Why NSA Revelations Will Be Good For Cloud Security

Why NSA Revelations Will Be Good For Cloud Security

Why NSA Revelations Will Be Good For Cloud Security

Edward Snowden’s recent disclosures, including concerns about the NSA’s ability to break certain types of encryption, and the extent of surveillance on cloud service providers, put the entire cloud industry into an uproar.
The bad news is that this has eroded companies’  trust that their data can be secure in the cloud. In fact, industry analysts are predicting that these disclosures will cost US cloud service providers between $22 and $35 billion in revenue by 2016.

But there is light at the end of this tunnel, and what will emerge is a safer, more resilient cloud.

Is Encryption Dead?

In short, no. Expert cryptographer and author of the book “Practical Cryptography,” Bruce Schneier, recently blogged: “Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.”

Even Snowden has also commented, “Properly implemented strong crypto systems are one of the few things that you can rely on.”

Consequently, we will see continued adoption of encryption technologies in the cloud to protect data in transit and at rest in these shared storage infrastructures.

Encryption will evolve

The evolution of encryption algorithms is nothing new. In recent years, as compute power gets stronger, we’ve seen the migration from DES, to 3DES, to AES-128/256. These longer key lengths are the ‘math’ that prevents computer systems from being able to ‘guess’ an encryption key.  The good news here is that as computer systems get more powerful, they can leverage encryption with longer key lengths easily, without degrading performance.

Further, encryption standards are approved by independent bodies like the National Institute of Standards and Technology (NIST), and are put up for extensive public review before they are published. While those who lean toward conspiracy theories hint at intentional ‘backdoors’ built into these algorithms that can be exploited by the NSA or others, it’s highly unlikely these wouldn’t be found during the review process. These reviews will continue to play a critical role as encryption technologies adapt in the future. Furthermore, the details and implementation of encryption algorithms, such as AES, are public domain.

The Importance of Key Management

If you use AES encryption with a 256-bit key strength, but your encryption system only uses an eight-character password to access those keys, then you effectively have reduced the strength of your encryption key significantly, since a hacker must only guess your password, instead of the actual key. This is why managing and storing these keys securely is so critical.

Threats from Abroad

Data has become a treasure trove, and the cloud can make an even sweeter target. You can be sure that if the NSA is interested in your data, others are as well. Make sure you clearly understand your cloud service provider’s (CSP) service level agreements, particularly as related to security measures. The cloud will become too cost effective to avoid for most organizations, so continued pressure from cloud clients will be the best way to gain security improvements.

Bring your own security

While many CSPs – like Google – have introduced encryption in their cloud offerings, you still need to look a bit deeper. Google’s encryption may protect you from a hacker who manages to get access to their infrastructure, but it won’t prevent Google from giving your data to the Feds. To be sure you are the only one with access to your data, use strong encryption with a good key management system, and make sure YOU keep the keys, not your CSP.

Summary

You can use the cloud, but remember that security is ultimately your responsibility.

  • Encrypt any data you put in the cloud that you want to be private.
  • Use strong crypto (for example one utilizing AES-256, RSA-2048) to protect the data.
  • Use a strong key management solution that supports multi-tenancy, strong separation and audit of administrative roles.
  • Use a key management system that you retain outside of your CSP, and that is independent of your provider.

steve-pate

By Steve Pate

Steve Pate, co-founder and CTO of HighCloud Security, has more than 25 years of experience in designing, building, and delivering file system, operating system, and security technologies, with a proven history of converting market-changing ideas into enterprise-ready products. Before HighCloud Security, he built and led teams at ICL, SCO, VERITAS, HyTrust, Vormetric, and others. Steve has published two books on UNIX kernel internals and UNIX file systems. He earned his bachelor’s in computer science from the University of Leeds.

Follow Us!

CloudTweaks

Established in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing information. Most of the excellent CloudTweaks articles are provided by our own paid writers, with a small percentage provided by guest authors from around the globe, including CEOs, CIOs, Technology bloggers and Cloud enthusiasts. Our goal is to continue to build a growing community offering the best in-depth articles, interviews, event listings, whitepapers, infographics and much more...
Follow Us!

2 Responses to Why NSA Revelations Will Be Good For Cloud Security

  1. I guess, that many foreign but also american customers will start to rethink, whether they will use cloud services located in the US. The migration to services located abroad already started since I read everywhere that developers rethink their personal strategy where they store their data and I believe that those personal decisions will also have a long term effect on their companies strategy they influence. Rackspace, Amazon etc are dead meat on the long run.

  2. One first step to building a security posture with the cloud and today’s converged infrastructure is that there is little to know privacy. We are insecure. That sets the stage for a proactive stance of Observe –> Orient –> Decide –> and Act. –http://bit.ly/paul_calento

Join Our Newsletter

Receive updates each week on news, tips, events, comics and much more...

Can I Contribute To CloudTweaks?

