“The Cloud is Inevitable” – Observations from Infosecurity 2013 in London
I’m just back from a trip to London for the InfoSecurity Europe show – by far the largest annual security conference in Europe, with over 12,000 attendees. It was not only a successful trip in terms of winning an important award, but also for the insights it gave us into the interest European companies have in cloud security.
It seems as though I never left the show floor, giving dozens of presentations and demonstrations over three days. There was a very high level of interest in cloud security and the CipherCloud solution, but I also noticed some interesting trends while speaking with hundreds of attendees.
Conventional wisdom has been that European businesses are more conservative, more regulated, and more cautious about moving systems to the cloud. But I’m not so sure that’s true anymore. While they may be slower to adopt than the U.S., the move to the cloud is clearly a global trend and the benefits of the cloud are clearly winning over the perceived risks.
The term I heard from numerous attendees is that the Cloud is “inevitable”. However, this was always followed with “but we’re worried about security and compliance”. Our map of global privacy, data residency, and host nation access laws sparked numerous discussions and healthy debates about how each country’s laws are interpreted. (For example, I learned that every state in Germany can interpret and enforce national data privacy laws in different ways.)
But the recurring theme was that Cloud initiatives are definitely happening in Europe, an IT security is often playing catch-up, trying to secure cloud applications that have already crept into enterprise use. With the prevalence of BYOD and the viral spread of convenient content sharing sites, most people seem to accept that corporate information is already going into the cloud, and IT must now deal with a new reality.
Through my own informal survey of what cloud applications people are trying to protect, I was not surprised to hear strong interest in Salesforce, Force.com, and content sharing tools such as Box and Sharepoint. But I was surprised by the strong interest in Office 365 – easily the topic of more than half the demos I gave.
It seems like enterprise adoption of Gmail in Europe was small – representing too big a shift in the trust model for sensitive communications. But many organizations now see the benefits of moving their internal Exchange servers to the cloud – allowing them to maintain familiar tools for their end-users while dramatically reducing infrastructure costs. But again, the big question is security – can organizations adequately protect sensitive and regulated information if it resides in unknown cloud locations. For this audience, CipherCloud’s solution resonated extremely well.
CIA Teams with AWS to Use the Cloud
When spies use the cloud for sharing, storing and using their secrets, you better believe security is going to be of paramount importance.
That’s why a reported deal between the Central Intelligence Agency (CIA) and Amazon and its Amazon Web Services for cloud services is a major indicator of not only the cost savings by using the cloud, but of the levels of security that can and will be applied to data stored there.
The deal, which has an estimated $600 million price tag attached to it, has the cloud industry a buzz with how the creation of a “private cloud” for the CIA is a broadside salvo fired at concerns that the cloud is inherently insecure, and could even be considered a major endorsement of the cloud by the spy agency.
Certainly it appears to be an indicator that even the most security conscious and conservative organizations are moving to the cloud, and there is a firm belief that the cloud can be made secure.
The CIA, as spy agencies are want to do, is remaining tight lipped about its efforts, but considering the far flung and multifaceted information needs of the CIA and its operatives, it’s not surprising that the Agency would be extremely interested in adopting cloud computing. After all, the CIA conducts massive amounts of information gathering and analysis, which creates not only a tremendous amount of storage requirements, but also the difficulty of distributing the right information to the right asset in a timely manner, and potentially anywhere in around the globe.
In a speech in New York recently, the CIA’s chief technical officer, Gus Hunt, made clear the importance of distributed data collection can be to his agency.
“The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time,” Hunt said. “Since you can’t connect dots you don’t have, it drives us into a mode of, we fundamentally try to collect everything and hang on to it forever.”
It’s likely that the Agency and Amazon’s project will segregate some big chunk of AWS capacity, but it’s still the cloud, and by their very nature data centers must be interconnected. Moreover, currently Amazon does its most secure backups (S3) in Singapore, far outside U.S. jurisdiction and protection, which may require a reworking of Amazon’s security strategy.
