1. Avoiding US Cloud Providers: EU Protectionism or Valid Concerns
2013 Cloud Security Alliance Congress
Session 12
December 4, 2013
Jon-Michael C. Brook
Cloud, Security & Privacy Principal
2. • Protectionism
• “[T]he economic policy of restraining trade between states through methods such as tariffs on imported goods, restrictive quotas, and a variety of other government regulations designed to allow (according to proponents) "fair competition" between imports and goods and services produced domestically.” – Wikipedia
• Examples
• Historically, most famous for US – American Revolutionary War
• Stamp Act, Tea Act -> Boston Tea Party
• US – Sugar: Brazilian sugar cane far more efficient to produce than US sugar beets
• Protect the sugar industry in US: offer credits/tax incentives AND put tariffs on imports
• India – Local subsidiaries only
• Arguments simply don’t hold up – Fledgling industries, national importance
• Typically leads to stagnant economies and little motivation for innovation
• Milton Friedman/Paul Krugman: Free trade “…has a ripple effect throughout the economy.”
• Alan Greenspan: Protectionism leads “…to an atrophy of our competitive ability. ... If the protectionist route is followed, newer, more efficient industries will have less scope to expand, and overall output and economic welfare will suffer.”
Cloud Security Alliance 2013 Congress EU Cloud: Protectionism or Reality - 2
Tariffs & Protectionism
3. • Viviane Reding – European Commissioner for Justice, Fundamental Rights and Citizenship
• Jan 2012 – reform proposal for the EU's 1995 Data Protection Directive rules:
• "strengthen online privacy rights and boost Europe's digital economy".
• "A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3bn a year.”
• "The initiative will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs, and innovation in Europe."
What EU Cloud?
Vote on single law draft resolution May 2014
4. • “For the private sector, such European clouds could become also attractive as they could advertise, ‘These are European clouds, so your personal data is safe.’” – Viviane Reding
• “The questions raised around the United States’ FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” – TeamDrive
• “[W]e comply with the highest German European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don’t offer the same level of security. But we can deliver CLOUD SERVICES ‘MADE IN GERMANY’ – around the world.” – T-Systems
FUD & Protectionism
5. • PATRIOT Act – Allows cryptographic material access requests
• US citizens: some protections
• No protections for non-US citizens
• §215 allows access to customer records in BULK – non-content metadata
• Voluntarily disclosed to a 3rd party – Supreme Court ruling
• Requires court order for more
• Customer data not a business record
• Requires search warrant
• Google, Yahoo, Microsoft, Apple
• Obama – Criminal, yes; Civil – unknown
• Never tried to get foreign data
• FISA Amendments Act – 50 USC § 1881A
• Foreign Intelligence – Potential attacks, sabotage/terrorism, clandestine intel
• Info must pertain to a foreign power or foreign territory; not a foreign citizen
• Not business intelligence – Canada clipped in October NYT release surrounding Brazil mining; US Merkel surveillance on dollar purchases/sales
At Issue
6. • 4th Amendment
• Warrantless search and seizure
• Electronic Communications Privacy Act (ECPA) 1986
• Extends the Wiretap Statute to electronic data
• No voluntary disclosures of customer data by providers
• Amended by Communications Assistance to Law Enforcement Act (CALEA) 1994, PATRIOT Act 2001, PATRIOT Reauthorization 2006
• Foreign Intelligence Surveillance Act (FISA) 1978
• Judicial approval regime
• No data retention requirements
• Amended 1998
US Laws & Privacy Protections
Laws are always behind technology and require judicial interpretation
7. • Full-day symposium by CSA Legal Council at 2013 RSA Summit
• US much more respectful of citizens’ privacy
• EU General
• Voluntary service provider disclosures
• EU Data Retention Directive – 6 months to 2 years
• Countries
• UK
• TEMPORA – "Mastering the Internet" and "Global Telecoms Exploitation"
• France
• Non-judicial wiretapping: connections inside France and between France and other countries are all monitored, even for scientific and economic data
• Germany
• G10 Act: intelligence services may monitor and record telecommunications without a court order if they are investigating serious crime, terrorism or a threat against national security
• Federal Trojan – does need a court order, without notification to the CSP
• Spain
• No warrant required
Glass Houses - EU Monitoring Laws
US better protects from Gov intercept, EU couldn’t meet US legal standards
but European citizens (officials?) less suspicious of EU Government/abuses
8. • Originally, talk included a much different crypto discussion
• Cryptography is the major protection mechanism for cloud
• Multi-tenancy relies on no cross-talk/hypervisor monitoring
• Minimal evidence that cryptographic algorithms are flawed or embedded with backdoors
• No historical evidence NSA corrupted underlying crypto algorithms/methodologies
• 1970s DES S-box suggestions from NSA actually strengthened the algorithm
• Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
• Clipper chip – Agency learning experience? Government key escrow experiment
• Now, essentially key escrow by CSPs
• ToS: In June 2011, a Microsoft executive admitted at the Office 365 launch in London that, under the PATRIOT Act, the company could be made to turn over information stored overseas to US authorities without seeking consent or even providing prior notice to the data owner.
• Usage agreements – iCloud, AWS, Mozy, Box, etc. will turn over keys/data with a warrant
Snowden Revelations
Reliance on any one technology…
9. • Underlying mathematics sound
• Crypto shelf life – Moore’s law and key material length
• Slowly chip away at the key space to limit brute force search
• Implementation problems
• PRISM still unknown/fuzzy as to what hand NSA had – 3 choices?
1. Discovered flaws without disclosure
2. Contacted by manufacturer and asked to stay silent (as with DES)
3. Strong-armed flaws into products
• RNG
• Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)
• Schneier – Original standard specification included “default” seed values
• Mozilla RNG flaw
• ECC
• Elliptic curves & variables chosen are suboptimal (formula, prime, cofactor)
Algorithmic Issues?
US DoD uses the same algorithms for Top Secret data
10. • Who uses what?
• Principal expectation – bad crypto implementations
• PKCS#11 – RSA, also known as “Cryptoki”
• Microsoft CAPI – API used by IIS, CA; also available in .NET
• Microsoft CNG API – next-gen crypto API available from Vista onwards; IIS, ADCS et al.
• OpenSSL crypto
• JCE/JCA – Java API
Cryptographic Implementations
11. • 5 NIST tenets – biggest issues
• Metering – administrative access
• Elasticity – moving targets
• Self service
• Broad Network Access – plenty of connectivity
• Resource Pooling – multi-tenancy, co-mingled data, scattered locations
CSP vs Enterprise - unique challenges
Don’t Trust Administrators, Wider pipes, Everything together
12. • Physical protections
• Assumption: best practices implemented by CSPs; not really a Gov issue directly, but could be used by Gov – think telco providers and wiring closet drops for warrantless wiretapping
• Role Based Access Controls
• System administrators segmented from hardware administrators
• Identity and Access Management (IdAM)
• Pre-Snowden
• Heavy dose of cryptography with a side of key management
• Processes and procedures may be implemented by ANY CSP
• Standard best practices – should be in place in data centers already
CSP Protection Mechanisms
13. • Built-in cloud crypto services:
• Encryption for data in motion – no-brainer – lock in web browser; SSL/TLS certificates protect against man-in-the-middle attacks
• Encryption for data at rest – keys held by ISP, readily turned over by CSPs as per ToS
• SaaS:
• email – Gmail, Yahoo, Live…
• Exceptions: Silent Circle, Hushmail, Lavabit – paper key disclosure
• picture – Flickr, Instagram, Photobucket, …
• office – Office 365, Zoho, Google Drive, …
• backup – Carbonite, Mozy, IDrive, Norton Backup…
• …
• Object systems: iCloud, Dropbox, Box, S3, SkyDrive, Google Drive…
• Exceptions: Jungle Drive, SpiderOak, Symantec Zone
Principally encryption
14. • Amazon AWS
• GovCloud – SSL termination on FIPS 140-2 Level 3 hardware devices
• HSM – Hardware Security Module access (2013)
• HSMs built into Intel hardware for >8 years now
• Direct access to underlying CPU services
• Other providers to follow/allow hosting
• Microsoft Azure
• Google Compute Engine
• Force
• Rackspace
• Savvis
• VMware vCloud Hybrid Services
IaaS Built-in Crypto Offerings
15. • Physical location with stronger laws
• US isn’t that bad – for US citizens
• Switzerland – but even the Swiss cave (2011)
• Privacy = constitutional fundamental right (Argentina, Brazil, S. Africa)
• Confidentiality
• Don’t use built-in/default keys – EVER
• Essentially consenting to a corporate key escrow service for the government
• Forgoing the capability of using key destruction for digital file shredding/retention
• Own key servers
• Separate instance (iffy – aka server-side encryption)
• Hosted with another provider (okay)
• On corporate premises (better – aka client-side encryption)
• Physical control of crypto material (best – gov implementations, aka HSM/Type 1)
So what can cloud practitioners do about it
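The "own key servers / client-side encryption" option above, as an added example that is not from the deck or from any provider's SDK: envelope encryption in Go, where each object is sealed under a fresh data key and that data key is sealed under a key-encrypting key (KEK) that stays on the customer's premises, so the provider stores only ciphertext and can neither read the object nor hand over a usable key. The StoredObject layout, the object name used as associated data and the sample record are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredObject is all the provider ever sees: the ciphertext plus the data key
// sealed under a key-encrypting key (KEK) kept on the customer's premises.
// Hypothetical layout, not any provider's format.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, plaintext)
	WrappedKey []byte // nonce || AES-256-GCM(kek, dataKey)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // fails only on a bad key length
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext under key; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, wrong aad or any tampering fails the tag check.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize() { return nil, fmt.Errorf("unseal: bad key or short blob: %v", err) }
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt runs on the client before upload: a fresh data key per object, wrapped
// under the KEK, with the object name bound as associated data so a wrapped key
// cannot be transplanted from one object to another.
func Encrypt(kek, plaintext []byte, objectName string) (*StoredObject, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil { return nil, err }
	ct, err := seal(dataKey, plaintext, []byte(objectName))
	if err != nil { return nil, err }
	wk, err := seal(kek, dataKey, []byte(objectName))
	if err != nil { return nil, err }
	return &StoredObject{Ciphertext: ct, WrappedKey: wk}, nil
}

// Decrypt needs the KEK: holding only the StoredObject gets nobody past the
// unwrap step, and destroying the KEK shreds the object wherever copies live.
func Decrypt(kek []byte, obj *StoredObject, objectName string) ([]byte, error) {
	dataKey, err := unseal(kek, obj.WrappedKey, []byte(objectName))
	if err != nil { return nil, fmt.Errorf("unwrap data key (wrong or destroyed KEK?): %w", err) }
	return unseal(dataKey, obj.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // in practice fetched from an on-premise key server or HSM
	io.ReadFull(rand.Reader, kek)
	obj, _ := Encrypt(kek, []byte("constructed customer record"), "bucket/record-1")
	pt, _ := Decrypt(kek, obj, "bucket/record-1")
	for i := range kek { kek[i] = 0 } // shred the KEK; the stored object is now unrecoverable
	_, err := Decrypt(kek, obj, "bucket/record-1")
	fmt.Printf("with KEK: %q\nafter shredding: %v\n", pt, err)
}
```

The same pattern holds whether the KEK lives in a separate instance, with a third-party key host or in an on-premise HSM; what changes is only who can be compelled to produce it.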
16.
Privacy Protection by Country
Privacy Heat map – heatmap.forrestertools.com/
17. • Key management
• Non-government-sponsored algorithms
• Instead of AES: Twofish/Threefish
• Instead of NIST ECC curves: Curve25519 or Curve1174
• Sharing keys
• Double blind encryption (ease of use v. security): Symantec, Proofpoint, Google
• Split custodians/keys, k of m
• Other techniques
• Homomorphic encryption
So what can cloud practitioners do about it
These are all still susceptible to brute force attacks and crypto implementation subversion
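The "split custodians/keys, k of m" item above, as an added example that is not from the deck: Shamir secret sharing in Go, splitting a 256-bit key among m custodians so that any k of them can reconstruct it while fewer than k learn nothing. The field prime (the Mersenne prime 2^521-1), the Share layout and the 3-of-5 sample are constructed choices for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Field prime: the Mersenne prime 2^521-1, comfortably above any 256-bit key,
// so a whole AES-256 key is one field element (constructed choice for the demo).
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece: the point (X, f(X)) on the secret polynomial.
type Share struct{ X int64; Y *big.Int }

// Split hands key to m custodians so that any k of them can rebuild it:
// f(x) = key + a1*x + ... + a(k-1)*x^(k-1) mod prime with random a_i;
// custodian i receives the point (i, f(i)).
func Split(key []byte, k, m int) ([]Share, error) {
	if k < 2 || m < k || len(key) > 64 { return nil, errors.New("need 2 <= k <= m and a key of at most 512 bits") }
	coeffs := make([]*big.Int, k)
	coeffs[0] = new(big.Int).SetBytes(key) // f(0) is the secret itself
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime)
		if err != nil { return nil, err }
		coeffs[i] = c
	}
	shares := make([]Share, m)
	for i := 1; i <= m; i++ {
		x, y := big.NewInt(int64(i)), new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner evaluation of f(x) mod prime
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i-1] = Share{X: int64(i), Y: y}
	}
	return shares, nil
}

// Combine recovers f(0) by Lagrange interpolation through the supplied shares.
// Fewer than k shares interpolate a different polynomial, so the result is
// unrelated to the key: below the quorum the custodians learn nothing.
func Combine(shares []Share, keyLen int) ([]byte, error) {
	secret := new(big.Int)
	for j, sj := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for l, sl := range shares {
			if l != j {
				num.Mul(num, big.NewInt(-sl.X))     // (0 - x_l)
				den.Mul(den, big.NewInt(sj.X-sl.X)) // (x_j - x_l)
			}
		}
		inv := new(big.Int).ModInverse(den.Mod(den, prime), prime)
		if inv == nil { return nil, errors.New("duplicate share") }
		term := new(big.Int).Mul(sj.Y, num.Mod(num, prime))
		secret.Add(secret, term.Mul(term, inv)).Mod(secret, prime)
	}
	if secret.BitLen() > keyLen*8 { return nil, errors.New("result does not fit the key: too few or corrupt shares") }
	return secret.FillBytes(make([]byte, keyLen)), nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	shares, _ := Split(key, 3, 5)        // 3-of-5 custodians
	got, err := Combine(shares[1:4], 32) // custodians 2, 3 and 4 form the quorum
	fmt.Println(err == nil && bytes.Equal(got, key))
}
```

Each custodian stores only their own Share; the reassembled key should exist only transiently on the client (or inside an HSM) and never be written back to the provider.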
18. • Server Side
• Client Side on-premise
• HSM
Reference Architectures
AWS references throughout, though these should be applicable to other environments. Check out re:Invent SEC304 for further details.
19.
Server Side Encryption
20.
Client Side Encryption
21.
Case Study: Netflix & HSM
22. • Conclusions
• Bunk? Valid concerns?
• Skip the FUD, implement the best practices
• You’ll never be as efficient at RBAC/separation of duties/physical access
• Security in depth – think Safe measurements
• Weekly revelations – final release of presentation may be found at: https://www.cippguide.org/csa-congress/
• Jon-Michael C. Brook
• jbrook@cippguide.org
• @jonmichaelbrook
• http://www.linkedin.com/in/jonmichaelcbrook
Coda
Editor's Notes
Restraining trade through tariffs, quotas or regulations
Famous, Sugar beets, India
Economic pundits
Friedman – opponent of protectionism
Greenspan – no incentive to innovate
EU Cloud benefit economy
Q? Who actually heard of any EU Cloud Providers?
Currently each country implements DPD; want single Law
Much needed boost
http://eandt.theiet.org/magazine/2013/04/regulating-the-cloud-crowd.cfm
http://www.zdnet.com/bad-assumptions-about-cloud-computing-and-the-patriot-act-7000002614/
http://www.lexisnexis.com/legalnewsroom/international-law/b/commentry/archive/2013/02/26/cheap-shots-eu-privacy-the-usa-patriot-act-and-cloud-computing.aspx
http://siliconangle.com/blog/2013/10/07/eu-move-to-regulate-the-cloud-could-threaten-us-firms/
http://ccskguide.org/european-cloud-computing-concerns/
Electronic Communications Privacy Act of 1986 (ECPA), codified at 18 U.S.C. §§ 2510–2522, was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer. Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications.
The ECPA also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, 18 U.S.C. §§ 2701-12. The ECPA also included so-called pen/trap provisions that permit the tracing of telephone communications. §§ 3121-27. The ECPA has been amended by the Communications Assistance to Law Enforcement Act (CALEA) (1994), the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008).[1]
The law entitles federal agencies to subpoena 180-day-old emails.[2]
http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
The Foreign Intelligence Surveillance Act (FISA) was introduced on May 18, 1977, by Senator Ted Kennedy and was signed into law by President Carter in 1978. The bill was cosponsored by nine Senators: Birch Bayh, James O. Eastland, Jake Garn, Walter Huddleston, Daniel Inouye, Charles Mathias, John L. McClellan, Gaylord Nelson, and Strom Thurmond.
The FISA resulted from extensive investigations by Senate Committees into the legality of domestic intelligence activities. These investigations were led separately by Sam Ervin and Frank Church in 1978 as a response to President Richard Nixon’s usage of federal resources to spy on political and activist groups, which violates the Fourth Amendment.[4] The act was created to provide Judicial and congressional oversight of the government's covert surveillance activities of foreign entities and individuals in the United States, while maintaining the secrecy needed to protect national security. It allowed surveillance, without court order, within the United States for up to one year unless the "surveillance will acquire the contents of any communication to which a United States person is a party". If a United States person is involved, judicial authorization was required within 72 hours after surveillance begins.
Generally, the statute permits electronic surveillance in two scenarios.
Without a court order
The President may authorize, through the Attorney General, electronic surveillance without a court order for the period of one year provided it is only for foreign intelligence information;[7] targeting foreign powers as defined by 50 U.S.C. § 1801(a)(1),(2),(3)[12] or their agents; and there is no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party.[13]
The Attorney General is required to make a certification of these conditions under seal to the Foreign Intelligence Surveillance Court,[14] and report on their compliance to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence.[15]
Since 50 U.S.C. § 1802(a)(1)(A) of this act specifically limits warrantless surveillance to foreign powers as defined by 50 U.S.C. §1801(a) (1),(2), (3) and omits the definitions contained in 50 U.S.C. §1801(a) (4),(5),(6) the act does not authorize the use of warrantless surveillance on: groups engaged in international terrorism or activities in preparation therefore; foreign-based political organizations, not substantially composed of United States persons; or entities that are directed and controlled by a foreign government or governments.[16] Under the FISA act, anyone who engages in electronic surveillance except as authorized by statute is subject to both criminal penalties[17] and civil liabilities.[18]
Under 50 U.S.C. § 1811, the President may also authorize warrantless surveillance at the beginning of a war. Specifically, he may authorize such surveillance "for a period not to exceed fifteen calendar days following a declaration of war by the Congress".[19]
With a court order
Alternatively, the government may seek a court order permitting the surveillance using the FISA court.[20] Approval of a FISA application requires the court find probable cause that the target of the surveillance be a "foreign power" or an "agent of a foreign power", and that the places at which surveillance is requested is used or will be used by that foreign power or its agent. In addition, the court must find that the proposed surveillance meet certain "minimization requirements" for information pertaining to U.S. persons.[21]
http://en.wikipedia.org/wiki/FISA
CSA Legal Council
http://www.thewhir.com/web-hosting-news/cloud-security-alliance-launches-website-for-cloud-related-legal-issues
https://cloudsecurityalliance.org/research/clic/
http://en.wikipedia.org/wiki/Tempora
http://www.bbc.co.uk/news/world-europe-23553837
http://www.bbc.co.uk/news/world-europe-23178284
Snowden – Crypto revelations
CSP – Crypto major protection – all data side by side
Algorithms – NSA involvement DES
Q? Who reads usage agreements?
CSP Key Escrow
https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
http://www.infosecurity-magazine.com/blog/2012/8/27/is-crypto-in-the-cloud-enough-/639.aspx
http://arstechnica.com/apple/2012/04/apple-holds-the-master-key-when-it-comes-to-icloud-security-privacy/
Limited Lifespan – GPU cracking of DES in seconds using rainbow tables
PRISM choices – no disclosure, silence, flaws introduced
Crypto relies on entropy for initialization
ECC -
Vendor avoiding NIST ciphers
http://news.cnet.com/8301-1009_3-57605286-83/silent-circle-nist-encryption-standards-untrustworthy/
Breakdown of NIST ECC
http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
Suite B Crypto AES & ECC
http://www.nsa.gov/ia/programs/suiteb_cryptography/
Cloud Service Providers
They are bigger than Russel 2000, Forbes 50?
Have to have the best practices
http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy
Lavabit – proper requests serviced, then asked for root keys
Silent Circle – nuked service
Automatic crypto in object systems
http://www.hushmail.com/about/technology/
http://en.wikipedia.org/wiki/Lavabit
http://www.infosecurity-magazine.com/blog/2012/8/27/is-crypto-in-the-cloud-enough-/639.aspx
More
AWS
http://aws.amazon.com/compliance/#fips
Azure
http://www.windowsazure.com/en-us/support/legal/security-overview/
http://msdn.microsoft.com/en-us/magazine/ee291586.aspx
3rd Party Product key management
http://townsendsecurity.com/products/encryption-key-management-for-Microsoft-Azure
securely downloads the private keys into each deployed VM with the private key being non-exportable
http://www.globalfoundationservices.com/security/documents/WindowsAzureSecurityOverview1_0Aug2010.pdf
Location Laws (next slide)
Swiss bank accounts
Switzerland
http://hothardware.com/News/US-Corporations-Look-To-Switzerland-For-Cloud-Services-After-NSA-Spying-Fallout/
http://news.yahoo.com/swisscom-builds-swiss-cloud-spying-storm-rages-151807634--sector.html
http://www.mondaq.com/unitedstates/x/269842/tax+authorities/Switzerland+and+United+States+Reach+Agreement+on+Swiss+Bank
http://www.forbes.com/sites/robertwood/2013/07/09/swiss-banks-reveal-americans-u-k-deal-sputters-and-germany-embraces-fatca/
Worldwide Privacy Laws
http://www.whitecase.com/files/Publication/633ca7b2-2f5f-4783-bb58-6046741e6787/Presentation/PublicationAttachment/e08ff2d5-ec2f-45ba-9a49-6c0c2846542f/Countries%20At%20A%20Glance%20-%20Data%20Privacy%20-%20October%202007.pdf
Key Servers
Separate Instance
Third Party Hosted
http://web.townsendsecurity.com/bid/63737/Protecting-Your-Data-in-the-Microsoft-Windows-Azure-Cloud
http://talkincloud.com/cloud-companies/keynexus-debuts-remote-key-encryption-management-aws
http://www.prnewswire.com/news-releases/aws-customers-can-enforce-control-and-maintain-compliance-with-safenet-cloud-based-encryption-and-secure-key-management-230003341.html
On Corporate Premises
HSM Hybrid w/ AWS - SafeNet
https://aws.amazon.com/cloudhsm/
HSM w/ Azure - Thales
http://www.thales-esecurity.com/msrms/cloud
Physical Control
Non-Gov Algorithms
http://silentcircle.wordpress.com/2013/09/30/nncs/
3rd Party key storage
http://www.ciphercloud.com/cloud-encryption.aspx
Double Blind Crypto
http://en.wikipedia.org/wiki/Blinding_(cryptography)
http://www.proofpoint.com/datasheets/email-archiving/DS-Proofpoint-DoubleBlind-Key-Architecture.pdf
http://www.legaltechnology.com/latest-news/data-security-in-the-snowden-era-1-double-blind-encryption/
http://www.google.com/patents/US5638445
http://www.bit.com.au/News/325432,norton-zone-like-dropbox-with-one-key-difference.aspx
Key Splitting/ Custodians
http://users.telenet.be/d.rijmenants/en/secretsplitting.htm
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
K of M
http://en.wikipedia.org/wiki/Publius_Publishing_System
Homomorphic
http://www.americanscientist.org/issues/pub/2012/5/alice-and-bob-in-cipherspace/1
http://www.networkcomputing.com/cloud-computing/porticor-beefs-up-cloud-security-with-sp/240012638