How to keep the feds from snooping on your cloud data

A cottage industry is growing up around virtual padlocks that consumers can place on cloud services so that the vendors themselves can't get to the information -- even if the government requests access.

And in recent years there have been a lot of those government requests for access from storage-as-a-service providers.

For example, Google regularly receives requests from governments and courts around the world to hand over user data. Last year, it received 21,389 government requests for information affecting 33,634 user accounts. Sixty-six percent of the time, Google said it provided at least some data in response.

During the same period, Microsoft received 70,665 requests affecting 122,015 accounts -- more than three times as many requests for information disclosure as Google. Only 2.2% of those requests resulted in Microsoft turning over of actual content; 1,558 accounts were affected. Another 79.8% of the requests resulted in disclosure of subscriber or transactional information affecting 56,388 accounts.

Newly disclosed information, however, has added to public sensitivity around government intrusion.

Freedom of Information Act requests by the American Civil Liberties Union revealed last week that the U.S. government claims the right to read personal online data without warrants. "It is the case everywhere in the world that governments seem to believe that if data is recorded and available, they should be able to access it," said Jay Heiser, an analyst with research firm Gartner. "It's not unique to the U.S., although the United States brags about it to a unique degree."

New documents obtained by the ACLU from the FBI and U.S. attorneys' offices revealed startling realities around the government's email surveillance practices. Last month, the ACLU also obtained documents showing that the IRS does not always get a court order to read citizens' emails.

Locking the feds and thieves out

So should consumers add security to their cloud storage repositories to keep their data even more secure from prying providers and government snoops? Absolutely, says Heiser.

That's because many data breaches involve frustrated service provider employees who see treasure-troves of data as a way to make a quick buck. "There are repeated stories ... of rogue employees who collect data to sell to credit card fraudsters," Heiser said. "It is an issue with provider staff morale."

Apart from downloading freeware, such as TruCrypt, and encrypting every folder or file before it's uploaded to the cloud, new automated tools are emerging that handle the job of cloud storage security more seamlessly.

SafeNet, for example, just launched a beta of SafeMonk, which adds a secure encryption log-in to Dropbox. Essentially, the data you store in Dropbox can't even be accessed by Dropbox itself because users get to keep the encryption keys.

Ironically, SafeNet also happens to be one of the largest suppliers of encryption technology to the U.S. government.

SafeMonk, which will be available for download at the end of this month, works by creating a dedicated encrypted folder in your Dropbox account. The service also allows users to share files by offering others an RSA public key password and will eventually offer businesses administrative oversight so admins can monitor traffic and restrict corporate data access.

SafeMonk is free to consumers, who can download the software and start encrypting and sharing Dropbox files at no cost. For business customers, SafeMonk plans to charge for its service once it is available, though prices have not yet been set.

Chris Ensey, who runs the security division of Dunbar Armored, an armored transportation service, has been beta testing SafeMonk, largely in a bid to thwart to malware and cybercriminals.

He was able to take part in the initial beta testing because he worked for SafeNet last summer, before SafeMonk was created.

Ensey and his wife used the cloud encryption tool during a recent refinancing of their house. Initially, the security-sensitive Ensey passed along sensitive financial data to his mortgage broker using a USB thumb drive, something that turned into a laborious process. With SafeMonk, the couple could securely share files quickly.

"At some point you get worried that email isn't something that is very secure. Anything you put in there is being indexed by Google," he said, referring to Gmail. "I like having more control over that.

"And [my wife] doesn't even realize it's there. It's transparent," he continued. "This product is really pretty approachable. I just point to a folder and tell her anything you put in this will be protected."

Ensey also said he'd like to see the tool expanded for mobile and Android OS use.

Other options

SafeNet is not alone in offering a virtual padlock for cloud-based data stores. Vendors such as Boxcryptor, Sookasa, TrustedSafe and PKWare with its Viivo offering, are also going after the same market, according Heiser. So is CipherCloud, which is expected to offer consumer cloud encryption protection.

Willy Leichter, senior director of product marketing for CipherCloud, said virtual padlocks for cloud storage is a nascent but "hot" area for his company, especially in light of the increase in government requests to vendors for access to customer data.

Through its CipherCloud Platform, the company currently offers cloud data encryption and data loss prevention (DLP) tools for businesses. CipherCloud recently announced a partnership with cloud storage and content-sharing service Box.com, offering both encryption and DLP to users.

While Leichter said CipherCloud's cloud encryption business is "growing rapidly," he would not expound on whether his company plans to begin selling a consumer-class product anytime soon.

Businesses are acutely sensitive to government information requests because they're also beholden to privacy laws, such as HIPAA and the Gramm-Leach-Bliley Act. So, in highly regulated industries, such as financial services and healthcare, businesses must strike a balance between government oversight and consumer privacy.

"They feel they can't comply with local privacy laws and have their data subject to Patriot Act. We allow them to encrypt their data in the cloud and they keep the encryption keys," he said.

The U.S. Electronic Communications Privacy Act of 1986 came along in the early days of the Internet. The act did not require government investigators to obtain a search warrant for requesting access to emails and messages that are stored in online repositories.

In 2001, the Patriot Act further added to the authority of the federal government to search records under its "Library Records" provision, offering a wide range of personal material into which it could delve.

"You can argue that people shouldn't try to skirt around the Patriot Act, but they're also trying to comply with data privacy issues," Leichter said. "When some government agency requires information disclosure, most organizations I know would like to make that decision themselves and not have the cloud provider make it for them."

This article, How to keep the feds from snooping on your cloud data, was originally published at Computerworld.com.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.

See more by Lucas Mearian on Computerworld.com.

Read more about cloud security in Computerworld's Cloud Security Topic Center.