Concern is growing among security vendors about the tangible negative effects of U.S. government surveillance efforts,...
which have become particularly problematic for cloud growth.
With the recent Safe Harbor agreement being ruled invalid by a European Union court, as well as the ongoing criticism of encryption by the FBI, cloud providers have found themselves between a rock and a hard place. While they're trying to reassure customers and users that their data is safe in the cloud, experts said, cloud providers are struggling against growing privacy concerns and continued efforts from law enforcement to lower the barrier of protection around that data.
"I think they're scared to death of being accused of Big Brother-type privacy violations," said Art Coviello, former chairman of RSA Security, in an interview with SearchSecurity.
Meanwhile, cloud security vendors are striving to keep customer data safe from prying eyes, without running afoul of law enforcement. But those efforts have been complicated by the European Court of Justice's ruling that the Safe Harbor agreement, which enables U.S.-based companies to transfer the data of European citizens overseas to the U.S., did not adequately protect European users from U.S. government surveillance.
The ruling has serious implications for companies that use the cloud to store data for global customer bases across international borders. And it has left cloud security vendors scrambling to protect data of customers already concerned about the NSA revelations from Edward Snowden.
"Outside the U.S., in places like Europe and Asia, we've seen a reluctance to go to the cloud because of data residency concerns and the 'Snowden effect,'" said Willy Leichter, global director of cloud security at CipherCloud Inc., a cloud access security broker (CASB) headquartered in San Jose, Calif.
Cloud security vendors are trying to counter those concerns with improved data governance and more granular policy controls. "Data residency is definitely a concern," said Rajiv Gupta, CEO of Skyhigh Networks, based in Campbell, Calif. "Before it leaves a specific country or region, data has to have policies applied to it."
For example, Gupta said, German companies that may be concerned about privacy issues in the U.S. can inspect traffic through Skyhigh's CASB platform before it goes to Microsoft's OneDrive cloud and is potentially stored in a U.S. data center. Another option, Gupta said, is encrypting the data sent to cloud providers and keeping the keys with the customer in Germany.
But that option is frowned upon by the U.S. government -- particularly the FBI, which has been pushing for technology companies to hold customer encryption keys in escrow and hand them over to authorities during investigations. During the recent 2015 IoT Security Conference in Boston, FBI CISO Arlette Hart spoke about the dangers of encryption for law enforcement.
"You look at encryption," Hart said during her keynote. "You say 'Encryption saves me, and keeps my privacy, and makes sure nobody else can get my information.' But encryption is also used by the bad people in order to make sure their communications … are not able to be interdicted by law enforcement."
Nevertheless, cloud security vendors are still emphasizing the importance of encryption for maximum protection of data in the cloud. Krishna Narayanaswamy, co-founder and chief scientist at Netskope, a CASB based in Los Altos, Calif., said customers need to vet service providers and vendors to see which ones can offer the best protection.
"All cloud providers and [software as a service] vendors are not equally secure," Narayanaswamy said. "Customers should look at those vendors that have good cloud security controls and policies, encrypt data, and protect the encryption keys."
Coviello said that while rising concerns over data privacy and security may hurt cloud growth in the short term, he's confident the private sector will keep improving data protection measures and encourage continued cloud adoption.
"Nothing seems to stop the march of technology," he said. "I don't ever see a major event completely stopping the growth of cloud."
Security experts says it's time to rethink cloud data privacy protection