Why NSA Revelations Will Be Good For Cloud Security

Why NSA Revelations Will Be Good For Cloud Security

NSA Revelations And Cloud Security

Edward Snowden’s recent disclosures, including concerns about the NSA’s ability to break certain types of encryption, and the extent of surveillance on cloud service providers, put the entire cloud industry into an uproar.

The bad news is that this has eroded companies’  trust that their data can be secure in the cloud. In fact, industry analysts are predicting that these disclosures will cost US cloud service providers between $22 and $35 billion in revenue by 2016.

But there is light at the end of this tunnel, and what will emerge is a safer, more resilient cloud.

Is Encryption Dead?

In short, no. Expert cryptographer and author of the book “Practical Cryptography,” Bruce Schneier, recently blogged: “Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.”

Even Snowden has also commented, “Properly implemented strong crypto systems are one of the few things that you can rely on.”

Consequently, we will see continued adoption of encryption technologies in the cloud to protect data in transit and at rest in these shared storage infrastructures.

Encryption will evolve

The evolution of encryption algorithms is nothing new. In recent years, as compute power gets stronger, we’ve seen the migration from DES, to 3DES, to AES-128/256. These longer key lengths are the ‘math’ that prevents computer systems from being able to ‘guess’ an encryption key.  The good news here is that as computer systems get more powerful, they can leverage encryption with longer key lengths easily, without degrading performance.

Further, encryption standards are approved by independent bodies like the National Institute of Standards and Technology (NIST), and are put up for extensive public review before they are published. While those who lean toward conspiracy theories hint at intentional ‘backdoors’ built into these algorithms that can be exploited by the NSA or others, it’s highly unlikely these wouldn’t be found during the review process. These reviews will continue to play a critical role as encryption technologies adapt in the future. Furthermore, the details and implementation of encryption algorithms, such as AES, are public domain.

The Importance of Key Management

If you use AES encryption with a 256-bit key strength, but your encryption system only uses an eight-character password to access those keys, then you effectively have reduced the strength of your encryption key significantly, since a hacker must only guess your password, instead of the actual key. This is why managing and storing these keys securely is so critical.

Threats from Abroad

Data has become a treasure trove, and the cloud can make an even sweeter target. You can be sure that if the NSA is interested in your data, others are as well. Make sure you clearly understand your cloud service provider’s (CSP) service level agreements, particularly as related to security measures. The cloud will become too cost effective to avoid for most organizations, so continued pressure from cloud clients will be the best way to gain security improvements.

Bring your own security

While many CSPs – like Google – have introduced encryption in their cloud offerings, you still need to look a bit deeper. Google’s encryption may protect you from a hacker who manages to get access to their infrastructure, but it won’t prevent Google from giving your data to the Feds. To be sure you are the only one with access to your data, use strong encryption with a good key management system, and make sure YOU keep the keys, not your CSP.

Summary

You can use the cloud, but remember that security is ultimately your responsibility.

  • Encrypt any data you put in the cloud that you want to be private.
  • Use strong crypto (for example one utilizing AES-256, RSA-2048) to protect the data.
  • Use a strong key management solution that supports multi-tenancy, strong separation and audit of administrative roles.
  • Use a key management system that you retain outside of your CSP, and that is independent of your provider.

steve-pate

By Steve Pate

Steve  co-founder and CTO of HighCloud Security, has more than 25 years of experience in designing, building, and delivering file system, operating system, and security technologies, with a proven history of converting market-changing ideas into enterprise-ready products. Before HighCloud Security, he built and led teams at ICL, SCO, VERITAS, HyTrust, Vormetric, and others. Steve has published two books on UNIX kernel internals and UNIX file systems. He earned his bachelor’s in computer science from the University of Leeds.

About CloudTweaks

Established in 2009, CloudTweaks is recognized as one of the leading authorities in connected technology information and services.

We embrace and instill thought leadership insights, relevant and timely news related stories, unbiased benchmark reporting as well as offer green/cleantech learning and consultive services around the world.

Our vision is to create awareness and to help find innovative ways to connect our planet in a positive eco-friendly manner.

