The New York Times reported that Microsoft has collaborated with the National Security Agency (NSA) more extensively than it previously acknowledged. According to classified internal NSA newsletters that were disclosed by the former NSA contractor Edward Snowden, Microsoft has helped the NSA find ways to circumvent its encryption on its Outlook.com portal’s encrypted web chat function, and the security agency was given “pre-encryption stage” access to email on Outlook, including Hotmail email.
Add this revelation to the mounting news that Google, Yahoo!, Apple, Facebook and other cloud service providers are regularly forced to comply with National Security Letters (NSL) approved by the Foreign Intelligence Surveillance Court. An NSL compels the company in possession of the data to secretly turn it over to the U.S. government agency making the request. The company is prohibited from releasing detailed information about what data is requested or who it belongs to.
Microsoft, Google and Facebook have petitioned the government to allow these companies to be more transparent about the requests. They want to allay their customers’ fears by showing that they aren't handing over massive amounts of data to government agencies. In fact, Google already publishes a Transparency Report that shows how many user data requests were made and how many user accounts were affected.
These National Security Letters could have an even deeper impact on cloud computing than many people think. It goes far beyond revelations of private emails and social media accounts. I recently had a conversation with Steve Weis, founder and CTO of the encryption company PrivateCore. Weis paints a scenario – one that he is definitely aware of happening already – that could make many companies think twice about putting any private data in the cloud. And given the revelation about Microsoft sharing clear text data that users think is encrypted with the NSA, I have little doubt that this scenario puts companies’ cloud-based data at risk.
Weis’ scenario involves cloud infrastructure providers like Amazon and Rackspace, among others, where an enterprise customer might have some servers that are running on somebody else’s infrastructure. The customer basically rents servers but runs its own software on them. The enterprise controls the encryption keys and doesn’t hand them over to the cloud service provider. The problem here is that whoever controls the physical infrastructure has an opening: they can extract the customer’s software from memory and, from that, pull out the encryption keys.
“The scenario is, my business is running a server on some infrastructure that I am leasing and whatever infrastructure provider is leasing me the server might get a request to provide a snapshot of the image of the servers to a law enforcement agency. I have no idea that that has happened. I might see a system reset but otherwise I am not going to see any indication that they have captured that memory,” according to Weis. “Sometimes enterprises see servers reset on a periodic basis without explanation and the speculation is this might be that someone is trying to compromise the machine physically.”
Weis sums it up this way: If you are relying on encryption from the cloud service provider where the encryption keys are with the service provider, and if they get a lawful request for that information, they would be turning over clear text data to the authorities. If your enterprise owns the encryption keys in an infrastructure-as-a-service environment and the cloud provider gets a lawful request for information, they could be handing over the encrypted data as well as the clear text memory and then the authorities could parse that memory, get the encryption keys which would be in clear text and then unlock the encrypted data. This would happen unbeknownst to your enterprise.
“We are definitely aware of this happening,” says Weis. “I have spoken to a couple of people in forensics with government agencies. They regularly conduct memory forensics in capturing servers. This is a common activity and there are quite a few tools out there for analyzing the contents of memory and extracting encryption keys from those contents.”
Ironically, government agencies are also concerned about data loss through memory dumps. “The NSA had an insider and that insider could have been a guy in their data center who plugged in a malicious device,” says Weis. “Edward Snowden went in with a USB stick and copied off data. He could just as easily have installed some hardware that would have been sitting in there, continually compromising servers.”
To prevent the accidental or intentional exposure of data via the extraction of encryption keys in memory, Weis recommends an additional layer of encryption on the content in memory. According to Weis, “Full memory encryption reduces the trust to a single component which is the CPU. This gives the enterprise a way to verify that the protective software loads up and nobody can physically extract that memory.”