Spooks Are Looking For Skeletons In The Closet

Sorry to interrupt your busy day but does anyone know anything about Cloud security?

It’s the question that has been asked since off-site data storage was first contemplated. Sticking data up in the ether solves a lot of problems but what are the legal/governance implications?

If it were a question asked by Stephen Fry on TV programme QI, Alan Jones would hold up his little paddle with “Nobody Knows” written on it. I defy anyone to muddle through the conflicting edicts of the US and the EU and to come up with some cast-iron, incontrovertible truth.

Fishing in someone else’s pond

On the west of the great pond, we have the American authorities who claim access to any data held by US companies anywhere in the world – even if the data does not belong to the company. Heading East, we have the EU which effectively says that data is sacrosanct and should not be stored where anyone else can gain access to it.

It’s the EU Giants versus the US Patriots. The “land of  the free” against the – er – United States. Mere business professionals have to somehow marry the two legal policies: faced with a plethora of US Cloud vendors with names like Amazon, Rackspace or Microsoft versus the EU companies like – hang on while I do a Google search – well, never mind, you probably won’t recognise the names.

The answer of course is to encrypt your data before committing it to a cloud storage system, keeping the keys carefully locked away on terra firma. That’ll fix ‘em. Now, we have the storage sorted, let’s move on to the applications. Ah, just a minute.

Seems we have our data encrypted and an application that wants to use the data – who would have guessed?

So, the keys go up in the Cloud and the cloud of mystery becomes one with a silver lining for the US authorities. The problem with encryption in the cloud is that data won’t work with applications unless it is decrypted. This makes the data vulnerable as it is decrypted, which is arguably a risk worth taking, but it also means that the keys have to be used where they can be snatched by the authorities.

I have no doubt that the FBI, CIA or any other US protection service would not use their powers for US commercial gain – but the US business armlock may be weakening as the Chinese flex their new-found financial and commercial muscles. Which also raises the aside of what would happen if a Chinese company acquired your cloud provider. It’s not happened yet, but it almost certainly will.

Anyway, the US will fight to keep its role and a future administration might not be so selective about who can access the Cloud-stored data. It would be a rich source of intelligence for industrial espionage – which is precisely why the EU is trying to block such moves.

When security is discussed, the talk tends to pin itself around the periphery of the company. Now the Cloud is part of that the edges have been adjusted accordingly. The “thing” that the cloud vendors do not willingly discuss, unless asked, is who has access. A typical answer is that no-one – not even our staff – has direct access to your information. And nobody sees the spook in the corner of the server room.