If Uncle Sam wants your data, make him come directly to you.
INTEROP NEW YORK -- Using cloud services allows your organization to hand off "the basic blocking and tackling" of securing an infrastructure, but it also allows a cloud service provider to hand your organization's data to the government, said Elad Yoran, CEO of Security Growth Partners and an advisory board member for Vaultive, at the Interop conference this week. The solution, he said, is to make sure that the only data a cloud provider can give the government is complete gibberish.
According to Yoran, organizations should encrypt data before it ever enters the cloud and keep the encryption keys themselves, stored elsewhere. (Vaultive sells an appliance for this "encryption-in-use," which sits in the organization's DMZ, encrypting and decrypting data as it passes to and from the cloud server.)
Although this would not prevent the government from demanding access to an organization's data, it would force authorities to subpoena the organization directly -- not via a cloud provider -- so the company's own legal department could lead the process. Further, it would prevent the government from acquiring multiple cloud users' data even if it only needed one user's data.
It would also address the "data residency" problem. The practice of keeping data on a server in one country so that it is exempt from another country's demands may no longer work after a court ruling against Microsoft in July. The court ruled that because Microsoft is an American company, it must surrender customer data to the American government, even though that data resides on servers in Ireland, outside US jurisdiction. Microsoft has appealed the decision and refused to release the data. The government is holding Microsoft in contempt of court and may seek sanctions even though the appeal process is ongoing.
Yoran expects that, eventually, the laws will catch up and may find a way around "encryption-in-use," but, he says, it is preferable to the status quo.