Yes, much of our focus in 2015 will be on working with other influencers in a collaborative manner. If you're a technology influencer looking to collaborate with CloudTweaks – a globally recognized leader in cloud computing information – drop us an email with “tech influencer” in the subject line.

What is the 12/12 Program?

This program is designed to better handle the thousands of requests we receive from people looking to submit articles. The 12/12 program is the commitment of 12 articles delivered over a 12-month period.  

Wait! What if I just want to submit one article?

Our popular pay as you go sponsorship program provides the flexibility to submit as you wish and is designed for all budgets.

Contributors

Ten Tips For Successful Business Intelligence Implementation

Ten Tips For Successful Business Intelligence Implementation

Ten Tips for Successful Business Intelligence Implementation The cost of Business Intelligence (BI) software goes far beyond the purchase price. Time spent researching, implementing, and maintaining your BI investment can snowball quickly and mistakes are often expensive. Your time is valuable – save it by learning from other businesses’ experiences. We’ve compiled the top ten

Knots And Cloud Service Providers

Knots And Cloud Service Providers

How Do These Two Compare? In Boy Scouts, I learned how to tie knots. The quickest knot you can tie is the slipknot. It’s very effective for connecting one thing to another via the rope you have. It was used in setting up tents, mooring boats to docks temporarily and lifting your food up into

What Ever Happened To Google Glass?

What Ever Happened To Google Glass?

What Ever Happened to Google Glass? It was supposed to be the next big thing in tech so where did it go? Last year you could not go anywhere without hearing about some insane new use for the product and now it seems to have vanished in a plume of smoke. A Lackluster Rollout Back

Posted on by

Big Data

To Have and Have Not: Big Data Initiatives In Developing Countries

To Have and Have Not: Big Data Initiatives In Developing Countries

Big Data Initiatives In Developing Countries The poor of the developing countries are becoming increasingly connected, to the point where they too are part of the Big Data revolution that’s happening across the globe. It didn’t come with laptops, though, as some supposed it would. Whereas it costs a fortune to connect broadband to a

Big Data In Your Garden: Initiatives For Better Understanding Nature

Big Data In Your Garden: Initiatives For Better Understanding Nature

Big Data in Your Garden Big Data and IoT initiatives are springing up all across the globe, making cities, protesters–and just about everything else–smarter. However, thus far there’s been little attention paid to the interactions between these bizarre technologies and living things other than humans. Biology, that is, human biology is one field where Big

Who Holds the Key to the City: Big Data and City Management

Who Holds the Key to the City: Big Data and City Management

Big Data and City Management Cities like New York, Madrid, and especially Rio de Janeiro are augmented with Big Data-powered initiatives that range from combating crime with predictive analytics (New York & Madrid) to providing real-time data for improved management. Although Big Data is no panacea and is mainly used in conjunction with a greater

Internet of Things

Where’s the Capital of the Internet of Things?

Where’s the Capital of the Internet of Things?

Where’s the Capital? We all know the capitals of fashion are London, New York and Paris, while the capital of film is Hollywood (or Bollywood!) – but what’s the new capital of the internet? Specifically, the internet of things? The answer – according to new research by Ozy – might surprise you. It’s not Tokyo, Seoul,

Smart Cities – How Big Data Is Changing The Power Grid

Smart Cities – How Big Data Is Changing The Power Grid

Smart Cities And Big Data As Anthony Townsend argues in his SMART CITIES, even though the communications industry has changed beyond recognition since its inception, the way we consume power has remained stubbornly anachronistic. The rules of physics are, of course, partially to blame, for making grid networks harder to decentralize, as opposed to communication

Aggregated News

Popular News Sources

Microsoft to enter the STRUGGLE of the Human Wrist

Microsoft to enter the STRUGGLE of the Human Wrist

It’s not just a thumb war, it’s total digit war The battle for the future of the human wrist entered a new phase on Monday after it was claimed that tech goliath Microsoft is planning to release its own wearable computer in the coming weeks.…Read the source article at The Register About Latest Posts Follow

Standards Organization ISO Takes on Cloud Computing Standards

Standards Organization ISO Takes on Cloud Computing Standards

Given the quality differences in different cloud services and issues of compatibility, ISO, the world’s best known standards body has issued two standards related to cloud computing…. Read the source article at Web Host Industry Review About Latest Posts Follow Us!CloudTweaksEstablished in 2009, CloudTweaks.com is recognized as one of the leading authorities in cloud computing

IBM Paying $1.5 Billion to Shed Its Chip Division

IBM Paying $1.5 Billion to Shed Its Chip Division

IBM will pay $1.5 billion to Globalfoundries in order to shed its costly chip division. IBM will make payments to the chipmaker over three years, but it took a $4.7 billion charge for the third quarter when it reported earnings Monday. Read the source article at Mashable About Latest Posts Follow Us!CloudTweaksEstablished in 2009, CloudTweaks.com is