Dark Reading is part of the Informa Tech Division of Informa PLC

10/3/2014 11:32 AM
Sara Peters

To Combat Government Snooping, Encrypt Data Before Putting It In Cloud, Says Interop Speaker

If Uncle Sam wants your data, make him come directly to you.

INTEROP NEW YORK -- Using cloud services lets your organization hand off "the basic blocking and tackling" of securing an infrastructure, but it also lets the cloud service provider hand your organization's data to the government, said Elad Yoran, CEO of Security Growth Partners and an advisory board member for Vaultive, at the Interop conference this week. The solution, he said, is to make sure that the only thing a cloud provider can give the government is complete gibberish.

According to Yoran, organizations should encrypt data before it ever enters the cloud and keep the encryption keys themselves, stored somewhere the provider cannot reach. (Vaultive sells an appliance for this "encryption-in-use": it sits in the organization's DMZ and encrypts data on its way to the cloud service and decrypts it on the way back, so the provider only ever stores and processes ciphertext.)
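As an added illustration of the encrypt-before-upload pattern (example code written for this page, not Vaultive's product and not anything Yoran presented), here is a small gateway in Go that holds an AES-256-GCM key on the customer's side, encrypts the sensitive fields of a record before it leaves for the provider, and decrypts them on the way back. The record, the choice of which fields count as sensitive, and the key handling are constructed assumptions. What the provider stores, and therefore all it could hand over, is the ciphertext: a party without the key cannot decrypt it, and because the field name is bound in as GCM additional authenticated data, a ciphertext moved to another field fails verification too.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Gateway models the customer-side encryption proxy: it holds the key,
// encrypts sensitive fields on the way out and decrypts them on the way back.
// The cloud provider never sees the key or the plaintext of those fields.
type Gateway struct {
	aead      cipher.AEAD
	sensitive map[string]bool // field names that must never reach the provider in clear
}

// NewGateway wraps a customer-held 32-byte key in AES-256-GCM.
func NewGateway(key []byte, sensitiveFields ...string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	g := &Gateway{aead: aead, sensitive: map[string]bool{}}
	for _, f := range sensitiveFields {
		g.sensitive[f] = true
	}
	return g, nil
}

// Outbound returns the record as the provider will store it. Sensitive values
// become base64(nonce || ciphertext || tag), with the field name as additional
// authenticated data so a ciphertext cannot be moved to another field.
// Field names and non-sensitive values stay in the clear.
func (g *Gateway) Outbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if !g.sensitive[field] {
			out[field] = value
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
		out[field] = base64.StdEncoding.EncodeToString(ct)
	}
	return out, nil
}

// Inbound reverses Outbound. Tampering, a swapped field, or a wrong key fails
// the GCM tag check and yields an error rather than garbage plaintext.
func (g *Gateway) Inbound(stored map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(stored))
	for field, value := range stored {
		if !g.sensitive[field] {
			out[field] = value
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(value)
		if err != nil {
			return nil, err
		}
		ns := g.aead.NonceSize()
		if len(raw) < ns+g.aead.Overhead() {
			return nil, errors.New("ciphertext too short for field " + field)
		}
		pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %s: %w", field, err)
		}
		out[field] = string(pt)
	}
	return out, nil
}

// SampleRecord is a constructed example record, not real customer data.
func SampleRecord() map[string]string {
	return map[string]string{
		"id":    "cust-1042",
		"email": "alice@example.com",
		"notes": "constructed sample text",
	}
}

func main() {
	key := make([]byte, 32) // assumption: generated and kept on-premises, e.g. in an HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gw, err := NewGateway(key, "email", "notes")
	if err != nil {
		panic(err)
	}
	stored, _ := gw.Outbound(SampleRecord())
	fmt.Println("what the provider holds:", stored)
	back, _ := gw.Inbound(stored)
	fmt.Println("what the customer sees :", back)
}
```

The trade-off this shows is the one an appliance of this kind makes: field names and any value the provider must search, sort or index on stay visible to the provider, so they are also what a request served on the provider would yield. Only the fields routed through the gateway are protected, and only for as long as the key never leaves the customer's side.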

Although this would not stop the government from demanding access to an organization's data, it would force authorities to subpoena the organization directly -- not the cloud provider -- so the company's own legal department could lead the process. It would also prevent the government from sweeping up many cloud tenants' data when it only needs one tenant's. Everything rests on the keys staying out of the provider's hands: whatever the proxy leaves in the clear so the provider can search or index it is exactly what a request served on the provider will yield.

It would also address the "data residency" problem. Keeping data on a server in one country so that it is out of reach of another country's demands may no longer work, following a court ruling against Microsoft in July. The court ruled that because Microsoft is a US company with control over the data, it must surrender customer data to the US government even though that data resides on servers in Ireland, outside US territory. Microsoft has appealed the decision and refused to release the data; it has been held in contempt of court and may face sanctions even while the appeal is still in progress.

Yoran expects that the law will eventually catch up and may find a way around encryption-in-use, but, he says, it is preferable to the status quo.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
mroberts1161,
User Rank: Strategist
10/26/2014 | 8:03:05 PM
Re: Government snooping
Gov would still need to get the key.
ctchism,
User Rank: Apprentice
10/15/2014 | 10:14:59 AM
Government snooping
Who amongst us thinks that the government does not have the decryption algorithm for all of the "allowed" encryption methods in the U.S. now?
Sara Peters,
User Rank: Author
10/7/2014 | 12:51:47 PM
Re: it's that simple...
@Marilyn "That could take some time to wind through the courts." I don't care how long it takes, as long as they come out with the right answer. :) If the government goes ahead and says that MS has to turn over data located in another country, they're going to make international business a nightmare.
Marilyn Cohodas,
User Rank: Strategist
10/7/2014 | 7:46:15 AM
Re: it's that simple...
The US cloud companies doing business in Europe are definitely handicapped by US government policy, that's for sure. The outcome of the Microsoft appeal will be telling, though I'm not holding my breath. That could take some time to wind through the courts.
Sara Peters,
User Rank: Author
10/6/2014 | 1:32:26 PM
Re: it's that simple...
@Pablo  Sigh. It's exhausting. If I were a company outside the US, I wouldn't want to use any US-based cloud services either. I don't know if that's ever going to change. Or if it will change too late.
Pablo Valerio,
User Rank: Strategist
10/6/2014 | 1:27:39 PM
Re: it's that simple...
@Sara, this is the usual problem with dual-use technology. Once the surveillance and spying programs are in place the temptation to use them for obtaining other intelligence is too big to resist.

One thing is clear to me: no European corporation trusts the US government to refrain from spying on them. And full encryption programs, plus zero-knowledge services, are booming.

The AirWatch CEO was telling us that they are now serving their international customers from Canada and the UK, but they can't stop the US from requesting access; they'll fight it, but that is as far as they can go.
Sara Peters,
User Rank: Author
10/6/2014 | 12:33:05 PM
Re: it's that simple...
@Pablo Well that's an interesting viewpoint: "He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure." What do you think, Pablo? Is he right or wrong? Does he have inside information?

I can see his point, and it might be totally right when the US is trying to explain why they want data located in another country. But looking for industrial secrets might not be the reason for their domestic snooping.
Pablo Valerio,
User Rank: Strategist
10/6/2014 | 5:12:06 AM
Re: it's that simple...
More than a year ago, before the Ed Snowden NSA scandal, the UN published the Report of the Special Rapporteur (Google "UN A/HRC/23/40") on the right to freedom of opinion and expression. One of the conclusions was that: 

"Individuals should be free to use whatever technology they choose to secure their communications. States should not interfere with the use of encryption technologies, nor compel the provision of encryption keys."

I believe Apple and Google are going in that direction with their decision to encrypt smartphones by default, and not store encryption keys in their servers.

A few days ago I attended the AirWatch Connect conference in London. I had an interesting discussion with the CIO of a major European pharmaceutical company. He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure.
Thomas Claburn,
User Rank: Ninja
10/3/2014 | 4:32:34 PM
Re: it's that simple...
>But the key trick here is that all encryption keys should be kept on-site by the customer.  

Preferably not on a Post-It stuck to one's monitor.
Stratustician,
User Rank: Moderator
10/3/2014 | 1:50:25 PM
it's that simple...
It seems like perfect sense that all data should be encrypted before it hits cloud servers or storage, but sadly I don't think it's too common a practice. As the article clearly points out, the side benefit of encryption, aside from enhanced security on the data itself, is that indeed, if there is a government request for your data and the provider complies, the data they pass on will be of no value. But the key trick here is that all encryption keys should be kept on-site by the customer. This not only limits the exposure that could come from the provider having access to the raw, unencrypted data, but ensures that the data remains in the control of the customer.