
10/3/2014
11:32 AM
Sara Peters
Quick Hits

To Combat Government Snooping, Encrypt Data Before Putting It In Cloud, Says Interop Speaker

If Uncle Sam wants your data, make him come directly to you.

INTEROP NEW YORK -- Using cloud services allows your organization to hand off "the basic blocking and tackling" of securing an infrastructure, but it also allows a cloud service provider to hand your organization's data to the government, said Elad Yoran, CEO of Security Growth Partners and an advisory board member for Vaultive, at the Interop conference this week. The solution, he said, is to make sure that the only data a cloud provider can give the government is complete gibberish.

According to Yoran, organizations should encrypt data before it ever enters the cloud and keep the encryption keys themselves, stored elsewhere. (Vaultive sells an appliance for this "encryption-in-use," which sits in the organization's DMZ, encrypting and decrypting data as it passes to and from the cloud server.)
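As an added example, not code from the article or from Vaultive, this Go program sketches the "encryption-in-use" arrangement Yoran describes: a gateway that generates and holds an AES-256-GCM key on the customer's side, so the provider's storage (modelled here as a plain map) only ever receives ciphertext and that is all it could hand over. The Gateway type, its Put/Get methods and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// Gateway is the on-premises encryption box; its key never leaves the customer.
type Gateway struct {
	aead  cipher.AEAD
	cloud map[string][]byte // the provider's storage: it only ever holds ciphertext
}
// NewGateway generates a fresh AES-256 key on-site; it is never exported.
func NewGateway(cloud map[string][]byte) *Gateway {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no usable CSPRNG means no key and no gateway
	}
	block, _ := aes.NewCipher(key)  // cannot fail: 32 bytes is a valid key size
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Gateway{aead: aead, cloud: cloud}
}
// Put encrypts a record before it leaves the DMZ; the name is bound as AEAD
// associated data, so a blob relabelled at the provider fails authentication.
func (g *Gateway) Put(name string, plaintext []byte) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never fall back to a predictable or reused nonce
	}
	g.cloud[name] = g.aead.Seal(nonce, nonce, plaintext, []byte(name))
}
// Get pulls the blob back from the provider and decrypts it on-site.
func (g *Gateway) Get(name string) ([]byte, error) {
	blob, ok := g.cloud[name]
	ns := g.aead.NonceSize()
	if !ok || len(blob) < ns {
		return nil, fmt.Errorf("record %q missing or malformed", name)
	}
	return g.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func main() {
	cloud := map[string][]byte{}
	gw := NewGateway(cloud)
	gw.Put("customers.csv", []byte("acme,contact@example.com")) // constructed sample record
	pt, err := gw.Get("customers.csv")
	fmt.Printf("provider holds %x\ngateway returns %q (err=%v)\n", cloud["customers.csv"], pt, err)
}
```

A subpoena served on the provider yields only the bytes in `cloud`; without the gateway's key, or with a blob moved to a different name, `Get` fails authentication rather than returning plaintext.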

Although this would not prevent the government from demanding access to an organization's data, it would force authorities to subpoena the organization directly -- not via a cloud provider -- so the company's own legal department could lead the process. Further, it would prevent the government from acquiring multiple cloud users' data even if it only needed one user's data.

It would also address the "data residency" problem. The practice of keeping data on a server in one country so it is exempt from another country's demands may not work anymore, since a court ruling against Microsoft in July. The court ruled that because Microsoft is an American company, it must surrender customer data to the American government, even though that data resides on servers in Ireland, outside US jurisdiction. Microsoft has appealed the decision and refused to release the data. The government is holding Microsoft under contempt of court and may seek sanctions even though the appeal process is ongoing.

Yoran expects that, eventually, the laws will catch up and may find a way around "encryption-in-use," but, he says, it is preferable to the status quo.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
mroberts1161 | User Rank: Strategist | 10/26/2014 | 8:03:05 PM
Re: Government snooping
Gov would still need to get the key.

ctchism | User Rank: Apprentice | 10/15/2014 | 10:14:59 AM
Government snooping
Who amongst us thinks that the government does not have the unencryption algorithm for all of the "allowed" encryption methods allowed in the U.S. now?
Sara Peters | User Rank: Author | 10/7/2014 | 12:51:47 PM
Re: it's that simple...
@Marilyn  "That could take some time to wind through the courts." I don't care how long it takes, as long as they come out with the right answer.   :)   If the government goes ahead and says that MS has to turn over data located in another country, they're going to make international business a nightmare.
Marilyn Cohodas | User Rank: Strategist | 10/7/2014 | 7:46:15 AM
Re: it's that simple...
The US cloud companies doing business in Europe are definitely handicapped by US government policy, that's for sure. The outcome of the Microsoft appeal will be telling..though I'm not holding my breath. That could take some time to wind through the courts.
Sara Peters | User Rank: Author | 10/6/2014 | 1:32:26 PM
Re: it's that simple...
@Pablo  Sigh. It's exhausting. If I were a company outside the US, I wouldn't want to use any US-based cloud services either. I don't know if that's ever going to change. Or if it will change too late.
Pablo Valerio | User Rank: Strategist | 10/6/2014 | 1:27:39 PM
Re: it's that simple...
@Sara, this is the usual problem with dual-use technology. Once the surveillance and spying programs are in place the temptation to use them for obtaining other intelligence is too big to resist.

One thing is clear to me: no European corporation trusts the US government to refrain from spying on them. And full encryption programs, plus zero-knowledge services are booming.

The AirWatch CEO was telling us that they are now serving their international customers from Canada and the UK, but they can't stop the US from requesting access; they'll fight it, but that is as far as they can go.
Sara Peters | User Rank: Author | 10/6/2014 | 12:33:05 PM
Re: it's that simple...
@Pablo  Well that's an interesting viewpoint:  "He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure."  What do you think, Pablo? Is he right or wrong? Does he have inside information? 

I can see his point, and it might be totally right when the US is trying to explain why they want data located in another country. But looking for industrial secrets might not be the reason for their domestic snooping.
Pablo Valerio | User Rank: Strategist | 10/6/2014 | 5:12:06 AM
Re: it's that simple...
More than a year ago, before the Ed Snowden NSA scandal, the UN published the Report of the Special Rapporteur (Google "UN A/HRC/23/40") on the right to freedom of opinion and expression. One of the conclusions was that: 

"Individuals should be free to use whatever technology they choose to secure their communications. States should not interfere with the use of encryption technologies, nor compel the provision of encryption keys."

I believe Apple and Google are going in that direction with their decision to encrypt smartphones by default, and not store encryption keys in their servers.

A few days ago I attended the AirWatch Connect conference in London. I had an interesting discussion with the CIO of a major European pharmaceutical company. He claimed that the American government is more interested in obtaining industrial secrets, to give the US a big technology advantage, than fighting terrorists, and that foreign companies can't do anything to keep their data secure.
Thomas Claburn | User Rank: Ninja | 10/3/2014 | 4:32:34 PM
Re: it's that simple...
>But the key trick here is that all encryption keys should be kept on-site by the customer.  

Preferably not on a Post-It stuck to one's monitor.
Stratustician | User Rank: Moderator | 10/3/2014 | 1:50:25 PM
it's that simple...
It seems like perfect sense that all data should be encrypted before it hits cloud servers or storage, but sadly I don't think it's too common a practice. As the article clearly points out, the side benefit of encryption, aside from enhanced security on the data itself, is that indeed, if there is a government request for your data and the provider complies, the data they pass on will be of no value. But the key trick here is that all encryption keys should be kept on-site by the customer. This not only limits the exposure that could come from the provider having access to the raw, unencrypted data, but ensures that the data remains in the control of the customer.