Data privacy and security in the post-snowden era

Transcription

1 Data privacy and security in the post-snowden era Matthew D. Sarrel, CISSP August 22, 2014 This report is underwritten by Verne Global.

2 TABLE OF CONTENTS Executive summary... 3 Situational analysis... 4 Governments protect and threaten customer data privacy... 7 Iceland is a data haven Conclusion and key takeaways Appendix: security checklist for selecting data-center services About the author About Gigaom Research Data Privacy and Security in the Post Snowden Era 2

3 Executive summary Recent revelations of spying by the U.S. National Security Agency (N.S.A.) as well as by the U.K. and French governments indicate that not every cloud is safe and secure. Companies in countries with strict regulations governing sensitive data must find a geographic location that is legally viable for compliance within their data protection laws. Iceland, through the combination of the Icelandic Modern Media Initiative (IMMI) regulations and status as an European Economic Area (E.E.A.) state, is uniquely positioned as a data privacy haven, so E.U. companies that are serious about protecting corporate intellectual property and customer data should evaluate cloud-hosting providers located there. Key takeaways: Legal data exposure as a result of the U.S. PATRIOT Act combined with illegal data exposure as a result of N.S.A. spying has created a legal environment in which E.U. companies can no longer consider hosting customer data and corporate intellectual property at U.S. cloud providers that are located within the U.S. or in other geographies with weak user privacy laws beyond U.S. borders. Countries within the E.U., such as the U.K. and France, are also guilty of unauthorized data access and spying and are therefore inappropriate countries to host data. Companies headquartered in the E.U. are required under Directive 95/46/EU to protect sensitive customer data, which they cannot accomplish in the environments created by the U.S. PATRIOT Act and government spying. Iceland, with its IMMI regulations and status as an E.A.A. state, is one of the few valid choices for hosting cloud-based data in compliance with Directive 95/46/EU. Data Privacy and Security in the Post Snowden Era 3

4 Situational analysis With CIOs enjoying the flexibility, agility, nimbleness, and lower human and capital costs associated with public clouds, cloud computing has entered its mainstream adoption phase. Cloud adoption is fueled by many corporate, cultural, and economic factors such as: Cost cutting in times of economic uncertainty Scaling up or down (resource elasticity) Time savings Data-center simplification A need to use IT resources and personnel efficiently With the hardware procurement times in most organizations upwards of three months, cloud-based infrastructure is an attractive alternative because it is readily available and easy to deploy, thereby saving time and money. Furthermore, IT planners like the control and flexibility of build-it-yourself and do-ityourself (DIY) when they are enabled through the cloud because they require fewer resources. These factors save resources and expensive technical expertise that organizations can better utilize elsewhere. In October 2013, NTT Communications Security published a report based on a survey of 700+ IT decision makers at organizations with 500+ employees in the U.S./Canada, U.K., Germany, Nordics, Singapore, Japan, and Hong Kong. The survey, conducted in May and June 2013, found that more than 87 percent of North American businesses had already moved, or were looking to move, their services and data into the cloud within the next two years. According to the survey, 60 percent of European companies and 34 percent of Nordic companies agreed. Furthermore, 98 percent of those North American businesses using the cloud have been using it for six months or longer versus 79 percent in Europe. Corporate intellectual property (IP) is a key differentiator and value proposition. The 2013 edition of the World Intellectual Property Organization s IP Facts and Figures provides statistics about four types of industrial property: patents, utility models, trademarks, and industrial designs. Each year, the World Intellectual Property Organization conducts a survey of approximately 150 national and regional IP offices around the world. The estimated 2.35 million patent applications filed worldwide in 2012 represent growth of 9.2 percent over This is the highest rate of growth recorded in 18 years. Data Privacy and Security in the Post Snowden Era 4

5 Figure 1. Source: WIPO 2013 Organizations are rightly concerned about any outside source snooping through their data because leaking valuable corporate IP of any kind is detrimental to an enterprise. In the post-snowden era, the importance of data security and data privacy as the key decision criteria in selecting a cloud infrastructure provider has been magnified. Data Privacy and Security in the Post Snowden Era 5

