The former National Security Agency technical director told the RSA Conference he doesn’t trust cloud services and bluntly admonished vendors for leaving software vulnerabilities unpatched sometimes for years.

Speaking for himself and not the agency, Brian Snow says that cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he says.

Snow was speaking as a member of the annual cryptographers panel at RSA Conference. Another panelist said he doesn’t trust clouds either, but his reluctance was based upon worry about what NSA might be up to.

Adi Shamir a computer science professor at Israel’s Weizmann Institute of Science and also the “S” in the RSA encryption algorithm, warned against trusting cloud computing services for the same reason he suspects the confidentiality of transmissions over telecom networks and the Internet. He says the phone systems are secure, but that major crossroads in their networks are tapped by the NSA. “There’s a pipe out of the back of an office at AT&T in San Francisco to NSA,” he said.

Government access to assets entrusted to public cloud providers will be similar, he says. He suspects in some cases cloud providers will be companies influenced by government spy agencies, similar to the way Crypto AG security gear gave the NSA backdoor access to encrypted messages sent by foreign governments that had bought the gear. “Please don’t use Cloud AG,” he said.

On another topic, Snow said many commercial applications and security products contain known flaws or shortcomings that users accept without understanding them or analysing them thoroughly. That trust is similar to the trust investors had in unsound Wall Street derivative investment products, he said. Just as the country’s financial markets melted down last year, he said network security could face a “trust-bubble meltdown”.

He alluded to a 17-year-old Microsoft vulnerability that went unpatched. Fixing such problems before they are exploited gives vendors a commercial advantage, so they should do so. “Fix vulnerabilities before you first smell an attack,” he said. “End of message.”

Also during the panel, Snow acknowledged that cryptographers for the NSA have been losing ground to their counterparts in universities and commercial security vendors for 20 years but still maintain the upper hand in the sophistication of their crypto schemes and in their ability to decrypt.

“I do believe NSA is still ahead, but not by much – a handful of years,” said Snow, the former technical director for the agency. “I think we’ve got the edge still.”

He said that in the 1980s there was a huge gap between what the NSA could do and what commercial encryption technology was capable of. “Now we are very close together and moving very slowly forward in a mature field,” Snow said.

The NSA has a deep staff of Ph.D. mathematicians and other cryptographic experts to work on securing traffic and breaking codes, and also has another key advantage. “We cheat. We get to read what [academics] publish. We do not publish what we research,” he said.

Whitfield Diffie – the Diffie in Diffie-Hellman key exchange – said the NSA lead might have to do with the fact that some cryptography problems are out of bounds for academics, such as nuclear command and control platforms.

“It would be illegal, expensive and frustrating to do,” said Diffie, who sat on the cryptographers’ panel. Any work done privately would be immediately be classified and the researchers would be unable to discuss it publicly or claim credit, he said.

Plus the demands of commercial cryptography don’t allow for the thoroughness of refinement that is the hallmark of NSA work, he said. There are practical issues – such as developing products quickly that can be sold to business as valuable assets – that NSA doesn’t face.

Snow’s claim of NSA superiority seemed to rankle. He noted that when the titles of papers in NSA technical journals were declassified up to 1983, there were none that included public key encryption. “That demonstrates that NSA was behind,” Shamir said.

But Snow said that perhaps the topic was written about, only under another name. When technologies are developed separately in parallel, the developers don’t necessarily use the same terms for them, he said.

There’s a definite buzz of concern about cloud computing security as companies try to figure out when, how and whether they’re going to use public (as opposed to private or internal) cloud services. Companies want to know that cloud service providers will protect their information, and service-level agreements and SaS 70 audits may not offer them enough reassurance.

Not surprisingly, companies want to reduce risks and offset loss of control. And how best to do that was a hot topic at this week’s RSA Security Conference, as companies try to figure out how to bridge the gap between their reluctance to relinquish control over information security and the limited visibility cloud providers allow into their security architecture.

Perhaps the main issue is transparency, as providers can offer strong assurances — but not the kind of accountability — an enterprise can demand.

There was heated debate in one RSA session, as Eran Feigenbaum, director of security for Google Apps, said that cloud computing was being held to a standard that didn’t exist inside the enterprise, what he called “euphoric security states.” The panelists, including Feigenbaum, pushed for a standards-based approach to security that would meet the rigors posed by corporate governance and regulatory requirements.

Absent such standards, Feigenbaum noted that Google received SaS 70 certification and shares the audit results on its security controls with customers. Google is also now seeking certification to comply with the Federal Information Security Management Act (FISMA).

“The problem I have with SaS 70,” said Michelle Dennedy, Oracle vice president, “is that unless we make it like the 27000 series or publish the parameters of FISMA, the third party attestation for one is an apple, the third-party attestation for another provider is a cumquat.” She urged greater transparency, suggesting that “while cloud providers can’t reveal their entire security architecture, they can use vectors of the ISO 27002 standard to reveal as much as they can.”

Jim Reavis, co-founder and director of the Cloud Security Alliance, which has has issued a security guidance document (download PDF) for best practices, said the issue of transparency undercuts the question of whether information is any more or less secure in the public cloud than within the enterprise.

“The issue is that since we can’t prove [that the cloud is less secure] — and don’t have the compliance regimen we need to have done — we will require more transparency from cloud providers,” Reavis said.

Security pros are feeling the crunch. Even as companies push the potential cost savings in the cloud, IT departments worry about their ability to effectively mitigate risk or gain sufficient transparency into a cloud provider’s security.

As one conference attendee put it: “The execs and finance folks are banging the gong go to the cloud, go to the cloud. [But] I would not trust my private data or my high-impact business data to contracts.”

It was not all fear and loathing in San Francisco, however. Amid the uncertainty and hand-wringing, analyst Rich Mogull, CEO of Securosis, and Chris Hoff, Cisco Systems’ director of cloud and virtualization solutions, argues that cloud computing is a rare opportunity to redefine security around the informationThey call it “information centricity.”

“You should be delighted by disruptive innovation,” said Mogull. “It’s an opportunity.”

Hoff and Mogull argue that technology could soon allow companies to build security around the data itself, wherever it moves, protected based on its intrinsic value and the context in which it is used. For example, quarterly financial results are highly sensitive before they are released, but not once the quarterly report has been published.

“You have to adapt what you do and how, operationally, you may not be able to do what you do now,” Mogull said.

The information-centric approach requires understanding about how information flows, and how to apply the appropriate controls based on the context in which it’s used.

A combination of technologies — data labels, encryption, enterprise digital rights management, data leakage prevention and identity and access control — are close to the point, they said, where data can be classified at the point of creation and evaluated and re-evaluated wherever it flows. The result: Concern over whether data is within the enterprise or in a public cloud would lose a lot of its sting.

The key is to be ready to anticipate change, they said.

“It’s not about perfectly predicting the future,” said Hoff, “but looking at the indicators and correcting course before it’s too late. You have to know what to put on the radar, what to embrace.”

Original article from Computer World by Neil Roiter – a freelance writer who has covered technology and security issues, most recently for TechTarget.

Thoughts about Cloud computing