differentiates the Lavabit case from the new EU data residency requirements, which flag changes to the Safe Harbor provisions that have governed data transfers for more than a decade, is that it represents an attempt by a CSP to contest the scope of NSA access to cloud data through the courts. Changes to the Safe Harbor provisions will in all likelihood place a new set of requirements on CSPs (or at least compel them to uphold their own privacy policies better). And they'll have to consult directly with major cloud service providers (most of whom are based in the US) to make that happen.
Regardless of the outcome of both the Lavabit case and the EU's revised set of Safe Harbor provisions, you can be sure that the cloud landscape will be different six months from now -- and it will continue to change into the future. Recent modifications recommended by President Obama on how phone metadata collection is performed almost certainly mean that privacy concerns will play a greater role in national security investigation policies.
On the other hand, Lavabit's legal response to an appeal by the government requesting the defunct service provider's encryption key suggests that it will be a lengthy process within the US to have policies changed, because of the investments the government has made in data mining and capture technologies. Already, we have seen explicit pushback from the intelligence community to the steps outlined by President Obama. Yet, while the NSA and Snowden are currently grabbing headlines, it goes well beyond that. Other government agencies accessing data with a subpoena, such as the IRS, may set off more sensitive issues in this privacy vs. security debate.
The current methodology is based on what some observers are calling the sieve theory: It doesn't matter as much what data goes into the data mining process; the information that is produced from the process justifies the activity. In the course of action, all kinds of enterprise data can get caught up and stored in ways that the data owners never intended -- regardless of legal arguments about Fourth Amendment rights.
So what options are available to enterprises looking to move to the cloud but not willing to become entangled in a privacy, compliance, data residency, and security morass?
Customers need to proactively take control of their own data by persistently encrypting data before sending it to the cloud. Encryption at rest and in transit is no longer sufficient. To ensure that the data is never decrypted outside their control, businesses must implement encryption "in use." This way, they can apply the proper governance over the data, regardless of where it lies. This use of encryption as a circuit breaker allows enterprises to balance their need for privacy and confidentiality with the needs of law enforcement and anti-terrorism agencies.
If there is a legitimate and lawful reason why an organization should hand over data in response to a request, then businesses should have a seat at the table. Encrypting data in all three states of existence, combined with ownership of encryption keys, is the only way to accomplish this.
We each play a role in protecting information that should be private in this real-life drama. The government's role is to continue to gather and analyze data for tax, regulatory, law enforcement, or national security purposes. Cloud providers are stepping up to do their part to protect their environments from internal and external threats. Most importantly, we all have personal responsibility, as well, and we must take action to implement persistent encryption to protect what we believe in.
About the Author(s)
Elad Yoran is currently CEO and Chairman of Vaultive. His nearly 20 years in the cyber security industry span experience as an executive, consultant, investor, investment banker and several-time successful entrepreneur. Elad's entrepreneurial experience includes Riptech, the pioneering provider of managed security services to governments and Fortune 500 corporations around the world, acquired by Symantec Corporation; Sentrigo, a leading provider of database security recently acquired by McAfee; and MediaSentry, a provider of anti-piracy technology solutions to the motion picture, music and software industries, acquired by SafeNet. Elad has also served as Vice President, Global Business Development at Symantec and as Vice President at Broadview International (acquired by Jefferies), an investment bank focusing on mergers and acquisitions in the technology industry, where he led the firm's information security practice. Elad has been recognized as "Entrepreneur of the Year" by Ernst & Young.
Elad also serves as general partner of Security Growth Partners and was a leading investor in NetWitness (acquired by EMC/RSA). He is a member of several technology, security and community Boards, including the Cloud Security Alliance (CSA) New York Metro Chapter; KoolSpan (Chairman); the FBI Information Technology Advisory Council (ITAC); and previously the Department of Homeland Security Advisory Board for Command, Control and Interoperability for Advanced Data Analysis (CCICADA). Elad serves as Trustee of the Jewish Chapel Fund, US Military Academy at West Point.
Elad authored the Internet Security Threat Report, which was cited in briefings to the U.S. Congress. Elad served as an officer in the U.S. Army and is a veteran of Operation Restore Hope in Somalia. He holds an MBA from the Wharton School of the University of Pennsylvania and a B.S. degree with honors from the United States Military Academy at West Point.