What are the threats to data stored in ‘the cloud’ and how do cloud providers protect their customers

The spying done by the NSA and revealed by Edward Snowden certainly did not do much good for the revenues of companies selling cloud solutions.

Nobody believes anymore that the NSA’s main purpose is to defeat terrorism. Foremost, the NSA is very interested in the political views of other countries (Germany, the EU), financial data (SWIFT bank transfers) and economic spying (Brazilian oil company Petrobras). National security is used as an excuse to violate people’s privacy.

A lot has to change in the minds of the US. At a CIA congress in June, Congressman Mike Rogers said Google is unpatriotic for not wanting the NSA to spy on its users.

Many US firms collaborated with the NSA, enabling it to add backdoors to hardware and software. See for example this article on how Microsoft helped the NSA. The NSA itself tampered with US-made routers by intercepting shipments to customers, adding backdoors and then shipping the routers to their final destination (source: The Guardian).

Outsourcing infrastructure or applications is a matter of trust. There is a saying that ‘Trust arrives on foot but leaves on horseback’.

Add the Patriot Act, the American Stored Communications Act (SCA) and the Foreign Intelligence Surveillance Amendments Act (FISAA), and many organizations, especially European and Brazilian ones, are worried about storing any privacy-sensitive data, intellectual property or other sensitive information in a datacenter which they do not own and trust. Red alert when the provider is a US company.

Microsoft admitted in 2011 that data owned by Europeans and stored in European datacenters but processed by US firms is not safe from US authorities (source: ZDNet).

Data requests
So how often do US authorities request data from providers, and what kind of data is requested? Metadata, or actual data like the content of email? The problem is that this kind of information cannot be made public by law. Providers are not allowed to reveal court orders. They are allowed to reveal the number of orders with a delay of 6 months after the order was handed over. The Guardian has an article about this.

From January to June 2013 Microsoft received fewer than 1,000 orders from the FISA court for communications content, related to between 15,000 and 15,999 “accounts or individual identifiers”.

The company, which owns the internet video calling service Skype, also disclosed that it received fewer than 1,000 orders for metadata – which reveals communications patterns rather than individual message content – related to fewer than 1,000 accounts or identifiers.

Mind that these numbers are for all Microsoft services, including Skype and Outlook.com. So in many cases court orders from the FISA court are related to personal accounts and not to enterprise accounts.

This is important for understanding the problem.

Non-disclosure of National Security Letters or court orders (gag order)

US authorities like the FBI and the US Department of Justice can request a cloud/service provider to hand over customer data without disclosing that request to the customer. This is a so-called gag order. The official name of such a request is a National Security Letter or NSL.

In any cloud contract of Microsoft, and likely of every US provider as well, some lines are written like the ones below:

The cloud services that Microsoft provides to are governed by contract (the "Contract"). The Contract provides that Microsoft may disclose data to satisfy legal requirements, comply with law or respond to lawful requests by a regulatory or judicial body, or as required in a legal proceeding. The Contract also provides that, unless prohibited by law, Microsoft must use commercially reasonable efforts to give notice of any such disclosures in advance, or as soon as commercially reasonable after such

Reach of Patriot Act
So how far does that notorious Patriot Act reach? When is data safe? Nobody knows for sure. Likely it applies to data stored on servers of any company located in:

– The United States;
– The European Union with a parent company located in the United States;
– The European Union that uses data processing services of a subsidiary which is established in the United States;
– The European Union that uses a third party for data storage or data processing, like a US-based hosting company;
– The European Union, but that does structural business with a company in the United States of America.

The last one is the most unclear and is open to many interpretations.

There are some other serious security issues as well when using the cloud. In 2014 Amazon supplied Windows Server images which had not been patched since 2009. Auto update was disabled. HP and GoGrid also offered images which were not up to date with the latest security patches and also had auto-update disabled. Microsoft was the only investigated cloud provider which offered up-to-date images (source: Bkav).

So there are some serious issues to solve in cloud computing. What actions are taken by cloud providers to regain trust and how likely are those to keep the bad guys out?

  1. Object to court orders and go to court
  2. Trying to change mind of government
  3. Offer encryption
  4. Contracts
  5. Datacenters located in the EU
  6. Operate datacenters by branches
  7. Employ non US staff
  8. Use non ‘made in the United States’ software or hardware

Object and go to court
In several cases cloud providers like Google and Microsoft went to court when they received a National Security Letter. In one interesting case in 2013, the FBI handed Microsoft an NSL including a non-disclosure, and Microsoft went to court.

The FBI wanted information on an Office 365 customer. After Microsoft filed this challenge in Federal Court in Seattle, the FBI withdrew its letter.

Microsoft challenged the letter in court, saying the law the FBI used to obtain it violated the First Amendment, and was an unreasonable ban on free speech. 

In 2014 a Seattle judge ordered certain documents of this case to be unsealed. More information on gigaom.com.

While this is a small success, many NSLs remain undisclosed.

Trying to change mind of US government
Microsoft is asking the US government for the following, as described in this June 2014 post by Microsoft:

  • End bulk collection
  • Reform the FISA Court
  • Commit not to hack data centers or cables
  • Continue to increase transparency

See this article: Microsoft presses the US government on NSA reform.

Encryption
Microsoft and others are doing their very best to make the NSA’s life as hard as possible. They offer encryption in just about any solution which stores data created on-premises in Microsoft Azure. The customer is the only one holding the encryption key. Office 365 files stored in SharePoint Online and OneDrive for Business will each have their own encryption key. So even when the NSA puts a gun to Microsoft’s head, Microsoft will not be able to hand over readable data. Microsoft is working on encryption of data travelling between Azure datacenters. Google and others already encrypt that data.

Make sure data is encrypted the moment it leaves your trusted on-premises infrastructure. For how long encryption will be effective remains to be seen. The NSA is building a datacenter with a supercomputer to decrypt AES-encrypted data (source: Forbes).
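The following added example, which is not from the original post or from any provider's SDK, shows client-side envelope encryption in Node.js: each file gets its own AES-256-GCM data key, and that key is wrapped under a key-encryption key (KEK) that never leaves the customer. The function names, the object name and the sample document are assumptions made up for illustration.

```javascript
// Added example: encrypt on-premises before upload, customer keeps the key.
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt; aad is authenticated but not encrypted.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);          // fresh nonce per encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt; final() throws on a wrong key, wrong aad or tampering.
function unseal(key, box, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Runs inside the trusted infrastructure. kek stays with the customer.
function encryptForUpload(kek, objectName, plaintext) {
  const aad = Buffer.from(objectName, 'utf8');       // binds the blob to its name
  const dataKey = nodeCrypto.randomBytes(32);        // one key per file
  const body = seal(dataKey, plaintext, aad);
  const wrappedKey = seal(kek, dataKey, aad);        // data key wrapped under the KEK
  dataKey.fill(0);                                   // drop the plaintext data key
  return { objectName, wrappedKey, body };           // everything the provider stores
}

function decryptAfterDownload(kek, blob) {
  const aad = Buffer.from(blob.objectName, 'utf8');
  const dataKey = unseal(kek, blob.wrappedKey, aad);
  return unseal(dataKey, blob.body, aad);
}

// Constructed sample data, for illustration only.
const kek = nodeCrypto.randomBytes(32);
const blob = encryptForUpload(kek, 'contracts/2014-q2.docx',
  Buffer.from('constructed sample document'));
console.log(decryptAfterDownload(kek, blob).toString());
```

The provider only ever receives `blob`; without the KEK it can hand over nothing but ciphertext, and any modification of the stored object is detected on download.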

SSL traffic to and from Azure Web Sites can now be encrypted using Elliptic Curve Cryptography (ECC) certificates. Reversing a private key from a public key is about 10 times harder than with classic encryption methods. More info on ECC here.

The story of email firm Lavabit shows the power of the FBI, the NSA and others. Lavabit provided encrypted email services which protect the privacy of users. Snowden was one of the users of Lavabit (and probably the reason for the FBI’s interest in Lavabit). One day the FBI knocked on the door of the owner of Lavabit holding a court order requiring the installation of surveillance equipment on the Lavabit network. The court order also required Lavabit to hand over its SSL private keys. Lavabit objected, since complying would give access to all messages to and from all customers, which would be unfair and unreasonable.

The owner refused, looked for a lawyer and ended up in a court case. The result: Lavabit had to hand over 5 SSL private keys. Lavabit even tried to hand over the cryptographic material in printed form, stretched over 11 pages in a four-point font (source: Sophos.com).

In the end Lavabit had to close the company. (Source: the Guardian)

Contracts
Recently Microsoft proudly published that its contracts with customers using cloud services comply with the highest standards of the EU: privacy authorities across Europe approve Microsoft’s cloud commitments. While this contract is useful in assuring Microsoft customers that Microsoft complies with privacy laws, it is not a guarantee that data is safe from the bad guys/curious types like the NSA and FBI. As Microsoft states: they will have to hand over data if requested and do not even have to inform the customer about the handover.

Datacenters located in the EU
There are several reasons why US cloud providers offer datacenters located in the EU. First, to provide the best possible latency. Secondly, because EU laws prohibit certain types of data from being stored outside the EU.
Data stored in an EU datacenter but processed by a US firm is by no means safe from the Patriot Act. See the story about a US judge who ordered Microsoft to hand over data stored in a Dublin datacenter. Microsoft went to court. There is a lot of information on the internet about this case, like this article.

Operate datacenters by branches of US companies
VMware entered the public cloud IaaS market a while ago by offering vCloud Hybrid Service. Besides 4 US-located datacenters they also have one datacenter located in Slough near London (UK). They stated at VMworld that data is safe from the Patriot Act because vCHS is operated by VMware UK. The datacenter is owned by UK company Savvis. I do not think this can avoid US authorities with court orders to hand over data as VMware UK has a parent in the US.

Employ non-US staff
Dutch telecom and IT services company KPN recently announced that its public cloud offer named CloudNL is fully managed by Dutch administrators who are not bound by U.S. law. This way, according to KPN, the company is not required to hand over data to the NSA, FBI and other non-Dutch organizations. However, KPN is 100% owner of US company iBasis. This ownership would make KPN a target for the Patriot Act as it does ‘structural business with a US company’. However, KPN believes access by the NSA etc. via iBasis is blocked because servers are located in Dutch datacenters. Dutch newspaper Trouw reported on this (English here). Computerworld has an interesting article on CloudNL as well.

Use non ‘made in the United States’ software or hardware
When software made by US companies is used, the NSA could have a backdoor. Or the Patriot Act could have influence on the requirement to hand over data. So IT company Capgemini decided to build a cloud in which not a single component is made in the US. It provides software for email, calendar sharing, presentations, file sharing and video conferencing. News about this cloud offer, called Clair, was published by nu.nl (translation in English).

Capgemini does have about 27 offices in the US so even that might be a backdoor.

Conclusion
There is a lot of uncertainty about the power of US acts like the Patriot Act. The only way to find out their reach is through legal battles in court. Not all companies offering cloud services are interested in legal battles. They have an interest in being friends with US authorities.

Encrypting data which could be interesting to others, and making sure you own the encryption key, is a first step towards securing data.

 

 


About Marcel van den Berg
I am a technical consultant with a strong focus on server virtualization, desktop virtualization, cloud computing and business continuity/disaster recovery.
