2014 cloud computing: Toward 0 Trust security mode

The exposure of the NSA's secret file to steal data in June 2013 has rekindled concerns about the security of corporate data stored on the cloud.

But the exposure of the NSA surveillance program will not cause some companies to be afraid of data disclosure no longer using hosting services, instead, it facilitates enterprise users and cloud service providers to reform their internal security and privacy policies and enhance cloud data security, something that businesses and suppliers have long overdue to do.

When Snowden first leaked the NSA surveillance program to the media, industry analysts had expected that the leak would make a big difference to cloud computing deployments.

In August 2013, for example, the information Technology and Innovation Foundation (ITIF) said the exposure of the NSA surveillance program would cause us cloud computing providers to lose 10% to 20% of their overseas market share, or that they would lose $35 billion trillion in potential sales by 2016.

ITIF's minimum estimate of the impact of NSA surveillance leaks on US cloud computing companies (in 1 billion USD)

ITIF's top estimate of the impact of the NSA's surveillance leaks on US cloud computing companies (in 1 billion US dollars)

The Cloud Security Alliance (CSA), another industry group, has also predicted the impact of this concern on U.S. cloud service providers, based on concerns among European companies about U.S. government data collection.

About six months later, the impact of the NSA monitoring project exposure was followed, but not as serious as expected.

Despite reports that US cloud service providers have been unsalable overseas, some experts predict that the Snowden leaks will have little impact on the long-term sales of US cloud service providers. Because the commercial benefits of using cloud services will gradually eliminate the fear of corporate oversight of the US government.

At the same time, as the NSA monitors project details, companies are increasingly aware of cloud data security and will rise to a high level in 2014.

The Snowden leaks also made it clear how small companies are in controlling the data stored in the cloud. Richard Stiennon, head of the consulting firm It-harvest, said: "There will be a fundamental shift in the cloud computing landscape of the 0 Trust security model, which will enable companies to strengthen cloud security measures to enable enterprise data to be transferred from Enterprise to cloud, or from the cloud download to the enterprise medium all links, as far as possible to avoid any gaps, resulting in the enterprise data leakage. ”

Corporate security officials are preparing to improve the cloud security of their businesses and start with several key aspects, including data encryption, key and data ownership, regionalization and increased government transparency, analysts said.

Data encryption

Data encryption has been a cause of great concern since the crash. Major cloud service providers, such as Microsoft, Yahoo and Google, have end-to-end encryption settings for their managed and managed user data.

For example, Google Cloud storage now enables automatic encryption of new data written to disk, and this server-side encryption will soon be used to store old data on Google's cloud to secure all data.

Since the release of the NSA surveillance program, Microsoft has announced its new plan to strengthen the encryption of services offered by Microsoft, including Outlook.com, Office 365, SkyDrive and Windows Azure.

By the end of 2014, Microsoft wanted to find an appropriate way to encrypt data transmitted between users and Microsoft's data centers, while also encrypting data transmitted between its data centers.

Microsoft says it wants to encrypt all the data stored on Microsoft's cloud like Google.

Other cloud service providers, such as Dropbox, Sonic.net and SpiderOak, have also announced that they will implement similar data encryption projects and provide 2048-bit key-length services, while using the "perfect forwarding secrecy" approach for future data encryption.

Experts say these approaches are critical to protecting data security between enterprise users and data suppliers.

Information in the NSA encrypted file shows that the NSA is trying to weaken the encryption algorithm and connect to the cloud service provider's data center through a fibre link to obtain user data.

Key Management and data ownership

The controversial relationship between the US government and Lavabit has given rise to a high degree of emphasis on key management and data ownership, Lavabit is a secure e-mail service provider that the U.S. government has asked the cloud service company for a data key.