And of course, with any deployment like this – the key question is who holds the encryption keys. If the CIA maintains exclusive control, which is likely, then security can be held to a higher standard. But if anyone, for any reason, on the Amazon side has access to these keys, than there are significant security risks.
Responding to the Myths about CipherCloud’s Encryption Technology
A couple of recent discussions in a few board threads contributed to by our competitors have questioned CipherCloud’s approach to delivering cloud information protection.
Most of the comments and posts were based on very limited publically available information, some of which was outdated. As a result I thought I would take a few minutes to provide some clarity on this topic.
To start off, I wanted to provide some clarity to the question of whether CipherCloud uses homomorphic encryption. The answer is NO. Homomorphic encryption is far from ready for practical usage due to performance and lack of capabilities.
But, CipherCloud does use publicly available, well researched, and NIST validated cryptographic algorithms that have been implemented in compliance with FIPS 140-2 standards. We also leverage our reverse proxy architecture, which is always in the data path, and incorporates in-depth knowledge of cloud applications for in-line processing and transformation of data on-the-fly to support common operations including search and sort.
CipherCloud, also to be rather direct, and address some of the concerns that were raised in the threads, does NOT implement 1:1 mapping or ECB mode for any customer deployments.
The cited CipherCloud product demo in the board threads (which is quite outdated) was focused on highlighting our reverse-proxy concept for cloud information protection to organizations using cloud applications. Some of the fundamental security features made available today (e.g. full field encryption, randomization through IVs, etc.) were either disabled because we were not comfortable sharing such IP on the internet while our patents are still pending, or not available at the time of recording. I’m sure most of you will appreciate that cloud information protection is one of the most desired spaces for investment, and many competitors are attempting to replicate CipherCloud’s success. CipherCloud continues to invest significantly on R&D efforts to offer ongoing security improvements to customers with each new release of the product.
In addition to having conducted independent third-party cryptographic design reviews, CipherCloud is currently in the process of obtaining our FIPS 140-2 certification, which can be verified by visiting the following NIST website: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf. All of our customers, that I know of, have selected our solution as the recognized standard for cloud information protection after a thorough evaluation, testing, and scrutiny of our product’s design and implementation by their cryptographers and key management experts.
As to the DMCA Notice sent to a site hosting images from a CipherCloud video, CipherCloud’s legal team like most other companies actively regulates the usage of our intellectual property, including copyright. But, based on feedback from the community, we are implementing a modified policy to avoid such incidents going forward and wholeheartedly apologize for the temporary disruption to the discussion threads on the internet.
I understand and appreciate the interest in the market to better understand our technology, and I am happy to discuss additional details around our encryption implementation with our customers, prospects and partners. If you are interested in learning more, please contact CipherCloud directly via our website at info@ciphercloud.com
The Department of the Navy Turns to the Cloud
Facing a $2 billion budget cut over the next five years, the United States Department of the Navy (DoN) is turning to the cloud in a cost saving effort for “non-sensitive” information and applications.
The Department of the Navy Chief Information Officer, Terry A. Halvorsen, recently sent out the memo, “Department of the Navy Approach to Cloud Computing,” explaining that “in order to increase efficiency without sacrificing operational effectiveness, organizations, system/application owners and program managers must expand their analyses of alternatives for hosting Department of the Navy systems and information to include Department of Defense and commercial cloud service providers.”
Forbes Magazine then covered the announcement in its story U.S. Navy Issues New Cloud Computing Policy. The fact that a major arm of the U.S. government is turning to cloud computing for its data needs is a clear indicator of just how strong a business trend adoption of the cloud has become. And the fact that Halvorsen is quoted in the Forbes article as saying the move is not only an effort to save money going forward, also so the Navy can “specifically look at IT as an enabler,” is significant as well.
We’ve been touting the importance of looking to secure use of the cloud as a business enabler for sometime now, and clearly some very large and important organizations are falling in line with that idea.
Of course, the Department of the Navy will also have some serious hurdles to overcome with its adoption of the cloud if it does not take the appropriate steps in dealing with the demarcation between sensitive and non-sensitive data.
