Why you shouldn’t trust cloud service providers

Simply stated, you can’t trust the employees of cloud service providers. Frankly, I don’t think we can really trust our own employees anymore either, but at least our capability to monitor them is far greater. Early on we had warnings of the problem of just anyone having access to secure data when Google Engineers got caught stalking Google customers through their access. Their getting caught and our finding out about it was pretty remote. I’ve seen, over the years, crimes ranging from theft to sabotage that result in the employee’s termination when caught, but never result in any external report.

We currently exist in a world where nation states like China and Russia are aggressively probing data repositories and these cyber spy organizations aren’t particularly secure either, suggesting where the states go criminals will follow. The easiest way in remains getting access to an employee’s credentials or getting the employee to pull the information like Snowden did.  

[ Related: There Are No Secrets: Edward Snowden’s Big Revelations ]

Given the massive value put on this information and the tools a state could use to either phish or coerce an employee to provide access to it, I believe it’s time to seriously start thinking about reviewing cloud services and ranking them based on whether they can protect your data from themselves.  

Protecting data from governments

One of the clear areas being attacked are communications servers. This is particularly visible at the moment with the disclosure that Hilary Clinton, the Democratic candidate for U.S. President, used a private email server, and that this server was likely compromised because it wasn’t adequately protected. Given the Snowden disclosures it is as yet not clear whether this information would have been effectively more secure inside the government. (It strikes me with some irony that given the government leaks, it is possible her email server could have been made more secure than the government solution, but that clearly wasn’t done).

Communications have broad exposures that can cripple a company or a country if they are made available to those without the authority to view them. IT employees either inside or working for a cloud service provider should never have the authority to broadly view communications and yet, as we learned from the Snowden breach, this is far from where we are today.

Ideally, the communication should be encrypted adequately (per policy or law) at the source and only decrypted by the people authorized to view the correspondence. Certainly with a cloud provider the encryption should occur and be adequate to protect the package when it leaves the company and remain encrypted and inaccessible until it returns.

At no time should a cloud service provider either accidently or on purpose be able to successfully read a secure file in their care.

Analytics is a problem

The big problem as I see it is analytics and compliance. The firm itself needs to be able to analyze the secure information both to catch and identify illegal activities going on inside the company and to effectively respond to legitimate discovery/access requests. If this can’t be done the firm could be forced to either remove the security or create a permanent back door for access either of which would eliminate any value connected to the encryption in the first place.

This suggests two approaches, one where the service resides in the cloud in encrypted form but inside the company in a form that can be analyzed. Or, one where the service resides completely in a secure virtual pod that only the firm can access but providing the headroom needed to both serve the communications requirement and whatever analytics and reporting function are required by policy and law.

In fact, as I think about it, the pod/container approach should likely exist in the company as well to better protect against internal illicit activities.   And once contained in a virtual pod moving it between cloud service providers or even between on and off premise should be relatively easy.

It goes without saying that all of this should be wrapped with some kind of access control and assurance offering because no container is secure if the folks that are accessing it can’t be monitored and assured.  

It’s time to rethink security

You shouldn’t have to trust an employee at a cloud service provider.   Given the current environment even assuring your own people is problematic, but a given the attractiveness as a target and the attack surface of a cloud provider there really is no practical way to assure their employees (and, if you can’t assure their employees you can’t assure their security).

So, instead, focus on making sure no one can access your confidential information without authorization regardless of whether it resides inside or outside the company. Then assure that those authorizations are tightly managed and monitored, and then maybe you can argue, for now, that your security over that information is adequate.

At least with this approach you can focus on the availability, performance and price of a cloud provider and be a tad less concerned with what is happening to the information that they are holding for you. Though, granted, this alone may not protect you from laws preventing certain types of information crossing national borders.  

This all reminds me why I am so glad I’m not a CIO.   The worry would have killed me by now.