How to keep the feds from snooping on your cloud data

Virtual padlocks can keep storage providers -- and the government -- from accessing data in the cloud

A cottage industry is growing up around virtual padlocks that consumers can place on cloud services so that the vendors themselves can't get to the information -- even if the government requests access.

And in recent years there have been a lot of those government requests for access from storage-as-a-service providers.

For example, Google regularly receives requests from governments and courts around the world to hand over user data. Last year, it received 21,389 government requests for information affecting 33,634 user accounts. Sixty-six percent of the time, Google said it provided at least some data in response.

During the same period, Microsoft received 70,665 requests affecting 122,015 accounts -- more than three times as many requests for information disclosure as Google. Only 2.2% of those requests resulted in Microsoft turning over of actual content; 1,558 accounts were affected. Another 79.8% of the requests resulted in disclosure of subscriber or transactional information affecting 56,388 accounts.

Newly disclosed information, however, has added to public sensitivity around government intrusion.

Freedom of Information Act requests by the American Civil Liberties Union revealed last week that the U.S. government claims the right to read personal online data without warrants. "It is the case everywhere in the world that governments seem to believe that if data is recorded and available, they should be able to access it," said Jay Heiser, an analyst with research firm Gartner. "It's not unique to the U.S., although the United States brags about it to a unique degree."

New documents obtained by the ACLU from the FBI and U.S. attorneys' offices revealed startling realities around the government's email surveillance practices. Last month, the ACLU also obtained documents showing that the IRS does not always get a court order to read citizens' emails.

Locking the feds and thieves out

So should consumers add security to their cloud storage repositories to keep their data even more secure from prying providers and government snoops? Absolutely, says Heiser.

That's because many data breaches involve frustrated service provider employees who see treasure-troves of data as a way to make a quick buck. "There are repeated stories ... of rogue employees who collect data to sell to credit card fraudsters," Heiser said. "It is an issue with provider staff morale."

Apart from downloading freeware, such as TruCrypt, and encrypting every folder or file before it's uploaded to the cloud, new automated tools are emerging that handle the job of cloud storage security more seamlessly.

SafeNet Labs, for example, just launched a beta of SafeMonk, which adds a secure encryption log-in to Dropbox. Essentially, the data you store in Dropbox can't even be accessed by Dropbox itself because users get to keep the encryption keys.

Ironically, SafeNet, which started SafeNet Labs as a technology incubator, also happens to be one of the largest suppliers of encryption technology to the U.S. government.

SafeMonk, which will be available for download at the end of this month, works by creating a dedicated encrypted folder in your Dropbox account. The service also allows users to share files by offering others an RSA public key password and will eventually offer businesses administrative oversight so admins can monitor traffic and restrict corporate data access.

SafeMonk is free to consumers, who can download the software and start encrypting and sharing Dropbox files at no cost. For business customers, SafeMonk plans to charge for its service once it is available, though prices have not yet been set.

Chris Ensey, who runs the security division of Dunbar Armored, an armored transportation service, has been beta testing SafeMonk, largely in a bid to thwart to malware and cybercriminals.

He was able to take part in the initial beta testing because he worked for SafeNet last summer, before SafeMonk was created.

1 2 Page
FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies