
Is the cloud really a "honeypot" for PRISM?

Jun 11, 2013 by Peter Cummings

Revelations in the last week around PRISM have shocked many, and they are forcing many of us to re-evaluate our position towards providers of cloud services. I don't really believe that it comes as a shock to anyone that various US Agencies have the ability, nor do I believe that anyone could have doubted that they are actively using that ability to intercept internet traffic and scan it for threats to National Security. What I find shocking is the possible extent of the monitoring and the way it has been done. To me, at least, an important question has to be asked in the wake of these revelations: Is the cloud as we know it really a honeypot for PRISM?

Many of us today both in our private and professional services use cloud services in some form. We use cloud services in the shape of email, business tools, document storage and more recently we have seen SaaS vendors emerging through authentication to various systems. In other words Identity and Access Management is moving to the cloud. Many of us, including myself, have seen this as the natural evolution in this field, but while following Apple’s Keynote yesterday from WWDC I heard about the new iCloud Keychain, and yes, Apple is on the list of vendors from which PRISM collects. iCloud Keychain is basically not very different from what we have seen in other products like 1Password and similar cloud single sign-on products. It is a solution that holds your credentials for the services and websites that you use. Indeed depending on the flavour of the tool it can also hold your credit card information and other information. The point is that you use these tools to keep the information that is most sensitive and critical to you, secure. These tools, when used, all of a sudden become the place to break in, because gaining access to all the information stored there can give a hacker all the information needed to steal your identity and abuse it.

Obviously, most vendors of these products have gone to great lengths to secure the information held by encrypting the information at rest and only communicating over encrypted lines, and this has put many minds, including my own, at rest thinking that all is well and good. But if US agencies have a backdoor like PRISM, then what is it all good for?

How secure is our information really, and more importantly who is using it and for what? The problem here is that it is not yet publicly known how deep the rabbit-hole goes. Consider if you are taking all the right precautions to secure your data in the cloud: strong password, 2-factor authentication, strong encryption and the list goes on, but then with the help of the vendor all your information is readily available to PRISM in a clear and structured way. Readily available because most cloud vendors today can decrypt your data, they have to, and it is convenient if you lose your information to do so yourself. But if they can help you, then they can help PRISM, and now PRISM is not only monitoring your emails and what flows in cleartext over the internet. All of your information, no matter how well secured, could be flowing into PRISM. All of your corporate information, private data and even your credentials for your online banking, credit card information – yes, your entire digital life could be made available to the US Authorities, aided by the very same vendors you trust to protect your data. This is effectively turning the cloud into a "honeypot" or a collector of information for PRISM and at the same time making this the greatest heist of data of all time.

The question that really needs to be answered here is what information has been collected, who has had access to it and how it has been used and more importantly how do we stop it. It is a mockery of the many good initiatives to raise awareness around privacy issues and the fact that more and more people and organisations are taking extra steps to really secure their data, if a US agency can just fly in and grab the information they want at their leisure. A statement released from the European Parliament states:

"Programmes such as PRISM and the laws on the basis of which such programmes are authorised potentially endanger the fundamental right to privacy and to data protection of EU citizens."

On the upside PRISM will also ignite even stronger initiatives around privacy and data protection. No matter how we look at it, the revelations about PRISM serve to decrease the small level of trust in using the cloud, that has been achieved over the last years. If this is the way that we are being monitored then don't mind the hackers - your information is already in the hands of people you did not give it to.

