by Sean Gallagher: Governments aren’t going to fix cloud’s privacy problem. It’s up to the industry—and us…
When the technology industry embraced “cloud computing” and made it part of our daily lives, we all made a Faustian bargain. They gave us a way to break free from the expense of owning all the hardware, making computing and storage capacity dirt cheap and available on demand. On the other side, we promised not to worry too much about the fine print.
“In the 2000s we had this wild cloud party,” said Peter Eckersley, technology projects director at the Electronic Frontier Foundation. “That party ended—Edward Snowden crashed that party. And we’ve woken up with a massive privacy and security hangover that companies are now trying to shake.”
It’s not like this happened without warning. In 1999, former Sun Microsystems CEO Scott McNealy spoke in front of the US government and infamously said, “You have zero privacy anyway. Get over it.” But in the wake of the Snowden leaks, US companies that sell “cloud computing” services are now losing international customers in droves. At the same time, law enforcement and intelligence agencies are trying to keep what they have left, pushing back on attempts to make the cloud systems Americans use more secure from criminals and foreign governments because those authorities might get locked out too.
How did we get in this mess? And is there any way to have both the convenience of mobile access to nearly everything while still keeping out the prying eyes of government spies and criminal crackers?
Sticking a pin in “cloud”
When we talk about cloud computing, it can get confusing quickly. “Cloud computing” remains such a nebulous term. The essence of the term today encompasses what’s been called everything from “utility computing” to “application dial-tone” by technology companies during the past three decades. However, it wasn’t until (relatively) cheap general-purpose server virtualization and storage networking came along that what we now call “the cloud” was really possible on a large scale.
The term “cloud” comes from what networking people have referred to as large, opaque networks well before there was an Internet. Very simply, cloud computing is any service that happens somewhere hidden behind the abstraction of an application programming interface in a shared data center owned by someone else providing on-demand and self-service.
Cloud started out as something big Internet companies like Google and Amazon did for themselves—a way to make their own infrastructure cheaper. Then they figured out how to turn what they did internally into a product for others. The upside to these and other “public” cloud services—the ones that can be reached over the public Internet and are available to individuals or companies other than the data center owners—is that they are relentlessly efficient and relatively cheap compared to running your own.
If you’re an application developer, depending on what kind of service you use, the large footprint of the big cloud companies also means you can reach a global audience or avoid downtime. Whether you’re an organization or a smart-phone user, this means you can get to your stuff (nearly) all the time, dirt cheap and worry-free. What’s not to like?
Admiral Ackbar explains it all
Well, for one thing, it’s a trap.
Putting our data and applications on a “service” that runs on someone else’s computers, as it turns out, is not a really great idea if you like privacy. Cloud computing is a bit like a bus station locker—you may have the key, but that doesn’t mean someone else can’t pop it open and see what’s inside. That’s why so many financial service companies, healthcare providers, and government agencies would rather build their own versions of what Amazon offers (or at least hire someone to do it for them without connecting it to the Internet).
Some are more apt to pop that locker open for themselves or for inquiring governments. Remember, we chose to put data in the cloud. With how the US government interprets the law, expectations of privacy are different when using the cloud as opposed to storing data on a hard drive. Currently, the feds believe they can take a look at cloud data without serving you a warrant for it. And in many cases, due to piracy concerns, the Motion Picture Association of America and the Recording Industry Association of America also get to take a free look.
In its iCloud terms of service, for example, Apple states:
Apple reserves the right at all times to determine whether Content is appropriate and in compliance with this Agreement, and may pre-screen, move, refuse, modify and/or remove Content at any time… You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate.
This doesn’t apply only to Apple’s iCloud, of course. All cloud providers are more or less going to cough up users’ apps and content on demand from the government when the data falls under its jurisdiction. And if they happen to be a US company, it doesn’t matter where the data is—the US government considers it under its jurisdiction. That was demonstrated by the US Justice Department’s recent efforts. The feds tried to force Microsoft to turn over data from an Irish data center in response to a federal warrant—and the Justice Department won. “It is a question of control, not a question of the location of that information,” US District Judge Loretta Preska said in her ruling—affirming that, as Ars’ David Kravets wrote, the world’s servers belong to the US.
According to Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, this makes it really hard to tell other countries they can’t do the same thing to our data. “It’s been US policy,” he said. “It’s so difficult for us to pull back from it. We say that borders shouldn’t matter that much, but then the way that NSA treats US companies, and the ways Justice serves national security letters—clearly being a US company matters. When we are going out and demanding data from companies in ways that seem extraterritorial, and to me it seems enforcing this sovereignty-based notion over the cloud, it fits in with Russian and Chinese designs [on controlling their portions of the Internet]. It makes it more difficult for us to make our case that borders don’t matter very much when someone uses the cloud.”
