Following the revelation that Microsoft may have decrypted customer data and provided it to the NSA, I'm concerned about encryption key management of cloud data. Should encryption keys always be managed in house (not in the cloud)? I also heard that even without the encryption keys, a cloud provider could still decrypt customer data if it takes a "snapshot" of the computer server's memory. How do we handle all this?
Ask the Expert
The revelations regarding government access to encrypted data from cloud providers have dramatically changed my perception of cloud services. These services have always required an extension of the trust boundary outside of the organization, but they were always backed up by contracts containing service-level and non-disclosure agreements. The security community has even developed different types of audits and certifications, such as the SSAE-16 audit and the NIST Cloud Computing Reference Architecture, to further bolster our trust in cloud services. Basically, no one had ever seriously considered the risk of government intelligence organizations having direct access to these services without legal oversight, but this is the new reality under which all cloud services need to be scrutinized.
This new reality also affects the way information should be encrypted in the cloud. In the past, I would have recommended private encryption keys be managed in the cloud to avoid the complexities of encryption key management, with the assumption that the risks inherent in allowing a cloud provider to manage private keys could be mitigated through contracts, controls and audits. Now we know cloud providers cannot actually honor these contracts when responding to government requests for information. As a result, organizations need to develop processes to store private encryption keys in-house to drive these types of investigations back through the appropriate legal channels.
This situation also presents other cloud-based encryption concerns that need to be addressed. Storing private keys in-house may only work for storage applications where the cloud service does not need the private key to process information. Applications running in the cloud will need to decrypt data for processing, which leaves the private key vulnerable to a number of memory-based methods of retrieval. There isn't a good answer to this problem as of yet, so organizations may just have to accept the inherent risk or move these services back in-house if the risk is deemed too great.
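As an added illustration of the in-house key management recommended above (example code written for this column, not the author's or any provider's), the following Go program shows the storage pattern in which the provider only ever holds ciphertext: each object is encrypted under a random data-encryption key (DEK), and that DEK is itself wrapped under a key-encryption key (KEK) that never leaves the organization. The type and function names are assumptions of the example; note that DecryptFromCloud must hold the unwrapped DEK in process memory, which is exactly the exposure described for workloads that process data in the cloud.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// CloudObject is all the provider holds: payload under a per-object DEK, DEK under the in-house KEK.
type CloudObject struct{ Ciphertext, WrappedDEK []byte }
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length (not 16/24/32 bytes) gets here; that is a caller bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}
// seal returns nonce||ciphertext||tag with a fresh random nonce.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; it fails on a wrong key or any modification of blob.
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("sealed blob too short")
}
// EncryptForCloud runs on-premises before upload, so only ciphertext leaves the organization.
func EncryptForCloud(kek, plaintext []byte) CloudObject {
	dek := make([]byte, 32) // fresh AES-256 key per object
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return CloudObject{Ciphertext: seal(gcm(dek), plaintext), WrappedDEK: seal(gcm(kek), dek)}
}
// DecryptFromCloud also runs on-premises; the unwrapped DEK exists only in this process's memory.
func DecryptFromCloud(kek []byte, obj CloudObject) ([]byte, error) {
	dek, err := open(gcm(kek), obj.WrappedDEK)
	if err != nil {
		return nil, err // wrong KEK, or the provider returned altered data
	}
	return open(gcm(dek), obj.Ciphertext)
}
```

Because AES-GCM authenticates what it encrypts, a wrong KEK or any alteration of the stored object is reported as an error rather than yielding garbage plaintext.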
There may be no good technical way to protect your organization's data from unwarranted access by government agencies (whether in the U.S. or not). There are still reportedly access points, or "taps", installed in all of the major telecom providers' networks, which would limit the effectiveness of any encrypted communication, whether the data is hosted internally or in the cloud. Encrypted data can be stored for high-speed decryption on hardware manufactured specifically to break private keys and algorithms.
Companies outside of the U.S. are already considering moving cloud-based services hosted in the U.S. to other countries. This issue has garnered a lot of public attention and may have enough momentum to spur changes to policies and the transparency of these types of government programs in the future. Until then, the government controls the network, the encryption standards and the laws while commanding an extraordinary budget. As a result, it is impossible for the average organization to develop any lasting technical security measures to keep their data private anywhere on the Internet. Welcome to the new reality.
This was first published in October 2013