Don't panic! Mega cloud biz group says NSA just one among many threats

Enterprises are being told to not abandon the cloud out of fear of possible threats to their data security posed by US government snoops. The Open Data Center Alliance (ODCA) has advised big companies the benefits of cloud – escaping their legacy IT – far outweigh risks of the National Security Agency pilfering their secrets …

  1. Anonymous Coward

    No cloud is still the best option

    But if you have to have a cloud, a private cloud is acceptable too.

    1. Anonymous Blowhard

      Re: No cloud is still the best option

      How private is a private cloud though? Even if you own the hardware, co-locating it in a data centre that's subject to US law, through ownership for example, may still leave your privates exposed.

      1. tom dial Silver badge

        Re: No cloud is still the best option

        This post is, perhaps, correct in some sense but there are a few questions worth considering.

        First, is there a reason to care whether an NSA (or CSEC, GCHQ, ASD, GCSB or, indeed, any other signals intelligence agency) would care about your business or would be in position to harm you or a business you operate? While that might seem too much like "if you have nothing to hide you have nothing to fear", it is part of the task of evaluating risk. In the US, illegally obtained evidence is likely to be excluded by a judge, and that would, possibly with additional legal arguments, probably extend to information obtained using warrants issued based on illegally obtained communication intelligence. The other Five Eyes nations, and most others we generally think of as democratic, probably are similar.

        Second, is data you hold a target for criminals wishing to exploit it (Target, for instance), or competitors? For both questions, what is the probable cost in recovery efforts or lost business? Are there other risks to evaluate?

        Third, will changing to a different provider or doing the work in house reduce exposure overall, and at what cost? What are the appropriate mitigations, such as link or disk encryption?

        The answers will vary, depending on numerous details, but for most people, and most businesses, most of the time, action by one's own government is unlikely to be the most important risk. My own preference is to store all of my data on my equipment, on my premises, under my direct control; and except for Google backup of my cell phone, which contains no data I think important, I do that. But I do it more to try to protect the personal credit and other personal financial information than to guard against the government (in my case, the FBI or NSA).

        1. Graham Marsden
          Coat

          Re: No cloud is still the best option

          Hey! You! Get off of my cloud! - The Rolling Stones

    2. Wzrd1 Silver badge

      Re: No cloud is still the best option

      Why, you're absolutely right!

      Why, in 2008, the US DoD networks were able to ignore cloud attacks.

      By actioning other vulnerabilities to over one billion dollars on first response, the second response (due to your thinking pattern) was classified, but more.

      In the civilian world, the cost ends up confidential, but an onus enough to bear significant expenditures in protecting.

      Under your candle, everything will be compromised, hence isn't worthy of protection.

      The *reality* is, one monitors, then proceeds on a value based computation of a plan.

      Rather than jump into a bear trap, leaping for some rabbit.

      Or be Target II...

  2. Anonymous Coward

    Cloud Schmoud

    If you know where your data is kept/processed and hosted, it's called managed hosting

    If you don't know where your data is kept/processed, and that data includes employee or customer records, to comply with the data protection laws you've got no business using it in the first place

  3. HMB

    No Mega?

    I honestly thought there was going to be something about Mega from the title. I know mega.co.nz runs on trust in their code, but considering the founder got illegally raided by the US it would seem he has motive to produce good code.

    I like the idea of my data in the cloud not being completely transparent to the companies running the cloud service.

    I suppose if I wanted to attack Mega I'd work on getting the private key in the SSL and subverting the software sent to a client with a man in the middle attack.

    If I can think my way through a possible attack on the most secure public service I know, it really doesn't say much for the integrity of cloud infrastructure.

    1. Anonymous Coward

      Re: No Mega?

      I honestly thought there was going to be something about Mega from the title. I know mega.co.nz runs on trust in their code, but considering the founder got illegally raided by the US it would seem he has motive to produce good code.

      Two answers here:

      1 - code quality is entirely irrelevant if he operates in a jurisdiction where officials can pretty much walk in whenever they want (aka the USA)

      2 - he may write as good a code as he wants - unless it (and the companies' processes) has been screened by an independent 3rd party with the capabilities to do a good job of it I would not trust it anyway. That is not a personal thing, that is a general principle to apply to cloud hosting. *NEVER* trust someone who has a financial interest in giving you only good news.

  4. John Smith 19 Gold badge
    Unhappy

    If you're US you're under THE PATRIOT Act and f**ked anyway, For the rest of us...

    "If you know where your data is kept/processed and hosted, it's called managed hosting

    If you don't know where your data is kept/processed, and that data includes employee or customer records, to comply with the data protection laws you've got no business using it in the first place"

    Damn right.

    1. Steve Davies 3 Silver badge

      Re: If you're US you're under THE PATRIOT Act and f**ked anyway, For the rest of us...

      We are also f**ked ...

      If your data is held on a Server owned by a company that has a US presence of any kind then YOUR data is subject to the Patriot Act.

      I'd even go so far as to say that even if you OWN your own servers but have them hosted by a company with an American presence the Feds are not going to let a little thing like Server ownership matter for even 1 nano second.

      They really don't like just about anyone in the rest of the world. There are more than a few Amerikans who'd like to see the middle east (apart from Israel), North Africa and a good deal of Europe laid to waste so they could say 'Job Done'.

  5. solo

    I am not in business then

    I had heard long ago that cloud is there to help people who have less expertise in security and infrastructure management.

    My mistake ..

  6. Anonymous Dutch Coward
    Mushroom

    Fluffy marketing stuff

    Even that bureaucratic moloch, the EU, is waking up to the fact that the US Patriot Act is evil and the so-called Safe Harbor isn't safe at all.

    Dropping the phrase "it's not only Snowden" a couple of times does nothing to change that. Likewise however many scenarios they want to paint in their <whatever colour> paper.

    Do the cloud guys fund 100% of this "open" alliance BTW?

    I'll just take a breather now.

    1. This post has been deleted by its author

  7. Anonymous Coward

    Welcome to the People's Republic of Obamastan

    Now bend over and feel the freedom.

  8. Fungus Bob
    Trollface

    In other words, don't just dump the cloud for fear of the NSA, dump the cloud for lots of other reasons too.

  9. ld0614

    Shock horror! A lobbying company telling people that the thing they are lobbying about is good and the drawbacks aren't a problem! Next Microsoft will start telling you that Windows 8 is a good idea.

  10. Will Godfrey Silver badge
    FAIL

    Shhh.

    I may be getting a little old, but I'm sure I can hear that high pitched sound again... A sort of, erm, whistling?

  11. Anonymous Coward

    "However, Mueller reckoned, concern about keeping your data secure from the NSA is little different to keeping it out of the hands of others, for example hackers."

    Sure, barring the extra-legal shenanigans, dodgy laws, court orders, secret courts, gagging orders and "just because we can and have a budget the size of a small planet"s.

  12. Hans 1
    Windows

    No Windows, gates, or Clouds for me, thank you very much

    There is one point that is being missed, here. When it comes to NSA, USian companies can use cloud coz Patriot Act means they already have it up the backside. For the rest of us, we should under no circumstances use a cloud to store sensitive data.

    The main point of the NSA dragnet is to gather industrial intelligence for USian corporations. So you should not so much fear customer details being leaked by the NSA, that won't happen, but sensitive documents detailing future products etc should under no circumstances end up in a cloud - these will certainly end up on the table of your biggest US competitors.

    Unless the cloud provider can guarantee that you and only you can access the admin interface and is willing to foot the bill if a 3rd party gains access to it, you should not use the cloud ... under no circumstances.
