10/3/2014
11:32 AM
Sara Peters

To Combat Government Snooping, Encrypt Data Before Putting It In Cloud, Says Interop Speaker

If Uncle Sam wants your data, make him come directly to you.

INTEROP NEW YORK -- Using cloud services allows your organization to hand off "the basic blocking and tackling" of securing an infrastructure, but it also allows a cloud service provider to hand your organization's data to the government, said Elad Yoran, CEO of Security Growth Partners and an advisory board member for Vaultive, at the Interop conference this week. The solution, he said, is to make sure that the only data a cloud provider can give the government is complete gibberish.

According to Yoran, organizations should encrypt data before it ever enters the cloud and keep the encryption keys themselves, stored elsewhere. (Vaultive sells an appliance for this "encryption-in-use," which sits in the organization's DMZ, encrypting and decrypting data as it passes to and from the cloud server.)

Although this would not prevent the government from demanding access to an organization's data, it would force authorities to subpoena the organization directly -- not via a cloud provider -- so the company's own legal department could lead the process. Further, it would prevent the government from acquiring multiple cloud users' data even if it only needed one user's data.
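As an added illustration of the model Yoran describes (example code, not Vaultive's product or anything from the article): a minimal "encryption-in-use" gateway in Python that keeps the master key on-site and only ever sends ciphertext to the provider's store, so a request served by the provider yields nothing readable. It uses only the standard library; a production deployment would use a vetted AEAD such as AES-GCM instead of the HMAC-SHA256 counter-mode stand-in used here, and all class, method and file names are hypothetical.

```python
import hashlib
import hmac
import os

# Added example, not Vaultive's product or the article's code. The gateway keeps the
# master key on-site; the cloud store (a dict standing in for the provider's object
# store) only ever receives ciphertext. Stdlib-only stand-in for a real AEAD such as
# AES-GCM: HMAC-SHA256 as a counter-mode keystream, then encrypt-then-MAC tagging.


class EncryptionGateway:
    """Sits in the organization's DMZ; all names here are hypothetical."""

    def __init__(self, cloud, master_key=None):
        self.cloud = cloud                      # provider-side store: sees blobs only
        master = master_key or os.urandom(32)   # generated and held on-site, never uploaded
        self.enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        blocks = (length + 31) // 32
        out = b"".join(hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                       for i in range(blocks))
        return out[:length]

    def put(self, name, plaintext):
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        self.cloud[name] = nonce + ct + tag     # what a request to the provider yields

    def get(self, name):
        blob = self.cloud[name]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("blob altered or decrypted with the wrong key")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def demo():
    cloud = {}                                  # the provider's store
    gw = EncryptionGateway(cloud)
    gw.put("customers.csv", b"acme,contact@example.com")   # constructed sample record
    provider_copy = cloud["customers.csv"]      # everything the provider could hand over
    return gw.get("customers.csv"), b"acme" in provider_copy
```

The second value returned by `demo()` is False: the blob the provider holds contains the nonce, ciphertext and tag but no recoverable plaintext, and only the on-site key turns it back into the record.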

It would also address the "data residency" problem. The practice of keeping data on a server in one country so it is exempt from another country's demands may not work anymore, since a court ruling against Microsoft in July. The court ruled that because Microsoft is an American company, it must surrender customer data to the American government, even though that data resides on servers in Ireland, outside US jurisdiction. Microsoft has appealed the decision and refused to release the data. The government is holding Microsoft under contempt of court and may seek sanctions even though the appeal process is ongoing.

Yoran expects that, eventually, the laws will catch up and may find a way around "encryption-in-use," but, he says, it is preferable to the status quo.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
mroberts1161, User Rank: Strategist
10/26/2014 | 8:03:05 PM
Re: Government snooping
Gov would still need to get the key.


ctchism, User Rank: Apprentice
10/15/2014 | 10:14:59 AM
Government snooping
Who amongst us thinks that the government does not have the decryption algorithm for all of the "allowed" encryption methods allowed in the U.S. now?

Sara Peters, User Rank: Author
10/7/2014 | 12:51:47 PM
Re: it's that simple...
@Marilyn "That could take some time to wind through the courts." I don't care how long it takes, as long as they come out with the right answer. :) If the government goes ahead and says that MS has to turn over data located in another country, they're going to make international business a nightmare.

Marilyn Cohodas, User Rank: Strategist
10/7/2014 | 7:46:15 AM
Re: it's that simple...
The US cloud companies doing business in Europe are definitely handicapped by US government policy, that's for sure. The outcome of the Microsoft appeal will be telling, though I'm not holding my breath. That could take some time to wind through the courts.

Sara Peters, User Rank: Author
10/6/2014 | 1:32:26 PM
Re: it's that simple...
@Pablo Sigh. It's exhausting. If I were a company outside the US, I wouldn't want to use any US-based cloud services either. I don't know if that's ever going to change. Or if it will change too late.

Pablo Valerio, User Rank: Strategist
10/6/2014 | 1:27:39 PM
Re: it's that simple...
@Sara, this is the usual problem with dual-use technology. Once the surveillance and spying programs are in place the temptation to use them for obtaining other intelligence is too big to resist.

One thing is clear to me: no European corporation trusts the US government to refrain from spying on them. And full encryption programs, plus zero-knowledge services, are booming.

The AirWatch CEO was telling us that they are now serving their international customers from Canada and the UK, but they can't stop the US from requesting access; they'll fight it, but that is as far as they can go.

Sara Peters, User Rank: Author
10/6/2014 | 12:33:05 PM
Re: it's that simple...
@Pablo Well, that's an interesting viewpoint: "He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure." What do you think, Pablo? Is he right or wrong? Does he have inside information?

I can see his point, and it might be totally right when the US is trying to explain why they want data located in another country. But looking for industrial secrets might not be the reason for their domestic snooping.

Pablo Valerio, User Rank: Strategist
10/6/2014 | 5:12:06 AM
Re: it's that simple...
More than a year ago, before the Ed Snowden NSA scandal, the UN published the Report of the Special Rapporteur (Google "UN A/HRC/23/40") on the right to freedom of opinion and expression. One of the conclusions was that: 

"Individuals should be free to use whatever technology they choose to secure their communications. States should not interfere with the use of encryption technologies, nor compel the provision of encryption keys."

I believe Apple and Google are going in that direction with their decision to encrypt smartphones by default, and not store encryption keys in their servers.

A few days ago I attended the AirWatch Connect conference in London. I had an interesting discussion with the CIO of a major European pharmaceutical company. He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure.

Thomas Claburn, User Rank: Ninja
10/3/2014 | 4:32:34 PM
Re: it's that simple...
>But the key trick here is that all encryption keys should be kept on-site by the customer.  

Preferably not on a Post-It stuck to one's monitor.

Stratustician, User Rank: Moderator
10/3/2014 | 1:50:25 PM
it's that simple...
It seems like perfect sense that all data should be encrypted before it hits cloud servers or storage, but sadly I don't think it's too common a practice. As the article clearly points out, the side benefit of encryption, aside from enhanced security on the data itself, is that indeed, if there is a government request for your data and the provider complies, the data they pass on will be of no value. But the key trick here is that all encryption keys should be kept on-site by the customer. This not only limits the exposure that could come from the provider having access to the raw, unencrypted data, but ensures that the data remains in the control of the customer.