Tag: PRISM

Categories
Analysis

Survey: Your trust in the Cloud. Europe is the safe haven. End-to-end encryption creates trust.

After the revelations about PRISM I had started a small anonymous survey on the current confidence in the cloud, to see how the scandal has changed on the personal relationship to the cloud. The significance of the result is more or less a success. The participation was anything but representative. With at least 1499 visits the interest in the survey was relatively large. A participation of 53 attendees is then rather sobering. Thus, the survey is not representative, but at least shows a trend. In this context I would like to thank Open-Xchange and Marlon Wurmitzer of GigaOM for the support.

The survey

The survey consisted of nine questions and was publicly hosted on twtpoll. It exclusively asked questions about trust in the cloud and how this can possibly be strengthened. In addition, the intermediate results were publicly available at each time. The survey was distributed in German and English speaking countries on the social networks (Twitter, Facebook, Google Plus) and the business networks XING and LinkedIn because this issue affects not a specific target audience, but has an impact on all of us. This led on twtpoll to 1,442 views across the web and 57 views of mobile devices and ended with 53 respondents.

The survey should not be considered as representative for this reason, but shows a tendency.

The survey results

Despite the PRISM scandal the confidence in the cloud is still present. 42 percent continue to have a high confidence, 8 percent even a very high level of confidence. For 15 percent the confidence in the cloud is very low; 21 percent appreciate the confidence is low. Another 15 percent are neutral towards the cloud.

The confidence in the current cloud provider is balanced. 30 percent of respondents still have a high level of confidence, 19 percent even a very high level of trust in their providers. This compares to 15 percent each, which have a low or very low confidence. 21 percent are undecided.

The impact on the confidence in the cloud by PRISM leads to no surprise. Only 9 percent see no affect for them; 8 percent a little. 32 percent are neutral. However, 38 percent of the participants are strongly influenced by the PRISM revelations and 13 percent most intensive.

62 percent of the participants used services of cloud provider, which are accused of supporting PRISM. 38 percent are at other providers.

As to be expected, PRISM has also affected the reputation of the cloud provider. For 36 percent the revelations have strongly influenced the confidence, for 13 percent even very strong. However, even 32 percent are neutral. For 11 percent the revelations have only a slight influence. For 8 percent is no influence at all.

Despite of PRISM 58 percent want to continue to use cloud services. 42 percent have already played with the idea to leave the cloud due to the incidents.

A clear sign goes to the provider when it comes to the topic of openness. 43 percent (very high) and 26 percent (high) expect an unconditional openness of the cloud provider. 25 percent are undecided. For only 2 percent (low) and 4 percent (very low) it does not matter.

74 percent see in a 100 percent end-to-end encryption the ability to increase confidence in the cloud. 26 percent think it as no potential.

The question of the most secure/ trusted region revealed no surprises. With 92 percent Europe counts after the PRISM revelations as the top region in the world. Africa received 4 percent, North America and Asia-Pacific each 2 percent. For South America was not voted.

Comment

Even if the revelations about PRISM to cause indignation at the first moment and still continue to provide for uncertainty, the economic life must go on. The tendency of the survey shows that confidence in the cloud has not suffered too much. But at this point it must be said: Cling together, swing together! We all have not precipitate into the cloud ruin overnight. The crux is that the world is increasingly interconnected using cloud technologies and the cloud thus serves as a focal point of modern communications and collaboration infrastructure.

For that reason we can not go back many steps. A hardliner might naturally terminate all digital and analog communication with immediate effect. Whether that is promising is doubtful, because the dependency has become too large and the modern corporate existence is determined by the digital communication.

The sometimes high number of neutral responses to the trust may have to do with that we all has always played the thought in the subconscious, that we are observed in our communication. Due to the current revelations we have it now in black and white. The extent of surveillance, meanwhile also of the disclosure of TEMPORA by the British Secret Service, has surprised. Related to TEMPORA, hence the survey result for Europe as a trusted region is disputable. But against surveillance at strategic intersections in the internetalso the cloud providers themselves are powerless.

