07/08/2013

PRISM, Snowden and the US cloud (Microsoft, Google, Facebook, ...)

In this discussion you have to clearly distinguish three things:

1. The interception and backup of all your communications and actions on or through their installations by the companies themselves, for your benefit or theirs (backup, analysis, ...)

For example, even if you delete pictures on Facebook, they still keep a copy somewhere so that reloading the picture takes less time (they say).

The advantage for the intelligence and police services is that they can obtain information you think you have deleted whenever they have a global warrant for all information concerning you.

2. The interception and backup of all communications during some limited time by intelligence agencies

It is the wild wet dream of any intelligence operation to intercept all internet communications for a long time and to be able to search back whenever something has happened, in order to reconstruct all the communications the people involved had and to get a clear view of everyone involved in the planning. With the falling prices of cloud infrastructure this becomes affordable for any big country.

3. The interception and backup of all communications for as long as possible or necessary by intelligence agencies, as long as they contain some keywords (38.000 keywords are used by the NSA)

Another reason is that even if the communications are encrypted, at some time the encryption keys may become public or be broken, which would make it possible to read all the communications that were sent with these keys (making a time-self-destruct mechanism the next necessary security function).
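One way to build the time-self-destruct mechanism mentioned above is crypto-shredding: every stored record gets its own random data key with an expiry, and once the expiry passes the key is destroyed while the ciphertext may remain in backups. A later leak or break of a long-term key then exposes nothing, because the per-record keys no longer exist anywhere. The code below is an added illustration, not code from the original post; the vault class, its method names and the HMAC-SHA256 counter-mode keystream are assumptions chosen so that it runs with the Python standard library only (a real deployment would use an AEAD such as AES-GCM and a hardware-backed key store).

```python
import hashlib
import hmac
import secrets
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream in counter mode.

    Toy stdlib-only stream cipher used so the example runs offline; it has no
    integrity protection. In practice use an AEAD (e.g. AES-GCM) instead.
    Encryption and decryption are the same operation.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ExpiringVault:
    """Stores records under per-record data keys that are shredded after a TTL.

    Ciphertext is deliberately kept after shredding to show that old backups
    become unreadable once the key is gone. The clock is injectable so the
    expiry behaviour can be tested deterministically.
    """

    def __init__(self, ttl_seconds: float, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._records = {}  # record_id -> (nonce, ciphertext)
        self._keys = {}     # record_id -> (data_key, expires_at)

    def store(self, record_id: str, plaintext: bytes) -> None:
        # Fresh random key and nonce per record: no key is ever reused.
        data_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        self._records[record_id] = (nonce, _keystream_xor(data_key, nonce, plaintext))
        self._keys[record_id] = (data_key, self.clock() + self.ttl)

    def shred_expired(self) -> list:
        """Destroy every data key whose expiry has passed; return the shredded ids."""
        now = self.clock()
        expired = [rid for rid, (_, exp) in self._keys.items() if exp <= now]
        for rid in expired:
            del self._keys[rid]
        return expired

    def read(self, record_id: str):
        """Return the plaintext, or None if the key has been shredded."""
        if record_id not in self._keys:
            return None
        key, _ = self._keys[record_id]
        nonce, ciphertext = self._records[record_id]
        return _keystream_xor(key, nonce, ciphertext)

    def ciphertext_still_stored(self, record_id: str) -> bool:
        return record_id in self._records


def demo() -> dict:
    """Walk through store -> read -> expiry -> shred with a fake clock."""
    fake_now = [1_000_000.0]  # constructed timestamp, seconds
    vault = ExpiringVault(ttl_seconds=3600, clock=lambda: fake_now[0])
    vault.store("board-minutes", b"constructed sensitive record")
    before = vault.read("board-minutes")
    fake_now[0] += 3601  # one hour and one second later
    shredded = vault.shred_expired()
    after = vault.read("board-minutes")
    return {
        "readable_before_expiry": before == b"constructed sensitive record",
        "shredded": shredded,
        "readable_after_shred": after is not None,
        "ciphertext_retained": vault.ciphertext_still_stored("board-minutes"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the post makes is about time: if a key that protected years of traffic is broken later, everything sent under it is exposed. Per-record keys with a hard expiry shrink that window to the TTL, and shredding must be scheduled and audited like any other control, since a key that survives in a forgotten backup undoes the whole mechanism.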

This means that any firm or institution has to take the following things into consideration:

* never place information in the external cloud that on paper would normally never leave the office because it is too sensitive (cloud is just a technique for using and installing servers; it doesn't mean those servers necessarily have to be outside your network, and many vendors now also offer internal cloud services you set up inside your own network). In fact, never digitalize or network information that is the core of your business or institution.

* never place information in the international cloud that should be protected by national laws and that, by being placed in another country, would pose too many legal problems if there is an incident (you know your national law, your national courts and your national police and intelligence agencies)

* look at encryption, data leakage prevention, two-factor authentication and layered security with regular security audits if you have information that is essential and should be adequately protected

What does that mean for cloud services?

* Office 365 is not always a good idea (they will probably have to transmit information to US authorities even if the information is hosted in Europe)

* Google and other web-based US services (like Yahoo, Hotmail and others) are not meant to be secure and private business or confidential services and should not be used as such

* cloud services will have to diversify and include two-factor authentication (which in fact makes it much harder for other persons to access the information)
