Former NSA CIO won’t back cloud

The former National Security Agency technical director told the RSA Conference he doesn’t trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn’t trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir, a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Cloud AG,” he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analysing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country’s financial markets melted down last year, he said network security could face a “trust-bubble meltdown”.

He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. “Fix vulnerabilities before you first smell an attack,” he said. “End of message.”

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

“I do believe NSA is still ahead, but not by much – a handful of years,” said Snow, the former technical director for the agency. “I think we’ve got the edge still.”

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. “Now we are very close together and moving very slowly forward in a mature field,” Snow said.

The NSA has a deep staff of Ph.D. mathematicians and other cryptographic experts to work on securing traffic and breaking codes, and also has another key advantage. “We cheat. We get to read what [academics] publish. We do not publish what we research,” he said.

Whitfield Diffie – the Diffie in Diffie-Hellman key exchange – said the NSA lead might have to do with the fact that some cryptography problems are out of bounds for academics, such as nuclear command and control platforms.

“It would be illegal, expensive and frustrating to do,” said Diffie, who sat on the cryptographers’ panel. Any work done privately would immediately be classified, and the researchers would be unable to discuss it publicly or claim credit, he said.

Plus the demands of commercial cryptography don’t allow for the thoroughness of refinement that is the hallmark of NSA work, he said. There are practical issues – such as developing products quickly that can be sold to business as valuable assets – that NSA doesn’t face.

Snow’s claim of NSA superiority seemed to rankle Shamir. He noted that when the titles of papers in NSA technical journals were declassified up to 1983, there were none that included public key encryption. “That demonstrates that NSA was behind,” Shamir said.

But Snow said that perhaps the topic was written about, only under another name. When technologies are developed separately in parallel, the developers don’t necessarily use the same terms for them, he said.

Cloud security – How to balance cost vs loss of control over data

There’s a definite buzz of concern about cloud computing security as companies try to figure out when, how and whether they’re going to use public (as opposed to private or internal) cloud services. Companies want to know that cloud service providers will protect their information, and service-level agreements and SAS 70 audits may not offer them enough reassurance.

Not surprisingly, companies want to reduce risks and offset loss of control. And how best to do that was a hot topic at this week’s RSA Security Conference, as companies try to figure out how to bridge the gap between their reluctance to relinquish control over information security and the limited visibility cloud providers allow into their security architecture.

Perhaps the main issue is transparency: providers can offer strong assurances, but not the kind of accountability an enterprise can demand.

There was heated debate in one RSA session, as Eran Feigenbaum, director of security for Google Apps, said that cloud computing was being held to a standard that didn’t exist inside the enterprise, what he called “euphoric security states.” The panelists, including Feigenbaum, pushed for a standards-based approach to security that would meet the rigors posed by corporate governance and regulatory requirements.

Absent such standards, Feigenbaum noted that Google received SAS 70 certification and shares the audit results on its security controls with customers. Google is also now seeking certification to comply with the Federal Information Security Management Act (FISMA).

“The problem I have with SAS 70,” said Michelle Dennedy, Oracle vice president, “is that unless we make it like the 27000 series or publish the parameters of FISMA, the third-party attestation for one is an apple, the third-party attestation for another provider is a cumquat.” She urged greater transparency, suggesting that “while cloud providers can’t reveal their entire security architecture, they can use vectors of the ISO 27002 standard to reveal as much as they can.”

Jim Reavis, co-founder and director of the Cloud Security Alliance, which has issued a security guidance document for best practices, said the issue of transparency undercuts the question of whether information is any more or less secure in the public cloud than within the enterprise.

“The issue is that since we can’t prove [that the cloud is less secure] — and don’t have the compliance regimen we need to have done — we will require more transparency from cloud providers,” Reavis said.

Security pros are feeling the crunch. Even as companies push the potential cost savings in the cloud, IT departments worry about their ability to effectively mitigate risk or gain sufficient transparency into a cloud provider’s security.

As one conference attendee put it: “The execs and finance folks are banging the gong: go to the cloud, go to the cloud. [But] I would not trust my private data or my high-impact business data to contracts.”

It was not all fear and loathing in San Francisco, however. Amid the uncertainty and hand-wringing, analyst Rich Mogull, CEO of Securosis, and Chris Hoff, Cisco Systems’ director of cloud and virtualization solutions, argue that cloud computing is a rare opportunity to redefine security around the information itself. They call it “information centricity.”

“You should be delighted by disruptive innovation,” said Mogull. “It’s an opportunity.”

Hoff and Mogull argue that technology could soon allow companies to build security around the data itself, wherever it moves, protected based on its intrinsic value and the context in which it is used. For example, quarterly financial results are highly sensitive before they are released, but not once the quarterly report has been published.

“You have to adapt what you do and how, operationally, you may not be able to do what you do now,” Mogull said.

The information-centric approach requires understanding how information flows, and how to apply the appropriate controls based on the context in which it’s used.

A combination of technologies — data labels, encryption, enterprise digital rights management, data leakage prevention, and identity and access control — is close to the point, they said, where data can be classified at the point of creation and evaluated and re-evaluated wherever it flows. The result: concern over whether data is within the enterprise or in a public cloud would lose a lot of its sting.
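The quarterly-results example above can be made concrete with a small policy evaluator: a label travels with the data, and each access re-derives the sensitivity from that label plus the context of the access (the time relative to an embargo, whether the data sits in the enterprise or a public cloud, and the requester’s groups), then names the controls that must be in place. This is an added illustration written for this page, not code from the article, Securosis or Cisco; the categories, group names, control names, release time and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional, Tuple

# Assumed base sensitivity per data category when no embargo applies.
# Financial results are public record once released, hence "public".
BASE_CLASSIFICATION = {
    "financial-results": "public",
    "marketing": "internal",
    "hr-records": "confidential",
}


@dataclass(frozen=True)
class DataLabel:
    """Classification metadata attached at the point of creation."""
    category: str
    owner_group: str
    embargo_until: Optional[datetime] = None  # sensitive until this instant


@dataclass(frozen=True)
class AccessContext:
    """Where, when and by whom the data is being touched."""
    now: datetime
    location: str                # "enterprise" or "public-cloud"
    user_groups: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    classification: str
    allow: bool
    controls: Tuple[str, ...]    # controls that must hold for this access


def classify(label: DataLabel, ctx: AccessContext) -> str:
    """Re-derive sensitivity from the label and the moment of access."""
    if label.embargo_until is not None and ctx.now < label.embargo_until:
        return "confidential"
    # Unknown categories fail closed rather than defaulting to "public".
    return BASE_CLASSIFICATION.get(label.category, "confidential")


def evaluate(label: DataLabel, ctx: AccessContext) -> Decision:
    """Map (label, context) to an allow/deny decision plus required controls."""
    level = classify(label, ctx)
    in_cloud = ctx.location == "public-cloud"
    if level == "public":
        return Decision(level, True, ())
    if level == "internal":
        allowed = bool(ctx.user_groups & {label.owner_group, "staff"})
        controls = ("encrypt-at-rest",) if in_cloud else ()
        return Decision(level, allowed, controls)
    # confidential: owner group only, full control set, stronger in the cloud
    allowed = label.owner_group in ctx.user_groups
    controls = ["encrypt-at-rest", "encrypt-in-transit", "edrm", "dlp-block-external"]
    if in_cloud:
        controls.append("customer-managed-key")
    return Decision(level, allowed, tuple(controls))


# Constructed sample: Q1 results embargoed until a made-up release time.
RELEASE = datetime(2010, 4, 15, 12, 0, tzinfo=timezone.utc)
Q1_RESULTS = DataLabel("financial-results", "finance", RELEASE)


def before_release(location: str, groups) -> Decision:
    ctx = AccessContext(datetime(2010, 4, 1, tzinfo=timezone.utc), location, frozenset(groups))
    return evaluate(Q1_RESULTS, ctx)


def after_release(location: str, groups) -> Decision:
    ctx = AccessContext(datetime(2010, 4, 16, tzinfo=timezone.utc), location, frozenset(groups))
    return evaluate(Q1_RESULTS, ctx)


if __name__ == "__main__":
    for name, decision in [
        ("finance, enterprise, pre-release", before_release("enterprise", ["finance"])),
        ("finance, public cloud, pre-release", before_release("public-cloud", ["finance"])),
        ("marketing staff, public cloud, pre-release", before_release("public-cloud", ["marketing", "staff"])),
        ("anyone, public cloud, post-release", after_release("public-cloud", ["marketing"])),
    ]:
        print(f"{name}: {decision}")
```

The same record yields four different answers depending only on context: before release it is confidential and limited to the finance group, with a customer-managed key added when it lives in a public cloud; after release the label alone tells the evaluator it is public and no controls apply. Whether the bytes sit inside the enterprise or with a provider changes the required controls, not the decision logic.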

The key is to be ready to anticipate change, they said.

“It’s not about perfectly predicting the future,” said Hoff, “but looking at the indicators and correcting course before it’s too late. You have to know what to put on the radar, what to embrace.”

Original article from Computerworld by Neil Roiter, a freelance writer who has covered technology and security issues, most recently for TechTarget.