Bottom line the economic-(life) has to go on. But at all the revelations one can see, that we can not rely on governments, from which regulations and securities are repeatedly required. On the contrary, even these have evinced interest to read data along. And one we must always bear in mind again. How should laws and rules help, when they are broken again and again by the highest authority.

Companies and users must therefore now assume more responsibility, take the reins in their hands, and provide the broadest sense for their desired security (end-to-end encryption) itself. Numerous solutions from the open source but also from the professional sector help to achieve the objectives. Provider of cloud and IT solutions are now challenged to show more openness as they may want to do.

Graphics on the survey results

1. How is your current trust in the cloud in general?

2. How is your current trust in the cloud provider of your choice?

3. How does the PRISM uncoverings influence your trust in the cloud?

4. Is your current cloud provider one of the accused?

5. How does the PRISM uncoverings influence your trust in the cloud provider of your choice?

6. Did you already think about to leave the cloud e.g. your cloud provider due to the PRISM uncoverings?

7. How important is the unconditional openness of your provider in times of PRISM and surveillance?

8. Do you think a 100% end-to-end encryption without any access and other opportunities of third parties can strengthen the trust?

9. In your mind which world region is the safest/ trustworthiest to store data in?

Categories
Analysis

How to protect a companies data from surveillance in the cloud?

With PRISM the U.S. government has further increased the uncertainty among Internet users and companies, and therefore strengthened the loss of confidence in U.S. vendors enormously. After the Patriot Act, which was often cited as the main argument against the use of cloud solutions from US-based providers, the surveillance by the NSA be the final straw. From a business perspective, under these present circumstances, the decision can only be to opt out of a cloud provider in the United States, even if it has a subsidiary with a location and a data center in Europe or Germany. That I already pointed out in this article. Nevertheless, the economic life must go on, which can also work with the cloud. However, here is a need for pay attention to the technical security, which is discussed in this article.

Affected parties

This whole issue is not necessarily just for companies but for every user of actively communicating in the cloud and shares and synchronized its data. Although the issue of data protection can not be neglected in this context. For companies it is usually still more at stake when internal company information is intercepted or voice and video communication is observed. At this point it must be mentioned that this has nothing to do primarily with the cloud. Data communication was operated long before cloud infrastructures and services. However, the cloud leads to an increasingly interconnection, and act as a focal point of modern communications and collaboration infrastructure in the future.

The current security situation

The PRISM scandal shows the full extent of the possibilities that allows U.S. security agencies, unimpeded and regardlessly access the global data communication. For this, the U.S. government officially use the “National Security Letter (NSL)” of the U.S. Patriot Act and the “Foreign Intelligence Surveillance Act (FISA).” Due to these anti-terror laws, the U.S. vendor firms and their subsidiaries abroad are obliged to provide further details about requested information.

As part of the PRISM revelations it is also speculated about supposed interfaces, “copy-rooms” or backdoors at the providers with which third parties can directly and freely tap the data. However, the provider opposed this vehemently.

U.S. vendors. I’m good, thanks?

While choosing a cloud provider* different segments are considered that can be roughly divided into technical and organizational areas. In this case the technical area is reflecting the technical security and the organizational the legal security.

The organizational security is to be treated with caution. The Patriot Act opens the U.S. security agencies legally the doors if there is a suspected case. How far this remains within the legal framework, meanwhile many to doubt. At this point, trust is essential.

Technologically the data centers of cloud providers can be classified as safe. The effort and investment which are operated by the vendors cannot be provide by a normal company. But again, 100% safety can never be guaranteed. If possible, the user should also use its own security mechanisms. Furthermore, the rumors about government hits by the NSA should not be ignored.

