Cloud computing 2014: Moving to a zero-trust security model
- 01 January, 2014 00:58
The leaking of classified documents detailing the data collection activities of the U.S. National Security Agency earlier this year reignited some long-standing concerns about the vulnerability of enterprise data stored in the cloud.
But instead of scaring businesses away from using hosted services, as some experts predicted, the leaks about the NSA spy programs are driving some long overdue changes in enterprise and service provider security and privacy policies.
When Edward Snowden first began spilling details of the NSA's surveillance practices to selected reporters in June, industry analysts had expected that the revelations would put a severe crimp on plans for cloud deployment.
For instance, the Information Technology & Innovation Foundation in August said the leaks could cause U.S. cloud providers to lose 10% to 20% of the foreign market to overseas competitors -- or up to $35 billion in potential sales through 2016.
Another industry group, the Cloud Security Alliance, predicted a similar backlash due to concerns by Europen companies that thje U.S. government would access to their data.
Six months later, the impact appears to be less severe than expected.
Despite some reports of slowing sales of cloud services by U.S. vendors to overseas companies, experts now expect that the Snowden leaks will have little effect on long-term sales. The business benefits of using cloud-based services continue to supersede enterprise fears of government snooping.
At the same time though, the detailing of classified NSA spy programs has prompted an increased emphasis on cloud data security and protection that's expected to grow further in 2014.
The leaks hammered home just how little control companies have over data stored in the cloud, said Richard Stiennon, principal at consulting firm IT-Harvest. "There is a fundamental shift to a zero-trust model in the cloud." The disclosures showed enterprises that "there cannot be any chink in the trust chain from internal resources to the cloud and back."
Analysys say IT security officials are looking at several key areas, such as data encryption, key management and data ownership, regionalization, and the need for increased government transparency, to improve cloud security.
Encryption has gained a lot of attention since the Snowden leaks. Major service providers like Microsoft, Yahoo and Google set the tone by adding end-to-end encryption of data they host and manage for customers.
For instance, Google Cloud Storage now automatically encrypts all new data before it's written to disk. Such server-side encryption will soon be available for older data stored in Google clouds.
Since the NSA programs were disclosed, Microsoft has announced that it plans to ramp up encryption support for various services, including Outlook.com, Office 365, SkyDrive and Windows Azure.
By the end of 2014, Microsoft expects to have measures in place for encrypting data in transit between customer locations and its data centers, and while in transit between its own data centers.
Like Google, Microsoft says it plans to encrypt all stored data in the cloud
Several other cloud services providers, like Dropbox, Sonic.net and SpiderOak, have announced support for similar data encryption programs, and for features like 2048-bit key lengths and the "Perfect Forward Secrecy" method for future-proofing encrypted data.
Experts say such measures are vital to protecting data traveling between customer companies and cloud service providers.
Information in the classified documents about NSA attempts to weaken encryption algorithms, and to tap fiber links connecting service provider data centers provided much of the impetus for these efforts.
Key management and data ownership
The U.S. government's position in its dispute with Lavabit, a secure email services provider, that cloud service firms must hand over their encryption keys when asked, has focused considerable attention on key management and data ownership.
While encryption efforts by service providers are a vital part of improving cloud security, they only go so far, says Eric Chiu, president of HyTrust, a cloud infrastructure management company.
"Encryption is only as secure as its key management system," Chiu said. "While cloud providers may implement encryption, customers need to be aware that if providers hold encryption keys, it's still possible that they can access data -- or provide the keys to someone who requests them."
Such concerns have sparked increased interest in approaches that let enterprise users of cloud services to own the encryption and cryptographic key management process while data is at rest, in use and in transit.
A growing number of vendors, including Vaultive, CipherCloud, TrendMicro and HyTrust, offer tools designed to make it easier for businesses to retain more control of their data while taking advantage of cloud hosted infrastructures and services.
CipherCloud, for instance, sells a gateway technology that lets companies encrypt data while in transit to and from the cloud and while stored. The gateway lets enterprises store encryption keys locally, and to interact with the encrypted data in the cloud.
Such technologies mean that government agencies would have to seek help from the owners of data to gain access. The goal is to eliminate the handing over of such keys to government agencies by cloud vendors without the knowledge of the data owners.
Security experts have long recommended using persistent encryption to secure data in the cloud. To date, adoption has been low due to the cost and complexity of key management. That may be changing.
"For enterprises that require true data privacy for compliance or internal purposes, we will see those companies implement encryption themselves, and maintain their own keys on premise," predicts Chiu.
Vaultive, CipherCloud and the other vendors say they are seeing a marked increase in enterprise interest in their technologies due to the NSA surveillance disclosures.
The Snowden data leaks could also accelerate regionalization of cloud services.
Data residency requirements and fears of hosting data on U.S.-based servers and infrastructures could prompt non-U.S. customers especially to increasingly look to use cloud providers closer to home.
Enterprises in China and the Asia-Pacific region in particular appear to be more apprehensive about U.S. service providers and technology since the NSA disclosures, Stiennon said. Many are expected to start looking at regional and local options for hosting needs.
"I don't like to use the word Balkanization, but there is going to be a fragmentation of cloud service providers," Steinnon said. Hundreds of small public cloud providers have been springing up in different regions of the world over the past few years to serve local markets. Many will likely benefit from concerns about government snooping raised by the Snowden leaks, Stiennon predicted
Meanwhile, large U.S.-based cloud service providers are setting up service operations in different regions of the world in part to lower delivery costs and deliver better performance to local customers, said Gartner analyst Lawrence Pingree.
In December, for instance, Amazon announced that it plans to start delivering Amazon Web Services products in China starting 2014. The plan calls for the company to install cloud servers in China facilities to deliver hosted services to businesses in that country.
"A lot of cloud and SaaS providers are regionalizing" to improve agility and performance, Pingree said. The heightened attention on security issues will likely further speed the use of regional centers, he said
Concerns stemming from the Snowden affair are also sure to force the government to be more transparent about data collection programs.
Google, Microsoft, Yahoo and an array of other high-technology vendors are now pressing the government to allow them to disclose details about secret requests for customer data by the NSA and other intelligence agencies. The companies argue that laws prohibiting them disclosing details of such requests have created false perceptions about their role in government data collection activities.
In an unprecedented move, the heads of Google, Apple, Facebook and Microsoft in December sent an open letter to President Obama demanding government surveillance reform and increased transparency.
Google, Microsoft and others plan to provide more details in their periodic Transparency Reports, and have indicated a willingness to legally challenge certain government requests for data.
Analysts note that even telecom companies, which have long been markedly slow to respond to questions about their data sharing habits with the government, may be coming around.
Verizon, for instance, says it plans to soon release a Transparency Report that details law enforcement requests for its customer data.
Government snooping could constitute an "advanced persistent threat" alongside sophisticated malware and cyberattacks," Microsoft general counsel Brad Smith wrote in a blog post in December.
Except in the most limited circumstances, Microsoft will fight government attempts to get customer data from the cloud, Smith said. "We believe that government agencies can go directly to business customers or government customers for information or data about one of their employees - just as they did before these customers moved to the cloud."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is firstname.lastname@example.org.