Cloud Security Firms: NSA Spying A Double-Edged Sword For Business
12:19 PM EST Fri. Sep. 20, 2013
Cloud security firms are growing increasingly concerned about the NSA's domestic surveillance and encryption cracking practices, which they say could have a negative impact on business.
Recent reports claim the U.S. National Security Agency has cracked the majority of encryption technologies used to protect online data as part of its widespread Internet surveillance program.
Cloud security firms say the NSA's practices are bad for business because they undermine customer confidence in moving data to the cloud -- but they also say the news has had a positive effect because it has put a spotlight on the need for better security measures.
"I think customers feel like they're losing control of who's looking at their data -- regardless of whether or not they want to share that data with the government," said Pravin Kothari, founder and CEO of CipherCloud, a data protection firm based in San Jose, Calif. "But it's definitely having a beneficial effect. We're seeing dramatic growth over the last few months since the news."
Still, the potential losses for the cloud industry could be staggering, Kothari said. Last month, the Information Technology & Innovation Foundation released a report that predicted the NSA's PRISM program could end up costing the cloud industry between $22 billion and $35 billion over the next three years.
Kothari said he thinks the losses could be much steeper. "We think there's much more at stake over the loss of trust," he said.
The concerns go beyond the NSA's ability to simply break encryption codes. According to reports from The Guardian and The New York Times, the intelligence agency is working to "covertly influence" product designs of private security technology vendors, which includes inserting secret vulnerabilities and back-door access points into commercial security software.
Steve Pate, co-founder and CTO of HighCloud Security in Mountain View, Calif., said he's concerned about the NSA's anti-encryption practices -- particularly the news that the government is poking holes in commercial security products.
"I think it's fairly troubling," Pate said. "I'd be surprised if the government was able to go through these product development cycles without the news leaking out from these vendors, but that's not to say it's not happening. In fact, it may be happening without their knowledge."
Pate believes the NSA's practices could negatively impact the cloud business in the short term. "The biggest thing we've seen," he said, "is a growing reluctance of foreign companies to work with U.S. cloud providers."
David Canellos, CEO of PerspecSys, a cloud security company based in McLean, Va., said he's seen a similar trend of companies, especially those based outside the U.S., becoming apprehensive about cloud migration. "Some organizations are becoming concerned, particularly businesses overseas that are apprehensive about working with U.S. cloud providers," he said. "And some companies are even looking at ripping out their cloud services and going back to on-premise systems. They're at least asking those questions."
In addition, Canellos said customers shouldn't assume that the NSA is the only entity that can crack online encryption technologies. "If the NSA can circumvent security measures that you'd otherwise trust, then that's a real issue," he said. "And if the NSA can do it, then I believe others can do it as well."
It isn't just cloud security firms that are sounding the alarm over PRISM and other NSA activities; Facebook CEO Mark Zuckerberg this week said the NSA snooping was bad for business because it lowered customer trust for online tech companies.
While Canellos said the NSA's activities have come up in just about every conversation he's had with clients and partners in recent months, the concern level isn't high -- yet. "We're not hearing a lot of concern from customers right now, and part of that is because companies feel their encryption standards are strong enough," he said. "But companies are taking notice, and people are still trying to process all of the information."
Still, the NSA revelations are having a positive effect, Canellos said. "It's raising a level of awareness about security, which is good for us," he said. Kothari agreed, saying security technology has shifted in recent years from antivirus protection to encryption, and the NSA news will only accelerate that shift. In fact, Kothari said, an argument can be made that corporate data is actually safer in the cloud.
"It's much harder today, I think, to crack cloud data storage because you have to get past both the cloud provider and the corporate network," Kothari said. "You can be more secure in the cloud today, but you need to encrypt your data before you send it up there."
So in light of the recent NSA news, what's to be done? How can cloud security firms protect client data from prying eyes, whether it's government agents or cybercriminals?
HighCloud's Pate says vendors and solution providers need to stress basic principles about strong encryption standards and basic key management. HighCloud, for example, uses multilevel AES (advanced encryption standard) 256-bit encryption.
"There's encryption, and then there's encryption," he said. "If you're using an encryption key that's smaller than 80 bits then, yes, it's theoretically possible for the government or anyone else to easily crack those codes using brute-force techniques."
NIST's key-management guidance (SP 800-57) rates an 80-bit symmetric key as comparable in strength to a 1,024-bit RSA or Diffie-Hellman key, and a 256-bit symmetric key such as AES-256 as comparable to a 15,360-bit asymmetric key. The relationship is not linear: factoring and discrete-logarithm attacks scale far better than brute force, so asymmetric keys must grow much faster than symmetric ones to keep pace, and NIST's transition guidance (SP 800-131A) deprecates 80-bit security, including 1,024-bit RSA, after 2013.
CipherCloud also uses AES 256-bit encryption. Kothari said any 1,024-bit length encryption is unsafe and can be cracked by a powerful computer. Therefore, he said, his company "highly recommends" at least 4,096-bit lengths for Internet communication.
CipherCloud also leaves the encryption keys in the customer's hands; because it never holds them, it cannot hand them over to the government or anyone else. "Key management becomes a big issue," Kothari said. "These keys shouldn't be shared with anyone, regardless of who's asking for them."
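The pattern Pate and Kothari describe -- AES-256, the key generated and kept by the customer, data encrypted before it is uploaded -- looks like the following. This is an added illustration, not code from CipherCloud, HighCloud or the article; the object names, the in-memory `cloudStore` standing in for the provider, and the sample file contents are constructed for the example. It uses AES-256 in GCM mode from Go's standard library, so the ciphertext is also integrity-protected: a provider (or anyone who obtains the stored blob) can neither read it nor alter it undetected without the customer's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // 32 bytes = AES-256

// NewCustomerKey generates a 256-bit data-encryption key on the customer's
// side from the OS CSPRNG. It is never sent to the cloud provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag and is the only thing uploaded. aad (here the
// object name) is authenticated but not encrypted, so a blob cannot be
// silently moved into another object's slot without the check failing.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad makes the
// GCM tag check fail, so the caller gets an error rather than garbage.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// cloudStore stands in for the provider (a constructed stand-in for this
// example): it only ever holds opaque blobs keyed by object name.
type cloudStore map[string][]byte

// ProviderCanRead models a subpoena or an insider at the provider: it tries
// to open an object with a key of its own, because it does not hold the
// customer's. It returns true only if decryption succeeds, which it cannot
// without the real 256-bit key.
func ProviderCanRead(store cloudStore, name string) bool {
	providerKey, err := NewCustomerKey() // a guess; the real key is one of 2^256
	if err != nil {
		return false
	}
	_, err = Open(providerKey, store[name], []byte(name))
	return err == nil
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	store := cloudStore{}
	blob, err := Seal(key, []byte("constructed payroll.csv contents"), []byte("payroll.csv"))
	if err != nil {
		panic(err)
	}
	store["payroll.csv"] = blob // "upload": the provider stores opaque bytes
	fmt.Printf("provider can read object: %v\n", ProviderCanRead(store, "payroll.csv"))
	pt, err := Open(key, store["payroll.csv"], []byte("payroll.csv"))
	fmt.Printf("customer recovers: %q (err=%v)\n", pt, err)
}
```

The part that matters operationally is where `key` lives: in this model only the customer's process ever holds it, so a provider that receives a government request has nothing to hand over but ciphertext. Losing that key means losing the data, which is the key-management burden Kothari refers to.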
In addition to stronger encryption standards and better key management, PerspecSys' Canellos also recommends taking a multi-layered approach to cloud security. For example, PerspecSys combines encryption technology from third parties with its own token system.
"We think tokenization is becoming more mainstream and we're using it as an alternative to just using encryption," Canellos said. "With tokens, there's no algorithm to place a back door."
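Canellos' point about tokenization is that a token is a random surrogate looked up in a vault, not a transformation of the data, so there is no cipher or key whose weakening reveals the original value; the only place the mapping exists is the vault the customer controls. The sketch below is an added illustration, not PerspecSys' product or code from the article. It assumes a digits-only value such as a card or account number, a format-preserving token that keeps the value's length and its last four digits (a common convention, assumed here), and an in-memory vault standing in for the on-premise store; the sample numbers are constructed.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"sync"
)

// Vault is the on-premise token store. The cloud application only ever
// receives tokens; the token-to-value mapping exists nowhere else.
type Vault struct {
	mu      sync.Mutex
	byValue map[string]string // sensitive value -> token
	byToken map[string]string // token -> sensitive value
}

func NewVault() *Vault {
	return &Vault{byValue: map[string]string{}, byToken: map[string]string{}}
}

// randomDigits returns n uniformly random decimal digits from the OS CSPRNG.
// rand.Int avoids the modulo bias a byte%10 approach would introduce.
func randomDigits(n int) (string, error) {
	buf := make([]byte, n)
	for i := range buf {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		buf[i] = '0' + byte(d.Int64())
	}
	return string(buf), nil
}

const keepTrailing = 4 // assumed convention: last four digits stay visible

// Tokenize returns a token of the same length as value with the leading
// digits replaced by random ones. The same value always maps to the same
// token (so the cloud app can still group or join on it), and no token is
// ever handed out twice.
func (v *Vault) Tokenize(value string) (string, error) {
	if len(value) <= keepTrailing {
		return "", errors.New("value too short to tokenize")
	}
	for _, c := range value {
		if c < '0' || c > '9' {
			return "", errors.New("value must be digits only")
		}
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	if tok, ok := v.byValue[value]; ok {
		return tok, nil // consistent tokenization
	}
	for attempt := 0; attempt < 100; attempt++ {
		prefix, err := randomDigits(len(value) - keepTrailing)
		if err != nil {
			return "", err
		}
		tok := prefix + value[len(value)-keepTrailing:]
		// Reject collisions with existing tokens, with stored values (a token
		// must not be somebody else's real number) and with the value itself.
		if _, taken := v.byToken[tok]; taken || tok == value {
			continue
		}
		if _, isValue := v.byValue[tok]; isValue {
			continue
		}
		v.byValue[value] = tok
		v.byToken[tok] = value
		return tok, nil
	}
	return "", errors.New("could not find an unused token")
}

// Detokenize is the only way back to the value and only runs inside the
// customer's boundary; the cloud side never gets this lookup.
func (v *Vault) Detokenize(tok string) (string, bool) {
	v.mu.Lock()
	defer v.mu.Unlock()
	val, ok := v.byToken[tok]
	return val, ok
}

func main() {
	vault := NewVault()
	tok, err := vault.Tokenize("4111111111111111") // constructed sample number
	if err != nil {
		panic(err)
	}
	fmt.Printf("cloud sees: %s\n", tok)
	val, _ := vault.Detokenize(tok)
	fmt.Printf("vault recovers: %s\n", val)
}
```

Note what this shifts rather than removes: the attacker's target becomes the vault and the channel between it and the application, so the vault's access control, audit trail and backups are the security boundary, and keeping the last four digits visible leaks exactly that much to anyone who sees the token.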
While the recent NSA revelations have caused concern among security vendors and their customers, NSA whistleblower Edward Snowden told The Guardian that strong encryption standards are still a safe bet to protect data. Cloud security firms agree.
"Strong encryption still works," Pate said. "Even Snowden said the government couldn't crack high-level encryption."
PUBLISHED SEPT. 20, 2013