Encryption Can Create Stormy Weather in the Cloud

Encryption has received a lot of attention lately as a solution to the growing data breach problem, but one of the hang-ups dogging the technology has been its ability to play nice in the cloud.

That’s especially true if an organization wants to control the keys by which its data is scrambled and use services offered by a cloud provider beyond simple storage.

For example, if a cloud provider can’t decrypt a client’s data, it could break the provider’s antivirus, data loss prevention, file preview and text indexing functions, as well as pose performance challenges.

“If the cloud provider can’t decrypt your data, the cloud just becomes a dumb bucket,” Adrian Sanabria, a senior analyst with the enterprise security practice at The 451 Group, told TechNewsWorld.

That’s why cloud service providers in the past have had access to users’ data encryption keys. As long as a user trusted their provider, that approach was acceptable, but that’s no longer the case for many organizations.

Trust But Keep Keys

Compliance with regulations requires some businesses to control the keys by which they encrypt their data. Other organizations just don’t want to lose control of their information.

However, if an organization wants to use a cloud provider’s services, it can allow a provider to access its keys. “Encryption still takes place in the cloud, but it’s done with keys managed by the customer,” Todd Partridge, director of product marketing at Intralinks, told TechNewsWorld.

From a security perspective, though, that solution is imperfect. A rogue employee of the cloud provider could abuse those key privileges to peek at, or leak a customer’s data. The solution also opens the door for lawyers or government authorities to snatch the data.

Those authorities usually obtain data from a provider through a civil or criminal subpoena. As long as there isn’t a gag order attached to the subpoena — a rare occurrence except in national security cases — a customer with control of its encryption keys has a chance to protect their data.

“After we receive a subpoena, we inform the customer that we’ve received it, at which time the customer can deny us access to its encryption keys,” Intralinks’ Partridge explained. “If they do that, the only thing we could hand over to the courts is encrypted data.”

“In the instances where we’re served with a subpoena for data with a gag order, there’s pretty much nothing we can do but turn over decrypted data without telling the customer,” he added.

IoT Takes PR Hit

The Internet of Things has barely gotten off the ground, but that hasn’t stopped security issues from being raised about it.

Last week, Sen. Ed Markey (D-Mass.) released a report exploring the potential hacking of automobile electronics.

Meanwhile, Samsung came under fire for its smart TV terms of service agreement, which warns that “if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

In his report, Markey noted: “New technologies in cars have enabled valuable features that have the potential to improve driver safety and vehicle performance. Along with these benefits, vehicles are becoming more connected through electronic systems like navigation, infotainment and safety monitoring tools.”

“The proliferation of these technologies,” he continued, “raises concerns about the ability of hackers to gain access and control to the essential functions and features of those cars and for others to utilize information on drivers’ habits for commercial purposes without the drivers’ knowledge or consent.”

Solution in Cloud

If auto makers want to mitigate future cyberattacks on their products, they’ll need to focus their security efforts in the cloud, maintains Andreas Mai, director of smart connected vehicles at Cisco.

“Cloud services need to assist a vehicle’s threat defense, and remove threats before they reach vehicles,” he told TechNewsWorld.

He says that the cloud needs to process attack information from millions of vehicles, and based on the results, update the vehicle’s onboard defense continuously.

“Misbehaving vehicles and anomalies need to be detected and addressed from the cloud,” he added. “It will simply not be acceptable to vehicle owners to visit a dealer every time a cyberattack needs to be addressed.”

While Markey’s report raised serious concerns about connected autos, it may not have scratched the surface of the problem. “The situation is worse than Markey imagines and the answer remains elusive even as the need for a solution intensifies,” observed Roger C. Lanctot, associate director of the global automotive practice for Strategy Analytics.

“Time to shelve the self-driving cars until we sort this out,” he told TechNewsWorld.

Too Smart TV

The Samsung smart TV furor also attracted a senator’s attention. Sen. Al Franken (D-Minn.) sent a letter to Samsung, as well as fellow smart TV maker LG, asking some pointed questions about the gathering of voice data containing personal information.

Samsung said it would respond to Franken’s letter. In the meantime, it clarified its warning, saying that voice commands are captured and sent to third parties only when users conduct searches through its TVs. The third party is Nuance, a service provider that converts a user’s speech into commands the TV can understand.

