- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - The former National Security Agency technical director told the RSA Conference he doesn't trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.
Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. "You don't know what else is cuddling up next to it," he says.
The Cloud Security Survival Guide
Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn't trust clouds either, but his reluctance was based upon worry about what NSA might be up to.
Adi Shamir a computer science professor at Israel's Weizmann Institute of Science and also the "S" in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. "There's a pipe out of the back of an office at AT&T in San Francisco to NSA," he said.
Government access to assets entrusted to public cloud providers will be similar, he said. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. "Please don't use Cloud AG," he said.
On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analyzing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country's financial markets melted down last year, he said network security could face a "trust-bubble meltdown".
He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. "Fix vulnerabilities before you first smell an attack," he said. "End of message."
Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.
"I do believe NSA is still ahead, but not by much -- a handful of years," said Snow, the former technical director for the agency. "I think we've got the edge still."
He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. "Now we are very close together and moving very slowly forward in a mature field," Snow said.
The NSA has a deep staff of Ph.D. mathematicians and other cryptographic experts to work on securing traffic and breaking codes, and also has another key advantage. "We cheat. We get to read what [academics] publish. We do not publish what we research," he said.