"The cryptographic practices of cloud service providers are indeed an important way to improve cloud security, but they only do that," said Eric Chiu, president of Cloud Infrastructure management company HyTrust. ”

"Data encryption is safe only if its key management system is secure." "When the cloud service provider uses the encryption method, the user needs to be clear: if the supplier is holding the Data key, they are likely to steal the user data, or give the key to someone else if they want it," Chiu said. ”

This concern has spurred interest in finding other ways to protect cloud security by enabling enterprise users with cloud services to own their data keys and to understand key management programs when data is still, when data is used, and when it is transmitted.

A growing number of cloud computing providers, such as Vaultive, CipherCloud, TrendMicro, and hytrust, provide tools that enable enterprise users to have greater control over their own data when using cloud hosting infrastructure and services.

For example, CipherCloud provides a gateway technology that enables enterprise users to encrypt data that is transmitted and stored in the cloud. At the same time, this gateway allows businesses to store keys locally and manage encrypted data stored in the cloud.

The advent of this technology means that government departments can access data only through the owner of the data, in order to eliminate the fact that the cloud service provider is handing the key over to the government department without the knowledge of the data owner.

Security experts have been recommending durable, stable encryption to secure data in the cloud, but so far the adoption rate has been low because of the high cost and complexity of key management. But that is changing.

"Some companies need real data privacy for compliance and internal goals, and we will see these companies perform encryption and store the keys inside the enterprise," Chiu predicts. ”

Vaultive, CipherCloud, and other cloud service providers have said that as the NSA monitoring scandal has surfaced, corporate users have grown significantly in the technology they offer.

Regionalization

The Snowden leaks can also accelerate the regionalization of cloud computing services.

Concerns about managed data on servers and infrastructure clouds in the United States have led to business users, especially those who are not American, who prefer to use services from cloud services providers closer to their own businesses.

Companies in China and Asia and the Pacific, in particular, are concerned about us cloud service providers and the technology they provide since the NSA surveillance program was released, Stiennon said. Many companies are starting to choose the hosting services provided by suppliers or local vendors in other parts of the United States.

Steinnon said: "I do not like the word" Balkanization ", but now the global cloud computing providers do present a distributed phenomenon. "Over the past few years, hundreds of small public cloud service providers have sprung up and served the local market in different parts of the world." According to Stiennon, many of these suppliers will benefit from the Snowden leaks.

At the same time, large cloud service providers in the US will also set up service operations around the world to reduce shipping costs and provide better services to local users, said Gartner analyst Lawrence Pingree.

In December 2013, for example, Amazon announced that it would relocate its AWS public cloud service to China in 2014. The plan includes Amazon's installation of cloud servers in China to provide hosting services to Chinese companies.

Pingree said: "Many cloud service providers and SaaS providers are implementing regionalization to improve agility and product performance." Pingree said the high level of security concerns would accelerate the pace of use of regional data centres.

Enhanced transparency

Influenced by the Snowden leaks, the government has also been asked to increase transparency and improve people's right to know when collecting data. Google, Microsoft, Yahoo and a large number of other High-tech providers are pressing the government to allow them to disclose details of the NSA and other intelligence agencies ' requests for user data. The companies say they misunderstand the role they play in the government's theft of user data because the law prohibits them from disclosing details of the NSA's access to user data.

Executives at companies such as Google, Apple, Facebook and Microsoft have written to President Obama asking the government to reform surveillance and improve government transparency. This is unprecedented in America.

Google, Microsoft and other companies plan to provide more details about government data collection in their regular transparency reports, and say they will actively and legitimately challenge the government's request for data.

Analysts say even telecoms companies, even if they respond significantly more slowly to government data-gathering events than those cloud service providers, will have the same plans in the future.

Verizon, a telecoms company in the United States, said it would soon issue a transparency report announcing details of the law enforcement agencies asking for user data.

In a blog post, Microsoft's chief advisor, Brad Smith, wrote in December 2013 that government monitoring, together with complex malware and cyber attacks, created a "high level of sustainability threat".

In addition to some very restrictive circumstances, Microsoft will struggle with the government's demand for its cloud user data, Smith said. "We think that government departments can go directly to corporate users or government users to get information and data for each employee, just as they did when their data were not moved to the cloud, rather than through cloud service providers like us," Smith said. ”