What government agencies tell us about cloud security
Thu 8 Feb 2018 | Michael Mudd
In 2013, following what became known as the Snowden revelations, a survey by the Cloud Security Alliance (CSA), an industry body, found that some 10% of non-US businesses had cancelled plans to use US-based cloud computing service providers.
That result suggests a minority were ill-informed about:
- How the Internet works,
- What the NSA is actually doing, and
- What Cloud computing is – and isn’t.
Still, the documents released by the former NSA contractor Edward Snowden, now a fugitive, describe the reach of the ‘Five Eyes’ intelligence agencies and give specific details of the US government’s PRISM collection programme. This appears to have surprised many companies that had previously assumed the biggest government surveillance risk came from China or Russia.
Setting aside global espionage, the shift in how data is accessed and stored in today’s business world is also worrying some Asian and European executives, who are now aware that using public cloud services can result in their data being stored in the US.
That data is then subject to US law and so potentially reachable under the Patriot Act, through an order from the Foreign Intelligence Surveillance Court (FISC) under FISA, or through a National Security Letter (NSL), an administrative demand the FBI can issue to a provider without a court order. Enterprises are therefore asking cloud service providers: where is my data stored, and can you guarantee that it stays physically in that jurisdiction?
The roots of the internet
Let’s look first at how the internet works. Recall an old-fashioned telephone switchboard from the 1930s: to make a call you dialled a local operator at an ‘exchange’, and the operator physically plugged your line into a copper circuit to connect the call. There was no security; operators could and did listen in. In fact, many calls, including transatlantic calls, have been tapped by the British and US governments at the transatlantic landing stations since at least 1912.
One such message, the 1917 Zimmermann telegram from the German Foreign Office to its ambassador in Mexico, revealed to the US that Germany was encouraging Mexico to attack it during the First World War. British naval intelligence intercepted the message from its transatlantic cable tap and broke the code, and the war took a different turn. The French copied all telexes and telegrams for commercial advantage until the practice was exposed and stopped less than twenty years ago.
Fast forward to the 21st century: the equivalent of the exchanges and landing stations are the public and private network operators that own and maintain the vast fibre-optic cables encircling the globe. Their physical landing points house large switches, automated of course, but they are essentially the same point at which voice and data traffic, now reduced to digital bytes, can be tapped for analysis by the world’s most powerful computers, scanning billions of messages a second.
The internet we have today evolved from a Cold War US military research network (ARPANET) that used packet switching over redundant paths so that it would keep working if a section or relay switch was destroyed. The 13 DNS root server identities that anchor name resolution (they do not route packets) were originally all operated from the US.
The global network
Since about 2000 those root servers have been replicated around the globe using anycast, so that a query is answered by a nearby instance. More importantly for traffic, the switches that forward packets, the routers, sit in many locations outside the US, which improves performance and lowers cost by ensuring packets can always find a path. Signals travel at a large fraction of the speed of light, so distance costs milliseconds rather than dollars, and the traffic is always two-way: for every segment sent, TCP acknowledgements flow back the other way.
A packet sent from Hong Kong to Singapore may well pass through a switch in San Francisco or Tokyo. Indeed, according to Akamai, an internet company, 99% of internet traffic routinely traverses switches physically located in the US. The path is chosen by the operators’ routing (BGP) policies and peering agreements, and a high-capacity, highly available transit route through the US is often the one selected.
That path carries everyone’s communications: banks, insurers, government agencies, and your email and voice traffic and mine. Where commercial data is encrypted in transit, a tap yields only ciphertext. Note that encryption alone gives confidentiality; it is the authentication built into modern protocols (TLS with an AEAD cipher) that protects the integrity of the traffic to the level business expects.
The work of security agencies
So what are the NSA’s 40,000-plus employees actually doing? Two distinct programmes appear in the Snowden material. PRISM compels US providers to hand over data on specified targets under the Foreign Intelligence Surveillance Act. TEMPORA, pioneered by the NSA’s UK partner GCHQ, is bulk interception of the fibre-optic cables themselves: eavesdropping on the global communications networks, with government approval, which is not significantly different from what spies have done for a hundred years, namely tapping the main switches of the global networks, but with the added twist of allegedly tapping the private links between data centres owned by the likes of Google and Yahoo without their permission.
In practice this means the thousands of miles of subsea fibre-optic cables, carrying billions of packets a second, are accessed, and automated scanners extract metadata to identify a particular data stream, or keywords that have been tagged as ‘of interest’.
What, then, is the practical effect of FISA orders on users of US cloud services?
The answer is that individual FISA orders are comparatively rare. In 2013 the US government made 1,588 applications to the Foreign Intelligence Surveillance Court, and the vast majority of the resulting orders relate to individuals of interest, mainly in terrorism investigations, not to businesses. One caveat a practitioner should keep in mind: PRISM collection runs under Section 702 of FISA, where the court approves annual certifications rather than individual targets, so the count of applications does not measure how many accounts were tasked under that programme.
What the NSA and similar agencies can or cannot do with data is governed by the laws of their own country, and in some cases legal lines appear to have been crossed; national governments and even the UN have announced investigations. What has been in place for a long time, though, is the ability of the authorities to seize electronic information, or to tap it, as part of normal security and criminal investigations with full judicial oversight. Many countries have Mutual Legal Assistance Treaties (MLATs) between them for obtaining information for law enforcement across borders.
The US Patriot Act was a hastily written post-9/11 extension of existing laws, including those on data access, but due cause must still be established, and a US court must rule on warrant requests. Similar laws exist in almost all G20 countries. So from a commercial viewpoint, and setting aside the more radical allegations about the NSA revelations, intelligence gathering within the law had no practical effect on how we conducted commerce last year, and will logically have none today or tomorrow.
Indeed, even practices that are currently legal in most developed countries may get a rethink to better balance privacy and data protection, but the premise that data safety changed with the recent revelations is simply false.
The impact on cloud security
Which brings us to the premise behind the CSA survey: that NSA/PRISM has somehow made cloud computing ‘less safe’ than ‘non-cloud’ computing. Cloud computing refers to a set of services that provide off-premise computing and storage that is flexible, scalable and elastic, and so enjoys massive economies of scale.
The data centres and security systems are the same as those used by ‘on-premise’ computing, usually much larger and more energy-efficient, and they are no less safe than ‘in-house’ computing or storage. Indeed, being newer and carrying a higher risk profile, they are more akin to critical infrastructure, and most have installed better security. The same personal or corporate information travels over the same internet cables through the same switches whether it is hosted by a cloud service provider or by your local health provider, insurer or bank.
To be perfectly clear: with respect to the interception of traffic in transit, there is no difference from a security standpoint between a company that uses cloud services and one that does not. Packet transmission is agnostic to the business application; if the data crosses the internet and that switch is tapped, the same data may be accessible to the watchers, legally or not. Data at rest is the one place the two differ: a provider holding plaintext can be compelled to produce it, which is why who holds the encryption keys matters.
A key policy challenge affecting both commerce and individuals is to mandate strong encryption of all private information by default, so that any leak is meaningless, and to make security robust enough to keep out the criminals who target online commerce and trusted transactions. CSPs, through their industry associations, are working on a framework for the security, integrity and confidence of the internet and, by extension, of cloud providers of services and storage.
The internet is pervasive and, as a transmission conduit, treats commercially sensitive information the same whether it is sent or hosted by a CSP or by an in-house IT system. Whatever the business application, it is all bits and bytes in packets on the internet. The security layers for cloud applications and services are similar to those for on-premise computing; what is clearly needed is more robust cryptography to thwart the real villains, those who want your money or your intellectual property.
In other words, from a technical viewpoint it makes no difference whether the data is stored in a corporate data centre at HQ in Dubai or in a cloud data centre in Dublin. Physically, large modern DCs are bank-strength strongrooms with multiple layers of security, so data may be much better protected there than in older captive data centres.
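The two technical claims in this section, that a tapped switch sees the same packets whichever data centre hosts the application, and that encryption in transit makes what the tap captures meaningless while authentication is what protects integrity, can be shown concretely. The Go program below is an added example, not code from the article or from any provider it mentions. It models a captured packet as a byte string, runs the keyword scanner the article describes against a plaintext and a sealed record, and uses AES-256-GCM (the AEAD most TLS 1.3 sessions negotiate) to show that the same tap learns nothing from the sealed record and that a record modified on the path is rejected. The key, the sample payment record and the record-header value are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Packet stands in for whatever a tap at a landing station or transit router
// captures: a byte string with no notion of which business application sent it.
// (Constructed representation for this example; a real capture would be IP/TCP
// frames with the TLS record above them.)
type Packet []byte

// tapKeywordHit is the automated scanner the article describes: it looks for a
// tagged keyword in whatever crosses the switch.
func tapKeywordHit(pkt Packet, keyword string) bool {
	return bytes.Contains(pkt, []byte(keyword))
}

// newAEAD builds AES-GCM for a 32-byte key (AES-256).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts and authenticates one record. Output layout:
// nonce || ciphertext || tag. aad is authenticated but sent in clear, like a
// record header the tap is allowed to read.
func sealRecord(key, plaintext, aad []byte) (Packet, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record: reusing a nonce under the same key
	// destroys both confidentiality and integrity in GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return Packet(aead.Seal(nonce, nonce, plaintext, aad)), nil
}

// openRecord verifies the tag before returning any plaintext, so a record
// altered on the wire is rejected rather than silently accepted.
func openRecord(key []byte, pkt Packet, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(pkt) < n+aead.Overhead() {
		return nil, errors.New("record too short to hold nonce and tag")
	}
	return aead.Open(nil, pkt[:n], pkt[n:], aad)
}

// flipBit simulates an on-path modification of one bit at offset i.
func flipBit(pkt Packet, i int) Packet {
	out := append(Packet(nil), pkt...)
	out[i] ^= 0x01
	return out
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed; a real key comes from the TLS handshake
	record := []byte("PAYMENT acct=12345678 amount=5000 beneficiary=ACME") // constructed sample
	aad := []byte("record-header-v1")                                    // constructed header

	fmt.Println("plaintext on the wire, tap sees PAYMENT:", tapKeywordHit(record, "PAYMENT"))

	sealed, err := sealRecord(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed record, tap sees PAYMENT:", tapKeywordHit(sealed, "PAYMENT"))
	fmt.Printf("tap captures %d opaque bytes, first 16: %x\n", len(sealed), sealed[:16])

	got, err := openRecord(key, sealed, aad)
	fmt.Println("intended recipient recovers:", string(got), err)

	_, err = openRecord(key, flipBit(sealed, len(sealed)/2), aad)
	fmt.Println("record modified on path, recipient rejects it:", err)
}
```

The tap function is the same whether the bytes come from a bank's own data centre or a cloud region; only the sealing changes what it can learn. The AEAD tag, not the encryption, is what turns a tampered record into an error, which is the distinction between confidentiality and integrity drawn above.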
The legality of government spying
Laws allowing the seizure of data with due cause under a court order predate both the Patriot Act and the mass collection of data via PRISM. Nothing has changed here either, except that greater oversight of the intelligence gatherers appears warranted to ensure they do not break the laws of their own country. There is no realistic expectation that they will obey other countries’ laws; after all, that is what spies do.
In summary, the watchers have always been with us; they have legitimate and specific work to do, and laws are in place that, with robust oversight, should not threaten online commerce at all. In fact the leak itself, by exposing shortcomings in the agencies’ own security, has highlighted the importance of strong cryptography for commerce and so has actually assisted commercial firms.
The security of cloud computing, and therefore its integrity, stands on sound ground and has not been affected by these revelations. Any other conclusion cannot be supported by the facts.