As part of the memo, the Department of the Navy has said the first stage of its cloud initiative is going to be publicly releasable information, requiring segregating everything that is publicly available. As an arm of the U.S. Armed Forces, there’s no doubt that the Department of the Navy has a great deal of highly sensitive information that it needs to protect. But it’s arguable that there are going to be instances of data bleed between how you separate and segregate public versus sensitive system information. You can’t just say this data center is all public, and this one is all secured information. With the cloud, all such information sharing is blurred.
Of course, for CipherCloud, all roads lead to the importance of encrypting data sent via the cloud. As the Department of the Navy moves forward with this adoption of cloud systems, one should expect the importance of securing data to come to the fore front of their efforts.
DoJ Attempting to Update Privacy in the Cloud
The U.S. Department of Justice is looking at updating the 1986 Electronic Communications Privacy Act (ECPA) law, which is woefully behind the times when it comes to securing data sent or stored over the cloud. But, like most legislation passed to regulate technology, it’ll probably be out of step with the real world.
According to an article posted over at CIO magazine (Privacy Protection for Documents Stored in the Cloud Gets DoJ Nod), the Obama Administration and the DoJ want to update the Act “to provide stronger privacy protections for Webmail, documents stored online and other cloud services.”
Arguments are being heard by House subcommittees and cloud heavyweights Google, Microsoft and Facebook have weighed in on just how out of date the ECPA is. An best cited in the story demonstrate the Act’s archaic nature: “emails and other communications that have been stored with a third-party provider for more than six months on the strength of a subpoena, rather than a warrant issued by a judge.”
Why 180 days? Perhaps it was because when the law was written it was so prohibitively expensive to store data that few people bothered to keep email more than six months?
It’s clearly time to update ECPA, and legislators should be encourage do so. But the pace of legislation, and Congress, can’t keep up with the technological change. We have communication acts that were written when cell phones didn’t exist, and every time the legislature tries to get specific about technology they get it wrong.
Just look at the CAN-SPAM Act of 2003, which has done nothing to inhibit the flow of junk email to your inbox. The Internet and the cloud in particular, has no notion of national borders. So what good are government privacy regulations that are only enforceable in the United States?
It’s about time to update these regulations, but don’t expect the government to solve all these privacy and data access problems by applying regulations to technology. Laws that try to legislate how technology works… like CAN-SPAM trying to put up legal barriers to regulate something that has no legal barriers, is meaningless.
Instead, laws that have forced transparency seem to have the biggest positive impact. Regulators should specify you should protect your information so it can’t be breached, but not specify how to do that. That’s a moving target. It’s up to vendors to keep moving the bar.
Sunshine is a Good Thing for Microsoft
Just how many times last year did Microsoft receive a government or law enforcement request to access user information stored on its network? The answer is 75,378 times. Microsoft is following in Google’s footsteps and has issued a report outlining the frequency of request for government access from last year in an effort to be more “transparent” with its customers about how their data may be accessed.
The 2012 Law Enforcement Requests Report, is an effort by the company “to respect human rights and the principles of free expression and privacy,” as part of its Global Human Rights Statement and its status as a member of the Global Network Initiative. While the human rights approach may strike Microsoft customers as a bit odd, it’s still a good thing that the company is trying to be as upfront and clear about potential data compromises as it possibly can.
Transparency is a good thing when dealing with cloud providers, and Google has been issuing its own Google Transparency Report for several years, and we welcome this as a positive step from both Google and Microsoft.
Microsoft’s numbers are also of interest. According to the report, in “2012, Microsoft and Skype received a total of 75,378 law enforcement requests. Those requests potentially impacted 137,424 accounts. While it is not possible to directly compare the number of requests to the number of users affected, it is likely that less than 0.02% of active users were affected.”
Microsoft’s services that were primarily of interest to law enforcement officials were web-mail accounts (Hotmail/Outlook.com), SkyDrive cloud storage; Messenger, and Skype.
The report also states that after review by Microsoft’s compliance team, only 2.2% of law enforcement requests resulted in the disclosure of customer content.