In the meantime, you may connect with CloudTweaks by following and sharing our resources.

View All Articles

2 Responses to Why NSA Revelations Will Be Good For Cloud Security

  1. I guess, that many foreign but also american customers will start to rethink, whether they will use cloud services located in the US. The migration to services located abroad already started since I read everywhere that developers rethink their personal strategy where they store their data and I believe that those personal decisions will also have a long term effect on their companies strategy they influence. Rackspace, Amazon etc are dead meat on the long run.

  2. One first step to building a security posture with the cloud and today’s converged infrastructure is that there is little to know privacy. We are insecure. That sets the stage for a proactive stance of Observe –> Orient –> Decide –> and Act. –http://bit.ly/paul_calento

Are Cloud Solutions Secure Enough Out-of-the-box?

Are Cloud Solutions Secure Enough Out-of-the-box?

Out-of-the-box Cloud Solutions Although people may argue that data is not safe in the Cloud because using cloud infrastructure requires trusting another party to look after mission critical data, cloud services actually are more secure than legacy systems. In fact, a recent study on the state of cloud security in the enterprise market revealed that…

SaaS Freemium Models and the Hidden Cost of Free

SaaS Freemium Models and the Hidden Cost of Free

SaaS Freemium Models We’ve all been lured into sexy “try before you buy” freemium models that provide just the right amount of functionality to get you started. Yet, it’s not quite enough to complete the job. “Getting the job done” often requires stepping up to a paid or premium version that provides more functionality, capabilities…

What Technology Can Displace The Password?

What Technology Can Displace The Password?

The Future Password Many people shout that the password is dead or should be killed dead. The password could be killed, however, only when there is an alternative to the password. Let us think about what technology can displace the password. Some people might say that multi-factor authentications or ID federations will do it. It is not…

The Concept Of Securing IoT To Secure Your Building

The Concept Of Securing IoT To Secure Your Building

Securing IoT Ah, security. It is the dulcet tone of a symphony that we play over and over in the IT world. IoT (Internet of Things) and the myriad of connected devices allow us some intriguing security options. For example, in a mesh array of sensors, you could effectively force users to correctly identify themselves…

Cloud Security: The Top 8 Risks According To ENISA

Cloud Security: The Top 8 Risks According To ENISA

Cloud Security Risks Does security in the cloud ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way. So what are the most important risks? The European Network Information Security Agency did extensive research on that,…

New Smartphones From Apple, Samsung and HTC Promise To Light Up 2016

New Smartphones From Apple, Samsung and HTC Promise To Light Up 2016

New Smartphones from Apple, Samsung and HTC (Sponsored post courtesy of Verizon Wireless) The launch of the Galaxy S7 Edge at the Mobile World Congress in Barcelona during February was the first shot in a vintage year for mobile phones. The S7 is an incredible piece of hardware, but launches from HTC and Apple later in the…

Featured Sponsored Articles
How Successful Businesses Ensure Quality Team Communication

How Successful Businesses Ensure Quality Team Communication

Quality Team Communication  (Sponsored post courtesy of Hubgets) Successful team communication and collaboration are as vital to project and overall business success as the quality of products and services an organization develops. We rely on a host of business tools to ensure appropriate customer interactions, sound product manufacturing, and smooth back-end operations. However, the interpersonal relationships…

Featured Sponsored Articles
How To Develop A Business Continuity Plan Using Internet Performance Management

How To Develop A Business Continuity Plan Using Internet Performance Management

Internet Performance Management Planning CDN Performance Series Provided By Dyn In our previous post, we laid out the problems of business continuity and Internet Performance Management in today’s online environment.  In this article, we will take a look at some of the ways you can use traffic steering capabilities to execute business continuity planning and…

Featured Sponsored Articles

CloudTweaks is recognized as one of the leading influencers in cloud computing, infosec, big data and the internet of things (IoT) information. Our goal is to continue to build our growing information portal by providing the best in-depth articles, interviews, event listings, whitepapers, infographics and much more.

Sponsor