Orlando -- Microsoft today pushed back once again against the idea that it's giving the National Security Agency (NSA) carte blanche access to its cloud-based services, an allegation that's cropped up in media reports since the revelations from former NSA contractor Edward Snowden began last June.
Adrienne Hall, Trustworthy Computing general manager at Microsoft
“We don’t provide governments with direct, unfettered access to your data,” said Adrienne Hall, general manager for trustworthy computing at Microsoft, the division that reviews and oversees security across Microsoft products and services. Speaking in a keynote address at the Cloud Security Alliance Congress, Hall sought to refute the notion that Microsoft does other than what it must under U.S. law when it gets a specific legal request related to customer data.
Hall noted that Microsoft is even suing the federal government to be able to publicly discuss just the number of requests it gets from the NSA, which today it’s not allowed to do under law. Several news stories in the past few months based on the Snowden leaks have suggested that Microsoft operates hand-in-glove with the NSA, such as helping the NSA circumvent Microsoft’s own encryption to hand over massive amounts of information.
The amount of data often mentioned in these news articles is “highly exaggerated,” said Hall. “We don’t assist government with efforts to break encryption keys. We don’t engineer backdoors into our products. … If there’s a bigger surveillance program, we’re not involved.”
“We have concerns as do our customers,” Hall acknowledged, noting that Microsoft counts about 100 cloud-based services in 90 countries, ranging from Windows Azure, Office 365, Skype, MSN, Exchange Hosted Services and Outlook.com.
There’s no escaping the fact that the Snowden revelations about how the NSA collects massive amounts of data on the Internet, ostensibly aiming for non-U.S. citizens and systems in other countries in order to ferret out information about terrorism or spy-vs-spy intelligence, has had a bombshell effect, said Jon-Michael Brook, principal in security and privacy at consultancy CIPP Guide.
Speaking during a session at the CSA Congress, Brook said the Snowden revelations are having an impact, especially in places such as Europe, where U.S.-based cloud service providers face suspicions from customers asking whether the U.S. government, via the NSA, can see the data they consign to U.S. cloud providers.
The allegations about the NSA working to subvert crypto or trying to build backdoors is “astonishing,” he said.
But Brook said the European Union itself is embarked on what he labelled a “protectionist” effort that would shut out non-European cloud service providers — especially U.S.-based ones who dominate today — through a new data-privacy law now being formulated.
He said there’s expectation that the EU will vote for a single law in the spring that would boost the role of cloud infrastructures in the EU region in order to boost Europe’s economy. He said the relatively small number of cloud-service providers there, including Swisscom and Deutsche Telekom, are “fledging” competitors in comparison to U.S.-based companies.
Brook also asserted that the way that data in many European countries, including the U.K., France, Germany and Spain, is collected for government-operated surveillance purposes and wiretaps is actually often less strict than in the U.S.
He said the European Union falls short of even the U.S. requirements in many respects, where in Germany, Deutsche Telekom can even be expected to report its own findings about customers to the German government. Brook said he finds much of the European stance on data privacy to be little more than a “marketing ploy.”
But Brook did offer advice on securing data in the cloud, suggesting that enterprise customers using cloud services make use of specialized hardware security modules (HSM) for data encryption that allow the customer — and only the customer — know and retain the encryption key.
Teresa Carlson, vice president of worldwide public sector, Amazon Web Services
The theme of hardware-based encryption for cloud services was taken up by Teresa Carlson, vice president, worldwide public sector at Amazon Web Services, in her own keynote at the Cloud Security Alliance Congress today.
In touting some of the more recent AWS security advances, Carlson spoke about how hardware security modules for encryption are available as a service called “Cloud HSM” for encrypting customer data. Mark Ryland, chief solutions architect at AWS, explained further that Cloud HSM, which has a monthly service change, works based on the SafeNet Luna devices, where the customer is the “administrator of the cryptography appliance.” AWS itself cannot access the core cryptographic service on the device and only the customer retains the private key. “On HSM, we don’t see anything,” added Carlson.
Microsoft also recently announced its “Bring Your Own Key” initiative for Azure Rights Management Service that makes use of the Thales hardware security module for encryption. Brook said he expects other cloud providers to integrate HSM into service offerings in the future as well.
Still, cloud providers continue to face a barrage of questions about how transparent they are about what they do. After the AWS keynote, a member of the audience, saying he was an auditor with a bank, wanted Carlson and Ryland to explain why AWS isn’t more open about how they share information about physical security at AWS. Carlson and Ryland indicated that the information is so sensitive, AWS is reluctant to simply make it public since attackers might exploit it, but it is shared when sales negotiations with customers are underway.
Ellen Messmer is senior editor at Network World, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org