News from several weeks ago, but I am just catching up: ‘Ex-Googler Allegedly Spied on User E-Mails, Chats’
Reading the details reveals that Google recently reported two unrelated incidents of Google employees gone bad. In one case the allegations suggest a Google employee got into the email accounts of several minors. According to other reports on the same incident, Google did not find the issue itself but rather got notifications from the parents of these minors and started the investigation reactively. A scary and serious issue.
This also reminds me of the conversations around the Google-China incident from a while ago, where, according to some, parts of the hacking were traced back to Google insiders serving the Chinese hacking organization, who were accessing data about civil rights activists, again directly and without leaving traces of wrongdoing. A scary and serious issue for the second time.
The common theme among these isolated incidents is that internal employees with super-user or administrative permissions used those permissions to bypass the internal security and auditing mechanisms of the online services and gained direct access to private or business-sensitive information. Google stated that it has discovered a few gaps in its security framework and will fix them, but there seems to be something more fundamental here.
The basic dynamic is that Google stores enormous amounts of data about almost every person and every organization worldwide. For the most part this information is stored within the Google infrastructure unencrypted and accessible to as few employees as possible. Access to this mountain of information is priceless for many different reasons. And so, while Google is a wonderful organization with an outstanding set of employees, the temptation to do wrong is huge. Incidents of an individual employee turning bad have happened in the past and will probably happen again, because the temptation is so big and privileged users somehow always find the next vulnerability to exploit. This is by no means unique to Google; in fact we should assume that similar incidents happen all the time at every major cloud services provider.
Does this mean that the cloud is not safe and that private or sensitive information should not be stored there?
The answer is that not all hope is lost; there are very specific developments with the potential to dramatically change the fundamental dynamics. The two well-known and proven strategies that will help mitigate the threat are encryption and separation of duties.
The concept is to encrypt data to protect against misuse and to enforce separation of duties between the application and the encryption engine. In such a scenario, one provider owns the application and a second provider owns the responsibility to encrypt data for the application. Administrators of the application provider have access only to the encrypted data, while administrators of the encryption provider have access only to the encryption key. The only party that has access to both the encrypted data and the encryption key is the customer. Individuals on the application side or on the encryption side can no longer access the data without the cooperation of the other provider.
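The split described above, as an added illustration rather than code from any vendor mentioned here: two providers are modelled as objects, one holding only ciphertext and one holding only keys, and only the party that combines both recovers the data. The cipher is a standard-library toy (HMAC-SHA256 keystream, encrypt-then-MAC) chosen so the example runs offline; the class and record names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy cipher from the standard library only (assumption: a real deployment would use a
# vetted AEAD such as AES-GCM). HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC.
def _keystream(key, nonce, length):
    return b"".join(hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)             # fresh per record; never reuse with one key
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class ApplicationProvider:  # provider 1: stores ciphertext only, never holds a key
    def __init__(self):
        self.records = {}
    def store(self, record_id, blob):
        self.records[record_id] = blob
    def admin_view(self, record_id):
        return self.records[record_id]

class EncryptionProvider:  # provider 2: holds keys only, never stores customer data
    def __init__(self):
        self.keys = {}
    def provision(self, customer_id):
        self.keys[customer_id] = secrets.token_bytes(32)
        return self.keys[customer_id]
    def admin_view(self, customer_id):
        return self.keys[customer_id]

def split_custody_demo():
    app, kms = ApplicationProvider(), EncryptionProvider()
    key = kms.provision("alice")                        # customer gets her key from provider 2
    app.store("mail-1", encrypt(key, b"private note"))  # provider 1 only ever sees ciphertext
    ciphertext = app.admin_view("mail-1")               # all an application admin can pull
    try:                                                # without the key it stays opaque
        decrypt(secrets.token_bytes(32), ciphertext)
        rogue_read = True
    except ValueError:
        rogue_read = False
    return b"private note" in ciphertext, rogue_read, decrypt(key, ciphertext)
```

Note that the key provider holds no records and the application provider holds no keys, so an administrator on either side must collude with the other to read anything; the customer, holding both, is the only party that can.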
This is not science fiction; we are already witnessing limited-scope implementations of these principles. For example, this week Akamai announced a new service that implements such separation for credit card numbers (see New Payment Tokenization Service Unveiled for the Akamai Cloud), while Navajo Systems and other smaller vendors are trying to provide this separation by means of encryption “near the browser”, completely transparent to the application provider.