1. Avoiding US Cloud Providers: EU Protectionism or Valid Concerns
2013 Cloud Security Alliance Congress
Session 12
December 4, 2013
Jon-Michael C. Brook
Cloud, Security & Privacy Principal
2. Tariffs & Protectionism
• Protectionism
  • “[T]he economic policy of restraining trade between states through methods such as tariffs on imported goods, restrictive quotas, and a variety of other government regulations designed to allow (according to proponents) "fair competition" between imports and goods and service produced domestically.” - wikipedia
• Examples
  • Historically, most famous for US – American Revolutionary War
    • Stamp Act, Tea Act -> Boston tea party
  • US – Sugar cane: Brazil far more efficient in producing than sugar beets
    • Protect the sugar industry in US, offer credits/tax incentives AND put tariffs on imports
  • India – Local subsidiaries only
• Arguments simply don’t hold up – Fledgling industries, national importance
  • Typically lead to stagnant economies and little motivation for innovation
  • Milton Friedman/Paul Krugman: Free trade “…has a ripple effect throughout the economy.”
  • Alan Greenspan: Protectionism leads “…to an atrophy of our competitive ability. ... If the protectionist route is followed, newer, more efficient industries will have less scope to expand, and overall output and economic welfare will suffer.”
Cloud Security Alliance 2013 Congress EU Cloud: Protectionism or Reality - 2
3. What EU Cloud?
Vote on single law draft resolution May 2014
• Viviane Reding - European Commissioner for Justice, Fundamental Rights and Citizenship
  Jan 2012 – reform proposal of the EU's 1995 data protection directive rules:
  • "strengthen online privacy rights and boost Europe's digital economy".
  • "A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3bn a year.”
  • "The initiative will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs, and innovation in Europe."
4. FUD & Protectionism
• “For the private sector, such European clouds could become also attractive as they could advertise, ‘These are European clouds, so your personal data is safe.’” – Viviane Reding
• “The questions raised around the United States’ FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” – TeamDrive
• “[W]e comply with the highest German European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don’t offer the same level of security. But we can deliver CLOUD SERVICES ‘MADE IN GERMANY’ – around the world.” – T-Systems
5. At Issue
• PATRIOT Act - Allows cryptographic material access requests
  • US citizens: some protections
  • No protections for non-US citizens
  • §215 Allows access to customer records in BULK – non-content metadata
    • Voluntarily disclosed to a 3rd party - Supreme Court ruling
    • Requires Court Order for more
  • Customer data not a business record
    • Requires Search Warrant
    • Google, Yahoo, Microsoft, Apple
  • Obama – Criminal, yes; Civil - Unknown
    • Never tried to get foreign data
• FISA Amendments Act – 50 USC § 1881A
  • Foreign Intelligence – Potential Attacks, Sabotage/Terrorism, Clandestine Intel
  • Info must pertain to a foreign power or foreign territory; Not a foreign citizen
  • Not Business Intelligence - Canada clipped in October NYT release surrounding Brazil mining, US Merkel surveillance on Dollar purchases/sales
6. US Laws & Privacy Protections
Laws always behind technology and require judicial interpretation
• 4th Amendment
  • Warrantless search and seizure
• Electronic Communications Privacy Act (ECPA) 1986
  • Extends Wiretap statute
  • No voluntary disclosures of customer data by providers
  • Amended by Communications Assistance to Law Enforcement Act (CALEA) 1994, PATRIOT Act 2001, PATRIOT Reauthorization 2006
• Foreign Intelligence Surveillance Act (FISA) 1978
  • Judicial Approval Regime
  • No data retention requirements
  • Amended 1998
7. Glass Houses - EU Monitoring Laws
US better protects from Gov intercept, EU couldn’t meet US legal standards, but European citizens (officials?) less suspicious of EU Government/abuses
• Full day symposium by CSA Legal Council at 2013 RSA Summit
  • US much more respectful of citizens’ privacy
• EU General
  • Voluntary service provider disclosures
  • EU Data Retention Directive – 6 months to 2 years
• Countries
  • UK
    • TEMPORA - "Mastering the Internet" and "Global Telecoms Exploitation"
  • France
    • Non-judicial wiretapping; connections inside France and between France and other countries are all monitored, even for scientific and economic data
  • Germany
    • G10 act: intelligence services may monitor and record telecommunications without a court order if they are investigating serious crime, terrorism or a threat against national security.
    • Federal Trojan – court order required, but without notification to the CSP.
  • Spain
    • No warrant required
8. Snowden Revelations
Reliance on any one technology…
• Originally, talk included much different crypto discussion
• Cryptography major protection mechanism for Cloud
  • Multi-tenancy reliance on no cross-talk/hypervisor monitoring
• Minimal evidence that cryptographic algorithms are flawed or embedded with backdoors
  • No historical evidence NSA corrupted underlying crypto algorithms/methodologies
  • 1970’s DES S-box suggestions from NSA actually strengthened algorithm
    • Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
  • Clipper chip – Agency learning experience? Government key escrow experiment
• Now, essentially key escrow by CSPs
  • ToS: In June 2011, a Microsoft executive admitted at the Office 365 launch in London that, under the Patriot Act, the company could be made to turn over information stored overseas to US authorities without seeking consent or even providing prior notice to the data owner.
  • Usage Agreements - iCloud, AWS, Mozy, Box, etc. will turn over keys/data w/ warrant
9. Algorithmic Issues?
US DoD uses the same algorithms for Top Secret data
• Underlying mathematics sound
  • Crypto shelf life - Moore’s law and key material length
  • Slowly chip away at the key space to limit brute force search
• Implementation problems
  • PRISM still unknown/fuzzy as to what hand NSA had – 3 choices?
    1. Discovered flaws w/o disclosure
    2. Contacted by manufacturer and asked to stay silent (as w/ DES)
    3. Strong-armed flaws into products
  • RNG
    • Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)
      • Schneier – Original standard specification included “default” seed values
    • Mozilla RNG flaw
  • ECC
    • Elliptic Curves & variables chosen are suboptimal (formula, prime, cofactor)
10. Cryptographic Implementations
• Who uses what?
• Principal expectation - bad crypto implementations
  • PKCS#11 – RSA, also known as “cryptoki”
  • Microsoft CAPI – API used by IIS, CA, also available in .NET
  • Microsoft CNG API – next gen crypto API available for Vista onwards, IIS, ADCS et al
  • OpenSSL crypto
  • JCE/JCA – Java API
11. CSP vs Enterprise - unique challenges
Don’t Trust Administrators, Wider pipes, Everything together
• 5 NIST tenets – biggest issues
  • Metering – administrative access
  • Elasticity – moving targets
  • Self service
  • Broad Network Access – plenty of connectivity
  • Resource Pooling - Multi-tenancy, co-mingled data, scattered locations
12. CSP Protection Mechanisms
• Physical protections
  • Assumption: best practices implemented by CSPs; not really a Gov issue directly, but could be used by Gov – think telco providers and wiring closet drops for warrantless wiretapping
• Role Based Access Controls
  • System Administrators segmented from hardware administrators
• Identity and Access Management (IdAM)
• Pre-Snowden
  • Heavy dose of cryptography w/ a side of key management
• Processes and procedures may be implemented by ANY CSP.
  • Standard best practices – should be in place in data centers already
13. Principally encryption
• Built-in cloud crypto services:
  • Encryption for data in motion – no-brainer – lock in web browser, SSL/TLS certificates protect against Man in the Middle attacks
  • Encryption for data at rest – keys held by CSP, readily turned over by CSPs as per ToS
• SaaS:
  • email – Gmail, Yahoo, Live…
    • Exceptions: Silent Circle, Hushmail, Lavabit – paper key disclosure
  • picture – Flickr, Instagram, Photobucket, …
  • office – Office365, Zoho, Google Drive, …
  • backup – Carbonite, Mozy, iDrive, Norton Backup…
  • …
• Object systems: iCloud, Dropbox, Box, S3, SkyDrive, Google Drive…
  • Exceptions: Jungle Disk, SpiderOak, Symantec Zone
14. IaaS Built-in Crypto Offerings
• Amazon AWS
  • GovCloud – SSL termination on FIPS 140-2 level 3 hardware devices
  • HSM – Hardware Security Module access (2013)
    • HSMs built into Intel hardware for >8 years now
    • Direct access to underlying CPU services
• Other Providers to follow/allow hosting
  • Microsoft Azure
  • Google Compute Engine
  • Force
  • Rackspace
  • Savvis
  • VMware vCloud Hybrid Services
15. So what can cloud practitioners do about it
• Physical location w/ stronger laws
  • US isn’t that bad – for US Citizens
  • Switzerland – but even the Swiss cave (2011)
  • Privacy = Constitutional fundamental right (Argentina, Brazil, S. Africa)
• Confidentiality
  • Don’t use built-in/default keys – EVER
    • Essentially consenting to corporate key escrow service for the government
    • Forgoing the capability of using key destruction for digital file shredding/retention
  • Own key servers
    • Separate instance (iffy – aka: server side encryption)
    • Hosted w/ another provider (okay)
    • On corporate premises (better – aka: client side encryption)
    • Physical control of crypto material (best - gov implementations aka: HSM/Type 1)
16. Privacy Protection by Country
Privacy Heat map – heatmap.forrestertools.com/
17. So what can cloud practitioners do about it
These are all still susceptible to brute force attacks and crypto implementation subversion
• Key management
  • Non-government sponsored algorithms
    • AES → Twofish/Threefish
    • ECC NIST Curves → Curve25519 or Curve1174
  • Sharing Keys
    • Double blind encryption (ease of use v. security): Symantec, ProofPoint, Google
    • split custodian/keys, k of m
  • Other techniques
    • Homomorphic encryption
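The "split custodian/keys, k of m" item above, together with the "own key servers / don't use built-in keys" advice on slide 15, can be implemented with Shamir's secret sharing: the data-encryption key is split so that any k of m custodians can rebuild it while k-1 shares reveal nothing. This is an added example, not code from the deck or from any provider named on it; the custodian names are hypothetical, the 256-bit key is constructed, and the field GF(2^521 - 1) is an implementation choice.

```python
"""Added example: k-of-m key custody with Shamir's secret sharing.

A data-encryption key (DEK) is split into m shares; any k custodians can
rebuild it, while any k-1 shares reveal nothing about it.  Arithmetic is
over GF(p) for the Mersenne prime p = 2^521 - 1, which comfortably holds a
256-bit AES key as an integer.  Python 3.8+ (uses pow(x, -1, p)).
"""
import secrets

PRIME = (1 << 521) - 1  # Mersenne prime M521; every secret must be < PRIME


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, k: int, m: int):
    """Split `key` into m shares (x, y); any k of them reconstruct it."""
    if not 2 <= k <= m:
        raise ValueError("need 2 <= k <= m")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Degree k-1 polynomial with random coefficients and the secret as f(0).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def interpolate_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME).

    Correct only with at least k distinct shares; with fewer it returns a
    value unrelated to the secret, which is the whole point of k-of-m.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def recover_key(shares, k: int, key_len: int) -> bytes:
    """Rebuild the key from at least k shares; refuse to run below threshold."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, got {len(shares)}")
    return interpolate_secret(shares[:k]).to_bytes(key_len, "big")


if __name__ == "__main__":
    dek = secrets.token_bytes(32)  # constructed 256-bit DEK, never stored as-is
    shares = split_key(dek, k=3, m=5)
    # Hypothetical custodians: each holds exactly one share, none holds the DEK.
    custody = dict(zip(["legal", "security", "ops", "audit", "escrow"], shares))
    quorum = [custody["legal"], custody["ops"], custody["escrow"]]
    assert recover_key(quorum, 3, 32) == dek
    print("3-of-5 custody rebuilt the DEK; any two shares alone cannot")
```

Keep each share with a different custodian (or in a different provider's HSM) so that no single warrant served on one party yields the key.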
18. Reference Architectures
AWS references throughout, though should be applicable to other environments. Check out re:Invent SEC304 for further details.
• Server Side
• Client Side on-premise
• HSM
19. Server Side Encryption
20. Client Side Encryption
21. Case Study: Netflix & HSM
22. Coda
• Conclusions
  • Bunk? Valid concerns?
  • Skip the FUD, implement the best practices
    • You’ll never be as efficient at RBAC/separation of duties/physical access
    • Security in depth – think Safe measurements
  • Weekly revelations - final release of presentation may be found at: https://www.cippguide.org/csa-congress/
• Jon-Michael C. Brook
  • jbrook@cippguide.org
  • @jonmichaelbrook
  • http://www.linkedin.com/in/jonmichaelcbrook

More Related Content

What's hot

An Internet of Governments
An Internet of GovernmentsAn Internet of Governments
An Internet of GovernmentsRobbie Mitchell
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management Endcode_org
 
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...Trivadis
 
Cyber Banking Conference
Cyber Banking Conference Cyber Banking Conference
Cyber Banking Conference Endcode_org
 
Individual and Technology
Individual and TechnologyIndividual and Technology
Individual and TechnologyMr Shipp
 
Law w04-global cybersecurity-laws_regulations_and_liability
Law w04-global cybersecurity-laws_regulations_and_liabilityLaw w04-global cybersecurity-laws_regulations_and_liability
Law w04-global cybersecurity-laws_regulations_and_liabilityJoão Rufino de Sales
 
Social Media & Legal Risk
Social Media & Legal Risk Social Media & Legal Risk
Social Media & Legal Risk Endcode_org
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debateDavid Strom
 
Achieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyAchieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyShiva Bissessar
 
Iowa Weighs in on Ethics of Cloud Computing for Lawyers
Iowa Weighs in on Ethics of Cloud Computing for LawyersIowa Weighs in on Ethics of Cloud Computing for Lawyers
Iowa Weighs in on Ethics of Cloud Computing for LawyersNicole Black
 
Big Data Ecosystem for Data-Driven Decision Making
Big Data Ecosystem for Data-Driven Decision MakingBig Data Ecosystem for Data-Driven Decision Making
Big Data Ecosystem for Data-Driven Decision MakingAbzetdin Adamov
 
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The LawBSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The LawBSidesROC
 
2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...
2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...
2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...APNIC
 
All You Need To Know About Data Law Changes in 2018
All You Need To Know About Data Law Changes in 2018All You Need To Know About Data Law Changes in 2018
All You Need To Know About Data Law Changes in 2018The Drum
 
Digital law
Digital lawDigital law
Digital lawAlieyn_
 
Digital law powerpoint
Digital law powerpointDigital law powerpoint
Digital law powerpointDLRUDO01
 
Online Privacy, the next Battleground
Online Privacy, the next BattlegroundOnline Privacy, the next Battleground
Online Privacy, the next BattlegroundSensePost
 
Artificial intelligence governance in the Obama & Trump years
Artificial intelligence governance in the Obama & Trump yearsArtificial intelligence governance in the Obama & Trump years
Artificial intelligence governance in the Obama & Trump yearsAdam Thierer
 

What's hot (20)

An Internet of Governments
An Internet of GovernmentsAn Internet of Governments
An Internet of Governments
 
Data Protection & Risk Management
Data Protection & Risk Management Data Protection & Risk Management
Data Protection & Risk Management
 
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
Trivadis TechEvent 2016 Big Data Privacy and Security Fundamentals by Florian...
 
Cyber Banking Conference
Cyber Banking Conference Cyber Banking Conference
Cyber Banking Conference
 
Individual and Technology
Individual and TechnologyIndividual and Technology
Individual and Technology
 
Law w04-global cybersecurity-laws_regulations_and_liability
Law w04-global cybersecurity-laws_regulations_and_liabilityLaw w04-global cybersecurity-laws_regulations_and_liability
Law w04-global cybersecurity-laws_regulations_and_liability
 
Social Media & Legal Risk
Social Media & Legal Risk Social Media & Legal Risk
Social Media & Legal Risk
 
Security v. Privacy: the great debate
Security v. Privacy: the great debateSecurity v. Privacy: the great debate
Security v. Privacy: the great debate
 
Achieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyAchieving Caribbean Cybersecuirty
Achieving Caribbean Cybersecuirty
 
Iowa Weighs in on Ethics of Cloud Computing for Lawyers
Iowa Weighs in on Ethics of Cloud Computing for LawyersIowa Weighs in on Ethics of Cloud Computing for Lawyers
Iowa Weighs in on Ethics of Cloud Computing for Lawyers
 
Big Data Ecosystem for Data-Driven Decision Making
Big Data Ecosystem for Data-Driven Decision MakingBig Data Ecosystem for Data-Driven Decision Making
Big Data Ecosystem for Data-Driven Decision Making
 
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The LawBSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
 
2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...
2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...
2nd ICANN APAC-TWNIC Engagement Forum: Internet Governance: Trends and Opport...
 
All You Need To Know About Data Law Changes in 2018
All You Need To Know About Data Law Changes in 2018All You Need To Know About Data Law Changes in 2018
All You Need To Know About Data Law Changes in 2018
 
Digital law
Digital lawDigital law
Digital law
 
Digital law powerpoint
Digital law powerpointDigital law powerpoint
Digital law powerpoint
 
Online Privacy, the next Battleground
Online Privacy, the next BattlegroundOnline Privacy, the next Battleground
Online Privacy, the next Battleground
 
Web 2.0 and surveillance slides
Web 2.0 and surveillance slidesWeb 2.0 and surveillance slides
Web 2.0 and surveillance slides
 
PechaWeb 2.0 and surveillance
PechaWeb 2.0 and surveillancePechaWeb 2.0 and surveillance
PechaWeb 2.0 and surveillance
 
Artificial intelligence governance in the Obama & Trump years
Artificial intelligence governance in the Obama & Trump yearsArtificial intelligence governance in the Obama & Trump years
Artificial intelligence governance in the Obama & Trump years
 

Viewers also liked

World Hosting Days - More than just a control panel - reveal the power of Web...
World Hosting Days - More than just a control panel - reveal the power of Web...World Hosting Days - More than just a control panel - reveal the power of Web...
World Hosting Days - More than just a control panel - reveal the power of Web...Jan Löffler
 
Alliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the Cloud
Alliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the CloudAlliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the Cloud
Alliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the CloudSparkrock
 
Enter Cloud Suite at CEBIT Hannover
Enter Cloud Suite at CEBIT HannoverEnter Cloud Suite at CEBIT Hannover
Enter Cloud Suite at CEBIT HannoverMariano Cunietti
 
DevOps - Una rivoluzione culturale
DevOps - Una rivoluzione culturaleDevOps - Una rivoluzione culturale
DevOps - Una rivoluzione culturaleMariano Cunietti
 
Presentation World Hosting Days
Presentation World Hosting DaysPresentation World Hosting Days
Presentation World Hosting DaysUnivention GmbH
 
Cloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU BuxellesCloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU BuxellesMariano Cunietti
 
Nuxeo EP 5 - A Seam Case Study
Nuxeo EP 5 - A Seam Case StudyNuxeo EP 5 - A Seam Case Study
Nuxeo EP 5 - A Seam Case StudyStefane Fermigier
 
Cloud computing & lamp applications
Cloud computing & lamp applicationsCloud computing & lamp applications
Cloud computing & lamp applicationsCorley S.r.l.
 
Jean-Paul Smets - Free Cloud Alliance
Jean-Paul Smets - Free Cloud AllianceJean-Paul Smets - Free Cloud Alliance
Jean-Paul Smets - Free Cloud AllianceStefane Fermigier
 
Customer Stories Submission Process for Cloud Alliance Partners
Customer Stories Submission Process for Cloud Alliance Partners Customer Stories Submission Process for Cloud Alliance Partners
Customer Stories Submission Process for Cloud Alliance Partners Salesforce Partners
 

Viewers also liked (12)

World Hosting Days - More than just a control panel - reveal the power of Web...
World Hosting Days - More than just a control panel - reveal the power of Web...World Hosting Days - More than just a control panel - reveal the power of Web...
World Hosting Days - More than just a control panel - reveal the power of Web...
 
Alliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the Cloud
Alliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the CloudAlliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the Cloud
Alliance 2017 - How to Plan a Pain-Free Upgrade or Transition to the Cloud
 
Enter Cloud Suite at CEBIT Hannover
Enter Cloud Suite at CEBIT HannoverEnter Cloud Suite at CEBIT Hannover
Enter Cloud Suite at CEBIT Hannover
 
DevOps - Una rivoluzione culturale
DevOps - Una rivoluzione culturaleDevOps - Una rivoluzione culturale
DevOps - Una rivoluzione culturale
 
Presentation World Hosting Days
Presentation World Hosting DaysPresentation World Hosting Days
Presentation World Hosting Days
 
Cloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU BuxellesCloud Team Alliance @ EU Buxelles
Cloud Team Alliance @ EU Buxelles
 
Nuxeo EP 5 - A Seam Case Study
Nuxeo EP 5 - A Seam Case StudyNuxeo EP 5 - A Seam Case Study
Nuxeo EP 5 - A Seam Case Study
 
Cloud computing & lamp applications
Cloud computing & lamp applicationsCloud computing & lamp applications
Cloud computing & lamp applications
 
Jean-Paul Smets - Free Cloud Alliance
Jean-Paul Smets - Free Cloud AllianceJean-Paul Smets - Free Cloud Alliance
Jean-Paul Smets - Free Cloud Alliance
 
Customer Stories Submission Process for Cloud Alliance Partners
Customer Stories Submission Process for Cloud Alliance Partners Customer Stories Submission Process for Cloud Alliance Partners
Customer Stories Submission Process for Cloud Alliance Partners
 
Star alliance
Star allianceStar alliance
Star alliance
 
Star Alliance
Star AllianceStar Alliance
Star Alliance
 

Similar to 2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers

Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...Andrew Hammond
 
The Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDThe Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDResilient Systems
 
Lofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionLofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionSean Whalen
 
Recent developments and future challenges in privacy
Recent developments and future challenges in privacyRecent developments and future challenges in privacy
Recent developments and future challenges in privacyPECB
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsResilient Systems
 
Cloud Computing and the Public Sector
Cloud Computing and the Public SectorCloud Computing and the Public Sector
Cloud Computing and the Public SectorMHCCloud
 
The day when 3rd party security providers disappear into cloud bright talk se...
The day when 3rd party security providers disappear into cloud bright talk se...The day when 3rd party security providers disappear into cloud bright talk se...
The day when 3rd party security providers disappear into cloud bright talk se...Ulf Mattsson
 
Security Challenges in Emerging Technologies
Security Challenges in Emerging TechnologiesSecurity Challenges in Emerging Technologies
Security Challenges in Emerging TechnologiesSmart Assessment
 
Security Challenges in Emerging Technologies
Security Challenges in Emerging TechnologiesSecurity Challenges in Emerging Technologies
Security Challenges in Emerging TechnologiesPraveen Vackayil
 
Cybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationCybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationHinne Hettema
 
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...Cengage Learning
 
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptxCRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptxNune SrinivasRao
 
Mind Your Business: Why Privacy Matters to the Successful Enterprise
 Mind Your Business: Why Privacy Matters to the Successful Enterprise Mind Your Business: Why Privacy Matters to the Successful Enterprise
Mind Your Business: Why Privacy Matters to the Successful EnterpriseEric Kavanagh
 
Understanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: WebinarUnderstanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: WebinarCipherCloud
 
This Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is DifferentThis Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is DifferentJustin Grammens
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsJeff Katz
 

Similar to 2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers (20)

Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...Have the Bad Guys Won the Cyber security War...
Have the Bad Guys Won the Cyber security War...
 
Quant & Crypto Gold
Quant & Crypto GoldQuant & Crypto Gold
Quant & Crypto Gold
 
The Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUDThe Patriot Act and Cloud Security - Busting the European FUD
The Patriot Act and Cloud Security - Busting the European FUD
 
Lofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and EncryptionLofty Ideals: The Nature of Clouds and Encryption
Lofty Ideals: The Nature of Clouds and Encryption
 
Recent developments and future challenges in privacy
Recent developments and future challenges in privacyRecent developments and future challenges in privacy
Recent developments and future challenges in privacy
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Cloud Computing and the Public Sector
Cloud Computing and the Public SectorCloud Computing and the Public Sector
Cloud Computing and the Public Sector
 
The day when 3rd party security providers disappear into cloud bright talk se...
The day when 3rd party security providers disappear into cloud bright talk se...The day when 3rd party security providers disappear into cloud bright talk se...
The day when 3rd party security providers disappear into cloud bright talk se...
 
Security Challenges in Emerging Technologies
Security Challenges in Emerging TechnologiesSecurity Challenges in Emerging Technologies
Security Challenges in Emerging Technologies
 
Security Challenges in Emerging Technologies
Security Challenges in Emerging TechnologiesSecurity Challenges in Emerging Technologies
Security Challenges in Emerging Technologies
 
Cybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generationCybersecurity Strategies - time for the next generation
Cybersecurity Strategies - time for the next generation
 
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
E-Discovery: How do Litigation Hold, BYOD, and Privacy Affect You? - Course T...
 
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptxCRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
CRYPTOGRAPHY AND NETWORK SECURITY ppt by me.pptx
 
Mind Your Business: Why Privacy Matters to the Successful Enterprise
 Mind Your Business: Why Privacy Matters to the Successful Enterprise Mind Your Business: Why Privacy Matters to the Successful Enterprise
Mind Your Business: Why Privacy Matters to the Successful Enterprise
 
Data Sovereignty
Data SovereigntyData Sovereignty
Data Sovereignty
 
Sovereignty in Cyberspace
Sovereignty in CyberspaceSovereignty in Cyberspace
Sovereignty in Cyberspace
 
Understanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: WebinarUnderstanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: Webinar
 
This Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is DifferentThis Time, It’s Personal: Why Security and the IoT Is Different
This Time, It’s Personal: Why Security and the IoT Is Different
 
Privacy and Security in the Internet of Things
Privacy and Security in the Internet of ThingsPrivacy and Security in the Internet of Things
Privacy and Security in the Internet of Things
 
Ethical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on ComputingEthical Issues and Relevant Laws on Computing
Ethical Issues and Relevant Laws on Computing
 

2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers

  • 4. FUD & Protectionism
    • “For the private sector, such European clouds could become also attractive as they could advertise, ‘These are European clouds, so your personal data is safe.’” – Viviane Reding
    • “The questions raised around the United States’ FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” – TeamDrive
    • “[W]e comply with the highest German European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don’t offer the same level of security. But we can deliver CLOUD SERVICES ‘MADE IN GERMANY’ – around the world.” – T-Systems
  • 5. At Issue
    • PATRIOT Act – allows cryptographic material access requests
      • US citizens: some protections
      • No protections for non-US citizens
      • §215 allows access to customer records in BULK – non-content metadata
        • Voluntarily disclosed to a 3rd party – Supreme Court ruling
        • Requires a court order for more
      • Customer data is not a business record
        • Requires a search warrant
        • Google, Yahoo, Microsoft, Apple
        • Obama – criminal, yes; civil – unknown
        • Never tried to get foreign data
    • FISA Amendments Act – 50 USC § 1881A
      • Foreign intelligence – potential attacks, sabotage/terrorism, clandestine intel
      • Info must pertain to a foreign power or foreign territory, not a foreign citizen
      • Not business intelligence – Canada clipped in October NYT release surrounding Brazil mining; US Merkel surveillance on dollar purchases/sells
  • 6. US Laws & Privacy Protections – laws are always behind technology and require judicial interpretation
    • 4th Amendment – warrantless search and seizure
    • Electronic Communications Privacy Act (ECPA) 1986
      • Extends the Wiretap statute
      • No voluntary disclosures of customer data by providers
      • Amended by: Communications Assistance to Law Enforcement Act (CALEA) 1994, PATRIOT Act 2001, PATRIOT Reauthorization 2006
    • Foreign Intelligence Surveillance Act (FISA) 1978
      • Judicial approval regime
      • No data retention requirements
      • Amended 1998
  • 7. Glass Houses – EU Monitoring Laws
    • Full-day symposium by CSA Legal Council at 2013 RSA Summit
    • US much more respectful of citizens’ privacy
    • EU general
      • Voluntary service provider disclosures
      • EU Data Retention Directive – 6 months to 2 years
    • Countries
      • UK – TEMPORA: "Mastering the Internet" and "Global Telecoms Exploitation"
      • France – non-judicial wiretapping; connections inside France and between France and other countries are all monitored, even for scientific and economic data
      • Deutschland – G10 act: intelligence services may monitor and record telecommunications without a court order if they are investigating serious crime, terrorism or a threat against national security. Federal Trojan – does need a court order, without notification to the CSP.
      • Spain – no warrant required
    • US better protects from government intercept; the EU couldn’t meet US legal standards, but European citizens (officials?) are less suspicious of EU government/abuses
  • 8. Snowden Revelations – reliance on any one technology…
    • Originally, the talk included a much different crypto discussion
    • Cryptography is the major protection mechanism for cloud
      • Multi-tenancy relies on no cross-talk/hypervisor monitoring
    • Minimal evidence that cryptographic algorithms are flawed or embedded with backdoors
      • No historical evidence NSA corrupted underlying crypto algorithms/methodologies
      • 1970s DES S-box suggestions from NSA actually strengthened the algorithm
      • Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
      • Clipper chip – agency learning experience? Government key escrow experiment
    • Now, essentially key escrow by CSPs
      • ToS: in June 2011, a Microsoft executive admitted at the Office 365 launch in London that, under the Patriot Act, the company could be made to turn over information stored overseas to US authorities without seeking consent or even providing prior notice to the data owner.
      • Usage agreements – iCloud, AWS, Mozy, Box, etc. will turn over keys/data with a warrant
  • 9. Algorithmic Issues? US DoD uses the same algorithms for Top Secret data
    • Underlying mathematics sound
    • Crypto shelf life – Moore’s law and key material length
      • Slowly chip away at the key space to limit brute force search
    • Implementation problems
      • PRISM still unknown/fuzzy as to what hand NSA had – 3 choices?
        1. Discovered flaws without disclosure
        2. Contacted by manufacturer and asked to stay silent (as with DES)
        3. Strong-armed flaws into products
      • RNG
        • Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG)
        • Schneier – original standard specification included “default” seed values
        • Mozilla RNG flaw
      • ECC
        • Elliptic curves & variables chosen are suboptimal (formula, prime, cofactor)
  • 10. Cryptographic Implementations
    • Who uses what?
    • Principal expectation – bad crypto implementations
    • PKCS#11 – RSA, also known as “cryptoki”
    • Microsoft CAPI – API used by IIS, CA; also available in .NET
    • Microsoft CNG API – next-gen crypto API available from Vista onwards; IIS, ADCS et al.
    • OpenSSL crypto
    • JCE/JCA – Java API
  • 11. CSP vs Enterprise – unique challenges: don’t trust administrators, wider pipes, everything together
    • 5 NIST tenets – biggest issues
      • Metering – administrative access
      • Elasticity – moving targets
      • Self service
      • Broad network access – plenty of connectivity
      • Resource pooling – multi-tenancy, co-mingled data, scattered locations
  • 12. CSP Protection Mechanisms
    • Physical protections
      • Assumption: best practices implemented by CSPs; not really a government issue directly, but could be used by government – think telco providers and wiring closet drops for warrantless wiretapping
    • Role Based Access Controls
      • System administrators segmented from hardware administrators
    • Identity and Access Management (IdAM)
    • Pre-Snowden
      • Heavy dose of cryptography with a side of key management
    • Processes and procedures may be implemented by ANY CSP
    • Standard best practices – should be in place in data centers already
  • 13. Principally encryption
    • Built-in cloud crypto services:
      • Encryption for data in motion – no-brainer – lock in web browser; SSL/TLS certificates protect against man-in-the-middle attacks
      • Encryption for data at rest – keys held by ISP, readily turned over by CSPs as per ToS
    • SaaS:
      • email – Gmail, Yahoo, Live…
        • Exceptions: Silent Circle, Hushmail, Lavabit – paper key disclosure
      • picture – Flickr, Instagram, Photobucket, …
      • office – Office365, Zoho, Google Drive, …
      • backup – Carbonite, Mozy, iDrive, Norton Backup…
      • …
    • Object systems: iCloud, Dropbox, Box, S3, SkyDrive, Google Drive…
      • Exceptions: Jungle Drive, SpiderOak, Symantec Zone
  • 14. IaaS Built-in Crypto Offerings
    • Amazon AWS
      • GovCloud – SSL termination on FIPS 140-2 Level 3 hardware devices
      • HSM – Hardware Security Module access (2013)
        • HSMs built into Intel hardware for >8 years now
        • Direct access to underlying CPU services
    • Other providers to follow/allow hosting
      • Microsoft Azure
      • Google Compute Engine
      • Force
      • Rackspace
      • Savvis
      • VMware vCloud Hybrid Services
  • 15. So what can cloud practitioners do about it
    • Physical location with stronger laws
      • US isn’t that bad – for US citizens
      • Switzerland – but even the Swiss cave (2011)
      • Privacy = constitutional fundamental right (Argentina, Brazil, S. Africa)
    • Confidentiality
      • Don’t use built-in/default keys – EVER
        • Essentially consenting to a corporate key escrow service for the government
        • Forgoing the capability of using key destruction for digital file shredding/retention
      • Own key servers
        • Separate instance (iffy – aka server-side encryption)
        • Hosted with another provider (okay – )
        • On corporate premises (better – aka client-side encryption)
        • Physical control of crypto material (best – gov implementations, aka HSM/Type 1)
  • 16. Privacy Protection by Country – Privacy Heat map: heatmap.forrestertools.com/
  • 17. So what can cloud practitioners do about it – these are all still susceptible to brute force attacks and crypto implementation subversion
    • Key management
      • Non-government sponsored algorithms
        • AES -> Twofish/Threefish
        • ECC NIST curves -> Curve25519 or Curve1174
      • Sharing keys
        • Double blind encryption (ease of use v. security): Symantec, ProofPoint, Google
        • Split custodian/keys, k of m
      • Other techniques
        • Homomorphic encryption
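The “split custodian/keys, k of m” item above, together with the “own key servers / client-side encryption” advice on slide 15, as an added example that is not part of the deck or any vendor's product: a 256-bit data-encryption key is generated on-premises and split with Shamir secret sharing so that no single custodian (and not the CSP) holds it, in standard-library Python. The function names and the 3-of-5 split are assumptions; the key would be used locally with an AEAD such as AES-GCM before upload, which is not shown here.

```python
import secrets
from itertools import combinations

# 2^521 - 1 is prime (Mersenne prime M521); every 256-bit key is a valid
# field element, so no key bytes are lost in the arithmetic.
P = (1 << 521) - 1


def split_key(key, k, m):
    """Split `key` into m custodian shares; any k of them recover it (Shamir)."""
    if not 1 < k <= m:
        raise ValueError("need 1 < k <= m")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    # Random polynomial f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1) (mod P).
    # Coefficients are non-zero and drawn from the OS CSPRNG; a zero top
    # coefficient would silently lower the threshold.
    coeffs = [secret] + [secrets.randbelow(P - 1) + 1 for _ in range(k - 1)]
    shares = []
    for x in range(1, m + 1):          # custodian x receives the point (x, f(x))
        y = 0
        for c in reversed(coeffs):     # Horner's rule
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation of f(0) from the supplied (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for l, xl in enumerate(xs):
            if l != j:
                num = num * (-xl) % P          # product of (0 - x_l)
                den = den * (xj - xl) % P      # product of (x_j - x_l)
        secret = (secret + yj * num * pow(den, -1, P)) % P
    return secret


def recover_key(shares, key_len=32):
    """Reassemble the key bytes from at least k shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


def custodian_demo(k=3, m=5):
    """Constructed walk-through (hypothetical custodians): generate the DEK
    on-premises, hand out k-of-m shares, then check every quorum rebuilds the
    key while every sub-quorum yields a different value."""
    dek = secrets.token_bytes(32)      # the key the object store never sees
    shares = split_key(dek, k, m)
    every_quorum_ok = all(recover_key(list(q)) == dek
                          for q in combinations(shares, k))
    below_quorum_ok = any(recover_secret(list(q)) == int.from_bytes(dek, "big")
                          for q in combinations(shares, k - 1))
    return {"quorum_recovers": every_quorum_ok,
            "below_quorum_recovers": below_quorum_ok}


if __name__ == "__main__":
    print(custodian_demo())            # {'quorum_recovers': True, 'below_quorum_recovers': False}
```

Any k-1 shares give the wrong value by construction (the missing top coefficient is non-zero in a prime field), which is what makes a single subpoenaed custodian, or the provider's own copy, useless on its own.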
  • 18. Reference Architectures – AWS references throughout, though should be applicable to other environments. Check out re:Invent SEC304 for further details.
    • Server side
    • Client side on-premise
    • HSM
  • 19. Server Side Encryption
  • 20. Client Side Encryption
  • 21. Case Study: Netflix & HSM
  • 22. Coda
    • Conclusions
      • Bunk? Valid concerns?
      • Skip the FUD, implement the best practices
      • You’ll never be as efficient at RBAC/separation of duties/physical access
      • Security in depth – think safe measurements
      • Weekly revelations – final release of presentation may be found at https://www.cippguide.org/csa-congress/
    • Jon-Michael C. Brook
      • jbrook@cippguide.org
      • @jonmichaelbrook
      • http://www.linkedin.com/in/jonmichaelcbrook

Editor's Notes

  1. Restraining trade through tariffs, quotas or regulations Famous, Sugar beets, India Economic pundits Friedman – opponent of protectionism Greenspan – no incentive to innovate
  2. EU Cloud benefit economy. Q? Who actually heard of any EU Cloud Providers? Currently each country implements DPD; want single Law. Much needed boost.
     http://eandt.theiet.org/magazine/2013/04/regulating-the-cloud-crowd.cfm
     http://www.zdnet.com/bad-assumptions-about-cloud-computing-and-the-patriot-act-7000002614/
     http://www.lexisnexis.com/legalnewsroom/international-law/b/commentry/archive/2013/02/26/cheap-shots-eu-privacy-the-usa-patriot-act-and-cloud-computing.aspx
     http://siliconangle.com/blog/2013/10/07/eu-move-to-regulate-the-cloud-could-threaten-us-firms/
     http://ccskguide.org/european-cloud-computing-concerns/
  3. http://blog.teamdrive.com/2013_02_01_archive.html
     http://www.t-systems.com/umn/uti/796860_2/blobBinary/Complete_Edition-ps?ts_layoutId=804564
     http://news.yahoo.com/swisscom-builds-swiss-cloud-spying-storm-rages-151807634--sector.html
  4. Electronic Communications Privacy Act of 1986 (ECPA), codified at 18 U.S.C. §§ 2510–2522, was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computer. Specifically, ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the Wiretap Statute), which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, 18 U.S.C. §§ 2701–12. The ECPA also included so-called pen/trap provisions that permit the tracing of telephone communications (§§ 3121–27). The ECPA has been amended by the Communications Assistance to Law Enforcement Act (CALEA) (1994), the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008). The law entitles federal agencies to subpoena 180-day-old emails.
     http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act
     The Foreign Intelligence Surveillance Act (FISA) was introduced on May 18, 1977, by Senator Ted Kennedy and was signed into law by President Carter in 1978. The bill was cosponsored by nine Senators: Birch Bayh, James O. Eastland, Jake Garn, Walter Huddleston, Daniel Inouye, Charles Mathias, John L. McClellan, Gaylord Nelson, and Strom Thurmond. The FISA resulted from extensive investigations by Senate Committees into the legality of domestic intelligence activities. These investigations were led separately by Sam Ervin and Frank Church in 1978 as a response to President Richard Nixon’s usage of federal resources to spy on political and activist groups, which violates the Fourth Amendment. The act was created to provide judicial and congressional oversight of the government's covert surveillance activities of foreign entities and individuals in the United States, while maintaining the secrecy needed to protect national security. It allowed surveillance, without court order, within the United States for up to one year unless the "surveillance will acquire the contents of any communication to which a United States person is a party". If a United States person is involved, judicial authorization was required within 72 hours after surveillance begins. Generally, the statute permits electronic surveillance in two scenarios.
     Without a court order: The President may authorize, through the Attorney General, electronic surveillance without a court order for the period of one year provided it is only for foreign intelligence information; targeting foreign powers as defined by 50 U.S.C. § 1801(a)(1),(2),(3) or their agents; and there is no substantial likelihood that the surveillance will acquire the contents of any communication to which a United States person is a party. The Attorney General is required to make a certification of these conditions under seal to the Foreign Intelligence Surveillance Court, and report on their compliance to the House Permanent Select Committee on Intelligence and the Senate Select Committee on Intelligence. Since 50 U.S.C. § 1802(a)(1)(A) of this act specifically limits warrantless surveillance to foreign powers as defined by 50 U.S.C. § 1801(a)(1),(2),(3) and omits the definitions contained in 50 U.S.C. § 1801(a)(4),(5),(6), the act does not authorize the use of warrantless surveillance on: groups engaged in international terrorism or activities in preparation therefore; foreign-based political organizations, not substantially composed of United States persons; or entities that are directed and controlled by a foreign government or governments. Under the FISA act, anyone who engages in electronic surveillance except as authorized by statute is subject to both criminal penalties and civil liabilities. Under 50 U.S.C. § 1811, the President may also authorize warrantless surveillance at the beginning of a war. Specifically, he may authorize such surveillance "for a period not to exceed fifteen calendar days following a declaration of war by the Congress".
     With a court order: Alternatively, the government may seek a court order permitting the surveillance using the FISA court. Approval of a FISA application requires the court find probable cause that the target of the surveillance be a "foreign power" or an "agent of a foreign power", and that the places at which surveillance is requested are used or will be used by that foreign power or its agent. In addition, the court must find that the proposed surveillance meets certain "minimization requirements" for information pertaining to U.S. persons.
     http://en.wikipedia.org/wiki/FISA
  5. CSA Legal Council
     http://www.thewhir.com/web-hosting-news/cloud-security-alliance-launches-website-for-cloud-related-legal-issues
     https://cloudsecurityalliance.org/research/clic/
     http://en.wikipedia.org/wiki/Tempora
     http://www.bbc.co.uk/news/world-europe-23553837
     http://www.bbc.co.uk/news/world-europe-23178284
  6. Snowden – crypto revelations. CSP – crypto major protection – all data side by side. Algorithms – NSA involvement, DES. Q? Who reads usage agreements? CSP key escrow.
     https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
     http://www.infosecurity-magazine.com/blog/2012/8/27/is-crypto-in-the-cloud-enough-/639.aspx
     http://arstechnica.com/apple/2012/04/apple-holds-the-master-key-when-it-comes-to-icloud-security-privacy/
  7. Limited lifespan – GPU cracking of DES in seconds using rainbow tables. PRISM choices – no disclosure, silence, flaws introduced. Crypto relies on entropy for initialization. ECC – vendor avoiding NIST ciphers:
     http://news.cnet.com/8301-1009_3-57605286-83/silent-circle-nist-encryption-standards-untrustworthy/
     Breakdown of NIST ECC: http://cr.yp.to/talks/2013.05.31/slides-dan+tanja-20130531-4x3.pdf
     Suite B Crypto AES & ECC: http://www.nsa.gov/ia/programs/suiteb_cryptography/
  8. Cloud Service Providers
  9. They are bigger than Russel 2000, Forbes 50? Have to have the best practices http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_controversy
  10. Lavabit – proper requests serviced, then asked for root keys. Silent Circle – nuked service. Automatic crypto in object systems.
     http://www.hushmail.com/about/technology/
     http://en.wikipedia.org/wiki/Lavabit
     http://www.infosecurity-magazine.com/blog/2012/8/27/is-crypto-in-the-cloud-enough-/639.aspx
  11. More AWS: http://aws.amazon.com/compliance/#fips
     Azure: http://www.windowsazure.com/en-us/support/legal/security-overview/
     http://msdn.microsoft.com/en-us/magazine/ee291586.aspx
     3rd party product key management: http://townsendsecurity.com/products/encryption-key-management-for-Microsoft-Azure – securely downloads the private keys into each deployed VM with the private key being non-exportable
     http://www.globalfoundationservices.com/security/documents/WindowsAzureSecurityOverview1_0Aug2010.pdf
  12. Location laws (next slide). Swiss bank accounts / Switzerland:
     http://hothardware.com/News/US-Corporations-Look-To-Switzerland-For-Cloud-Services-After-NSA-Spying-Fallout/
     http://news.yahoo.com/swisscom-builds-swiss-cloud-spying-storm-rages-151807634--sector.html
     http://www.mondaq.com/unitedstates/x/269842/tax+authorities/Switzerland+and+United+States+Reach+Agreement+on+Swiss+Bank
     http://www.forbes.com/sites/robertwood/2013/07/09/swiss-banks-reveal-americans-u-k-deal-sputters-and-germany-embraces-fatca/
     Worldwide privacy laws: http://www.whitecase.com/files/Publication/633ca7b2-2f5f-4783-bb58-6046741e6787/Presentation/PublicationAttachment/e08ff2d5-ec2f-45ba-9a49-6c0c2846542f/Countries%20At%20A%20Glance%20-%20Data%20Privacy%20-%20October%202007.pdf
     Key servers – separate instance / third party hosted:
     http://web.townsendsecurity.com/bid/63737/Protecting-Your-Data-in-the-Microsoft-Windows-Azure-Cloud
     http://talkincloud.com/cloud-companies/keynexus-debuts-remote-key-encryption-management-aws
     http://www.prnewswire.com/news-releases/aws-customers-can-enforce-control-and-maintain-compliance-with-safenet-cloud-based-encryption-and-secure-key-management-230003341.html
     On corporate premises – HSM hybrid with AWS (SafeNet): https://aws.amazon.com/cloudhsm/
     HSM with Azure (Thales): http://www.thales-esecurity.com/msrms/cloud
     Physical control
  13. Non-gov algorithms: http://silentcircle.wordpress.com/2013/09/30/nncs/
     3rd party key storage: http://www.ciphercloud.com/cloud-encryption.aspx
     Double blind crypto:
     http://en.wikipedia.org/wiki/Blinding_(cryptography)
     http://www.proofpoint.com/datasheets/email-archiving/DS-Proofpoint-DoubleBlind-Key-Architecture.pdf
     http://www.legaltechnology.com/latest-news/data-security-in-the-snowden-era-1-double-blind-encryption/
     http://www.google.com/patents/US5638445
     http://www.bit.com.au/News/325432,norton-zone-like-dropbox-with-one-key-difference.aspx
     Key splitting / custodians:
     http://users.telenet.be/d.rijmenants/en/secretsplitting.htm
     https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
     K of M: http://en.wikipedia.org/wiki/Publius_Publishing_System
     Homomorphic:
     http://www.americanscientist.org/issues/pub/2012/5/alice-and-bob-in-cipherspace/1
     http://www.networkcomputing.com/cloud-computing/porticor-beefs-up-cloud-security-with-sp/240012638
  14. HSM – FIPS 140-2 - tamper evident/resistant