Sysadmins: Keep YOUR data away from NSA spooks

During a meeting this week I had a question put to me that almost every client asks at some point: will our data remain our data even after we send it rocketing into the cloud? I love this question simply because it means I’m making progress getting companies up to speed on their IT requirements. What set this encounter apart …

COMMENTS

This topic is closed for new posts.
  1. Dodgy Geezer Silver badge

    I didn't know the Register supported UKIP...?

    ...because that, in a nutshell, is why we should leave the EU....

    1. Anonymous Coward
      Anonymous Coward

      Re: I didn't know the Register supported UKIP...?

      Somewhat tortuous logic...

    2. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: I didn't know the Register supported UKIP...?

        @Larry: Were these "spy bases" in any way secret or hidden you may have a point, but you only need to go onto the moors near Harrogate and you'll see that secret and hidden are two words which really don't apply. Everyone knows what's done up there, with a heavy dose of conspiracy bollocks thrown in for good measure, mind.

        As for the US having control over Trident, I seriously doubt that the UK would have abandoned its existing delivery system were it not to have full control over the new one. Also, just to re-iterate, Trident is the delivery system, not the warheads, which are British.

        1. This post has been deleted by its author

      2. breakfast
        Facepalm

        Re: I didn't know the Register supported UKIP...?

        In fairness, they have an indirect point- if we were to leave the EU we would become an absolute insignificance on the world stage, certainly no use to America or other European countries, which would mean that there would be no real cause for anyone to spy on us- we would just be an abject non-entity in global terms.

        Europe may notice us if, like Norway, we were to be subject to EU law but have no hand in deciding it, but only to point and laugh.

    3. Anonymous Coward
      Anonymous Coward

      Re: I didn't know the Register supported UKIP...?

      Leaving the EU won't affect the problem.

  2. Chris Miller

    As usual

    It all depends on what you mean by 'cloud'. It looks from the article as though we're talking about Amazon, Microsoft, Google, etc hosting your applications and/or data across some global network of data centres. But then we come to: "There are some things it just makes sense to use the cloud for." In the sense of 'cloud' used above, I think there are a relatively small set of circumstances where cloud services make business sense, irrespective of all the hype we read (startups and new web services where demand is hard to judge just about cover it).

    Of course, some proponents of 'cloud' like to boost the concept by using the term to mean anything that isn't hosted on your own servers sitting in your own data centre. But colo services are significantly easier to control and there's no need to use some global player if you don't feel comfortable with them, there's usually some local player who are just as capable and operate under the same legislative framework that you're already subject to.

    Bottom line: if you want someone else to host your (sensitive) data - use encryption. But for myself (I'm paranoid, but am I paranoid enough), I wouldn't recommend hosting any commercially sensitive data on services where a foreign government may have the ultimate say over who gets to see it.

    1. IanzThingz
      Pint

      Re: As usual

      The thing is, it's the Internet & stuff, so is it possible to be 'too' paranoid? Probably not.

      Beer because it's Friday and a wonderful weekend is in the offing.

  3. skipper

    Couldn't agree more - if you're going for a cloud provider, go local, and go small (within reason). If you're not in a massive company, then the provider will care far more about your business and your specific needs.

  4. Piro Silver badge

    We do it all locally

    The only way to be sure.

    1. itzman

      Re: We do it all locally

      Indeed. The cost of doing it locally, however, implies someone you trust building it for you. And that is not trivial in terms of expense.

  5. Anonymous Coward
    Anonymous Coward

    No mention of cryptography? Very interesting topic at the mo., especially in this context.

    1. Duncan Macdonald

      No point in encryption

      If you are using a cloud service then the machines in the cloud have to be able to process the data. If the data is encrypted then the machines will need the decryption key - which means that NSA etc will still have access to your data.

      Cloud services should only be used for data that you do not mind everyone seeing - if the data needs to be kept secret then it MUST be kept in house.

      1. Anonymous Coward
        Anonymous Coward

        Re: No point in encryption

        Negative. Encrypting your data locally BEFORE putting it into the cloud ensures the hosting service (& the NSA) only see an opaque blob of data. Metadata generated/owned by the hosting service will obviously be vulnerable to snooping but your data will not.

        1. Velv
          FAIL

          Re: No point in encryption

          Encrypting it BEFORE putting it in the cloud implies you are only storing it.

          The types of cloud service mentioned are around infrastructure or software as a service, so you're spinning up applications and servers which will perform processing in the cloud, therefore it's likely the app will need unencrypted access to the data, ergo someone other than you has access to the keys.

          1. Anonymous Coward
            Facepalm

            Re: No point in encryption

            Not necessarily. Since you'll have a connection to your in-house data center (where you store the keys,) your application will be able to restart and make a secured request for the keys... And it occurs to me that causing your application to dump core will create a cloud copy of the keys...

            Never mind. You're correct.

        2. Mephistro

          Re: No point in encryption (@ac 19th July 2013 09:04 GMT)

          "Encrypting your data locally BEFORE putting it into the cloud ensures the hosting service (& the NSA) only see an opaque blob of data"

          Or so you say. The PRISM Scandal seems to suggest that the NSA has -or can obtain if it wishes- access to every level of the cloud service. That would include ways of hacking into the VMs themselves to spill the presumedly secure data. I'd bet my money that some skulduggery with security certificates and the VM's BIOS/UEFI/whatever would do the trick.

          You're trying to protect your data from the guys that [have/can gain] total control over your VMs. An uphill battle, methinks.

      2. Anonymous Coward
        Anonymous Coward

        Re: No point in encryption

        Not necessarily. http://www.google.com/search?hl=en&q=cloud+cryptography

        ...but regardless... Even if you manage to find a local service you trust, what about the pipes?

      3. itzman

        Re: No point in encryption

        Is that true? Encrypted data is encrypted data, and unless you need it to be metamorphosed you don't need to decrypt it.

  6. Martin 47

    Go local? Does that not depend on just who owns your local provider, but hey if your that worried what are you doing using any American products like microsoft, Google et al?

    1. sabroni Silver badge

      re: Does that not depend on just who owns your local provider

      You will already be operating under the same legal and sovereignty restrictions as your local provider. So providing you're already obeying the law you are under no more risk by using a local cloud service provider.

      Using a Microsoft OS is a long way from giving them all your data to host.

    2. Anonymous Coward
      Anonymous Coward

      ...and whether the "local" service uses *any* US (or Chinese - allegedly) wares itself... even if the company isn't spying on you, how can you be sure none of their switches, routers, etc is?

      (Your != you're btw)

      1. sabroni Silver badge

        I used you're and your correctly, if you're going to be a grammer nazi get it right else you just look like a bell-end.

        And I'm fully aware that any hosting company may be compromised. But that applies to all of them, wherever they're located. This article is about which government has sovereignty over your data. Didn't you read it? Too busy imagining grammatical errors?

        1. Anonymous Coward
          Anonymous Coward

          Shit!

          Sorry, I have jumped the gun. You're grammer is impeccable but mine sux. I'll go and read the article now....

        2. This post has been deleted by its author

        3. Anonymous Coward
          Anonymous Coward

          @sabroni

          My comment was in reply to "Martin 47" ...our posts overlapped. Not sure what motivated the other AC to interject immediately above. This exchange has suddenly turned very bizarre.

          --AC08:58

          1. Anonymous Coward
            Pint

            Re: @sabroni

            You think it's bizarre...I think it's amusing.

            1. sabroni Silver badge
              Meh

              Re: @sabroni

              Get a login.

        4. Anonymous Coward
          Anonymous Coward

          @sabroni

          Oh, I get it. "The other AC" is you, apologising to yourself on my behalf!

          ...and you called me a "bell-end"!

          Try to get out more.

          --AC08:58

          1. frank ly

            Re: @sabroni et al etc.

            I always knew that a situation like this would happen eventually.

    3. MrXavia
      Unhappy

      I try NOT to use American products, but it's hard...

      No option but a US OS on my phone (this is why I really want firefox OS to be a success on mobile!)...

      No option but to use google/bing if I want decent results (please someone tell me of a UK/EU based search engine with Google quality results, I beg you!)

  7. HKmk23

    Head in the cloud's.....again.

    Would you hand your wallet to a stranger?...........No, I thought not.

    So why even consider handing the family jewels (your data) to a stranger?

    If you cannot keep it in house and encrypted, your IT model is wrong.

    Simples.........as those TV rats would say.

    1. Anonymous Coward
      Anonymous Coward

      Re: Head in the cloud's.....again.

      With comments like that all I can say is "Welcome to 1985".

      You're exactly the type of IT staff that forces business users to find they're own solutions.

      1. Tom 38
        Headmaster

        Re: Head in the cloud's.....again.

        "their" - unless you are implying that business users actually embody the solution.

      2. Chris Miller

        @AC 10:00

        I get that a lot: We don't employ anyone over the age of 50, because all they do is say: "We tried that in 1985 and it didn't work". To which the only sensible answer is: that's exactly why you need (some) people over 50.

        Business users define IT requirements, if they're defining your IT solutions, your operation is FUBAR.

        1. Down not across
          Thumb Up

          Re: @AC 10:00

          "Business users define IT requirements, if they're defining your IT solutions, your operation is FUBAR."

          +1 on that. I wish more people would make the important distinction.

    2. Tabor

      Re: Head in the cloud's.....again.

      I do give my wallet to strangers. They're called "banks".

  8. Velv

    All very well, but ...

    Before you worry about where you're going to host your data and who might have access or sovereignty over it, you first have to UNDERSTAND YOUR DATA.

    You cannot make carte blanche statements if you don't know what the data is. OK, so it's "sensitive", "secret", "confidential", "private" - but what does that REALLY mean? Sensitive to whom, under what measures?

    Employ a decent data architect in the first place and you'll not only improve your business process and data life cycles but you'll make the job of the infrastructure team much easier too. And probably save yourself £££ on duplicate storage of redundant data.

    1. sabroni Silver badge
      Happy

      This promotional message was brought to you by Velv Data Architects plc, your one stop shop for Data Architecture!

  9. Anonymous Coward
    Anonymous Coward

    No, no, no, no and no - this is NOT a technical problem

    FFS, every techno geek and company is coming out of the woodwork screaming "buy our crypto" as if that was a solution.

    Your crypto and/or security is entirely irrelevant if a government official can legally force you to disclose all under the threat of a jail sentence for non compliance.

    The problem, and thus the solution, is NOT technical. It is law. As things stand, at the moment it is a VERY bad idea to have your HQ in the US if you want to credibly offer a degree of containment against abuse of intercept laws. It is simply NOT possible, and no amount of marketing spin and magic crypto sauce is going to change that.

    I think it's very generous of US lawmakers to give the rest of the planet a chance to sell services by nuking any residual credibility of US based providers. Applause!

    /sarcasm

    1. Anonymous Coward
      Anonymous Coward

      Re: No, no, no, no and no - this is NOT a technical problem

      Your crypto and/or security is entirely irrelevant if a government official can legally force you to disclose all under the threat of a jail sentence for non compliance.

      ...but at least you'd be aware of when and which government(s) were pwning your data!

      1. Anonymous Coward
        Anonymous Coward

        Re: No, no, no, no and no - this is NOT a technical problem

        ...but at least you'd be aware of when and which government(s) were pwning your data!

        Not if they exchange it between "friends" like the NSA and GCHQ appear to be doing...

    2. Paul Crawford Silver badge

      Re: No, no, no, no and no - this is NOT a technical problem

      Yes it is partly a technical problem - because that is what allows other gov to see your data without your knowledge or permission. Cryptography means they need to obtain the key(s) by one means or another, which could be stealthy (e.g. trojan a machine on your system and sniff it that way) or by the more obvious means of a court order.

      However, if it is under your control, then at least you know the request has been made by your courts. And it is under a law that, theoretically at least, you have a democratic input on it. You don't get that with a foreign gov, by definition.

      As to the possibility of a gagging order, if that mattered a lot (e.g. whistleblower site) you could split the keys to two holders in different legal regimes so they need to gag under two sets of laws. Possible, but it ups the effort and so is only likely for really, really, important stuff. And let's face it, most people/commentards have a far higher opinion of their importance than spooks are likely to have.

      Of course, if it is software-as-a-service or similar the data is unencrypted while in use, so not technically practical to protect in most cases. But you could have some shared/useful things like email and dropbox-like document sharing that is decently protected by encrypting the data before it is sent/hosted and relying on client-side processing that works through the encryption layer.

      1. Anonymous Coward
        Anonymous Coward

        Re: No, no, no, no and no - this is NOT a technical problem

        Is there a country that has an "always legal to disclose" policy? Put half of your key there and don't tell anyone.

      2. wigginsix
        Black Helicopters

        Re: No, no, no, no and no - this is NOT a technical problem

        This is the problem with Data Sovereignty. I simplified it immensely for this article but the topic is so very broad and has implications that are so far reaching we've only just scratched the surface. Every single piece of data we let loose online has the potential to be sovereign to a Foreign Power. It's not just the bytes we elect to store in massive data centers of the "Official" Cloud service providers that we need to be concerned with when we consider data sovereignty. We need to consider the pipes too, but that's another article altogether.

        The law is notoriously slow to respond in cases like this. First it will attempt to press some law(s) already on the books into active service to solve, or at least provide a stopgap solution to, the problem at hand. Then, once all of the political posturing is over, they (may) eventually produce a law. It might even be a good law. It won't make a lick of difference.

        One way or another a government is GOING to get their hands on your data. Chances are they already have the keys they need. Frankly I'd rather deal with the one whose jurisdiction I choose to live under than one who considers me an enemy combatant simply because I'm not a citizen.

        Companies will always be sovereign first and foremost to the laws of the land in which they are headquartered. If you think that encryption will save you, I beg to differ. Give me a datacenter and your password hash and I'll have your data unencrypted in a jiffy. Oh you used a randomised 64 character password stored in a centralised cloud password service? Even better since they're located in the same jurisdiction as your data.

        Welcome to the joys of the Internet era. We're entering an era of unprecedented interaction with companies sovereign to powers we have no rights with. If we want rights we're going to have to fight hard for them. The best, and safest, way we can fight is to do so with our wallets. Don't trust that multinational company with your data? Don't pay them money, or give them your business. Find a local cloud provider you can (and do) trust. It's really the only solution we have at the moment.

        1. Graham Cobb Silver badge

          Re: No, no, no, no and no - this is NOT a technical problem

          One way or another a government is GOING to get their hands on your data.

          I would put this a little differently... you cannot stop a government from getting their hands on your data if they REALLY want to. However, I believe you can make it harder and more expensive. Possibly so expensive that if you are not a major target they will choose to spend their resources elsewhere instead. And, of course, that also helps with protection against more run-of-the-mill thieves who do not have the resources of governments behind them.

          But that is a small disagreement really. I agree with your point that "We're entering an era of unprecedented interaction with companies sovereign to powers we have no rights with". The only way Microsoft or Google or Amazon are going to get international cloud service business from now on is if they successfully get their government to provide their users (even when not US citizens) with significant rights.

          It will take a while, but I think it will happen eventually -- the campaign contributions from US high-tech companies will dwarf even those of Hollywood. And we all know how many laws they bought!

    3. SecurityPedant

      Re: No, no, no, no and no - this is NOT a technical problem

      Actually, there is a very elegant technical solution to this and cryptography is at its core.

      Encrypted data requires keys to decrypt it. Assuming you encrypt your data with a key length and algorithm which isn't easily broken, then you end up with data + keys. You can then store the data in the cloud, but keep the keys local.

      Now assuming that the data isn't actually decrypted by an application running in the cloud environment. The only way to decrypt the data is to come to your keystore, get a key, and decrypt it.

      Thus, suppose you were to encrypt your data and store it in Dropbox or Skydrive but retain the keys in your own sovereign state. If Microsoft were to get a legal request, they would, as per their own practice, hand over the data. But it would be the encrypted data and the next step is one of the following...

      1. The organization requesting attempts to brute force the crypto.

      2. The courts now have to come to you to get the keys.
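The scheme SecurityPedant and Paul Crawford describe above (ciphertext in the cloud, the key kept on your own premises, and the key optionally split between two custodians in different legal regimes), as an added example that is not from the thread or any commenter. It uses only the Python standard library, so HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for the AES-256-GCM a production system would use; the sample record is constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

def new_data_key() -> bytes:
    """A 256-bit data key that never leaves the owner's own premises."""
    return secrets.token_bytes(32)

def _subkeys(data_key: bytes):
    # Derive independent encryption and MAC keys from the local data key.
    enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR.
    out = bytearray()
    counter = 0
    while len(out) < length:
        ctr = counter.to_bytes(8, "big")
        out.extend(hmac.new(enc_key, nonce + ctr, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])

def encrypt_for_cloud(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt on premises; the returned blob is all the cloud provider ever sees."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Encrypt-then-MAC so the provider cannot silently alter the stored blob.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt_from_cloud(data_key: bytes, blob: bytes) -> bytes:
    """Verify and decrypt a blob fetched back from the cloud (ValueError if tampered)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(data_key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or modified blob")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))

def split_key(data_key: bytes):
    """2-of-2 XOR split: each share alone is uniformly random and reveals nothing."""
    share_a = secrets.token_bytes(len(data_key))
    share_b = bytes(k ^ a for k, a in zip(data_key, share_a))
    return share_a, share_b

def recombine_key(share_a: bytes, share_b: bytes) -> bytes:
    """Only a party holding both shares (served in both jurisdictions) gets the key."""
    return bytes(a ^ b for a, b in zip(share_a, share_b))

def is_rejected(data_key: bytes, blob: bytes) -> bool:
    """True when decryption refuses the blob (tampering, truncation or wrong key)."""
    try:
        decrypt_from_cloud(data_key, blob)
    except ValueError:
        return True
    return False

def demo() -> dict:
    """Walk the scheme end to end on a constructed record and report what each party sees."""
    record = b"constructed sample: payroll export, employee 0042, salary 51200"
    key = new_data_key()
    blob = encrypt_for_cloud(key, record)      # this is what gets uploaded
    share_a, share_b = split_key(key)          # held by two separate key custodians
    # Simulate the provider (or anyone with access to the stored blob) flipping one bit.
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    return {
        "cloud_sees_plaintext": record in blob,
        "share_a_is_key": share_a == key,
        "share_b_is_key": share_b == key,
        "recombined_decrypts": decrypt_from_cloud(recombine_key(share_a, share_b), blob) == record,
        "tamper_rejected": is_rejected(key, tampered),
        "wrong_key_rejected": is_rejected(new_data_key(), blob),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only a party that obtains both shares (by whichever legal or illegal route) can recombine the key; the blob handed over by the provider is useless on its own.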

  10. Jim 59

    Cloud

    ownCloud is not bad. Gives you basic cloud services and storage running on your own servers, with https access. No NSA worries.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cloud

      "No NSA worries."

      Where the hell did that come from? Are you suggesting that "ownCloud" operates on a plane above secret legal instruments *and* corruption *and* that the NSA is incapable of MITMing your piss-poor SSL "security"? Seriously?

      1. Jim 59

        Re: Cloud

        Thanks for the foam-flecked response AC@13:21. No. I mention ownCloud because it addresses the main thrust of the article, viz. data "sovereignty". The data remains on your own premises.

  11. Anonymous Coward
    Anonymous Coward

    Don't forget your data centers

    I have been working through similar issues for clients and the interesting one that keeps popping up is who owns and runs the data centers and comms links.

    A recent client had sovereignty issues with their DR arrangements as they had multiple data centers in multiple locations with data being replicated between them....in theory they owned all of their servers but they were located in regional DC providers with multiple contracts and a single global WAN contract providing the backbone links between them.

    If the NSA wanted to access their data (we did a risk analysis on this and found it negligible) then they could issue FISA requests to the DC provider and insert a tap at the network level. Kind of icky really.

    So basically if you don't host on your own physical premises and own everything (including the comms links) you are at various levels of risk already......cloud just gives the NSA another entity to issue FISA requests to - your org -> (comms) -> cloud provider -> (comms) -> dc provider -> hardware -> data

    In theory the comms providers should be locked out of the equation but with all the hubbub around Huawei spying for the Chinese government then you have to assume you are borked at almost every level of the tree and are bleeding data to anyone with the wherewithal to influence the companies. I am sure Cisco has had multiple conversations with the NSA under seal.

    So what do you do? Perform a risk analysis, stick an entry in the corporate risk register, have a mitigation plan for each link in the chain you can control and wait and see where the holes appear over time.

    Personally I think the NSA broke AES256 years ago which is why they stopped kicking up a fuss about it :-)

    1. Trevor_Pott Gold badge

      Re: Don't forget your data centers

      Your cavalier attitude only works if you are a company that can survive a privacy lawsuit or six. If you're an SME then one lawsuit can screw you. Indeed; in many nations that lawsuit can pierce the corporate veil and go after the major shareholders as well. A little bit of paperwork just won't cut it when it is your personal ass on the line.

  12. Marco van Beek
    Linux

    Is it just me?

    Or are the Emperor's clothes starting to look a bit see-through?

    Yes, the Cloud is great for some things but it is not the answer to every single IT question. This is just another question that should have been asked first by every single business, rather than believing the hype. If you really, absolutely have to use a cloud service run by a third party, and data sovereignty is an issue, use servers based in Switzerland. At least for the moment they require a legal paper trail that cannot be gagged.

    Have a look at Peter Houpermans' article on this very site on the subject from a few months ago.

    I also have to say that expecting your average IT person to understand complex legal issues that confabulate the best legal minds in the world is expecting a bit much. The average lawyer charges a whole lot more than the average IT person, so I would suggest the next time someone asks if their data is safe in the cloud, tell them to ask their lawyer to read all the EULAs before letting you install any new software or connect them to any new service.

    Tux because at least she understands me....

  13. Ian Moyse
    Megaphone

    Buy local becoming popular against USA giants

    I have been selling cloud services for over 8 years now and dealing and talking to clients about both data sovereignty and data liberation (how easy it is to get your data back should you decide to change service and in what format you can extract it).

    We have seen an increase in customers wanting local EU or UK data sovereignty and showing mistrust of the vendors hosting the data in the USA or even hosting on EU shores but owned by a USA firm! Rightly or wrongly this is customer perception and feeling and it may hinder cloud adoption or lead them to localised EU vendors who are bringing strong solutions to bear that are often more functional or cheaper anyways. Compare CRMs at G2 crowd.com or take a look at the Huddles of the world compared to Sharepoint for example.

    Ian Moyse

    Workbooks.com

    1. This post has been deleted by its author

  14. Damian Skeeles

    Before PRISM

    Hey Aaron,

    I think this article is a bit kneejerk - the issues regarding data sovereignty, snooping, etc are wider than PRISM, and so are the mitigations.

    The PATRIOT act predates PRISM, and has been seen as a risk of US authorities accessing records relating to companies holding data in US data centres. Some commentators judge PRISM to be a wiretap, in which case it may be irrelevant to encrypted data.

    Also, you don't mention network or data-at-rest encryption, which is an effective control. I remember a data commissioner stating that data encrypted at rest using AES-256 didn't matter where it was hosted, assuming there was no legislative ability to demand it be decrypted, as the host service provider / state authorities / whoever could not read it.

    Finally; you don't mention the data value. If it's a public website, sure, why not host it in the cloud.

    I agree there are large legislative hurdles to Cloud adoption, which some CSPs work hard to address - such as Amazon opening a Sydney DC. Most are technical hurdles, and there are generally technical means to work around those.

    1. Trevor_Pott Gold badge

      Re: Before PRISM

      Amazon operating a cloud in DC does not solve the problem. An Australian's data in a Sydney datacenter is still going to be open to inspection by American authorities because Amazon is an American company. They can be - and have been - compelled to transfer copies of private data belonging to foreign nationals back to America to be inspected by American officials.

      To be perfectly clear: Australian data entrusted to an Australian company running on servers in Australia would be vulnerable to intercept by the American government because Amazon is American.

      To be 100% crystal clear and sure that even a damage control expert such as yourself can be made to understand: American cloud providers cannot be trusted with your data full stop. Anyone who uses an American cloud provider and isn't an American company with a 100% American client base is a complete fucking idiot.

      In civilized countries privacy is recognized as a human right. Which means that the fact that some yanks have an economic interest in standing up public clouds does not remove your legal responsibility as a "data controller" to prevent private data - anything personally identifiable, corporately sensitive and so forth - from falling into the hands of anyone other than yourself (as the data controller), the individual (to whom the data belongs) and if absolutely necessary the lawful intercept of a nation whose privacy laws meet or exceed those of both yourself (as a data controller) and that of the data owner.

      It has been established in a court of law in Canada, the EU and Switzerland that the United States' privacy laws are inadequate by the standards of these countries and it is not to be considered a country where the storage of personally identifiable information is to be allowed.

      The hurdles to cloud adoption are emphatically not technical. They are legal and an American provider cannot be made to be trustworthy through any application of technology. No matter how many times you use the word "encryption" this does not guarantee that the American government is unable to intercept foreign data under the care of a foreign controller. Because this can not be guaranteed, they should never be used.
