Posts tagged gartner blog

The cryptographer’s panel at the RSA conference is always my favorite part. At this year’s conference, Ron Rivest (the R in RSA) made a comment along the lines of “One of my fears for the future is that cloud computing is a ‘dream come true’ for government intelligence agencies.” He actually used a more colorful term for ‘dream come true’ but his basic point was something I point out to Gartner clients all the time: in many countries (the US included) companies are legally (and often illegally) required to cooperate with government requests to surreptitiously monitor communications and content flowing through or stored on their systems.

There is a school of thought that true cloud computing means no care at all about the physical location of the storage. The fact that many governments can compel any company or service provider operating in their country to expose their customer’s data means for real businesses, location does matter.

Does encryption solve the problem? Only if the control of the keys is completely outside of the control of the service provider and if there is complete and guaranteed transparency into all access to the encrypted data. The reason  for that and clause: with unlimited local access to encrypted data, government funded brute force attacks are much more likely to eat into the safety margin of long key lengths. And, as Brian Snow pointed on on the cryptographers panel, unlike the commercial/academic crypto community, the government crypto community does not publicize its breakthroughs in cracking algorithms or in developing orders of magnitude faster brute force capabilities.

Does striping or scattering the data across multiple data centers in multiple countries solve the problem? Assuming (a very, very big assumption) that the cloud service provider has not made concessions to a host country that would allow access anyway, this has possibilities – but I think there are a myriad of ways to attack this approach. Encryption has been banged on for years and we know that most proprietary encryption approaches are not secure. Striping/scattering for security has not been banged on and I am positive that many, many implementations will turn out not to be secure.

What about striping/scattering encrypted bits? Well, security in depth is always more expensive but not always more secure. This approach has possibilities, but just adding more “rounds” just as often introduces new vulnerabilities rather than increasing security.

I was on a panel at RSA on tokenization, and the idea of “tokenization as a service” is where I think more promise lies. Use cloud storage for the non-sensitive data (which by volume is usually more than 99% of the storage) and keep the sensitive data at home or at least in-country. Use the cloud for what it is good at and don’t use it for what is not good at.

Full Source Gartner Blog