In the past few months, we have seen progressively more coverage of the way existing laws were used to realize access to cloud-based data without the information owner’s knowledge or consent. What’s different with the newest revelation, as highlighted within the Manhattan Times recently, are reports of the National Security Agency actively attempting to undermine encryption technology and standards, including those adopted by National Institute of Standards and Technology, similar to the twin EC DRBG standard.

Does this mean that the NSA’s reach into electronic communications is so profound, and its abilities to dig into our communications so extensive, that companies must come to terms with two equally unattractive options: accept that there’s no method to control their very own data even if they encrypt it, or avoid using cloud services?

In brief, no. Peeling back the layers, the location is absolutely not as dire as heated coverage suggests. Actually, security experts say that the reports, while critical to fostering a debate on policy and law, can have overstated the NSA’s capabilities. While basic precautions are unlikely to face within the way of the NSA’s surveillance efforts, as cryptography expert Bruce Schneier notes: “The defense is straightforward, if annoying: stay with symmetric cryptography in keeping with shared secrets, and use 256-bit keys.” Without access to the keys or the facility to crack the encryption, the NSA must directly approach the info owner who holds the keys to access the info.

The bottom line is The important thing

Internet encryption is barely keys and locks: We take into account that after we lock a door, the extent of protection is determined by how strong and sophisticated the lock is and whether we store the keys safely. If we hold tight to the keys, and the encryption equivalent of the lock is impervious to hammer blows or perhaps a master safecracker, it’s less critical how the encrypted data moves during the network. But provided that the attacker has access to the keys, the security of the lock has no relevance.

The reports outline a couple of scenarios on how the NSA has potentially worked to undermine Internet encryption, ranked from highly unlikely to most probable:

— Implement data-intensive and computationally intensive brute-force attacks to crack data encryption (highly unlikely)

— Coerce vendors to preserve an “NSA-friendly” back door into their encryption and products (unlikely)

— Coerce vendors to weaken their very own encryption (improbable)

— Hack the keys, or hack Internet infrastructure inclusive of switches and routers(likely)

— Force cloud service providers at hand over encryption keys or open their infrastructures to tapping by the NSA (definitely)

A brute-force attack could be considered someone dealing with the method of trying each variation of a key before finding the person who works. This requires both a considerable amount of standard corporate data encrypted with the objective key for comparison — 70 TB by Schneier’s estimation — and immense amounts of dedicated computer power. The variety of potential combinations increases exponentially with each additional “bit” added to the most important.

The second one and third scenarios involve the maker of the keys collaborating at the design of the keys with a 3rd party, or perhaps designing the lock in order that the third party knows exactly which sort of keys work. The lock continues to be mostly secure, but some third party can create a copy set of keys whenever it desires to. Those duplicates become some degree of vulnerability that undermines the lock’s long-term security.

[ Of the 26% of respondents to our Cloud Security & Risk Survey with out a plans to take advantage of public cloud services, 58% cite security because the reason. Here’s how one can gain the advantages of cloud and decrease risk. ]

The third scenario amounts to theft of the keys. Again, in case your version of securing encryption keys is hiding them under a rock by front door, hacking the keys is a reasonably straightforward proposition for a company as technically sophisticated because the NSA. Don’t store keys in an accessible place, and restrict access in your key management system.

The fourth scenario is now an issue of public knowledge — and one of several consequences of ways cloud computing functions. When third-party cloud providers hold encryption keys, they’re lawfully compelled to open the lock (decrypt the information) before turning over the information.

So, don’t hand them your keys.

Control Within the Age Of PRISM

When the scoop of the PRISM program first broke, many observers argued that the chance of unauthorized disclosure was overstated. The most recent revelations make it obvious that there’s a real risk, and encryption provided by cloud providers buys you no privacy and confidentiality protection.

Businesses have many important reasons to offer protection to the privacy in their data: compliance with regulations; protecting attorney-client privilege; adhering to international data residency/privacy laws; protecting intellectual property, financial, employee and customer information; and more. If IT can’t depend upon encryption supplied by cloud providers, do we still utilize cloud computing services?

Yes, but again, companies ought to take precautions. The Cloud Security Alliance maintains a suite of best practices that define how organizations can maintain ownership and control in their data. The ideal practices highlight the necessity to define roles and responsibilities: The cloud enterprise is accountable for securing, managing and monitoring its environment and facilities.

However, the responsibility for shielding data lies squarely at the end user. The CSA’s guidance could be summarized as follows:

— Data must be encrypted before it leaves the top user organization’s control.

— Encryption need to be implemented for data at rest, in transit and in use, a comparatively new capability.

— Encryption keys ought to be retained by the tip user organization, not the cloud enterprise.

— Select a cloud agency that clings to the CSA’s set of best practices. (Our IaaS Buyer’s Guide of 21 providers asks in regards to the CSA STAR program.)

Do not be overwhelmed by new revelations, but in addition don’t assume any cloud provider goes to care up to you do about privacy and confidentiality, or that it won’t hand data over in keeping with a central authority request. Protecting your data wherever it resides is an issue of understanding how secure your encryption scheme is and being responsive to who holds the encryption keys — and the way tightly.