About two U.S. phone companies confirmed reports are circulating that are talking about direct access to the communication by the NSA and strong saved rooms that are equipped with modern surveillance technologies. In this context, the provider of on-premise IT solutions should also be considered how far these are undermined.

From both terms and the current security situation, U.S. vendors should be treated with caution. This also applies to its subsidiaries in the EU. After all, they are even not able to meet at least the necessary legal safety.

But even the German secret service should not be ignored. Recent reports indicate that the “Federal Intelligence Service (BND)” will also massively expand the surveillance of the internet. This amounts to a budget of 100 million Euro, of which the federal government already released five million EUR. Compared to the NSA, the BND will not store the complete data traffic on the Internet, but only check for certain suspicious content. For this purpose he may read along up to 20 percent of the communication data between Germany and abroad, according to the G 10 Act.

Hardliners have to adjust all digital and analog communication immediately. But this will not work, because the dependency has become too large and the modern business life is determined by the communication. Therefore, despite surveillance, other legal ways must be found to ensure secure communication and data transmission.

* In this context a cloud provider can be a service provider or a provider of private cloud or IT hardware and software solutions.

Requirements for secure cloud services and IT solutions

First, it must be clearly stated that there is no universal remedy. The risk shall be made ​​by the user, who is not aware of the dangerous situation or who has stolen corporate data on purpose. Regardless of this, the PRISM findings lead to a new safety assessment in the IT sector. And it is hoped that this also increases the security awareness of users.

Companies can obtain support from cloud services and IT solutions, which have made ​​the issue of an unconditional security to be part of their leitmotif from the beginning. Under present circumstances these providers should preferred be from Europe or Germany.

Even if there are already first reports of implications and influences by the U.S. government and U.S. providers to the European Commission, which have prevented an “Anti-FISA” clause in the EU data protection reform, exist no similar laws such as the U.S. Patriot Act, or FISA in Europe.

Therefore also European and German IT vendors, which are not subject to the Patriot Act and not infiltrated by the state, can help U.S. users to operate their secure data communication.

Criteria for vendor selection

On the subject of security it is always about trust. This trust a provider only achieved through openness, by giving its customers a technologically look in the cards. IT vendors are often in the criticism to be sealed and do not provide information on their proprietary security protocols. This is partly because there are also provider willing to talk about it and make no secret. Thus, it is important to find this kind of provider.

In addition to the subjective issue of trust, it is in particular the implemented security, which plays a very important role. Here it should be ensured that the provider uses current encryption mechanisms. This includes:

  • Advanced Encryption Standard – AES 256 to encrypt the data.
  • Diffie-Hellman und RSA 3072 for key exchange.
  • Message Digest 5/6 – MD5/MD6 for the hash function.

Furthermore, the importance of end-to-end encryption of all communication takes is getting stronger. This means that the whole process, which a user passes through the solution, is encrypted continuously from the beginning to the end. This includes inter alia:

  • The user registration
  • The Login
  • The data transfer (send/receive)
  • Transfer of key pairs (public/private key)
  • The storage location on the server
  • The storage location on the local device
  • The session while a document is edited

In this context it is very important to understand that the private key which is used to access the data and the system only may exclusively be owned by the user. And is only stored encrypted on the local system of the user. The vendor may have no ways to restore this private key and never get access to the stored data. Caution: There are cloud storage provider that can restore both the private key, as can also obtain access to the data of the user.

Furthermore, there are vendor which discuss the control over the own data. This is indeed true. However, sooner or later it is inevitably to communicate externally and then a hard end-to-end encryption is essential.

Management advisory

In this context, I would like to mention TeamDrive, which I have analyzed recently. The German file sharing and synchronization solution for businesses is awarded with the Data Protection Seal of the “Independent Centre for Privacy Protection Schleswig-Holstein (ULD)” and is a Gartner “Cool Vendor in Privacy” 2013. From time to time TeamDrive is described as proprietary and closed in the media. I can not confirm this. For my analysis TeamDrive willingly gave me extensive information (partly under NDA). Even the self developed protocol will be disclosed on request for an audit.