6 Companies think about data security and data privacy very differently today from the way they did a couple of years ago. CIOs are curious to explore geographies and jurisdictions that can provide the greatest protection to their corporate IP. In the post-snowden era, data security and data privacy laws vary across North America and Europe. For example, when compared to many other countries, Swiss and German laws are more favorable to enterprises than to authorities. Data Privacy and Security in the Post Snowden Era 6

7 Governments protect and threaten customer data privacy Directive 95/46/EC, which is the primary data protection law in the E.U., establishes a regulatory framework for the protection of personal data. It attempts to strike a balance between securing and protecting the privacy of individuals and the free movement of personal data within the E.U. It sets strict limits on the collection and use of personal data and demands that each member state establish an independent national body responsible for the protection of that data. Data processed by E.U. entities must be under their control at all times and customers must be notified in the event of a data breach. Data must not be exposed to prying eyes, including those of government bodies. Edward Snowden highlighted this issue when he leaked information to various newspapers about the N.S.A. programs designed to intercept European telephone metadata and the existence of the PRISM and Tempora internet surveillance programs. At the time he gathered the information, he was working as a contractor for Booz Allen Hamilton, as an infrastructure analyst for the N.S.A. Although many in the security community already knew about these programs, Snowden s leaks drew greater public attention to them. The N.S.A. s wholesale data harvesting and spying, as revealed by Snowden, violates the privacy of data subjects and renders the protection of data by processors impossible. For this reason, no company headquartered in the E.U. and subject to E.U. law can satisfy the requirements of Directive 95/46/EC while hosting data in the U.S. The leaks have led the E.U. and many of its member countries to investigate their own data protection laws to determine whether permission was granted for U.S. access to local data. In most cases it was not. E.U. Vice President Neelie Kroes said that she was also concerned about the wider impact on the cloud computing industry given that most cloud providers are U.S. companies. If European cloud customers cannot trust the U.S. government or their assurances, then maybe they won t trust U.S. cloud providers either, Kroes said in July of Spying is not exclusively the purview of the U.S. government. France was also exposed for its data surveillance when newspaper Le Monde reported that the French foreign intelligence service DGSE regularly intercepts data from internet and telephone communications on a large scale. According to Le Monde, the operation is outside the law and beyond any proper supervision. French officials refused to comment on the accusations that the DGSE analyses the metadata of s and other communications Data Privacy and Security in the Post Snowden Era 7

8 revealing who is speaking to whom, when, and where. Le Monde reported that connections inside France and between France and other countries are all monitored and that while the operation is designed to uncover terrorist cells, its scale implies that anyone can be spied on at any time. BBC coverage of the Le Monde article added the U.K. spy agency GCHQ is reported to run a similarly vast data collection operation, co-operating closely with the N.S.A. Figure 2. Source: NTT Communications Largely as a response to the information leaked by Snowden, countries in Europe (both in and out of the E.U.), Asia, Australia, New Zealand, Russia, Saudi Arabia, and Brazil have initiated legislation requiring that data generated within their borders stays within their borders. When the data of one country s citizens leaves its borders, the country loses the ability to regulate the use of that data. Consequently, many countries are concerned that data privacy laws in other countries, particularly those in the U.S., don t offer the protections their citizens expect or that national leadership wants to guarantee. Data Privacy and Security in the Post Snowden Era 8

