After Edward Snowden's revelations about the US National Security Agency (NSA), the UK's GCHQ and others, the perception of information security in the cloud has changed, writes Martin Kuppinger. Some people already argue there is no longer any security in the cloud at all. Is it time to switch to panic mode? No, but it is time to think and act more on information security.
One of the leading German IT news portals recently published a comment in that context, which named the court decision that ordered Ladar Levison of encrypted email service Lavabit to hand over keys to US prosecutors the “death penalty for encryption in the US”. This is just one of the many articles I have read in the past few months that raise the question: How much is just about raising fear, uncertainty and doubt? How much is marketing by European – and specifically German – cloud service providers? How is risk really changing and what can we do about it?
When talking with a number of European chief information security officers (CISOs) from various countries, none of them showed any intention to stop cloud initiatives. They had not even considered relying only on local or European Union (EU) cloud service providers. They named two reasons for that:
- Their perception is not that all the revelations and court decisions of the recent past have changed the risk perception from “no risk” to “totally insecure”. Their risk perception has changed, but not fundamentally. Using cloud services, particularly outside the EU, had always been considered a risk.
- Realism: When it comes to weighing information security risks on the one hand and functionality, user convenience and usability on the other, there is little chance to stop the business move to the cloud. Clearly, compliance reasons could become a show-stopper. But no CISO sees the changed public perception of the security of cloud services in general – and US cloud services in particular – as a show-stopper.
One of the reasons for that perception is the simple fact that they know enough about information security to segregate between real challenges and the fear, uncertainty and doubt stories. The court decision on Lavabit affects keys held by a cloud service provider (CSP). In other words: If the CSP does not hold the keys, but the customer itself does, we have a fundamentally different situation. Clearly, that does not work in all scenarios – if data must be processed at the CSP, the CSP needs the keys. But even then, there is a difference between CSPs providing business services such as Salesforce.com, Microsoft Azure and so on; and services such as Lavabit. There remains a risk also for the enterprise-level cloud services, but it is clearly a different story.
Read more about cloud security
Another reason is that stories such as the ones that the NSA can decrypt everything might be correct – but these stories are not about “NSA decrypts everything”. The fact that attacks on (virtually) any type of encryption (commonly used) are feasible is different from these attacks actually running. The computing power required to decrypt everything is just beyond imagination. All of the attackers, whether nation-state, organised crime, or whatever, have to focus their resources. Thus, focusing on encryption will not provide absolute security, but it increases the level of security and mitigates risks.
Other reasons are that the current activities are targeted primarily against terrorists and cyber crime (and what is perceived as such), not on industrial espionage, and the simple fact that not using the cloud does not mean being secure. On-premise environments are also at risk.
There are many reasons to be scared. But there are also good reasons not to go into panic mode. What we need to do is re-evaluate our risk perception of cloud services, regardless of where they are operated. However, good practice regarding the use of cloud services should be that organisations have a centralised, well-defined process for selecting cloud service providers. Such a process is about comparing alternatives in both the service providers – including on-premise services as one alternative – and the way these services are deployed, configured, and used.
This is about understanding risks and taking them into account when deciding on the use of cloud services. But risks are only one decision criterion among others such as functionality, usability and user convenience, cost and time. Standard processes for selecting cloud service providers are a must for any organisation, and these processes must take risk into account without the CISO ending up the notorious naysayer. It is really about showing and assessing alternatives and their consequences in a way that business can make informed decisions. This includes defining and implementing compensatory controls as part of good governance.
Clearly, Edward Snowden's revelations about the NSA have changed the public’s risk perception. However, they have not come as a surprise to information security professionals. Instead of moving into panic mode regarding the use of cloud services, it is about defining and implementing better practices for cloud service provider selection and cloud governance – with the cloud (and its various types) as an alternative to on-premise services. Notably, this includes changing the IT organisation in a way that it handles all types of services consistently, regardless of the deployment model.
Martin Kuppinger is founder and principal analyst at KuppingerCole
This was first published in October 2013