More information on selecting a secure share, sync and collaboration solution

I want to point out my security comparison between TeamDrive and ownCloud, in which I compared both security architectures. The comparison also provides further clues to consider when choosing a secure share, sync and collaboration solution.

Categories
Analysis

Survey: How is your current trust in the cloud?

After the revelations on PRISM I have started a small anonymous survey to see what is the current situation with the confidence in the cloud and how the scandal has changed on the personal relationship to the cloud.

The questions

  • How is your current trust in the cloud in general?
  • How is your current trust in the cloud provider of your choice?
  • How does the PRISM uncoverings influence your trust in the cloud?
  • Is your current cloud provider one of the accused?
  • How does the PRISM uncoverings influence your trust in the cloud provider of your choice?
  • Did you already think about to leave the cloud e.g. your cloud provider due to the PRISM uncoverings?
  • How important is the unconditional openness of your provider in times of PRISM and surveillance?
  • Do you think a 100% end-to-end encryption without any access and other opportunities of third parties can strengthen the trust?
  • In your mind which world region is the safest/ trustworthiest to store data in?

To participate in the survey please choose this way:

Your trust in the Cloud! – After the PRISM uncoverings how is your trust in the cloud?

Categories
Comment

PRISM plays into German and European cloud computing providers hands

The U.S. government and above all PRISM has done the U.S. cloud computing providers a bad turn. First discussions now kindle if the public cloud market is moribund. Not by a long shot. On the contrary, European and German cloud computing providers play this scandal into the hands and will ensure that the European cloud computing market will grow stronger in the future than predicted. Because the trust in the United States and its vendors, the U.S. government massively destroyed itself and thus have them on its conscience, whereby companies, today, have to look for alternatives.

We’ve all known it

There have always been suspicions and concerns of companies to store their data in a public cloud of a U.S. provider. Here, the Patriot Act was the focus of discussion in the Q&A sessions or panels after presentations or moderations that I have kept. With PRISM the discussion now reached its peak and confirm, unfortunately, those who have always used eavesdropping by the United States and other countries as an argument.

David Lithicum has already thanked the NSA for the murder of the cloud. I argue with a step back and say that the NSA “would be” responsible for the death of U.S. cloud providers. If it comes to, that remains to be seen. Human decisions are not always rational nature.

Notwithstanding the above, the public cloud is not completely death. Even before the announcement of the PRISM scandal, companies had the task to classify their data according to business critical and public. This now needs to be further strengthen, because completely abandon the public cloud would be wrong.

Bye Bye USA! Welcome Europe und Germany

As I wrote above, I see less death of the cloud itself, but much more to come the death of U.S. providers. Hence I include those who have their locations and data centers here in Europe or Germany. Because the trust is so heavily destroyed that all declarations and appeasement end in smoke in no time.

The fact is that U.S. providers and their subsidiary companies are subordinate to the Patriot Act and therefore also the “Foreign Intelligence Surveillance Act (FISA)”, which requires them to provide information about requested information. The provider currently trying to actively strengthen themselves by claiming more responsibility from the U.S. government, to keep at least the rest of trust what is left behind. This is commendable but also necessary. Nevertheless, the discussion about the supposed interfaces, “copy-rooms” or backdoors at the vendors, with which third parties can freely tap the data, left a very bad aftertaste.

This should now encourage more European and German cloud providers. After all, not to be subject to the U.S. influence should played out as an even greater competitive advantage than ever. These include inter alia the location of the data center, the legal framework, the contract, but also the technical security (end-to-end encryption).

Depending on how the U.S. government will react in the next time, it will be exciting to see how U.S. provider will behave on the European market. So far, there are always 100% subsidiaries of the large U.S. companies that are here locally only as an offshoot and are fully subordinated to the mother in the United States.

