The Edward Snowden fallout continues, with revelations last week of the NSA’s MUSCULAR project. MUSCULAR apparently exceeds the scope of even the NSA’s PRISM project by bypassing most existing data collection oversight to directly intercept data from Google’s and Yahoo’s private fiber networks.
In conjunction with the UK’s Government Communications Headquarters (GCHQ), MUSCULAR collected and processed over 181 million records during just one 30-day period. The Washington Post’s Barton Gellman and Ashkan Soltani call it “an unusually aggressive use of NSA tradecraft against flagship American companies.” The implications for the enterprise are certainly alarming.
Why alarming? The way that MUSCULAR gathers data, according to the leaked documents, is by tapping directly into Google and Yahoo internal networks, bypassing perimeter security and accessing data in the clear. The project “effectively defeat[s] the SSL encryption [Google and Yahoo] used to protect customers’ Web connections to the cloud providers, giving the agency’s network filtering and data mining tools unfettered access to the content passing over the network,” according to Sean Gallagher at Ars Technica. Additionally, MUSCULAR has a cascading impact on other cloud providers that are leveraging the affected datacenters for data backup.
So what lessons do these revelations offer to enterprises that are considering cloud adoption?
The leaked NSA documents reveal the agency’s mastery of common encryption flows and of techniques to bypass them. A sketch in a “Google Cloud Exploitation” NSA presentation slide shows (with a smiley face that reportedly enraged some Google engineers) exactly where SSL encryption is added and removed when data moves among Google’s data centers and how, therefore, the NSA can access data in the clear. Google and Yahoo both deny knowledge of the snooping, but their encryption strategies are not enough to protect user data from NSA eyes.
What can help? Encryption key management
To make sure your enterprise’s sensitive internal and customer data remains private and under your control, you must not only encrypt it before it ever leaves your premises for the cloud, but also retain exclusive control of the encryption keys. That way, even if the government intercepts your data somewhere along the line, agencies will be unable to read or do anything with that data without your enterprise’s express cooperation.
With every new revelation about government spying and attempts to bypass the protections that enterprises have put into place to secure their data, it becomes clearer that enterprise key control, a major component of CipherCloud’s Cloud Information Protection platform, is extraordinarily important. Edward Snowden and the NSA are proving our approach right.