The U.S. Senate extended the 2008 Foreign Intelligence Surveillance Amendments Act or FISAA late last year, extending it for another five years. Very few Europeans noticed, or if they noticed, paid much attention. They should have.
The USA PATRIOT Act — and yes, you’re supposed to SHOUT it in all upper case because it’s a contrived acronym — already gives the U.S. Government the power to not only demand that cloud providers give up customer data, but to force the provider to do so without informing the customer that their information was exposed.
FISAA gives the U.S. Government another tool to violate the privacy of people whose information was stored in the cloud. The targets don’t have to be under suspicion of any crime. Involvement in political activity is adequate. The European Parliament sees FISAA as a “much graver risk to EU data sovereignty that other laws hitherto considered by EU policy-makers”, according to their report.
“But”, you say, “I am a citizen of a European Union nation, protected by the strict privacy regulations of the E.U., and the information about me was collected by an E.U. firm and stored in a cloud data center located within the E.U.”
That doesn’t matter.
Microsoft’s U.K. managing director publicly admitted that his company would secretly comply with requests for information back in June 2011. The only real surprise was that a U.S. cloud provider admitted this publicly. Anyone paying attention to the situation already realized this.
You see, major cloud providers are largely U.S.-based corporations, and if not, they operate in the U.S. The USA PATRIOT Act and FISAA are U.S. public laws. As a would-be customer of cloud services, what can you do?
Take responsibility for protecting the confidentiality of your data.
Let’s take Amazon’s S3 storage as an example. Its greatest strength is its durability, similar to availability. “Availability” means that you can get the data right now, while “durability” means that you might have to wait a little bit but you will get it. As we discuss in Learning Tree’s Cloud Security Essentials course, you can’t rigorously prove durability (or availability), but Amazon’s design looks about as sound as possible.
Amazon came out with a software development kit for client-side encryption. It’s a good design — asymmetric key pairs stored and used only on customer-controlled end points protect “envelope keys”, each of which is specific to just one protected data object. It’s a good design, and the cloud provider sees nothing but ciphertext that it has no way of decrypting.
The market said, “Gosh, that’s a lot of work, we would have to somehow write computer programs and deal with these mysterious keys. Can’t you just do it for us?”
Amazon, not wanting to turn down any market segment, including the reckless, offered server-side encryption. All you have to do is click on a box in a web form and Amazon will do all that scary cryptography for you.
You see a checked box on a web page (and good luck convincing a cautious auditor with that!), and you have no idea how, or even if, Amazon is encrypting your data. One thing you can be certain of, however, is that it’s exposed to U.S. Government requests.
Learning Tree’s Cloud Security Essentials course shows you how to protect your own confidentiality. Done right, your secrets can be safe.