It’s not a large number in the grand scheme of things, and the requests are not as common as people might think, but there are documented instances of law enforcement making requests to cloud providers. And if Microsoft’s numbers mirror Google’s, the number of requests will continue to go up.
The simple fact is that Microsoft, Google and other cloud providers are obligated to provide access to government agencies, at times without the knowledge of the data owners, and as such it behooves those data owners to be aware of how and where their data is stored, accessed and monitored.
There are inherent insecurities in the cloud, and there are regulations on both sides that require privacy, or require disclosure and, frankly, accidents happen. We would argue that it’s very important for customers to understand the risks and take additional steps to secure their data and for all cloud providers to be more transparent about when things are going on.
What the Financial Services Sector Needs to Know When Adopting the Cloud Securely
The financial services industry is increasingly adopting cloud computing. There’s no denying the compelling advantages to moving to the cloud – reduced cost, greater flexibility and scalability, increased mobility, and faster deployment to name a few.
The requirement to protect customer information is still a barrier for many firms though. The fact that customer records and information must be secure and confidential is causing a major headache across the industry. Did you know, for example, that you need to protect your customers’ records against any anticipated threats or hazards as well as unauthorised access that could cause substantial harm or inconvenience to the affected customer?
Worryingly, too many are adopting the cloud but are ignorant or feel they needn’t worry about the risks that cloud computing brings. Recent research from Ernst & Young entitled 2012 Global Information Security Survey revealed that 59% of respondents said they used or planned to use cloud services. Yet over 33% had not taken any measures to mitigate security risks.
Your IP is like gold dust
Companies that have implemented cloud computing are now seeing people gain unauthorised access to their intellectual property (IP). And the pursuit of access to such valuable assets will only continue. We are likely to see additional stealthy, sustained attacks, known as advanced persistent threats (APTs) against companies in the future. Given the large quantity of customer data, the financial services industry is a viable and an attractive target. Your IP is like gold dust to a hacker.
Worryingly, a successful APT launched against a cloud computing service could seriously damage your IP – and your reputation. In August last year, hackers gained access into the Dropbox online storage service using a list of customer email addresses from an employee’s account. Soon after, a journalist from technology publication, Wired, saw his Apple iCloud account compromised by a hacker who gained access by socially engineering the company’s tech support service.
The employees who allowed these high profile breaches to happen were well-meaning but unwitting. Yet, there is always the danger of an intentional inside job. If a member of staff working at a cloud service provider decides to siphon off a client’s data to the highest bidder, it could result in a costly and embarrassing data compromise involving that client’s own customers.
Ignorance is not bliss
As a cloud adopter, you need to understand your responsibilities and remember that reliance on the Cloud service provider is not enough. Many organisations unknowingly rely on service level agreements from their cloud service provider and assume they are responsible for their data’s security. It is not acceptable for financial services firms to claim ignorance and blame a breach on a third party provider.
Now that customer records and information can reside anywhere in a digital cloud, it is no longer enough to think of security in terms of physical infrastructure alone. Cloud security must be addressed as well.
Compliance through encryption
Financial services companies should employ encryption to reduce the risk of disclosure or alteration of sensitive information in storage and transit. This is one of the best methods to keep your information safe from hackers. With this approach, a secret pair of digital codes called ‘keys’ is used to encrypt the software. Without these, the software cannot be decrypted.
Encryption therefore protects your vital data against prying eyes, regardless of where it is stored. Entities who attempt to circumvent the company’s protocols for data access will retrieve only scrambled information.
Encryption needs to work seamlessly for business users and their customers, so they are able to retrieve their information seamlessly. However, this in itself presents a problem. Who should actually own the keys?
Keep the keys, rotate the keys, destroy the keys
Often, third-party cloud service suppliers that encrypt a client’s information retain the keys. However, this brings us back to our original predicament. If a hacker or a disgruntled employee steals the keys, they have access to unencrypted client information.
To help extract organizations from this predicament, Gartner recommends that the client retains, manages the encryption keys locally and ensures the keys are properly rotated and destroyed to keep them secure over time.
