NSA Revelations And Cloud Security
Edward Snowden’s recent disclosures, including concerns about the NSA’s ability to break certain types of encryption, and the extent of surveillance on cloud service providers, put the entire cloud industry into an uproar.
The bad news is that this has eroded companies’ trust that their data can be secure in the cloud. In fact, industry analysts are predicting that these disclosures will cost US cloud service providers between $22 and $35 billion in revenue by 2016.
But there is light at the end of this tunnel, and what will emerge is a safer, more resilient cloud.
Is Encryption Dead?
In short, no. Expert cryptographer and author of the book “Practical Cryptography,” Bruce Schneier, recently blogged: “Whatever the NSA has up its top-secret sleeves, the mathematics of cryptography will still be the most secure part of any encryption system. I worry a lot more about poorly designed cryptographic products, software bugs, bad passwords, companies that collaborate with the NSA to leak all or part of the keys, and insecure computers and networks. Those are where the real vulnerabilities are, and where the NSA spends the bulk of its efforts.”
Even Snowden has also commented, “Properly implemented strong crypto systems are one of the few things that you can rely on.”
Consequently, we will see continued adoption of encryption technologies in the cloud to protect data in transit and at rest in these shared storage infrastructures.
Encryption will evolve
The evolution of encryption algorithms is nothing new. In recent years, as compute power gets stronger, we’ve seen the migration from DES, to 3DES, to AES-128/256. These longer key lengths are the ‘math’ that prevents computer systems from being able to ‘guess’ an encryption key. The good news here is that as computer systems get more powerful, they can leverage encryption with longer key lengths easily, without degrading performance.
Further, encryption standards are approved by independent bodies like the National Institute of Standards and Technology (NIST), and are put up for extensive public review before they are published. While those who lean toward conspiracy theories hint at intentional ‘backdoors’ built into these algorithms that can be exploited by the NSA or others, it’s highly unlikely these wouldn’t be found during the review process. These reviews will continue to play a critical role as encryption technologies adapt in the future. Furthermore, the details and implementation of encryption algorithms, such as AES, are public domain.
The Importance of Key Management
If you use AES encryption with a 256-bit key strength, but your encryption system only uses an eight-character password to access those keys, then you effectively have reduced the strength of your encryption key significantly, since a hacker must only guess your password, instead of the actual key. This is why managing and storing these keys securely is so critical.
Threats from Abroad
Data has become a treasure trove, and the cloud can make an even sweeter target. You can be sure that if the NSA is interested in your data, others are as well. Make sure you clearly understand your cloud service provider’s (CSP) service level agreements, particularly as related to security measures. The cloud will become too cost effective to avoid for most organizations, so continued pressure from cloud clients will be the best way to gain security improvements.
Bring your own security
While many CSPs – like Google – have introduced encryption in their cloud offerings, you still need to look a bit deeper. Google’s encryption may protect you from a hacker who manages to get access to their infrastructure, but it won’t prevent Google from giving your data to the Feds. To be sure you are the only one with access to your data, use strong encryption with a good key management system, and make sure YOU keep the keys, not your CSP.
You can use the cloud, but remember that security is ultimately your responsibility.
- Encrypt any data you put in the cloud that you want to be private.
- Use strong crypto (for example one utilizing AES-256, RSA-2048) to protect the data.
- Use a strong key management solution that supports multi-tenancy, strong separation and audit of administrative roles.
- Use a key management system that you retain outside of your CSP, and that is independent of your provider.
By Steve Pate
Steve co-founder and CTO of HighCloud Security, has more than 25 years of experience in designing, building, and delivering file system, operating system, and security technologies, with a proven history of converting market-changing ideas into enterprise-ready products. Before HighCloud Security, he built and led teams at ICL, SCO, VERITAS, HyTrust, Vormetric, and others. Steve has published two books on UNIX kernel internals and UNIX file systems. He earned his bachelor’s in computer science from the University of Leeds.