NSA surveillance doesn’t undermine cloud computing
Henderson, 4/9/15 (Nicole, “Impact of NSA Surveillance on US Cloud Providers Not as Bad as We Thought: Forrester” 4/9, http://www.thewhir.com/web-hosting-news/impact-nsa-surveillance-us-cloud-providers-not-bad-thought-forrester)
It’s been two years since Edward Snowden leaked details of the NSA’s PRISM surveillance program, and although analysts predicted an exodus from US-based cloud and hosting services in response to the revelations, it hasn’t exactly worked out that way, a new report finds.
Forrester released a new report last week that suggests concerns around international customers severing ties with US-based hosting and cloud companies “were overblown.”
“Lost revenue from spending on cloud services and platforms comes to just over $500 million between 2014 and 2016. While significant, these impacts are far less than speculated, as more companies reported taking control of security and encryption instead of walking away from US providers,” Forrester’s principal analyst serving security and risk professionals Edward Ferrara said in a blog post.
Snowden recently told a crowd of cloud and hosting providers that use of encryption is growing, and encrypted traffic has doubled since 2013.
In 2013, Forrester predicted that US cloud providers could lose up to $180 billion in business by 2016 due to concerns around the scope of NSA’s PRISM program.
According to NextGov, Forrester finds that 26 percent of enterprises based in Asia Pacific, Canada, Europe and Latin America have stopped or reduced their spending with US-based firms for Internet-based services. Thirty-four percent said these concerns were related to fears of US surveillance, while others said they want to support businesses in their own country, or data sovereignty rules prevent them from storing data abroad.
Forrester surveyed more than 3,000 businesses between June and July 2014.
More than half of respondents said that they did not trust US-based outsourcers to handle sensitive information, with only 8 percent reporting to trust their company’s intellectual property with a US-based outsourced company.
Ninety percent of decision-makers have taken steps to encrypt their data, according to the report.
Cloud computing not feasible – security hurdles
Xiao and Chen 15 – *professor at the Department of Software Engineering at Hainan Software Profession Institute AND **Assistant Professor in Operations Management at New York University, PhD (Ziqian and Jingyou, Cloud Computing Security Issues and Countermeasures, Proceedings of the 4th International Conference on Computer Engineering and Networks p. 731-737, 2015, http://link.springer.com/chapter/10.1007/978-3-319-11104-9_85)//JJ
Cloud Computing Security Challenges
New Risks Brought by Virtual Technologies
Virtualization brings new risks mainly in the virtual machine being abused, the virtual machine escape, and multi-tenant isolation between the failures of security policy migration of virtual machines.
Shared Data Security Environment
Under the cloud service model, users are very worried about whether the data stored in the service provider will be compromised, tampered, or lost. Man-made threats facing the user data mainly come from service providers, hackers, malicious neighboring tenants, and subsequent tenants.
Cloud Platform Application Security
There are some application security problems existing in Cloud Computing Services, no matter SaaS, PaaS or IaaS, mainly including three categories. The first one is the malicious program review. The second one is the application interface security. The third one is code and test safety.
Authentication and Access Control in the Cloud Service Model
Under the cloud service model, user authentication and access control face new challenges, for example, the authentication and authorization of massive users, the rational division of access rights, and the management of accounts, passwords, and keys. In dealing with massive users’ changeable business and their identification, the cloud service providers need to fully automate users’ authentication and access management.
Cloud computing improvements now – new tech and legal measures
Rubinstein and Hoboken 14 – *Senior Fellow at the Information Law Institute (ILI) and NYU School of Law, AND **Microsoft Research Fellow in the Information Law Institute at New York University, PhD from the University of Amsterdam (Ira and Joris Van, PRIVACY AND SECURITY IN THE CLOUD: SOME REALISM ABOUT TECHNICAL SOLUTIONS TO TRANSNATIONAL SURVEILLANCE IN THE POST-SNOWDEN ERA, 66 Maine L. Rev. 488, September 2014, http://ssrn.com/abstract=2443604)//JJ
High-security demanding customers such as government agencies and corporate and organizational users with particularly strict demands for information security are likely to drive these market responses.214 Customers will insist upon better guarantees of security and confidentiality and may refuse to do business with popular, U.S.-based cloud services subject to far-reaching government surveillance powers. Indeed, they may be barred from doing so under new proposals in Europe and elsewhere requiring their citizens to rely on local cloud services.215 In the market for individual users of cloud resources, there may generally be an increasing demand for better security and privacy safeguards as a result of the widely discussed examples of mass surveillance of online interactions and communication. In addition, law and regulation may increasingly require that certain types of disproportionate lawful access to cloud data be excluded if cloud providers want unrestricted access to the market.
Are these measures likely to be effective against intelligence agencies with the skills and resources of NSA or GCHQ? The answer depends on a variety of factors, which will be discussed further in this Section. One thing is clear: the range of technical solutions described in Part III is not binary, and recent announcements of ‘NSA-proof’ services seem highly oversimplified.
A better way of framing this topic is to ask a series of more nuanced questions as follows: First, can technological and organizational design of services help to protect against backdoor access of data in the cloud? Second, and related, can the cloud industry help to prevent bulk and dragnet access to the data of their customers? Third, to what extent can the technical and organizational design of cloud services help to shape lawful access dynamics, such as where and how lawful access takes place (i.e., which entity and in which geographical location)? And, finally, to what extent can government agencies armed with surveillance orders counter the design choices of industry players when new technologies undermine lawful access to data in the cloud the government is seeking?
Based on the analysis outlined herein, the first question should be answered positively. As cloud services roll out new security and encryption measures with the goal of preventing bulk data collection by surreptitious means, this will undoubtedly interfere with large scale intelligence gathering, such as the interception of client-server and server-server data streams. Firms like Google, Microsoft, Yahoo, and Facebook have already begun to implement well-established techniques such as TLS/SSL and perfect forward secrecy, just as various security organizations have begun to review how they develop cryptographic standards.216 At the end of the day, the protection against backdoor access is also a matter of resources, however. Certain technological solutions may prevent effective bulk collection through specific intelligence programs, but intelligence agencies could in turn deploy targeted intelligence operations to undo some of these protections implemented by cloud services.
The second question, which concerns the possibility of cloud firms preventing dragnet surveillance, cannot generally be answered affirmatively. Technological design may have some impact on front-door collection but where surveillance regimes like Section 702 of the FAA authorize large scale transnational surveillance directed at cloud services, industry has limited options. It may oppose orders in court, or it may take a public stance to the effect that certain types of lawful access should not be legally permissible under current statutes and strive for legal reforms that would enhance the privacy interests of cloud customers.218
The third question must be answered positively also, at least in theory. Technological and organizational design of services can help to shape lawful access dynamics and could be used precisely to do so. While few cloud services have actively implemented privacy-preserving encryption protocols, there is reason to believe that this is changing. As discussed in the previous section, both the cloud industry and the Internet security engineering community have taken the first steps towards implementing technical and organizational measures to shape the lawful access dynamics induced by the use of their services and further innovations may be anticipated. The extent to which local jurisdictions may force multinational cloud service providers to comply with domestic laws notwithstanding these new security measures remains a particularly hotly debated issue.