How Surveillance Impacts the Cloud and the Data Center
Venom exploits security vulnerability in a largely ignored floppy disk controller.

How Surveillance Impacts the Cloud and the Data Center

How widespread is government surveillance of data stored in the cloud? What about commercial profiling? Bill Kleyman looks at what we know about surveillance of cloud computing providers, as well as what we don't know and can't know.

cloud-security-470

As the world becomes more and more digitized, there will be more information, more users and a lot more devices requesting large amounts of data. Now more than ever before, users are continuously connected to the cloud. What privacy and protection challenges does this present when there are an increased number of targets to snoop on?

In recent weeks there's been widespread discussion about the National Security Agency (NSA) surveillance programs. Although they will be discussed, this post takes a broader look at just how widespread surveillance programs are in addition to government programs. There are still many questions that the end-user (your customer) is asking and there are still many unknowns when it comes to the safety  and privacy of your clients' data.

Let's ask some of the questions that are on everyone's minds, including your clients.

How Might NSA Surveillance Impact the Global Nature of the Cloud?

The idea that your enterprise's data, i.e. your company's private information, may not be as safe as originally thought has made a lot of people nervous, including both end-users as well as the data center provider. For the corporate organizations that provide data services, the integrity of the information housed on behalf of customers is of the utmost importance. That’s why when government organizations began to eavesdrop on the cloud and data center providers – naturally there were some unhappy parties.

The conversation around data security and privacy is heating up, as even enterprises employing simple cloud services such as Gmail could be observed. Perhaps the biggest worry is what can't be known and can't be disclosed.

From a financial perspective, programs like PRISM can have a very serious impact on U.S companies. The primary reason is that cloud computing continues to be a rapidly growing industry. The August report from The Information Technology & Innovation Foundation points out that these costs can be in the billions of dollars,

“On the low end, U.S. cloud computing providers might lose $21.5 billion over the next three years," the report states. "This estimate assumes the U.S. eventually loses about 10 percent of foreign market to European or Asian competitors and retains its currently projected market share for the domestic market. On the high end, U.S. cloud computing providers might lose $35.0 billion by 2016. This assumes the U.S. eventually loses 20 percent of the foreign market to competitors and retains its current domestic market share.”

How Are Providers Responding?

Here’s the good news: Organizations which "live in the cloud" and house your enterprise information are actually on their customers' side. They want to keep this information secure and private. That’s why cloud providers are actively fighting back against intrusive data requests and looking for options.

They have support in some parts of the government, but progress is slow. For example, Sen. Patrick Leahy's (D-Vt.), chairman of the Senate Judiciary Committee, is actively pushing legislation that would require police to obtain a warrant before accessing emails and other private online messages. Although by early August, the bill was blocked by legislators. Although the bill would not affect the NSA programs, it would curb the ability of local and federal law enforcement officials to access private online messages.

Similarly, large cloud providers are actively and vocally speaking out against these surveillance programs. According to a recent article from TIME, “the largest Internet companies in the United States have joined forces with top civil liberties groups to call on the White House and Congress to increase the transparency surrounding the government’s controversial NSA surveillance programs. Apple, Google, Facebook, Yahoo, Microsoft and Twitter are among the tech giants that have signed a letter to the feds, asking for the right to disclose more information about national security data requests.”

These Internet and cloud facilitators came under direct fire when news reports indicated that NSA used PRISM to examine emails, videos and even online chats. As the article goes on to note, there’s a real immediate challenge around the whole situation. These tech giants are currently prohibited from revealing anything about the requests they receive for such information, because Foreign Intelligence Security Act (FISA) requests are classified top-secret, and the companies are barred from even discussing them.

Here’s the reality: the reputations of major cloud providers can be seriously tarnished if they participate in various surveillance programs. Even more important to note are the treaties that are developed around information sharing between nations. Many Internet-ready, developed nations already have mutual legal assistance treaties (MLATs) which basically allow them to access information from third parties, regardless of whether the data is stored within their borders. This means that surveillance programs have regional and global implications even if your organization is located outside of an affected area.

