Security and cloud sales suffering post-Snowden
The need to protect data is putting European organisations off cloud, according to attendees at a major security conference
Security experts today confirmed some in the channel community's worst fears: post-Snowden, organisations are locking down their IT, treating cloud services with distrust, and even avoiding investing in new technologies as a result of security and privacy issues.
In a delegate roundtable at Black Hat Europe 2014 this morning, called Defence Post-Snowden and led by Black Hat and Defcon founder Jeff Moss, security professionals working for a range of European and international organisations confirmed that their protection, prevention and mitigation strategies have become more conservative since the Snowden data leaks.
"Yes," said one industry attendee. "We trusted our internal connectivity more although the internet was the Wild West. Now, we're treating internal connectivity as suspect as well and we have increased our monitoring activities."
Most delegates agreed that their organisations are taking more interest in data and information security since Snowden's revelations about global National Security Agency and GCHQ surveillance – with some of the focus coming increasingly from the C-suite executives that had previously remained out of technical security discussions.
For several, though, the result had been "a step back and away" from cloud computing and SaaS solutions in all their various forms as the security that organisations desire is either difficult to deliver or simply too costly. And that meant a step back from the idea of having the "latest and greatest" technology, in many cases, they said.
Another delegate quipped – winning a ripple of laughter from many of the other 100 attendees: "There is no such thing as cloud: there is just other people's computers."
Most agreed that the best approach is still to lock down and limit the ability of all applications and devices to release unencrypted data over the internet. Even virtual machines must be encrypted if data contained and transported thereby is to remain protected, according to Moss.
Several security specialists said the IT systems of their executives, when travelling abroad, are locked down or limited in various ways – perhaps minimising the number of apps, SSL ciphers, and more or simply "burned" – completely destroyed – on return from a business trip, particularly to places such as China.
This was not simply paranoia, as one revealed. "We always find stuff [when executives return from China]: [For example] through the Great Firewall they do different things that downgrade your SSL to a lower level of encryption that they can break. So a lot of people end up running different versions of SSL, so it's easier to inject something," he said.
"So they still have a lock, but it's not the same level of security. We run into this a lot and we find different types of malware and things on the server. Usually what they are doing is just monitoring; we haven't found anyone actually taking control or anything, but that doesn't mean it is not happening."
The names of Cisco and Google came up repeatedly in the discussion as examples of vendors whose products customers now feel, post-Snowden, they cannot trust.
With Cisco, the issue of hardware backdoors was to the fore, and with Google, the problems with guaranteeing information security.
Mobility and remote working both exacerbated the security problems that organisations were experiencing, most agreed.
What was needed, all agreed, is new, innovative technologies that are keeping up with the needs of organisations to protect and secure data and information. But unless an organisation builds it itself, there is little sign of vendors meeting the challenge, several agreed.
For more on this story see the next issue of CRN