Avoiding US Cloud Providers: EU Protectionism or Valid Concerns 2013 Cloud Security Alliance Congress Session 12 December 4, 2013 Jon-Michael C. Brook Cloud, Security & Privacy Principal


Page 1: Title

Avoiding US Cloud Providers: EU Protectionism or Valid Concerns
2013 Cloud Security Alliance Congress
Session 12
December 4, 2013
Jon-Michael C. Brook, Cloud, Security & Privacy Principal

Page 2: Tariffs & Protectionism

• Protectionism
  • “[T]he economic policy of restraining trade between states through methods such as tariffs on imported goods, restrictive quotas, and a variety of other government regulations designed to allow (according to proponents) "fair competition" between imports and goods and service produced domestically.” - wikipedia
• Examples
  • Historically, most famous for US – American Revolutionary War
    • Stamp Act, Tea Act -> Boston tea party
  • US – Sugar cane: Brazil far more efficient in producing than sugar beets
    • Protect the sugar industry in US, offer credits/tax incentives AND put tariffs on imports
  • India – Local subsidiaries only
• Arguments simply don’t hold up – Fledgling industries, national importance
  • Typically lead to stagnant economies and little motivation for innovation
  • Milton Friedman/Paul Krugman: Free trade “…has a ripple effect throughout the economy.”
  • Alan Greenspan: Protectionism leads “…to an atrophy of our competitive ability. ... If the protectionist route is followed, newer, more efficient industries will have less scope to expand, and overall output and economic welfare will suffer.”

Cloud Security Alliance 2013 Congress EU Cloud: Protectionism or Reality - 2

Page 3: What EU Cloud?

• Viviane Reding - European Commissioner for Justice, Fundamental Rights and Citizenship
  • Jan 2012 – reform proposal of the EU's 1995 data protection directive rules:
    • "strengthen online privacy rights and boost Europe's digital economy".
    • "A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3bn a year.”
    • "The initiative will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs, and innovation in Europe."

Vote on single law draft resolution May 2014

Page 4: FUD & Protectionism

• “For the private sector, such European clouds could become also attractive as they could advertise, ‘These are European clouds, so your personal data is safe.’” – Viviane Reding
• “The questions raised around the United States’ FISA act have focused the minds of Europeans keen to share, but only with those they chose. TeamDrive has confirmed that European cloud users want to have data stored under the EU banner, away from the prying eyes of the US government.” – TeamDrive
• “[W]e comply with the highest German European data privacy standards. And that is important when you consider the furor around the issue of unauthorised access in some third countries that don’t offer the same level of security. But we can deliver CLOUD SERVICES ‘MADE IN GERMANY’ – around the world.” – T-Systems

Page 5: At Issue

• PATRIOT Act - Allows cryptographic material access requests
  • US citizens some protections
  • No protections for non-US citizens
  • §215 Allows access to customer records in BULK – non-content meta data
    • Voluntarily disclosed to a 3rd party - Supreme Ct ruling
    • Requires Court Order for more
  • Customer data not a business record
    • Requires Search Warrant
  • Google, Yahoo, Microsoft, Apple
    • Obama – Criminal, yes; Civil - Unknown
    • Never tried to get foreign data
• FISA Amendments Act – 50 USC § 1881A
  • Foreign Intelligence – Potential Attacks, Sabotage/Terrorism, Clandestine Intel
  • Info must pertain to a foreign power or foreign territory; Not a foreign citizen
  • Not Business Intelligence - Canada clipped in October NYT release surrounding Brazil mining, US Merkel surveillance on Dollar purchase/sells

Page 6: US Laws & Privacy Protections

• 4th Amendment
  • Warrantless search and seizure
• Electronic Communications Privacy Act (ECPA) 1986
  • Extend Wiretap statute
  • No voluntary disclosures of customer data by providers
  • Amended by Communications Assistance to Law Enforcement Act (CALEA) 1994, PATRIOT Act 2001, PATRIOT Reauthorization 2006
• Federal Intelligence Surveillance Act (FISA) 1978
  • Judicial Approval Regime
  • No data retention requirements
  • Amended 1998

Laws always behind technology and require judicial interpretation

Page 7: Glass Houses - EU Monitoring Laws

• Full day symposium by CSA Legal Council at 2013 RSA Summit
  • US much more respectful of citizen’s privacy
• EU General
  • Voluntary service provider disclosures
  • EU Data Retention Directive – 6 months to 2 years
• Countries
  • UK
    • TEMPORA - "Mastering the Internet" and "Global Telecoms Exploitation"
  • France
    • Non-judicial wiretapping, connections inside France and between France and other countries are all monitored, even for scientific and economic data
  • Deutschland
    • G10 act, intelligence services may monitor and record telecommunications without a court order if they are investigating serious crime, terrorism or threat against their national security.
    • Federal Trojan – do need court order w/o notification to CSP.
  • Spain
    • No warrant required

US better protects from Gov intercept, EU couldn’t meet US legal standards, but European citizens (officials?) less suspicious of EU Government/abuses

Page 8: Snowden Revelations

• Originally, talk included much different crypto discussion
  • Cryptography major protection mechanism for Cloud
  • Multi-tenancy reliance on no cross-talk/hypervisor monitoring
• Minimal evidence that cryptographic algorithms are flawed or embedded with backdoors
  • No historical evidence NSA corrupted underlying crypto algorithms/methodologies
    • 1970’s DES S-box suggestions from NSA actually strengthened algorithm
    • Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
• Clipper chip – Agency learning experience? Government key escrow experiment
  • Now, essentially key escrow by CSPs
  • ToS: In June 2011, a Microsoft executive admitted at the Office 365 launch in London, under the Patriot Act, the company could be made to turn over information stored overseas to US authorities without seeking consent or even providing prior notice to the data owner.
  • Usage Agreements - iCloud, AWS, Mozy, Box, etc. will turn over keys/data w/ warrant

Reliance on any one technology…

Page 9: Algorithmic Issues?

• Underlying mathematics sound
  • Crypto shelf life - Moore’s law and key material length
  • Slowly chip away at the key space to limit brute force search
• Implementation problems
  • PRISM still unknown/fuzzy as to what hand NSA had – 3 choices?
    1. Discovered flaws w/o disclosure
    2. Contacted by manufacturer and asked to stay silent (as w/ DES)
    3. Strong armed flaws into products
  • RNG
    • Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG)
      • Schneier – Original standard specification included “default” seed values
    • Mozilla RNG flaw
  • ECC
    • Elliptic Curves & variables chosen are suboptimal (formula, prime, cofactor)

US DoD uses the same algorithms for Top Secret data

Page 10: Cryptographic Implementations

• Who uses what?
• Principal expectation - bad crypto implementations
  • PKCS#11 – RSA, also known as “cryptoki”
  • Microsoft CAPI – API used by IIS, CA, also available in .NET
  • Microsoft CNG API – next gen crypto API available for Vista onwards, IIS, ADCS et al
  • OpenSSL crypto
  • JCE/JCA – Java API

Page 11: CSP vs Enterprise - unique challenges

• 5 NIST tenets – biggest issues
  • Metering – administrative access
  • Elasticity – moving targets
  • Self service
  • Broad Network Access – plenty of connectivity
  • Resource Pooling - Multi-tenancy, co-mingled data, scattered locations

Don’t Trust Administrators, Wider pipes, Everything together

Page 12: CSP Protection Mechanisms

• Physical protections
  • Assumption: best practices implemented by CSPs, not really a Gov issue directly, but could be used by Gov – think telco providers and wiring closet drops for warrantless wiretapping
• Role Based Access Controls
  • System Administrators segmented from hardware administrators
• Identity and Access Management (IdAM)
• Pre Snowden
  • Heavy dose of cryptography w/ a side of key management
• Processes and procedures may be implemented by ANY CSP.
  • Standard best practices – should be in place in data centers already

Page 13: Principally encryption

• Built-in cloud crypto services:
  • Encryption for data in motion – no-brainer – lock in web browser, SSL/TLS certificates protect against Man in the Middle attacks
  • Encryption for data at rest – keys held by ISP, readily turned over by CSPs as per ToS
• SaaS:
  • email – Gmail, Yahoo, Live…
    • Exceptions: Silent Circle, Hushmail, Lavabit – paper key disclosure
  • picture – Flickr, Instagram, Photobucket, …
  • office – Office365, Zoho, Google Drive, …
  • backup – Carbonite, Mozy, iDrive, Norton Backup…
  • …
• Object systems: iCloud, Dropbox, Box, S3, SkyDrive, Google Drive…
  • Exceptions: Jungle Drive, SpiderOak, Symantec Zone

Page 14: IaaS Built-in Crypto Offerings

• Amazon AWS
  • GovCloud – SSL termination on FIPS 140-2 level 3 hardware devices
  • HSM – Hardware Security Module access (2013)
    • HSMs built into Intel hardware for >8 years now
    • Direct access to underlying CPU services
• Other Providers to follow/allow hosting
  • Microsoft Azure
  • Google Compute Engine
  • Force
  • Rackspace
  • Savvis
  • VMware vCloud Hybrid Services

Page 15: So what can cloud practitioners do about it

• Physical location w/ stronger laws
  • US isn’t that bad – for US Citizens
  • Switzerland – but even the Swiss cave (2011)
  • Privacy = Constitutional fundamental right (Argentina, Brazil, S. Africa)
• Confidentiality
  • Don’t use built-in/default keys – EVER
    • Essentially consenting to corporate key escrow service for the government
    • Forgoing the capability of using key destruction for digital file shredding/retention
  • Own key servers
    • Separate instance (iffy – aka: server side encryption)
    • Hosted w/ another provider (okay)
    • On corporate premises (better – aka: client side encryption)
    • Physical control of crypto material (best - gov implementations aka: HSM/Type 1)

Page 16: Privacy Protection by Country

Privacy Heat map – heatmap.forrestertools.com/

Page 17: So what can cloud practitioners do about it

• Key management
  • Non-government sponsored algorithms
    • AES → Twofish/Threefish
    • ECC NIST Curves → Curve25519 or Curve1174
  • Sharing Keys
    • Double blind encryption (ease of use v. security): Symantec, ProofPoint, Google
    • split custodian/keys, k of m
  • Other techniques
    • Homomorphic encryption

These are all still susceptible to brute force attacks and crypto implementation subversion
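The "split custodian/keys, k of m" item above is the idea that no single custodian (and no single provider) can release a key alone. As an added illustration that is not part of the presentation, the following Python implements it with Shamir secret sharing over a prime field: a constructed 120-bit data-encryption key is split 3-of-5, any three shares recover it, and two shares yield nothing usable.

```python
import secrets

# Field prime 2^127 - 1 (a Mersenne prime); every secret and share lives in [0, PRIME).
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest-degree coefficient first) at x mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, m):
    """Split an integer secret into m shares (x, y); any k of them reconstruct it.

    The secret is the constant term of a random degree k-1 polynomial, so k-1 shares
    reveal nothing: every candidate secret is equally consistent with them.
    """
    if not 1 <= k <= m:
        raise ValueError("need 1 <= k <= m")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given shares.

    With fewer than k distinct shares this returns a wrong value, not an error:
    the custodian quorum process itself must enforce the threshold.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME  # pow(.., -1, p) = modular inverse
    return secret


def demo():
    """Constructed 120-bit data-encryption key split 3-of-5 among custodians."""
    dek = int.from_bytes(secrets.token_bytes(15), "big")
    shares = split_secret(dek, k=3, m=5)
    quorum_ok = recover_secret(shares[1:4]) == dek    # three custodians: recovers the key
    minority_ok = recover_secret(shares[:2]) == dek   # two custodians: cannot
    return quorum_ok, minority_ok
```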

Page 18: Reference Architectures

• Server Side
• Client Side on-premise
• HSM

AWS references throughout, though should be applicable to other environments. Check out re:Invent SEC304 for further details.

Page 19: Server Side Encryption

Page 20: Client Side Encryption

Page 21: Case Study: Netflix & HSM

Page 22: Resources

• Weekly revelations - final release of presentation may be found: https://www.cippguide.org/csa-congress/
• Jon-Michael C. Brook
  • [email protected]
  • @jonmichaelbrook
  • http://www.linkedin.com/in/jonmichaelcbrook