Posted by: Ken Harthun
Cloud Computing, Encryption, Internet, Privacy, Security best practice
Got this announcement this morning from Sophos about a lecture at the New South Wales branch forum of the Australian Computer Society (ACS). That’s a bit out of my way, so I couldn’t attend, but here’s the gist:
The topic is Privacy and security in the cloud – is there any?
The Cloud - whatever that is - isn't new, whatever the marketing material may imply. But the scale of many modern-day cloud-oriented services is simply enormous. And since those services are run by experts, they readily promise to deliver the "holy trinity" of computer security - confidentiality, integrity and availability.
But do they? Will they? Can they? This thought-provoking presentation will help you advise your colleagues, your friends and your family how to embrace the benefits of the cloud whilst steering clear of the major risks.
This ties in nicely with something I have talked about before in a recent post, “Beware Cloud Data Storage–Pre-encrypt.”
Steve Gibson of the Security Now! podcast recently coined a term, “pre-egression encryption,” which worked out to the acronym, PEE. Not elegant, but it makes sense (he has since adopted the acronym PIE – pre-Internet encryption, coined by a listener). In other words, trust no one’s encryption: encrypt it yourself using your own secret key before you send anything to the cloud. Steve references an incident with DropBox in Security Now! episode 302:
…like Dropbox, are very user-friendly, and they say, oh, we encrypt. We use SSL 256 encryption so that all of your data is safe as it’s coming to us. The problem is, they encrypt it, and then they decrypt it at the other end. So they’re storing it, or they have it, at least, in an unencrypted state. In the case of Dropbox, they then would encrypt it for storage. But they encrypted it for storage. They have the key that was used. The only way any of this stuff is safe is if you do the encryption before it goes out on the wire, and that key never leaves your control. In which case we’re using the cloud as a big opaque storage container in the sky.
The bottom line is that you can trust no one with your security and privacy in the cloud. Before you send any data to the cloud, encrypt it with a key that is known only to you and completely under your control.
Assume that cloud security and privacy don’t exist.