9 Many enterprises use the cloud to ensure they will have a data-center presence in all the locations where they do business as well as for geographic diversity that can aid disaster recovery (DR). But if data generated in one country is required to stay in that country, then the cloud provider must be able to provide a guarantee that such data does in fact never leave that country. This points to a solution that involves multiple clouds in multiple countries, which is not the easiest system to build and maintain. Additionally, due diligence can be difficult from the other side of the planet, and the data custody practices of cloud providers in emerging markets like Eastern Europe and Latin America are not very easy to assess. Assessing the interaction between the data-center provider and the local government is crucial. If a government issues subpoenas or warrants for data, will the service provider hand it over? If not, will the service provider adhere to the idea that while they house the data, they are not in custody of it, so the enterprise must comply? In the U.S., cloud providers are not required by law to notify their customers if they allow access to the authorities responding to a subpoena. Therefore most don t. The Information Technology and Innovation Foundation (ITIF), a technology think tank, projected in August 2013 that U.S. cloud-computing providers would eventually lose 20 percent of the foreign market to competitors. In dollar terms, it projected losses as high as $35 billion by Apprehension over the security of the sensitive data stored in the cloud has caused many businesses to avoid storing data in cloud services within the U.S. In a survey of 300 U.K. and Canadian businesses commissioned by PEER 1 Hosting and published in January 2014, twenty-five percent of those surveyed stated that they would move their company data outside of the U.S. due to N.S.A.-related privacy and security concerns. In addition, 82 percent indicated that privacy laws are a top concern when choosing where to host their data and 81 percent want to know exactly where their data is being hosted. Nearly 70 percent of respondents agree they would sacrifice performance to ensure data sovereignty. Clearly, data privacy and security concerns were heightened following the revelation of data spying programs by the N.S.A. and other organizations around the world. Customers are now demanding that hosting and cloud providers offer them control over the locations where they store their customer data, ensuring that they can guarantee security and privacy over data while maintaining regulatory compliance. Data Privacy and Security in the Post Snowden Era 9

10 Iceland is a data haven Over the past five years, due to the Icelandic Modern Media Initiative (IMMI), which is currently a project of the International Modern Media Institute, Iceland has become a data haven with the most progressive internet laws in the world. The origins of the IMMI go back to 2009 and an incident involving Wikileaks: In August 2009, Kaupþing Bank succeeded in obtaining a court order gagging Iceland s national broadcaster, RÚV, from broadcasting a risk analysis report showing the bank's substantial exposure to debt default risk. This information had been leaked by a whistleblower to WikiLeaks and remained available on the WikiLeaks site; faced with an injunction minutes before broadcast the channel ran with a screen grab of the WikiLeaks site instead of the scheduled piece on the bank. Citizens of Iceland felt outraged that RÚV was prevented from broadcasting news of relevance. Therefore, WikiLeaks has been credited with inspiring the Icelandic Modern Media Initiative, a bill meant to reclaim Iceland's 2007 Reporters Without Borders (Reporters sans frontières) ranking as first in the world for free speech. It aims to enact a range of protections for sources, journalists, and publishers. Birgitta Jónsdóttir, a former volunteer for WikiLeaks and member of the Icelandic parliament, is the chief sponsor of the proposal. It is particularly important that the IMMI protects intermediaries such as ISPs and telecommunications carriers from prosecution. In addition, the law provides protections from foreign judgments that violate Icelandic freedom of expression protection. This legislation means that no company in Iceland is required by Icelandic law to disclose information for legal reasons alone. One of the explicit aims of this legislation is to prevent the misuse of data by foreign intelligence services such as the N.S.A. In addition, the PATRIOT Act is only applicable to American companies housing data in Iceland. The PATRIOT Act allows U.S. intelligence and investigation services to access cloud data stored by U.S. companies wherever it is hosted regardless of geographic location. The law also includes a gag order to prevent target companies from learning and disclosing that their data has been accessed. This means that a U.S.-based or U.S.-controlled cloud provider is required to turn over a company s data and cannot tell them that they did so. This violates both the IMMI and Directive 95/46/EU. Data Privacy and Security in the Post Snowden Era 10

