As they start to move ever-increasing quantities of data onto the cloud, international organisations of all sizes are looking for the most effective ways of safeguarding confidential data in the face of growing cyber security challenges.
The insurer Lloyds estimates that attacks by cyber criminals already costs businesses roughly $400 billion a year, with some industry estimates predicting that this figure will quadruple by 2019. But, in addition to the mushrooming threat from criminals, organisations that do business overseas are increasingly concerned that confidential data such as that which relates to their customers and corporate IP may be compromised in other ways.
There is also now a growing concern that state actors in some national jurisdictions are becoming increasingly interested in accessing sensitive data stored on servers located inside their national boundaries. Some countries such as China, which is known to have literally regiments of hackers seeking out sensitive data, already have a reputation for cyber espionage. Earlier this year, the US Justice Department referred to China's alleged hacking of its corporations as the "Great Brain Robbery" with large-scale cyber espionage of military and trade secrets. The US believes that China's industrial espionage is effectively stealing billions of dollars from its economy as well as potentially costing millions of jobs.
Companies doing business in the US are also at risk
But there is now also growing evidence that companies doing businesses in locations such as the US also risk seeing confidential data being compromised. For example, the notoriously secretive United States Intelligence Surveillance Court, often referred to as the “FISA court” (since it was created by the Foreign Intelligence Surveillance Act of 1978), oversees requests for surveillance warrants inside the United States by law enforcement and intelligence agencies. The FISA court operates behind closed doors, and there are many signs, including specific revelations in the Edward Snowden leak, that indicate that the court has significantly broadened its interpretation of FISA after the September 11th attacks to expand government surveillance powers within the United States.
Even state-of-the-art encryption is no defence against the full power of the law unless the data owner has sole control of the encryption keys. The US government, for example, can simply demand, under threat of draconian fines or even the imprisonment of senior executives, that the Cloud Service Provider decrypt and hand over the data. According to documents that were only declassified in 2014, Yahoo was threatened with fines of US$250,000 a day if it refused to comply with a previous US government demand that it provide real-time access to customer emails in 2007. According to Reuters, in 2015 Yahoo secretly built a custom software program to search all of its customers' incoming emails for specific information provided by U.S. intelligence officials in order to comply with a classified U.S. government demand, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or the Federal Bureau of Investigation (FBI).
Last year, Microsoft said that it was suing the US government over the right to tell its users when federal agencies want access to private data. Microsoft holds that keeping access requests secret is against the US constitution and that 5,624 requests for data were made over an 18-month period, almost half with a court order obliging the IT giant to keep the demands secret.
"People do not give up their rights when they move their private information from physical storage to the cloud," said Microsoft, adding that it felt the government "exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations".
In December, Google published a series of letters dated from 2010-2015 in which the Federal Bureau of Investigation (FBI) secretly requested subscriber information specific accounts. All eight of the orders were justified under Executive Order 12333, a controversial Reagan-era decree that is used to authorise a significant proportion of domestic web surveillance.
What happened with Yahoo, Google and Microsoft is a wake-up call for all organisations who do business in the US. It should also be borne in mind that by complying with one national jurisdiction, such as that in the US, a company with international operations may find itself contravening data protection laws in other countries such as Switzerland, unless it uses encryption key technologies to ring fence data in all the national jurisdictions where it operates. The US government has already wielded its surveillance powers so heavily that some international agencies have already taken steps to prevent official spying into their data and monitoring of all their emails in an effort to avoid blind subpoenas generated by the US. Although such organisations are reluctant to raise their heads above the parapet when it comes to dealing with the challenge of over-intrusive US surveillance, there is a growing body of industry evidence that international organisations are now taking steps to ring-fence sensitive data not only by moving servers off US soil but also by ensuring that separate encryption keys are used to protect data held in non-US jurisdictions from American surveillance.
According to the chief information officer of an international organisation devoted to the preservation of individual freedoms which recently took steps to encrypt its data in this way: "The organisation could not migrate its corporate email to the cloud with the possibility of the US Government accessing it without our knowledge."
An international UN agency has also found it necessary to deploy encryption security in all the countries across the world where it operates and across all its 10,000 email boxes. Its reason for doing this is to protect data in those geographies where the US has no jurisdiction. By owning separate encryption keys to all the countries where it is active, the agency can ring fence its sensitive data in each geography. Should the US government demand access to its data, it can safeguard sensitive information in all its servers located outside the US.
Organisations in the commercial sector who also do not wish to be named are now ring-fencing their data in a similar fashion. A US-based consumer banking giant that controls over $10 billion of assets, says that it sees control of its own encryption as crucial to safeguarding data so that no- one can have access to sensitive data and emails without their specific consent.
Cyber security landscape can become cluttered and confused
But, as organisations rush to migrate applications such as email, financial data and customer details onto the cloud, software as a service (SaaS) can become increasingly insecure. While some applications such as Microsoft Office 365 do have accompanying security features, these can be difficult to deploy consistently if, as is increasingly the case, Office 365 is used alongside many other cloud-based applications from different vendors. The cyber security landscape then becomes increasingly cluttered and confused and correspondingly more complex and porous.
According to international research organisation Gartner: "SaaS applications offer an increasing level of security and control functionality. However, they are mostly under the control of vendors, offer minimal transparency, and offer no customisation. To add to the complexity, many enterprises often have at least 200 and up to 1,000 SaaS applications in use."
Gartner concludes: "At the end of the day, CISOs need to pick their battles and decide where time and resources are best spent when dealing with the risk context of this SaaS-scape."
It is, therefore, recommended that companies bring all their cloud security under one umbrella, ideally using as few providers as possible for their encryption and cloud cyber security needs. This will also ensure simplicity of use, making encryption procedures and security protocols that can easily be understood and followed by members of staff operating outside the IT department.
It is only by using truly comprehensive and easy-to-grasp cloud cyber security when storing applications on the cloud that organisations of all types can safeguard mission critical and confidential data and be able to protect themselves and their clients from growing cyber crime and state-led surveillance.
John Holland, executive, Vaultive
Image source: Shutterstock/alexskopje