To Combat Government Snooping, Encrypt Data Before Putting It In Cloud, Says Interop Speaker

If Uncle Sam wants your data, make him come directly to you.

Sara Peters, Senior Editor

October 3, 2014

2 Min Read
Dark Reading logo in a gray background | Dark Reading

interoplogo180.jpg

INTEROP NEW YORK -- Using cloud services allows your organization to hand off "the basic blocking and tackling" of securing an infrastructure, but it also allows a cloud service provider to hand your organization's data to the government, said Elad Yoran, CEO of Security Growth Partners and an advisory board member for Vaultive, at the Interop conference this week. The solution, he said, is to make sure that the only data a cloud provider can give the government is complete gibberish.

According to Yoran, organizations should encrypt data before it ever enters the cloud and keep the encryption keys themselves, stored elsewhere. (Vaultive sells an appliance for this "encryption-in-use," which sits in the organization's DMZ, encrypting and decrypting data as it passes to and from the cloud server.)   

Although this would not prevent the government from demanding access to an organization's data, it would force authorities to subpoena the organization directly -- not via a cloud provider -- so the company's own legal department could lead the process. Further, it would prevent the government from acquiring multiple cloud users' data even if it only needed one user's data.

It would also address the "data residency" problem. The practice of keeping data on a server in one country so it is exempt from another country's demands may not work anymore, since a court ruling against Microsoft in July. The court ruled that because Microsoft is an American company, it must surrender customer data to the American government, even though that data resides on servers in Ireland, outside US jurisdiction. Microsoft has appealed the decision and refused to release the data. The government is holding Microsoft under contempt of court and may seek sanctions even though the appeal process is ongoing.

Yoran expects that, eventually, the laws will catch up and may find a way around "encryption-in-use," but, he says, it is preferable to the status quo.

About the Author

Sara Peters

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


See more from Sara Peters
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Pegasus Spyware concept with binary code background
Endpoint Security
WhatsApp: NSO Group Operates Pegasus Spyware for CustomersWhatsApp: NSO Group Operates Pegasus Spyware for Customers
byJai Vijayan, Contributing Writer
Nov 18, 2024
4 Min Read
Laptop with Palo Alto networks logo
Cyberattacks & Data Breaches
Palo Alto Networks Patches Critical Zero-Day Firewall BugPalo Alto Networks Patches Critical Zero-Day Firewall Bug
byBecky Bracken, Senior Editor, Dark Reading
Nov 18, 2024
3 Min Read
ChatGPT, typed out on a screen
Сloud Security
ChatGPT Exposes Its Instructions, Knowledge & OS FilesChatGPT Exposes Its Instructions, Knowledge & OS Files
byNate Nelson, Contributing Writer
Nov 15, 2024
4 Min Read
Reports
More Reports
Webinars
More Webinars
White Papers
More Whitepapers
Events
More Events