The revelations over the extent of the National Security Agency's surveillance program have spurred businesses to ask more questions about the security of their cloud-based data. And the questions are now a whole lot more pointed.
Cloud solution providers say the fallout from the steady barrage of news about the NSA documents leaked by government contractor and former CIA employee Edward Snowden is difficult to predict. But they also say that their first step is to ensure a level of trust with their cloud customers.
According to a report in early September from The Guardian, the documents revealed that both the NSA and its U.K. counterpart, the GCHQ, compromised virtually all security measures used by Internet companies to protect communications, financial and health data. The report also stated that the NSA spent roughly $250 million to "covertly influence" product designs of private security technology vendors, which included such tactics as inserting secret vulnerabilities and back-door access points into commercial security software.
That news was just the latest in a string of revelations about the NSA's domestic surveillance program through leaked documents Snowden provided to the press. Previous reports included revelations about the U.S. government's ability to obtain telephone records without a warrant and the eye-opening Prism program, a secret initiative that gives the NSA direct access to the internal systems of companies such as Microsoft, Google, Facebook and Apple.
The scope of the government's surveillance program is still being understood, said Edison Peres, senior vice president, worldwide channels at Cisco Systems, San Jose, Calif. There won't be a rush away from cloud providers, he said, but interest in building private clouds has been growing and should continue to grow.
"There's a lot of work being done as it relates to building out private clouds. That's where a lot of opportunity is today," Peres said. "You need to be able to talk to your customers about what makes the most sense. If you cannot be in that conversation because you don't carry it, white-label it or support it, then you might not have the same credibility that the customers might need from partners going forward."
The NSA revelations have made it imperative for solution providers to be better informed about the SaaS-based solutions and cloud options they offer, said Eric Hart, co-owner and operations manager at Network Performance Inc., a South Burlington, Vt., provider of networking and security technologies.
The differences in cloud architectures need to be clearly laid out and an assessment made to determine the best fit for the client's needs, Hart said. In many cases, a company's most valuable intellectual property will be kept locked down behind the company firewall, he said.
"Honestly, our customers are not super-educated on the technical aspects of this stuff and they tell me that they really have nothing to hide," Hart said. "As this unwinds it will have some impact and eyebrows will be raised, but we'll just have to continue to have a conversation with customers."
HINDERING CLOUD ADOPTION, HURTING CLOUD PROVIDERS' REVENUE
Companies have embraced cloud services to reduce costs and boost employee productivity, so pivoting back to maintaining data on servers in the company data center is improbable and unfeasible, said Garry Sidaway, global director of security strategy at MSP WideAngle, an NTT Com Security firm.
"There's been a natural spike of awareness in how data is stored and secured by services and used by employees," Sidaway told CRN. "There's an opportunity here to embed security into these services and increase transparency so people don't cease trust in the brand or the services that are being delivered."
But some organizations are predicting a negative impact on cloud adoption, as overseas businesses lose trust in U.S. cloud providers because of the NSA issues. A report issued in August by the Information Technology and Innovation Foundation (ITIF), a public policy think tank, said U.S. cloud computing providers stand to lose a minimum of $21.5 billion over the next three years to European and Asian providers as a result of the NSA Prism program revelations. The ITIF cautioned, however, that its data was thin and that it was still too early to determine what the ultimate repercussions will be.
"If U.S. firms are to maintain their lead in the market, they must be able to compete in the global market," the ITIF said in its report. "It is clear that if the U.S. government continues to impede U.S. cloud computing providers, other nations are more than willing to step in to grow their own industries at the expense of U.S. businesses."
Companies are considering the deployment of private clouds, using virtual machines to create a cloud-based data center behind corporate firewalls, said Andreas Mertz, managing director and principal consultant at Germany-based IT security consultancy and managed security services firm IT-Cube. Another approach is to use co-location services, a remote data center that is walled off from other cloud customers and offers more control over company data, Mertz said.
Completely dismissing U.S. technology companies and security vendors is virtually impossible, but businesses overseas are reconsidering the cloud services they use, Mertz said.
"The discussion about the NSA news has pushed back whole cloud initiatives in Germany for at least two years," he said. "They're still using social media like Facebook but everybody is really concerned about security issues and, in terms of the business and intellectual property, a lot of companies stepped back from each cloud initiative they were working on and are undertaking feasibility studies to go to a private cloud."
'THERE'S ENCRYPTION, AND THEN THERE'S ENCRYPTION'
Steve Pate, co-founder and CTO of HighCloud Security in Mountain View, Calif., said he's particularly concerned about the news that the government is poking holes in commercial security products.
