If Uncle Sam wants your data, make him come directly to you.
INTEROP NEW YORK -- Using cloud services allows your organization to hand off "the basic blocking and tackling" of securing an infrastructure, but it also allows a cloud service provider to hand your organization's data to the government, said Elad Yoran, CEO of Security Growth Partners and an advisory board member for Vaultive, at the Interop conference this week. The solution, he said, is to make sure that the only data a cloud provider can give the government is complete gibberish.
According to Yoran, organizations should encrypt data before it ever enters the cloud and keep the encryption keys themselves, stored elsewhere. (Vaultive sells an appliance for this "encryption-in-use," which sits in the organization's DMZ, encrypting and decrypting data as it passes to and from the cloud server.)
Although this would not prevent the government from demanding access to an organization's data, it would force authorities to subpoena the organization directly -- not via a cloud provider -- so the company's own legal department could lead the process. Further, it would prevent the government from acquiring multiple cloud users' data even if it only needed one user's data.
It would also address the "data residency" problem. The practice of keeping data on a server in one country so it is exempt from another country's demands may not work anymore, since a court ruling against Microsoft in July. The court ruled that because Microsoft is an American company, it must surrender customer data to the American government, even though that data resides on servers in Ireland, outside US jurisdiction. Microsoft has appealed the decision and refused to release the data. The government is holding Microsoft under contempt of court and may seek sanctions even though the appeal process is ongoing.
Yoran expects that, eventually, the laws will catch up and may find a way around "encryption-in-use," but, he says, it is preferable to the status quo.
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024