There are other considerations for the financial services industry when embracing a cloud computing strategy. First, make information a first-class citizen in the cloud. Above all, ensure that it is protected. Consider regulatory requirements when building strategies to protect your information and ensure that you cover your bases with regards to data export and residency restrictions.
Managing such requirements can be discouraging for many companies whose expertise is not in cloud computing or information security. Working with a trusted third party can help to cover your security needs while maximising the innovation and competitiveness that the cloud brings.
These recommendations will help you eliminate any data confidentiality and integrity concerns as you fully embrace the cloud and migrate your data and applications. The less time you have to spend worrying about security, the more you can spend on your core business strategies.
How to Thwart Hackers in the Cloud
Posted from my original article in SC Magazine UK http://www.scmagazineuk.com/how-to-thwart-hackers-in-the-cloud/article/285182/
Cloud computing is a familiar term in the enterprise market.
We know it acts as a fantastic tool to help businesses operate more efficiently, yet for security professionals, cloud computing presents potential risks, which is why we all need to be on the same page when it comes to protecting our valuable information.
As we move to a cloud-driven future, businesses are beginning to see security as a major issue. At the moment though, too many cloud adopters are ignorant or feel they needn’t worry about the risks that cloud computing brings.
According to Ernst & Young’s recent research, the 2012 Global Information Security survey, 59 per cent of respondents said that they used or planned to use cloud services. Yet over a third had not taken any measures to mitigate risks.
Hackers want your IP
Cloud computing users are now seeing people gain unauthorised access to their intellectual property, and the quest for access to such worthy assets will only continue. Sophisticated, sustained attacks, known as advanced persistent threats (APTs), against companies are likely to increase in the future.
Worryingly, a successful APT launched against a cloud computing service could seriously damage your IP – and indeed your reputation.
In August last year, hackers broke into the Dropbox online storage service using a list of customer email addresses from an employee’s account. Later that month, a Wired reporter had his Apple iCloud account hacked by an attacker who gained access by socially engineering the company’s tech support service.
While the employees who allowed those breaches to happen were well-meaning but unwitting, there is always the danger of an intentional inside job. If an employee working at a cloud service provider decides to pass off a client’s data to the highest bidder, it could result in an expensive and embarrassing breach involving that client’s own customers.
Be accountable for your information
If you are using the cloud, you must take responsibility for your IP. It’s not acceptable for any cloud user to claim ignorance and blame a breach on its third party provider. Put simply, it won’t stick. The Information Commissioner’s Office (ICO) will come down hard on any negligent cloud adopter, after it recently clarified that a company collecting data from its customers is responsible for that data – regardless of which third party it enlists for help.
Now that information can reside anywhere in a digital cloud, it no longer pays to think of security in terms of physical infrastructure alone. Companies have to think about corporate security in different ways, and this means focusing on the information that you are storing and manipulating.
Mitigate a breach through encryption
One of the best methods to keep your information safe from hackers is encryption. It uses a secret pair of digital codes called keys that are used to encrypt the software. Without these keys, the software cannot be decrypted which means vital information is incoherent to anyone unauthorised to see it – regardless of where it is stored.
Encryption needs to work seamlessly for business users and their customers, so they are able to retrieve their information seamlessly. However, this itself presents an issue on determining who owns the keys.
Protecting your keys
Cloud service providers that do encrypt a client’s information usually store the keys. However, this brings us back to our original predicament. If a hacker or a disgruntled employee steals the keys, they have access to (unencrypted) client information.
It’s therefore important the client retains and manages the encryption keys locally – and Gartner recommends this too. Companies should also ensure that the keys are properly rotated and destroyed to keep them secure over time.
Your information is number one
When using the cloud, treat your company’s information as a first-class citizen. Make it your priority to protect it. Consider regulatory requirements when implementing strategies to protect your information, and ensure you cover your bases with regards to data export and residency restrictions.
Also, consider working with a trusted third party security platform that can protect any kind of cloud application. Security services that can integrate with existing infrastructure and with custom web apps will help to reduce your costs too. This way, you can embrace moving your information and applications to the cloud – without the headache.