Even though I do not advocate a pure “Euro-Cloud” neither a “German Cloud”. But, under these current circumstances, there can only be a European solution. Viviane Reding, EU Commissioner for Justice, is now needed to enforce an unconditional privacy regulation for Europe, which European companies strengthens against the U.S. companies from this point in the competition.

The courage of the providers is required

It appears, that there will be no second Amazon, Google, Microsoft or Salesforce from Europe or even Germany. The large ones, especially T-Systems and SAP strengthen their current cloud business and giving companies a real alternative to U.S. providers. Even bright spots of startups are sporadic seen on the horizon. What is missing are inter alia real and good infrastructure-as-a-service (IaaS) offerings of young companies who do not only have infrastructure resources in their portfolio, but rely on services similar to Amazon. The problem with IaaS are the high capital requirements that are necessary for it to ensure massive scalability and more.

Other startups who are offering for example platform-as-a-service (PaaS), in many cases, set in the background on the infrastructure of Amazon – U.S. provider. But here have providers such as T-Systems the duty not to focus exclusively on enterprises and also allow developers to build their ideas and solutions on a cloud infrastructure in Germany and Europe through the “Amazon Way”. There is still a lack of a real(!) German-European alternatives to Amazon Web Services, Google, Microsoft and Salesforce!

How should companies behave now?

Among all these aspects one have to advise companies, to look for a provider that is located in a country that guarantees the required legal conditions for the company itself regarding data protection and information security. And that can currently only be a provider from Europe or Germany. Incidentally, that was even before PRISM. Furthermore, companies themselves have the duty to classify their data and to evaluate mission-critical information at a much higher level of protection than less important and publicly available information.

How it actually looks at U.S. companies is hard to say. After all, 56 percent of the U.S. population find the eavesdropping of telephone calls as acceptable. Europeans, and especially the Germans, will see that from a different angle. In particular, we Germans will not accept a Stasi 2.0, which instead of rely on the spies from the ranks (neighbors, friends, parents, children, etc.), on machines and services.

Categories
Comment

PRISM: Even the University of Furtwangen is planning interfaces for cloud monitoring in Germany

PRISM is the latest buzzword. That similar should happen in Germany too, causes to worry. Despite that this interview was published in the German Manager Magazin, it seems to be a little lost in the rest of the German media landscape, unfortunately. Because in Germany we are also on the way to integrate interfaces for monitoring cloud solutions. Developed and promoted by the University of Furtwangen!

Third-party organizations should be able to check data streams

In an interview with the Manager Magazin under the apparently innocuous title “SAFETY IN CLOUD COMPUTING – “The customer come off second best” says Professor Christoph Reich of the computer science department at the University of Furtwangen and director of its cloud research center: “We want to define interfaces that third party organizations get the opportunity to review the data streams.

This statement was in response to the question of how it can be technically realized that some kind of accountability chain to be set up that works across vendors. This has the background, that the property can be transferred, so that personal data are particularly well protected. For this reason, these accountability chain must not break if another provider comes into play.

So far so good. However, it will be exciting. In the subsequent question by the Manager Magazin:

Would also the federal government be a potential customer? German law enforcement agencies even ask for a single interface to monitor cloud communications data in real time.

Professor Reich answers:

In principle this is going in this direction. But a judicially actionable verifiability looks very different. If you want to record evidential data, you need special memory for that, these are very expensive. We want to give customers the opportunity to get visualized where their data are.

Regardless that the University of Furtwangen do not have this “special memory”, but certainly a government organization. And as long as the interfaces are available, the data can be captured and stored at a third location.

Cloud computing lives from the trust

I already wrote about it three years ago “Cloud computing is a question of trust, availability and security“. The University of Furtwangen would also like to create more trust in the cloud with their “surveillance project”.

I just wonder how to continue building confidence, if you want to integrate interfaces for the potential (government) monitoring of data streams in cloud solutions?