Plain-speaking: Data Privacy vs. Data Security — Espionage in the Cloud Age
When it comes to data privacy, data security and espionage, there are myths and obscurities to consider. Over and over, false truths continuously circulate, especially within the context of the cloud. Vendors shamelessly take advantage of customer insecurities by using incorrect information in their PR or marketing activities.
Causing confusions and hoaxes
Headlines like „Oracle invests in Germany for data security reasons“ are just one of many examples of information misinterpreted by the media. However, the ones who should know better — the vendors — are doing nothing to provide better clarity. On the contrary, the fears and concerns of the users are used without mercy to make business. For example, Oracle’s country manager Jürgen Kunz justifies both new German data centers by stating that “In Germany data security is a particularly sensitive topic.” The NSA card is easy to play these days by just saying, “… that Oracle, as a US company, stays connected to the German market.”
However, the location has nothing to do with data security and the NSA scandal. If intelligence is getting access to the data in a data center in Germany, the US, Switzerland or Australia, this has very little to do with the country itself. If the cloud provider sticks to its own global policies for data center security on the physical as well as the virtual level, a data center regardless of the location should overall provide the same level of security. Storing data in Germany is no guarantee for a higher level of security. A data center in the US, UK or Spain is just as secure as a data center in Germany.
The confusion. When it comes to security, two different terms are frequently being mixed: data security and data privacy.
What is data security
Data security means the implementation of all technical and organizational procedures in order to ensure confidentiality, availability and integrity for all IT systems.
Public cloud providers by far offer better security than a small business is able to achieve. This is due to the investments that cloud providers are making to build and maintain their cloud infrastructures. In addition, they employ staff with the right mix of skills and have created appropriate organizational structures. For this reason, they are annually investing billions of US dollars. There are only few companies outside of the IT industry that are able to achieve the same level of IT security.
What is data privacy
Data privacy is about the protection of personal rights and privacy during the data processing.
This topic leads to the biggest headaches for most companies, due to the fact that the legislative authority can’t take it easy. This means that a customer has to audit the cloud provider in compliance with the local federal data protection act. In this case, it is advisable to use the expert report of a public auditor since it is time and resource consuming for a public cloud provider to be audited by each of its customers.
Data privacy is a very important topic; after all, it is about a sensitive dataset. However, it is essentially a topic of legal interest that must be ensured by data security procedures.
The NSA is a false pretense. Espionage is ubiquitous.
Espionage is ubiquitous. Yes, even in countries like Germany. Although one should not forget that each company could have a potential Edward Snowden in its home. The employee still feels comfortable but what happens when he receives a more attractive offer or the culture in the team or the company changes? Insider threat presents a much greater danger than external attackers or intelligence. The former hacker Kevin Mitnick describes in his book “The Art of Deception” how he got all the information in order to prepare his attacks by simply browsing the trash of his victims and using techniques of social engineering. In his cases it was more about the manipulation of people and extensive research instead of the capturing of IT systems.
A German data center as a protection against the espionage of friendly countries is and will stay a myth. When there’s a will, there’s a way. When an attacker wants to get the data it is only about the criminal energy he is willing to undertake and the funds he is able to invest. If the technical challenges are too high, there is still the human factor as an option — and a human is generally “purchasable”.
The cloud is the scapegoat!
The cloud is not the issue. To use espionage as an excuse for not using cloud services is too easy. Bottom line, in the times before the cloud, the age of outsourcing, it was also possible to spy. And the intelligence did it. Despite the contracts with their customers, providers were also able to secretly give data to the intelligence.
If espionage had been in the focus during the age of outsourcing as it is today, outsourcing would have been demonized by now. Today’s discussions are a relevant product of the political situation in which the lack of trust characterizes the formerly established economic, military and intelligence partnerships.
Due to the amount of data that cloud providers are hoarding and merging, today they have become more attractive. Nevertheless, for an outsider to get access to a data center takes a lot of effort. Andrew Blum describes in his book „Tube: Behind The Scenes At The Internet“ that because of the high connectivity to other countries (e.g. the data from Tokyo to Stockholm or data from London to Paris), one of the first Internet hubs „MAE-East“ (1992) had quickly become an objective of the US espionage. No wonder, since MAE-East was the de-facto way into the Internet. Bottom line is, intelligence does not need to make a footstep into one single provider data center — it simply needs to hijack a connectivity hub to eavesdrop the data lines.
The so-called “Schengen-Routing” is discussed in this context. The idea is to let the data traffic stay in Europe as data are transferred only between hosts in Europe. Theoretically, this sounds like an interesting idea. In practice it is totally unfeasible. When using cloud services from US providers the data are routed through the US. If an email from a German provider’s account is sent to an account managed by a US provider, the data need to leave Europe. In addition, for many years we have been living in a fully interconnected world where data are exchanged globally. And there is no way back.
A more serious issue is the market power and the clear innovation leadership of the US when compared to Europe and Germany. The availability and competitiveness of German and other European cloud services is still limited. The result is that many companies have to use cloud services from US providers. Searching for a solution only on the network layer is useless, unless competitive cloud services, infrastructure and platforms of European providers are available. Until then, only data encryption helps in order to avoid intelligence and other criminals from accessing the data.
It is imperative that European and German providers develop and market innovative and attractive cloud services, because a German or European data center on its own has little to do with a higher data security. It just offers the benefit of the German/ European data privacy standard to fulfill the regulatory framework.
Originally published at analystpov.com.