'THERE'S ENCRYPTION, AND THEN THERE'S ENCRYPTION'
Steve Pate, co-founder and CTO of HighCloud Security in Mountain View, Calif., said he's particularly concerned about the news that the government is poking holes in commercial security products.
"I think it's fairly troubling," Pate said. "I'd be surprised if the government was able to go through these product development cycles without the news leaking out from these vendors, but that's not to say it's not happening. In fact, it may be happening without their knowledge."
Pate believes the NSA's practices could negatively impact cloud business in the short term. "The biggest thing we've seen," he said, "is a growing reluctance of foreign companies to work with U.S. cloud providers."
David Canellos, CEO of PerspecSys, a cloud security company based in McLean, Va., said he's seen a similar trend of companies, especially those based outside the U.S., becoming apprehensive about cloud migration. "Some organizations are becoming concerned, particularly businesses overseas that are apprehensive about working with U.S. cloud providers," he said. "And some companies are even looking at ripping out their cloud services and going back to on-premise systems. They're at least asking those questions."
HighCloud's Pate said vendors and solution providers need to stress basic principles about strong encryption standards and basic key management. HighCloud, for example, uses multilevel AES (Advanced Encryption Standard) 256-bit encryption.
"There's encryption, and then there's encryption," he said. "If you're using an encryption key that's smaller than 80 bits then, yes, it's theoretically possible for the government or anyone else to easily crack those codes using brute-force techniques."
Unable to ensure their customers' privacy and security, two secure email providers shuttered their doors in August. Lavabit, which Snowden reportedly used to leak classified documents related to the agency's surveillance activities, ceased its operations. Silent Circle then followed with the shutdown of the secure email component of its secure communication platform.
Just a few days after the two firms terminated their services, LastPass CEO Joe Siegrist said he began getting customer inquiries about the security of his password management service. Siegrist went public to sustain trust with his loyal customers, explaining why his service is secure and why no legal authority could force his firm to gain access to encrypted password files, he said. Why? Simply because the key is maintained by the user, Siegrist said.
"We could never be asked to hand that key over because we don't have it," Siegrist told CRN. "They're worried that there is some kind of collusion going on and a vast conspiracy that they think we're part of, and that is just not the case."
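The user-held-key model Siegrist describes, as an added illustration that is not LastPass's code or part of the article: the client derives the vault key from the master password with PBKDF2-HMAC-SHA256 and encrypts locally with AES-256-GCM, so the provider stores only a salt, a nonce and ciphertext and has nothing it could be compelled to hand over. The type and function names, the 16-byte salt and the 100,000-iteration work factor are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Vault is all the provider stores: public salt, nonce, ciphertext. No key.
type Vault struct {
	Salt, Nonce, Ciphertext []byte
}
// deriveKey: PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block, run on the
// client so the master password never leaves it. Output is the AES-256 key.
func deriveKey(master string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index INT(1), big-endian
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // work factor slows offline password guessing
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}
// aeadFor builds AES-256-GCM; a 32-byte key makes both constructors infallible.
func aeadFor(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(master, salt))
	aead, _ := cipher.NewGCM(block)
	return aead
}
// sealVault encrypts on the client; only the returned Vault is uploaded.
func sealVault(master string, plaintext []byte) Vault {
	v := Vault{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(v.Salt)  // fresh random salt per vault
	rand.Read(v.Nonce) // GCM nonce must never repeat under one key
	v.Ciphertext = aeadFor(master, v.Salt).Seal(nil, v.Nonce, plaintext, nil)
	return v
}
// openVault works only with the right master password; any other fails GCM's tag check.
func openVault(master string, v Vault) ([]byte, error) {
	return aeadFor(master, v.Salt).Open(nil, v.Nonce, v.Ciphertext, nil)
}
```

Whoever holds only the Vault, provider or attacker, is left guessing the master password at 100,000 HMAC iterations per guess, which is why the work factor and the password's strength, not the provider's cooperation, decide the outcome.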
Siegrist said that the public's fear about government surveillance is based partly on misguided information. Service providers that sell or rely on Web-based services need to educate their customers about how to maintain privacy by properly implementing encryption and other basic security measures, he said.
"We are already seeing people be more cognizant of security and are more inclined to want the data stored locally or in their country," Siegrist said. "It may cause a lot of these cloud services to potentially have to consider hosting in other countries and doing more to reassure their customers that moving and controlling data is not quite as simple as it was in the past."
Hopefully the NSA news will help educate people about taking basic security measures such as using stronger passwords and backing up important data, said Stefan Tanase, a senior security researcher at Kaspersky Lab. IT teams need to do a better job of patching vulnerable systems and addressing configuration weaknesses that open doors to cybercriminals, Tanase said.
"What is usually happening is that attackers are stealing the keys to the cloud," Tanase said. "The big cloud players have gotten the security of the actual cloud right, but it is the users of the cloud that are being targeted and they are usually victims of their own mistakes."