Tinfoil truth
It wasn’t enough for the US Government to be able to demand data from any American company using criminal warrants, National Security Letters, and FISA warrants. The NSA and the UK’s GCHQ went as far as to break into the very networks that connected Google’s and Yahoo’s global data centers, giving them eyes within the inner workings of those cloud services. At the same time, the NSA and the FBI have both tried to make privacy work in the cloud to ensure they could tap into it—the NSA by paying RSA to insert an exploitable weakness into its encryption tools and the FBI by constantly raising fears of how terrorists and criminals could avoid detection by using strong encryption in the cloud and on devices connected to it.
In the process, our government may have made the cloud more vulnerable to others who want to break into cloud content—including other countries’ intelligence agencies and criminal organizations that have ties to them. “What we see from intelligence agencies looks almost like a conspiracy, where civilians in every country can be spied on by every other countries’ intelligence agencies,” said Eckersley. “We haven’t seen anything to change that prevailing equilibrium. The NSA has these somewhat flimsy privacy protections for US individuals and none for anyone else.”
If that same model is applied to every country, Eckersley said, “It’s a free for all—a class conflict between governments and spy agencies on one side, and the individuals and businesses that suffer on the other.”
As “the Fappening” demonstrated, it doesn’t take a national intelligence organization to break the chain of trust that connects us to the cloud. While the attacks on the iCloud and Google accounts of various celebrities were, as Apple said, “highly focused” attacks on individuals’ passwords and not technically a breach of the cloud services themselves, they demonstrated that individual attackers could take advantage of the cloud in the same way criminal and state-sponsored crackers go after target networks. These efforts used what they found in one cloud account to move laterally to another, slowly and methodically exposing “high value” targets.
Export controls
There was already a privacy problem for US cloud providers before anyone knew about the NSA’s pillage of cloud provider data. Part of the problem facing the cloud is that the laws that govern cloud privacy predate the Internet. In an article for the Santa Clara Law review entitled, “The Uncertain Future: Privacy and Security in Cloud Computing,” James Ryan noted that unlike the European Union, the US has no single comprehensive set of rules to govern how to protect cloud data:
Laws and regulations regarding cloud computing are mostly handled by whichever agency regulates the particular industry sector purchasing the cloud service. This means that privacy law comes in various parts from the Federal Trade Commission Act, the Electronic Communications Privacy Act (specifically the Stored Communications Act), the Health Insurance Portability and Accountability Act, and the Fair Credit Reporting Act, rather than from a centralized regulation governing cloud computing itself. Piecemeal regulatory action leaves the political players unable to realize their policy goals and companies subject to illogical and unpredictable policies meant for other industries and technologies.
The tossed salad of privacy standards, the backlash from NSA surveillance, and the Justice Department’s quest for total world domination of the Internet have contributed to an unraveling of both public and private clouds. And all the while, countries respond by putting limits on what data can cross national borders.
This has more than a business impact—it impacts security as well, according to Haney. “It’s already happening on the network monitoring side. The larger your data set, the more attacks you can spot. If you’re a large-scale service provider, and European data can’t come to the US, it’s restricting what you can do in terms of responding to attacks. This is already happening now—they have to compare all the European data with other European data, the Brazilian data just with Brazilian data, and only then between them and US data. It degrades the ability to monitor worldwide threats.”
Congress is unlikely to do anything to fix the situation, and an international agreement on privacy is an even more remote possibility. “The only course we have is building protections from the ground up,” Eckersley insisted. And that means the tech industry and cloud users need to make it happen themselves.
Shipping a fix
Beyond big cloud players, fixing cloud privacy is important to the entire software industry, as more technologies that used to be shipped in a box and mounted on a rack are being pushed to the cloud. Mobile devices have driven a greater demand for cloud data storage and offloading of computation, but security is, ironically, the next big cloud thing. CloudFlare, for example, has been providing its customers with traffic filtering to block not just denial of service attacks but other sorts of exploits based on traffic analysis—including exploits based on the recent Shellshock vulnerability.
The ability to rapidly scale up computing power and network capacity in the cloud could make it ideal for virtual firewalls, intrusion detection, and the same sort of deep packet inspection and network traffic analysis that the NSA has deployed in its own distributed global cloud. “Content security is already moving to the cloud,” said John Yun, director of product marketing at Blue Coat. “Many enterprises have budgeted future security expenses for cloud-only solutions.”
But each part of the cloud model presents its own privacy and security problems. The most obvious target is cloud storage, where better use of encryption could provide greater protection. SpiderOak, for example, encrypts content before it goes into the cloud. Amazon’s Simple Storage Service also supports “client side” encryption—which puts all the responsibility for key management, and data encryption and decryption, in the hands of the customer—in addition to its own server-side encryption process.
