Pros and Cons of US-Based Cloud Services

Monday, March 31, 2014

Gilad Parann-Nissany

B742830daed9314883a0edc63daefc42

Government surveillance in cloud computing is a prominent issue.  It has been fueled by the headlines about the NSA monitoring public data and the subsequent global discussion on the safety of cloud computing in general, and U.S.-based cloud services in particular.

Increased awareness that the U.S. intelligence services have permission to monitor, and in fact, are monitoring, the data of corporations and private individuals in other countries causes anger from companies and individuals alike.

The U.S. cloud hosting industry is (rightfully) concerned about losing offshore business.

Uncle Sam wants your data

The Patriot Act gives U.S. intelligence agencies a legal basis for surveillance of the data of U.S. and non-U.S. citizens. It may apply to clouds hosted by U.S. companies, regardless of their geo-physical location. In other words, the law may not end at American shores.  This could mean that if your data is stored in the cloud with physical machines in Ireland or New Zealand and the service provider is a U.S. company, your data is within the range of the NSA, FBI or any other U.S. intelligence agency.

The issue broadens: it’s not only about cloud services in the U.S. It’s also about data stored anywhere in the world by U.S. cloud service providers. If Microsoft, Google, or Amazon have physical machines abroad they aren’t out of reach.  This is what leads many companies to take their business away from U.S. cloud companies. 

Surveillance is a global game

We now know that the NSA surveillance and data collection programs are not unique.  The UK and its GCHQ have a similar program. Indeed, some countries cooperate with and share data with each other. Outside the West, there are multiple government sponsored programs that are extremely intrusive. Chinese and North Korean data collection efforts have been in the news. France and India are also in the game.

Simply moving to a foreign cloud security company doesn’t solve the problem of unwanted data access.

The issue is even broader than that.

Even if your systems are in a physical data center, you’re still not safe. The NSA revelations tell us that physical computers can and have been bugged; for example, by hacking into them on a massive basis or even placing bugs on the motherboard. Another concern is what happens when your data is on the network, in transit between your data centers and your users? Will it traverse a network infrastructure, switches, routers, hard lines, or territory that is under surveillance?

Conspiracy theory paranoia or actual real world issue?

Is there no silver lining to this particular cloud?

Living in the real world

Despite the negative headlines, there is good news. Cloud business has not fallen off so much. Many people (not all) do have solid reasons to use the cloud, and are less swayed by paranoia than the doomsayers may have expected.

In our own experience, the security discussion with the customer is subtly altered. A year ago, there was an almost pure focus on compliance as the driver for security discussions. Compliance has remained a very large and dominant topic, but in current conversations, security for its own sake, takes a bigger part. People want to meet the regulations, but they also want to know that they have, in doing so, achieved strong security.

In particular, across the industry, the need for strong encryption of data has gotten a lot of positive emphasis. All data touch points - storage, network, and access - need to be encrypted. Using encryption breaks the economic model of massive surveillance; the potential thieves must give personal attention to you, and try to steal your encryption keys. Breaking into your office and stealing your encryption keys from your wall safe isn’t economically effective, unless you really happen to be the owner of military grade data.

Any company or individual using cloud services today should encrypt data in addition to their firewall, anti-virus and other security measures. Incidentally, it is also encouraged by regulation in several sensitive sectors, notably businesses in the health industry under HIPAA patient and data privacy laws and the payment card industry under PCI DSS standards.

Mitigating damages and reducing risk

As we mentioned above, the nationality and geo-location of the cloud service provider have become moot points. Protection of the actual data is ultimately the only issue. You want to get to the point where your data is encrypted, and the encryption keys really are in your wall safe.

On the other hand, to be practical, you also want to manage real world systems. Keeping everything in your wall safe has its limits. So one recommendation is to use split-key encryption. Split-key encryption provides two required keys where both keys are needed to decrypt the data.  Even if one key is compromised the data is still encrypted. And one of those keys, your “master key,” can really be kept in your wall safe, while the other is managed by automated means.

Another recommendation is to couple that encryption technology with Homomorphic key managementwhich keeps your master key encrypted wherever it goes, even when it’s used by a computing system. Without both keys the data should be incomprehensible to anyone else no matter where it is physically stored, or which organization has legal access to it. This mix of technologies provides the strong level of security that companies with sensitive data want. 

16039
Cloud Security General HIPAA PCI DSS General
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.