"I think it's fairly troubling," Pate said. "I'd be surprised if the government was able to go through these product development cycles without the news leaking out from these vendors, but that's not to say it's not happening. In fact, it may be happening without their knowledge."
Pate believes the NSA's practices could negatively impact cloud business in the short term. "The biggest thing we've seen," he said, "is a growing reluctance of foreign companies to work with U.S. cloud providers."
David Canellos, CEO of PerspecSys, a cloud security company based in McLean, Va., said he's seen a similar trend of companies, especially those based outside the U.S., becoming apprehensive about cloud migration. "Some organizations are becoming concerned, particularly businesses overseas that are apprehensive about working with U.S. cloud providers," he said. "And some companies are even looking at ripping out their cloud services and going back to on-premise systems. They're at least asking those questions."
HighCloud's Pate said vendors and solution providers need to stress basic principles about strong encryption standards and basic key management. HighCloud, for example, uses multilevel AES (advanced encryption standard) 256-bit encryption.
"There's encryption, and then there's encryption," he said. "If you're using an encryption key that's smaller than 80 bits then, yes, it's theoretically possible for the government or anyone else to easily crack those codes using brute-force techniques."
Unable to ensure their customers' privacy and security, two secure email providers shuttered their doors in August. Lavabit, which Snowden reportedly used to leak classified documents related to the agency's surveillance activities, ceased its operations. Silent Circle then followed with the shutdown of its secure email component to its secure communication platform.
Just a few days after the two firms terminated their services, LastPass CEO Joe Siegrist said he began getting customer inquiries about the security of his password management service. Siegrist went public to sustain trust with his loyal customers, explaining why his service is secure and why no legal authority could force his firm to provide access to encrypted password files, he said. Why? Simply because the key is maintained by the user, Siegrist said.
"We could never be asked to hand that key over because we don't have it," Siegrist told CRN. "They're worried that there is some kind of collusion going on and a vast conspiracy that they think we're part of, and that is just not the case."
Siegrist said that the public's fear about government surveillance is based partly on misguided information. Service providers that sell or rely on Web-based services need to educate their customers about how to maintain privacy by properly implementing encryption and other basic security measures, he said.
"We are already seeing people be more cognizant of security and are more inclined to want the data stored locally or in their country," Siegrist said. "It may cause a lot of these cloud services to potentially have to consider hosting in other countries and doing more to reassure their customers that moving and controlling data is not quite as simple as it was in the past."
Hopefully the NSA news will help educate people about taking basic security measures such as using stronger passwords and backing up important data, said Stefan Tanase, a senior security researcher at Kaspersky Lab. IT teams need to do a better job of patching vulnerable systems and addressing configuration weaknesses that open doors to cybercriminals, Tanase said.
"What is usually happening is that attackers are stealing the keys to the cloud," Tanase said. "The big cloud players have gotten the security of the actual cloud right, but it is the users of the cloud that are being targeted and they are usually victims of their own mistakes."
TECHNOLOGY VENDORS UNDER FIRE
Technology vendors in the end may be the ones to feel the biggest brunt of the NSA news, experts say. A lot of conclusions are being drawn about the leaked documents that are simply not factual, said Ryan Hurst, chief technology officer of GlobalSign, one of the Internet's earliest trust service providers. The firm, which was established in 1996, issues digital certificates to people, servers and mobile devices for Public Key Infrastructure-enabled applications to validate legitimate software, encrypt data and secure Internet transactions and communications.
"I fear that those that don't follow what's happening very closely are going to walk away with feeling that you shouldn't be encrypting your data because it really doesn't matter. That's the wrong answer," Hurst said. "Businesses need to worry about patching servers and ensuring applications are designed securely and secure software practices are used. It's paramount to look at the problem more holistically, otherwise all forms of attackers are going to have more success."
The level of mistrust in technology providers is rising, say experts. RSA, the Security Division of EMC, recently revealed that a software encryption toolkit it provides developers was set by default to a controversial algorithm. The default setting enabled a slower, weaker encryption scheme that cryptography experts say contains a back door to decrypt protected data.
"The consequence is that everybody using the RSA toolkit has to go back into their products and verify that they aren't using that random number generator," said Robert David Graham, a noted cryptography expert and CEO of security consultancy Errata Security. "But it's not just RSA's products, anybody using Microsoft's crypto libraries or the OpenSSL library has to do the same."
ROBERT WRIGHT contributed to this story.
PUBLISHED SEPT. 30, 2013