11 Furthermore, Iceland benefits from an E.U. status as a commissioned data processor, which means that the usual requirement when carrying out cross-border data transfers to check that the country in which the data processor is located ensures an adequate level of protection is no longer applicable. Companies located in Iceland seeking to process E.U. possessed data must undergo an audit of their technical and organization security measures and provide appropriate security guarantees. As part of the E.A.A., Iceland, along with Liechtenstein and Norway, is guaranteed free movement of goods, services, capital, and labor including data. Directive 95/46/EU applies to E.U. data housed in Iceland and regulations there are consistent with the data-protection legislation in E.U. member countries. The IMMI is comparable to data protection laws throughout the E.U., so data housed in Iceland must be treated no differently from data housed in any country within the E.U. Data Privacy and Security in the Post Snowden Era 11

12 Conclusion and key takeaways While cloud computing is on the rise in North America and Europe, serious threats to data privacy and the security of corporate intellectual property exist. These threats are not only the result of illegal activities engaged in by hackers. Perhaps the greatest threats to customer data and corporate IP are those posed by governments and their warrants, subpoenas, and espionage. Trust in the U.S. government has been deeply eroded as a result of the Snowden revelations of N.S.A. spying. Companies that must avoid potential exposure to government spying and adhere to E.U. data privacy regulations can neither consider hosting sensitive data within the geographic boundaries of the U.S. nor can they host it at U.S.-owned cloud providers located outside U.S. borders. For these businesses, IMMI regulations and Iceland s status as an E.E.A. state make it an ideal location for hosting customer data and corporate IP. The combination of legal data exposure as a result of the U.S. PATRIOT Act and illegal data exposure as a result of N.S.A. spying has created an environment where E.U. companies can no longer consider hosting customer data and corporate intellectual property at U.S. cloud providers located within and beyond the borders of the U.S. Countries within the E.U., such as the U.K. and France, are also guilty of unauthorized data access and spying and are therefore also inappropriate countries to host data. Iceland, with the IMMI regulations and status as an EAA state, is one of the few valid choices for hosting cloud-based data in compliance with E.U. Directive 95/46/EU. Data Privacy and Security in the Post Snowden Era 12

13 Appendix: security checklist for selecting datacenter services Here is a checklist that organizations can use when they are selecting data-center services and testing data security and privacy. Is your company headquartered in the E.U. or otherwise subject to Data Protection Directive 95/46/EC? Is your company legally required to store data in the country or region in which it was generated? Is the service provider located in or owned by a U.S.-based company, and therefore subject to the PATRIOT act? Is the service provider located in a country that is known to have engaged in data intercepts or to have cooperated with U.S. PATRIOT Act surveillance? If it operates in or with E.U. countries, has the service provider earned the status of commissioned data processor?" If a government issues a subpoena or warrant for company data, will the service provider hand it over without permission of the company? If a service provider turns over company data to a government, will it notify the company that such a transfer has occurred? What level of detail will they provide? Data Privacy and Security in the Post Snowden Era 13

14 About Matt Sarrel Matthew David Sarrel is currently Executive Director of Sarrel Group, an editorial services, product test lab, and information technology consulting company with offices in New York City and San Francisco. He is a Contributing Editor for PC Magazine as well as a Frequent Contributor for the Internet.com family of sites. He is also a technical writer and game/product reviewer. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as Vice President of Engineering and IS Manager at two internet startups and almost 10 years providing IT solutions in medical research settings, beginning his career as a network administrator and ultimately serving as Director of IT for the New Jersey Medical School National Tuberculosis Center and CIO for the HIV Educational Exchange for Healthcare Workers in Vietnam project. About Gigaom Research Gigaom Research gives you insider access to expert industry insights on emerging markets. Focused on delivering highly relevant and timely research to the people who need it most, our analysis, reports, and original research come from the most respected voices in the industry. Whether you re beginning to learn about a new market or are an industry insider, Gigaom Research addresses the need for relevant, illuminating insights into the industry s most dynamic markets. VisitU.S.at:research.gigaom.com Giga Omni Media, Inc. All Rights Reserved. This publication may be used only as expressly permitted by license from Gigaom and may not be accessed, used, copied, distributed, published, sold, publicly displayed, or otherwise exploited without the express prior written permission of Gigaom. For licensing information, please contact us. Data Privacy and Security in the Post Snowden Era 14