Government surveillance, cloud growth at an impasse

The negative effects of U.S. government surveillance have put cloud providers in a tough spot and left security vendors scrambling for better privacy protections.

Concern is growing among security vendors about the tangible negative effects of U.S. government surveillance efforts, which have become particularly problematic for cloud growth.

With the recent Safe Harbor agreement being ruled invalid by a European Union court, as well as the ongoing criticism of encryption by the FBI, cloud providers have found themselves between a rock and a hard place. While they're trying to reassure customers and users that their data is safe in the cloud, experts said, cloud providers are struggling against growing privacy concerns and continued efforts from law enforcement to lower the barrier of protection around that data.

"I think they're scared to death of being accused of Big Brother-type privacy violations," said Art Coviello, former chairman of RSA Security, in an interview with SearchSecurity.

Coviello, who has experienced such accusations at RSA, spoke at the recent Privacy. Security. Risk. 2015 conference in Las Vegas and argued that the United States' worldwide approach to cybersecurity and privacy policy "is just absurd," criticizing the National Security Agency's online surveillance efforts and the FBI's stance on encryption.

Meanwhile, cloud security vendors are striving to keep customer data safe from prying eyes, without running afoul of law enforcement. But those efforts have been complicated by the European Court of Justice's ruling that the Safe Harbor agreement, which enables U.S.-based companies to transfer the data of European citizens overseas to the U.S., did not adequately protect European users from U.S. government surveillance.

The ruling has serious implications for companies that use the cloud to store data for global customer bases across international borders. And it has left cloud security vendors scrambling to protect the data of customers already concerned about the NSA revelations from Edward Snowden.

"Outside the U.S., in places like Europe and Asia, we've seen a reluctance to go to the cloud because of data residency concerns and the 'Snowden effect,'" said Willy Leichter, global director of cloud security at CipherCloud Inc., a cloud access security broker (CASB) headquartered in San Jose, Calif.

Cloud security vendors are trying to counter those concerns with improved data governance and more granular policy controls. "Data residency is definitely a concern," said Rajiv Gupta, CEO of Skyhigh Networks, based in Campbell, Calif. "Before it leaves a specific country or region, data has to have policies applied to it."

For example, Gupta said, German companies that may be concerned about privacy issues in the U.S. can inspect traffic through Skyhigh's CASB platform before it goes to Microsoft's OneDrive cloud and is potentially stored in a U.S. data center. Another option, Gupta said, is encrypting the data sent to cloud providers and keeping the keys with the customer in Germany.

But that option is frowned upon by the U.S. government -- particularly the FBI, which has been pushing for technology companies to hold customer encryption keys in escrow and hand them over to authorities during investigations. During the recent 2015 IoT Security Conference in Boston, FBI CISO Arlette Hart spoke about the dangers of encryption for law enforcement.

"You look at encryption," Hart said during her keynote. "You say 'Encryption saves me, and keeps my privacy, and makes sure nobody else can get my information.' But encryption is also used by the bad people in order to make sure their communications … are not able to be interdicted by law enforcement."

Nevertheless, cloud security vendors are still emphasizing the importance of encryption for maximum protection of data in the cloud. Krishna Narayanaswamy, co-founder and chief scientist at Netskope, a CASB based in Los Altos, Calif., said customers need to vet service providers and vendors to see which ones can offer the best protection.

"All cloud providers and [software as a service] vendors are not equally secure," Narayanaswamy said. "Customers should look at those vendors that have good cloud security controls and policies, encrypt data, and protect the encryption keys."

Coviello said that while rising concerns over data privacy and security may hurt cloud growth in the short term, he's confident the private sector will keep improving data protection measures and encourage continued cloud adoption.

"Nothing seems to stop the march of technology," he said. "I don't ever see a major event completely stopping the growth of cloud."
