Pragmatic Cybersecurity unpublished

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

Cloud, Data Sovereignty and Spies

The Snowden revelations regarding the activities of the NSA (and other agencies) have long been assumed to be damaging to the ongoing adoption of cloud computing. A report issued by NTT Communications (linked to below) provides some empirical evidence of the changes in corporate opinion resulting from the increased awareness of state security apparatus activities:

Unfortunately, it appears as though enterprises are still seeking the easy answer: keep the data in a trusted location and only use cloud providers that guarantee data residency in such locations. This is unfortunate, as it both underestimates the capabilities of the threat actors they are concerned about and overestimates (in most cases) the level of interest such actors have in mundane corporate data.

Let’s look at the problem a different way: if the US government sees you as a target of interest, do you really think that you’re going to be able to keep them out (at least whilst maintaining a usable service)? Or that hosting the data outside the physical shores of the US will prevent them gaining access to it? One of the more fun document releases of the last few months was the NSA’s ANT catalogue, a catalogue of exploits and implants available to their Tailored Access Operations team for compromising well-known firewall providers, operating systems and other IT components. The released version of the catalogue dates from 2008. I daresay their capability has not declined in the meantime. And those are only some of the technical mechanisms for getting into your systems. If your data is really interesting, there are often ways to hack humans too, such as financial incentives or other, less pleasant, techniques. Hosting your data in a trusted physical location will not help you unless you have complete control of the supply chain, operational management and all communications. (This is a reason why the concept of a secure European-only “Schengen Cloud” is also flawed, unless the EU can somehow source all of the design expertise, fabrication facilities and distribution mechanisms from inside its borders.)

Now, I think it’s important to note that the NSA is not the only intelligence agency out there. The Snowden revelations have also painted some unflattering pictures of the activities of the UK’s own GCHQ and of its equivalents in Sweden, Canada and Australia. But does anyone believe that the national security agencies of other nations are better behaved? I don’t.

What can we do about the threat posed by national security agencies? Firstly, consider whether they really do represent a threat to you and your data. Are you of sufficient interest that they will not only collect your data but then use it to cause you harm? If they are not likely to cause you harm, do you really need to worry, provided that you are not actively handing over your data in violation of data protection or other compliance requirements? There has to be a balance of cost, benefit and effectiveness here: you could easily spend a lot of money to combat minimal real risk and still not be able to prevent compromise if they do take a real interest, or if you are caught up in a general trawl for information. I’m not saying to just give in; just be realistic about what you can achieve, and don’t consider hosting your data within your own country to be a sufficient countermeasure.

Spies spy. Regardless of the current controversy, it is highly unlikely that the world’s second oldest profession will undergo a significant change in behaviour in the long term. We just need to learn to deal with the consequences as best we can, using all of the information we have available. Don’t just follow the crowd and take what is perceived to be the easy option.

About the author

Ian Cole
Ian has been employed with Capgemini since 2006 and during this period has been assigned to a number of public and private sector projects across various market sectors. Ian’s security interests are in information assurance and protective security; he also has a penchant for deciphering security speak into simple English targeted at CxO level. Ian is a Security Cleared consultant with over 15 years’ experience in information security. He has an MSc in IT Security and is a member of CESG’s Listed Advisor Scheme (CLAS), an Associate Member of the Institute of Information Security Professionals (IISP), a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and an ISO 27001 Lead Auditor.
