Last week I did a webinar concerning the recent news about secret/intelligence services such as the NSA and their activities, e.g. PRISM and others. This is not really news, but the broad and intense public discussion about this is new. In that context, many organizations have raised the question of whether they can still rely on Cloud Computing or whether they would be better off stopping their Cloud initiatives. Businesses raise this question especially as regards the risk of industrial espionage in cloud space – something that is not proven, but appears to be a risk from the perspective of many businesses.
The main points I made are that
- there is a risk in Cloud Computing, but we should not underestimate the risks of attacks against on-premise environments;
- encryption across the entire information lifecycle is a key element in information security especially for Cloud Computing;
- businesses need to understand the information risks to decide about what to put in the Cloud and what not, but also to evaluate the protection requirements for different information.
The attendees raised a large number of questions that I could not fully answer in the remaining time at the end of the webinar. Thus, I want to address some of these questions now.
Are there specific Cloud encryption algorithms, how secure are they, and are they already in use?One question has been about encryption approaches for Cloud Computing and their security. In fact, there are several proven strong encryption methods out there. Most of the algorithms have been published. Clearly, there is a risk of backdoors in the installations; however, this should not be overestimated. Backdoors that are not easily available to the surveillants are not of interest to them.
There are no specific algorithms for the Cloud, which makes sense for two reasons. One is that there are several well-established and proven encryption methods already available. Another is that there is no sense in doing IT for on-premise and the Cloud separately, given that most environments are hybrid.
So it is all about applying existing encryption methods and algorithms, although the solutions might vary and range from secure email over transport security such as TLS to secure folders or simply encrypted files that are held on Cloud services.
Are there encryption approaches where the encryption is managed by the Cloud Service Provider, but all keys are on-premise at the customer?The simple answer here is: No. The CSP would need access to the key for encryption, thus he cannot do this without access to the key. Once he has access he potentially can store the key or pass it to someone else.
How do we know that S/MIME implementations of vendors do not contain backdoors for the NSA, for instance via “key escrow”?We do not know, for “closed source”. However, unless the vendor has access to keys, there cannot be any key escrow. Thus, that risk applies to Cloud Services, where keys are stored at the CSP. But as long as the keys are managed on-premise, this does not work.
How can I automatically support employees in my organization to better protect tools such as Salesforce.com Chatter or Microsoft SharePoint? These tools are rather unprotected by default. Can I use them at all in the manufacturing industry?As with any tools, both on-premise and Cloud, decisions about procurement and implementation should take security into account. The use of Cloud tools favored by the business might require mitigating controls to deal with information risk in an appropriate way. More information on this is available in the replay of this webinar.
I would not say that these tools could not be used at all. However, it is important to understand what information is stored or communicated using these tools and configure them accordingly – or restrict their use. Thus, it requires a thorough understanding of information classification and risk and well-defined policies, before these tools are used.
Isn’t there a risk in using encryption technologies to bypass security?Clearly, there is some risk. S/MIME or PGP might be used to forward information to unauthorized recipients. It comes as no surprise that the Tor network is frequently used for illegal purposes. This is about finding the right balance.
How can I enforce confidentiality for internal communication?Technically, many approaches for digitally signing email and documents are available, as well as encryption. Lotus Notes/Domino is one of the systems that has supported this for many, many years. S/MIME is a standard that supports this for email. Enterprise Rights Management technologies such as Microsoft RMS (Rights Management Services) can do that for documents. So there are various approaches available, many of these are rather mature. Thus, it is about re-evaluating the information risks and identifying an adequate set of technologies to help mitigating these risks, based on well-defined policies.
It is not a question of technology availability. It is a question of setting the organizational framework (Information Stewardship) and investing in security. With all the new incidents – and this goes beyond nation-state attacks and suspected industrial espionage to all the cyber-attacks of today – the equation changes. The risk is far higher today, thus investing in information security is increasingly an economic imperative for businesses.
What about article 10 of the German constitution?The German constitution (“Grundgesetz”) defines on one hand that the privacy of correspondence, posts, and telecommunications are inviolable. On the other hand, the second part of article 10 states that the law might allow exceptions, especially for protecting the free democratic system of Germany or the state of Germany. That gives the government some freedom – so we should not be too surprised if we learn in future about the activities of the German intelligence/secret services.
Interestingly, one of the participants pointed back to the cover story of the German news magazine “Der Spiegel” from week 8 of 1989. That story was about Echelon and talked about the fact that industrial espionage was already happening. However, there was little attention to that story back then. Things have changed now.
Still, as I have said in the webinar: there is not that much news, and there are even less proven facts. Companies should just assume that their information is at risk and act accordingly, both in on-premise environments and the Cloud.
If you need our advice on that, just contact my colleagues at firstname.lastname@example.org and listen to upcoming KuppingerCole webinars on that topic.