Protecting data passing through the cloud, such as e-mail and instant messaging, requires cloud providers to offer an alternative to being the man in the middle. Cloud-based messaging and communications services such as Silent Circle and Wickr only use cloud-based servers to route traffic, and these services don’t store the keys used to encrypt the content. But such offerings are aimed at the most privacy-aware users; they aren’t exactly mainstream yet.
Apple’s handling of its iMessage service is an example of a more accessible route to privacy—encryption by default. “Apple’s protections are a first step toward ensuring that law enforcement and spy agencies actually need a warrant before they can read messages,” Eckersley acknowledged. He added “those protections are partial, applying to messages and not e-mail. All of your e-mail is still unencrypted in Apple’s cloud.”
Dealing with security within cloud computing infrastructure and applications is a bit of a harder nut to crack. Even services targeted at a more technical customer are dependent on a leap of faith that the data center operator—or someone who works for them, maybe someone who’s renting capacity on the same physical machine as your virtual server—isn’t going to go poking around the contents of your server. “Things like the Amazon Web Services virtual hosting model—we don’t know how to secure them,” said Eckersley. “We don’t know how to run VMs so we don’t let the people running see what’s going on in them.”
Cristian Borcea, associate chair of the Computer Science Department at the New Jersey Institute of Technology, noted that systems built on cloud services could be vulnerable as well. This can happen through side-channel attacks that exploit the hardware in infrastructure-as-a-service clouds like Amazon’s or more especially in new “cloud” services that provision physical system-on-a-chip servers for users. “Using a physical processor might help in some ways, but it doesn’t mean someone on a nearby core can’t snoop on the bus,” he said.
One way to ensure the privacy of applications in the cloud, Borcea suggested, would be to break up processing and data components of a system over multiple providers. That way, no one has the pieces required to expose the security of the system. He also said that clouds need something similar to the Trusted Computing Group’s Trusted Platform Model to help guarantee that each component of a distributed cloud application was what it claimed to be, not some malicious service posing as a legitimate one.
CloudFlow is trying a similar approach, and Eckersley said it shows promise. CloudFlow wants to create a framework for building distributed cloud applications based on trusted services that can be connected together to form processes and workflows spanning multiple providers. But as Eckersley pointed out, using multiple vendors doesn’t help if they all collude—or if the government grabs data from all of them.
Lead, follow, or get out of the way
For the industry to pull off a truly private and secure cloud—or at least one that fits within the level of risk that most people and companies are willing to accept—it must make privacy a priority rather than a marketing check box. That could happen more quickly if government agencies involved in breaking cloud privacy would lend a hand rather than hamper the effort.
That would require a sea change in their thinking, however. FBI Director James B. Comey’s recent speech citing the use of encryption in the cloud as a threat to law-abiding citizens was an example of the resistance industry faces when addressing the privacy problem. “Everything the FBI has said about Silicon Valley’s efforts to protect their customers has been disingenuous and fear mongering,” said Eckersley. “Since the FBI and NSA have created this big problem for the tech industry, the question to them should be, ‘What are you doing to try and fix this?’”
The Atlantic Council’s Healy, however, feels that the NSA may have come around a bit. At least, the NSA seems to be helping the defense of the Internet and cloud a bit more now since the arrival of new director Admiral Michael S. Rogers.
“The NSA vulnerability disclosure program is one of those places where things have changed,” said Healey, a former signals intelligence officer and ex-NSA employee. “Before Heartbleed, I would have treated it as one of those places were offense is dominant. But during his confirmation, Rogers said that the presumption is that we’re going to release vulnerabilities, and we won’t keep them for our own purposes. When [White House Cybersecurity Coordinator]Michael Daniel did his blog post, he made that official. And when I called on NSA two months ago to ask about progress on that, they said that so far we haven’t kept any for ourselves. That, I think is a credible piece of evidence that I believe them on, that they’re putting defense first.”
That’s a step in the right direction, but, as Eckersley said, there’s a lot more left to be done to ensure that governments are helping the cloud. “Today, any country where Google or Apple or Facebook has an office can compel exposure of all or most of your data. And any country that doesn’t can buy malware and break into your devices. We’re going to have to work for years to build meaningful protections against this.”
That work requires a vision of what the cloud should be, and everyone who holds a stake in its future needs to bring something to the table. What is the best balance of security and convenience, of privacy and efficiency? And what technologies do we need to make the cloud of the future work for all of us? The answers are still in progress (though we’ll try to tackle things as our discussion continues).
Source: Arstechnica