Elad Yoran
The NSA And Your Cloud Data: Navigating The Noise

Revelations about the reach of the National Security Agency have made waves, but don't get overwhelmed.

In the past few months, we've seen increasing coverage of how existing laws have been used to gain access to cloud-based data without the data owner's knowledge or consent. What's different with the latest revelation, as highlighted in The New York Times recently, are reports of the National Security Agency actively trying to undermine encryption technology and standards, including those adopted by the National Institute of Standards and Technology (NIST), such as the Dual EC DRBG standard.

Does this mean that the NSA's reach into electronic communications is so profound, and its abilities to dig into our communications so extensive, that businesses must come to terms with two equally unattractive options: accept that there is no way to control their own data even when they encrypt it, or avoid using cloud services?

In short, no. Peeling back the layers, the situation is not as dire as the heated coverage suggests. In fact, security experts say that the reports, while critical to fostering a debate on policy and law, could have overstated the NSA's capabilities. Basic precautions alone are unlikely to stand in the way of the NSA's surveillance efforts, but as cryptography expert Bruce Schneier notes: "The defense is easy, if annoying: stick with symmetric cryptography based on shared secrets, and use 256-bit keys." Without access to the keys or the ability to crack the encryption, the NSA must approach the data owner who holds the keys directly in order to access the data.

The Key Is The Key

Internet encryption is simply keys and locks: We understand that when we lock a door, the level of protection depends on how strong and complex the lock is and whether we store the keys safely. If we hold tight to the keys, and the encryption equivalent of the lock is impervious to hammer blows or even a master safecracker, it's less critical how the encrypted data moves through the network. But if the attacker has access to the keys, the strength of the lock is irrelevant.

The reports outline a few scenarios on how the NSA has potentially worked to undermine Internet encryption, ranked from highly unlikely to most probable:

-- Implement data-intensive and computationally intensive brute-force attacks to crack data encryption (highly unlikely).

-- Coerce vendors to maintain an "NSA-friendly" back door into their encryption and products (unlikely).

-- Coerce vendors to weaken their own encryption (improbable).

-- Hack the keys, or hack Internet infrastructure such as switches and routers (likely).

-- Force cloud service providers to hand over encryption keys or open their infrastructures to tapping by the NSA (definitely).

A brute-force attack can be thought of as someone going through the process of trying every single variation of a key before finding the one that works. This requires both a large amount of standard corporate data encrypted with the target key for comparison -- 70 TB by Schneier's estimation -- and immense amounts of dedicated computer power. The number of potential combinations increases exponentially with each additional "bit" added to the key.

The second and third scenarios involve the maker of the keys collaborating on the design of the keys with a third party, or even designing the lock so that the third party knows exactly which type of keys work. The lock is still mostly secure, but some third party can create a duplicate set of keys whenever it wants to. Those duplicates become a point of vulnerability that undermines the lock's long-term security.


The fourth scenario amounts to theft of the keys. Again, if your version of securing encryption keys is hiding them under a rock by the front door, hacking the keys is a fairly straightforward proposition for an organization as technically sophisticated as the NSA. Don't store keys in an accessible place, and restrict access to your key management system.

The fifth scenario is now a matter of public knowledge -- and one of the consequences of how cloud computing functions. When third-party cloud providers hold encryption keys, they can be lawfully compelled to open the lock (decrypt the data) before turning over the data.

So, don't hand them your keys.

Control In The Age Of Prism

When the news of the Prism program first broke, many observers argued that the risk of unauthorized disclosure was overstated. The latest revelations make it obvious that there is a real risk, and encryption provided by cloud providers buys you no privacy and confidentiality protection.

Businesses have many important reasons to protect the privacy of their data: compliance with regulations; protecting attorney-client privilege; adhering to international data residency/privacy laws; protecting intellectual property, financial, employee and customer information; and more. If IT can't rely on encryption supplied by cloud providers, can we still make use of cloud computing services?

Yes, but again, companies need to take precautions. The Cloud Security Alliance maintains a set of best practices that outline how organizations can maintain ownership and control of their data. The best practices highlight the need to define roles and responsibilities: The cloud service provider is responsible for securing, managing and monitoring its environment and facilities.

However, the responsibility for protecting data lies squarely on the end user. The CSA's guidance can be summarized as follows:

-- Data should be encrypted before it leaves the end-user organization's control.

-- Encryption should be implemented for data at rest, in transit and in use, a relatively new capability.

-- Encryption keys should be retained by the end-user organization, not the cloud service provider.

-- Select a cloud service provider that adheres to the CSA's set of best practices. (Our IaaS Buyer's Guide of 21 providers asks about the CSA STAR program.)
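As an added example, not part of the article or of the CSA guidance: a small Go program that applies the first and third points above (and the "don't hand them your keys" advice earlier) by encrypting data client-side with AES-256-GCM from Go's standard library, assumed here as the symmetric scheme, so that what the provider stores is opaque without the key the organization keeps. The Vault type and its methods are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Vault wraps the organization's own 256-bit AES-GCM key; only ciphertext ever leaves it.
type Vault struct{ aead cipher.AEAD }

// NewVault requires a 32-byte (256-bit) key, the size Schneier recommends above.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bits, need 256", len(key)*8)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead}, nil
}

// Seal encrypts client-side before upload; nonce||ciphertext is all the provider stores.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored object; with any other key GCM authentication fails and no plaintext is returned.
func (v *Vault) Open(stored []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(stored) < n {
		return nil, fmt.Errorf("stored object too short")
	}
	return v.aead.Open(nil, stored[:n], stored[n:], nil)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // generated and kept inside the organization, never uploaded
	v, _ := NewVault(key)
	stored, _ := v.Seal([]byte("constructed sample: Q3 customer list")) // constructed input
	fmt.Printf("provider stores %d opaque bytes and no key\n", len(stored))
}
```

A provider served with a legal request can hand over only the stored bytes; a key it does not hold fails GCM authentication rather than yielding data.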

Don't be overwhelmed by new revelations, but also don't assume any cloud provider is going to care as much as you do about privacy and confidentiality, or that it won't hand data over in response to a government request. Protecting your data wherever it resides is a matter of understanding how secure your encryption scheme is and being aware of who holds the encryption keys -- and how tightly.

9/17/2013 | 3:09:38 AM
re: The NSA And Your Cloud Data: Navigating The Noise
I think the risk of detailed surveillance by the NSA is minimal to all but a small minority of suspects who wave red flags at it. Nevertheless, its abilities, whether used or not, set the teeth of many of our neighbors and allies on edge. The risk today is minimal. What if the agency suddenly has a specific interest in you, for whatever reason?