Australia has Updated Their Privacy Law to Take on the Cloud
Australia has joined a growing list of countries that has established laws to protect the privacy rights of its citizens in the Internet era, but which may create a legal conundrum when it comes to cloud computing.
Australia has actually had a Privacy Act in place since 1988, but has now taken steps to bring its law up to date with The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) which passed through the Australian Parliament on 29 November 2012 and received royal assent on 12 December 2012. You can find updates about the Privacy Reforms on the Australian Government Office of the Australian Information Commissioner website.
This is part of the trend of globally adding to an increase in privacy laws and updates to things that have been around but haven’t been updated for the Internet age. And although the Aussie government has extended the deadline for compliance with the Act until March 12, 2014, enterprises that are either based in Australia, store data there, or have customers based there, should be aware of the significant increase in penalties for non-compliance, which can be as much as $1.1 million (AUS).
While it remains to be seen if the Australian government will actually actively go after enterprises for potential non-compliance, it is clear that they will not be targeting cloud providers for the penalties. The updated Privacy Act does include specific language about who is directly responsible for the security of Australian citizens personal data… the enterprises that hold the data, and not the cloud providers. Even if you store the data offshore, or using a cloud provider somewhere else, the owner of the data is still responsible, according to the updated Act, and the Australian government will come knocking if the data is compromised.
And in what’s becoming a familiar situation, the Australian Privacy Amendment Act can and probably will come in direct conflict with other countries’ data access laws, including the poster child of law enforcement access laws, the U.S. Patriot Act. For example, if the U.S. requires access to an Australian citizen’s personal data, which was created in Australia and stored in the U.S., the two laws would be in conflict, but its not impossible to predict that the Australian government would simply levy a not insignificant fine on the Australian enterprise which holds the data.
As always, it’s important if you are working with a cloud provider to know where your data will be stored, and to encrypt that data before it leaves your enterprise to be stored elsewhere around the world.
You can find out more about how to comply with the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) and by watching the following webinar “Concerned by Cloud Data Residency and Security Issues” by Willy Leichter, a Cloud Security Advocate at CipherCloud
Gartner Report in Line with CipherCloud Capabilities
CipherCloud has worked hard to stress the importance of cloud data security and the need for encryption and key management when utilizing the cloud for Fortune 2000 businesses, so it’s particularly gratifying when a major independent research company like Gartner Inc., issues a report that essentially agrees with nearly everything the company has been saying.
In the report “Five Cloud Data Residency Issues That Must Not Be Ignored,” Gartner analysts Brian Lowans, Neil MacDonald and Carsten Casper, warn Chief Information Security Officers and Chief Security Officers of the importance of complex security and regulatory data residency issues when enterprises plan to store data in the cloud or remote data centers.
The report acknowledges the importance of cloud computing, not only for cost savings but also for the resilience it provides for retrieving data in the face of disaster.
Some of the key issues cited, and recommendations made, in the report include:
- Differing regulations on protecting data in different countries
- National and International laws which provide authorities with access to data, which may conflict with a host country’s privacy rules
- Being aware of where cloud data is actually stored
- Understand how data residency issues affect your data storage footprint
- Only permit the key management and decryption of data by users
But as the final big issue in the report, Gartner recommends companies review their data encryption options. This includes deploying encryption solutions if there are data residency concerns for data crossing borders, ensuring that cloud service providers are not granted access to the secured data, and that keys are managed locally to comply with local privacy requirements. All of which are points CipherCloud has been stressing for some time.
And, not to put too fine a point on it, but the Gartner report lists in its evidence a specific case where CipherCloud was brought in to secure a German multibillion-dollar global consumer packaged goods company adoption of salesforce.com and its necessary access to the cloud. The firm was concerned that Germany’s strict data privacy laws would prevent access to major cloud-based applications, but with the adoption of a cloud encryption gateway solution from CipherCloud, the organization was able at securely store and use sensitive customer data using salesforce.com.
Gratifying indeed to see security being used as an enabler of good business practices, and touted by independent research.
Recent Comments