“Monitoring by smart TVs is part of a larger trend towards tracking all kinds of activities and behaviors,” noted Lance Cottrell, chief scientist at Ntrepid. “Location tracking, financial tracking and web tracking also provide very invasive levels of information about us.”

“Increasingly people need to think about what things they really want to keep private,” he told TechNewsWorld, “because it is almost impossible to protect everything without going completely off the grid.”

Breach Diary

  • Feb. 8. New York Superintendent of Financial Services Benjamin M. Lawsky announces his agency will integrate regular, targeted assessments of cybersecurity preparedness at insurance companies as part of its examination process.
  • Feb. 10. Former Florida Governor Jeb Bush’s team releases to the public more than 300,000 emails created while he was in office. Emails contained personal information of some 12,000 people who are now at risk of identity theft and other forms of fraud.
  • Feb. 10. Cyber Caliphate hacks Newsweek Twitter account. Profile picture and banner defaced and messages threatening Michelle Obama and praising cyberjihad posted to account’s timeline.
  • Feb. 10. Obama Administration announces Cyber Threat Intelligence Integration Center. Center will fuse intelligence from around the government when a cybercrisis occurs.
  • Feb. 10. Security researcher Mark Burnett publishes 10 million user names and passwords to the Internet in protest of a proposed federal law. Measure announced by Obama Administration would amend Computer Fraud and Abuse Act to make actions similar to Burnett’s punishable by up to 10 years in prison.
  • Feb. 10. Microsoft patches bug in Internet Explorer that was exploited by attackers targeting U.S. defense and financial services firms.
  • Feb. 12. Anthem announces it will offer for free two years of identity protection and credit monitoring, as well as US$1 million in identity theft insurance. Earlier this month 80 million customer records at the health care payment organization were compromised by hackers.
  • Feb. 12. Alcatel-Lucent’s Motive Security Labs releases report estimating 16 million mobile devices are infected with malware worldwide.
  • Feb. 13. President Barrack Obama holds cybercrime summit at Stanford University in Palo Alto, Calif.

Upcoming Security Events

  • Feb. 17. Cyber Threat Spotlight: Social Domains–Fraud’s New Frontier. 1 p.m. ET. BrandProtect webinar. Free with registration.
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • Feb. 19. Secure Because Math: Understanding Machine Learning-Based Security Products. 2 p.m. ET. Black Hat webcast. Free with registration.
  • Feb. 21. B-Sides Tampa. The Museum of Science and Industry, 4801 E. Fowler Ave., Tampa, Florida. Free.
  • Feb. 21. B-Sides Indianapolis. DeveloperTown 5255 Winthrop Ave., Indianapolis, Indiana. Fee: $10.
  • Feb. 25. Clear and Present Danger. Noon ET. Webinar on anatomy of real world phishing attack. Free.
  • Feb. 25. Five Misconceptions About the Modern DDoS Attack. 11 a.m. ET. Webinar. Free with registration.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 11. Intelligence Squared U.S. Debates: The U.S. Should Adopt The “Right To Be Forgotten” Online. 6:45 p.m. Merkin Concert Hall, Goodman House, 129 W. 67th Street, New York City. Tickets: $40; student, $12.
  • March 12. B-Sides Ljubljana. Poligon Creative Centre, Tobačna ulica 5, Ljubljana, Slovenia. Free.
  • March 12-13. B-Sides Austin. WinGate Williamson Conference Center, Round Rock, Texas. Fee: $15/day.
  • March 14. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta. Free.
  • March 16-17. B-Sides Vancouver. The Imperial Vancouver, 319 Main St., Vancouver, BC, Canada. Tickets (before March 1): supporter CA$25, plus CA$2.49 fee; professional CA$55, plus CA4.29 fee; VIP CA$125 plus $8.49 fee.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: $25; conference pass: $295; SecureWorld plus training: $695.
  • March 20-21. B-Sides Salt Lake City. Sheraton Salt Lake City Hotel, Salt Lake City, Utah. Registration: before March 20, $40; $50 at the door.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Mo. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Md. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Security

Technewsworld Channels