Will Providers Build Data Centers Outside the U.S. For Global Customers?

Although many providers probably had this idea, the reality is that it may not help much. As mentioned earlier, it probably comes to little surprise that these types of surveillance programs exist all over the world. For example, a recent article from The Guardian states that Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and Internet traffic.

The UK agency is said to have started to process vast streams of sensitive personal information which it is sharing with its American partner, the NSA. The article points out that the sheer scale of the agency's ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate.

When questioned about the process of eavesdropping on an international scale, these spy agencies say that they’re really only looking at “metadata" - the basic information on who has been contacting whom, without actually detailing the content. However, with very little actual oversight, it’s pretty difficult to confirm that metadata is really the only thing being monitored.

Unfortunately, corporate vigilance and knowing where your data really resides is the only way to try to stay ahead of the surveillance game. Regardless of where a data center actually sits, there is the chance the information traveling over the cloud can and will be monitored at some point. There are very few direct links and much of the information that we require passes through multiple publicly available hops. These junction points, on a global scale, can be monitored by 3rd party organizations.

How is Data Mining by Commercial Entities Affecting Privacy?

The government isn't the only one keeping an eye on your data and the footprints it leaves. How is it that a department store can anahyze a pregnant woman's shopping patterns and anticipate her "blessed event"? Or have you noticed how after you search or buy something online that new ads targeting your purchase start popping up? Finally, whenever you’re walking around a large department store – maybe you should disable your Wi-Fi; because someone at corporate may be watching.

These are all examples, outside of government spying programs, where large business and organizations are really beginning to test those privacy waters. Let’s examine the above three examples.

  • Target knows you are among its customers about to become a parent. It’s all about data and purchasing correlation. According to an article from the New York Times, the Target data mining staff determined certain shopping patterns among folks who are about to become parents. By looking at their customers transaction information, retailers are able to make very good assumptions and start sending out targeted campaigns to their customers, ahead of their competitors. Consumers can feel invaded by stores making such assumptions.
  • Online ad and purchase targeting. It happens quite often. You complete a search or make an online purchase. All of a sudden, you start seeing ads for products which are similar – or in some cases the one you’ve already bought! This type of targeted advertising is a result of both cookies and smart tracking robots. Some of these advertisement methods are still a bit hazy, yet users find it rather disturbing just how accurate some of these ads can be.
  • Department stores use Wi-Fi to track shoppers. According to Euclid Analytics, 40-70% of shoppers are carrying a Wi-Fi enabled device. These devices constantly send out short "pings" as they search for Wi-Fi networks nearby. These pings include the phone's MAC address (a unique identifier associated with a specific device) and other “non-personal information” like signal strength that Euclid Analytics use to determine rough location. Why is this important? Because large national retail chains like Nordstrom and Home Depot, utilize Euclid Analytics for tracking shoppers in their stores. This way, they are able to track where customers spend the most time within the stores and what their shopping path looks like. This definitely caused some privacy concerns. So much so that Nordstrom quickly began to feel the fallout of the program and abandoned it.

What lies ahead in data privacy protection?

Cloud computing is becoming the norm for services delivery for many organizations. In fact, a 2013 Cisco Cloud Index report indicates this growth specifically. The report goes on to indicate that cloud traffic has already crossed the zettabyte threshold in 2012.

Cloud providers will strive to protect your data because it’s in their best interest to do so. Organizations like Google, Facebook, Apple, Amazon and others lose a lot of credibility when a user data, including private information, becomes compromised or unsafe. Negative press doesn't help an organization and can distance it from the market it’s trying to attract.

Major cloud providers will need to partner with advocacy and user rights groups to help further the fight around privacy. Remember, the Internet and the cloud are still fairly unregulated. There are still a lot of “wild wild web” elements out here. For the benefit of all, cloud service providers who deploy improved privacy measures and better top-down security will stay ahead of the curve and keep their customers protected from snoops of all types.