Strong words for the government came out of Microsoft recently, with Brad Smith, the company’s general counsel and EVP of Legal & Corporate Affairs using the official Microsoft blog to call out government snooping as an “advanced persistent threat” comparable to “sophisticated malware and cyber attacks.” Smith expressed alarm at continuing “allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.”
How does Microsoft plan to address this threat? For one, by encrypting traffic that flows between the data centers on its internal network, according to ZDnet. This is a direct response to news of the NSA’s “Muscular” Project, which directly intercepts data from the private networks of some of the world’s largest cloud providers, as we previously discussed on this blog. Protecting data center traffic is particularly vital for Microsoft’s enterprise customers, who may have sensitive information stored in the company’s cloud applications, including Outlook.com, Office 365, and SkyDrive.
Microsoft plans to apply encryption by default to both content moving between customers and the Microsoft cloud, and content moving within Microsoft data centers. And Microsoft plans to do it fast. “Many of our services already benefit from strong encryption,” Smith wrote, while the company is “accelerating plans to provide encryption” wherever it hasn’t already been applied.
This is a significant step that will likely help protect both Microsoft’s and customers’ best interests, especially given the potential staggering cost of NSA snooping, but is it enough? Are the measures Smith discusses still under the umbrella of the “online security measures”?
All cloud providers including Microsoft should encrypt their customers’ data, even when it’s flowing internally between the cloud providers’ data centers. But, as we’ve pointed out here on more than one occasion, entrusting encryption to your cloud service provider (CSP) simply isn’t enough to ensure cloud data protection, especially from government intrusion.
– Encryption keys stored by the same CSP that stores your data are easier for government agencies to acquire. It’s like locking your car but hiding your key on a tire instead of taking it with you.
– The multi-tenant nature of CSP architectures creates the possibility of inadvertent disclosure of your data if another customer’s data is accessed.
What it adds up to is a loss of control. Again, cloud providers like Microsoft absolutely should encrypt data, but you can’t rely on their encryption alone to keep your cloud data protected and private. Truly reliable cloud data protection demands that your enterprise retain exclusive access to, and control of, encryption keys. That way, no one, not even government agencies, can decrypt your enterprise’s sensitive information without going through your enterprise.
CipherCloud | @ciphercloud | www.ciphercloud.com
CipherCloud, the leader in cloud information protection, enables organizations to securely adopt cloud applications by overcoming data privacy, residency, security, and regulatory compliance risks. CipherCloud delivers an open platform with comprehensive security controls including encryption, tokenization, cloud data loss prevention, cloud malware detection, and activity monitoring. CipherCloud’s ground breaking technology protects sensitive information in real time, before it is sent to the cloud, while preserving application usability and functionality.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.