Is Cloud Computing dead after PRISM?
As Edward Snowden, the NSA leaker who kicked off the PRISM scandal seeks asylum around the world and creates headlines on every major newspaper, some of us have started discussing the more serious ramifications of the scandal.
Naturally, the aspect that interests us most is cloud security and we are analyzing what level of paranoia is justified based on what we learned from this affair.
Does the government control your Hypervisor?
One argument that comes up a lot: if the government can get cloud providers to cooperate using laws like the Patriot Act, then it can get your hypervisor provider to cooperate with them as well. With your provider’s cooperation, you may have a backdoor inserted in the hypervisor courtesy of the government. Then, everything you do or store in the cloud is under Big Brother government surveillance.
Scary stuff, right?
The short answer: true, the government can indeed have backdoors in your hypervisor. However, they can also have backdoors in your operating system (maybe on your laptop) or your network (perhaps on your router), using the same laws to demand cooperation from the vendors. So the cloud is not uniquely vulnerable in this respect.
If you really want to hide from any possibility of government backdoors, you should disconnect from the net and go live in a safe house in Pakistan; and even then, the government will eventually get you.
Oh, so really nothing is new with PRISM, we have always been under the government’s thumb, and we can all smile in quiet desperation? Not quite.
Cloud Security is special because Cloud Economics are special
A longer and much more meaningful answer: the cloud is “special” because it allows any snooper (including, but not limited to, the government) to scan massive amounts of cloud-based information, without regard to who owns it, and WITHOUT needing to open specific backdoors to specific resources.
Remember, even for the government, there is a question of cost-effectiveness. Scanning all the data from a cloud provider is relatively easy, because massive amounts of data from multiple owners is all available; in fact, many of the cloud providers scan it regularly themselves (for advertising purposes, or even security scans).
Though possible, scanning your laptop through a backdoor is less likely, because it requires a specific decision to chase after YOU. So the “economics” of PRISM are simple: it is a huge net that catches all fish, rather than a fish hook that targets one fish.
Achieving Cloud Encryption through unique Cloud Key Management
Assuming a safe-house in Pakistan is overkill for you, how do you avoid swimming with the school of fish that gets caught in the government’s net? How do you make yourself special?
Metaphors aside, the accepted technique is to encrypt your data using your own unique encryption keys.
Note these words: unique encryption keys. You must be sure that you, and only you, own your keys.
That means that you cannot opt for a solution that is controlled by anyone other than yourself. Specifically, avoid a solution that is owned by your cloud provider, since such an approach is open to subpoena.
This brings up a contradiction. How on earth can you use the cloud’s full potential, yet defend yourself from your cloud provider and keep key ownership to yourself?
Our advice: try split-key encryption, a technology in which you keep control even in the cloud; and homomorphic key management, a technology that encrypts your encryption keys, even at the time when they are being used by you (for additional information read this white paper). The combination of these two technologies gives you an Enterprise-worthy assurance that only you control your encryption keys.
What level of paranoia is justified in the wake of PRISM? The truth is, no paranoia is necessary if you take proper steps to understand your exposure to risk and to properly protect yourself. These technologies change the economics of surveillance – making you the fish that swims on its own path, rather than with the school of fish that gets caught by the Big Brother fishnet.