When cloud software providers claim their solution is secure, watch for these 9 red flags
23-November | Written by Eric Gold
Costly data breaches are on the rise and the shift to remote work has created urgency for organizations to find secure software solutions to protect sensitive data. The challenge for organizations is that many cloud software providers solicit business by making marketing claims that their solutions are “secure” or use “encryption” – without accurately qualifying these broad statements.
Examples of software providers operating in the cloud include practice management, accounting, document management, file sharing, payroll, healthcare, CRM, client portal, and electronic signature solutions. Unfortunately, the majority of these providers do not specialize in cybersecurity. Instead, they focus on ease-of-use features which include sharing data or workflow automation. The provider may not be transparent to its customers about the security trade-offs that they have made to prioritize ease-of-use.
As an example, The United States Federal Trade Commission (FTC) recently announced a settlement with Zoom, after the FTC alleged that Zoom engaged in “a series of deceptive and unfair practices that undermined the security of its users,” in part by Zoom claiming that their encryption was stronger than it actually was. At the peek of the COVID pandemic, Zoom claimed that their video calls were protected by end-to-end encryption which would make it virtually impossible for anyone to listen in, including Zoom itself. As it turned out, Zoom was not implementing end-to-end encryption but, in fact, had access to their user’s encryption keys, a much lower level of security than they promised. This incident illustrates why it is critical not to assume that your software provider’s encryption claims are true as it could lead to a costly data breach.
Pay attention to evolving Canadian and American electronic privacy laws
Evolving Canadian and American electronic privacy laws are often misunderstood or ignored by software providers and associations that may govern organizations. For example, the USA Clarifying Lawful Overseas Use of Data Act introduced in 2018 (CLOUD Act) may provide the US government jurisdiction over data stored on providers’ servers – even if the servers are physically located in Canada. More recently, a new and more aggressive bill, Lawful Access to Encrypted Data Act, has been proposed in Congress which would force US software providers to install a mandatory backdoor to allow the American government to access sensitive communications in the pursuit of criminal or terrorist activity.
In November 2020, Canada’s federal government introduced Bill C-11 which will enact the Consumer Privacy Protection Act (CPPA). This new privacy legislation will introduce major changes regarding how Canadian organizations may collect, use, disclose and retain personal information. The new law also includes a fundamental shift in enforcement that makes it much easier for the Privacy Commissioner of Canada (OPC) to issue heavy fines for non-compliance. Organizations will face enhanced scrutiny on how they process personal information and will be required to comply with new privacy obligations to better protect an individual’s sensitive information.
More than ever, organizations need to be wary of not only a provider’s security claims but the privacy legislation governing their client’s data. Otherwise, if a data breach occurs, the organization may be subjected to heavy fines, lose trust, or suffer loss of reputation.
Red flags to watch for when selecting a “secure” cloud software provider.
To better evaluate the security risks associated with a provider, be mindful of the below list of red flags.
1. Any reference to “military grade”, “bank grade”, “enterprise grade” or AES encryption.
A claim of “military grade”, “bank grade”, or “enterprise grade” encryption is generally a tactic designed to impress potential customers on the quality of the encryption – without any further explanation on the implementation details. Often, these providers are referring to the security of the data centre that hosts their servers (i.e., the location of the cloud provider’s computers), not the actual cloud provider’s application itself (the software, e.g., Zoom, that they provide). Such references are problematic and misleading.
Some providers will also claim that they use 256-bit Advanced Encryption Standard (AES) to further emphasize the strength of their encryption. However, if the provider is simply implementing disk or file system encryption on their servers, it only provides protection when the provider’s computer servers are not in operation. If an attacker gains access to the computer in operation, the attacker will have access to all data. If a provider claims that their software application is encrypting and decrypting data that is stored on their servers, the provider must also explain how they are managing and protecting your encryption keys. Management of the encryption keys is critical for security. For example, is there only one master key used to encrypt all of your data? If so, then if this master key gets compromised, an attacker has access to all of your data. A master key is an example of a very weak encryption key management scheme. Therefore, it is critical to inquire how your keys are being managed, protected, and how granular the encryption keys are, i.e. is there a unique encryption key generated for every, customer, user, or file stored on their system. More granularity is critical for a higher level of protection.
The provider should also make it clear if sensitive data is ever stored on their system disk storage unencrypted, even for a short period of time. Such unencrypted storage is quite common if the provider offers virus checking of files which means that they have access to the contents of your files since access is required for virus checking. Virus checking of files constitutes a backdoor and is a security hole.
2. “Secure” system – but suffers from “key-under-the-mat” syndrome.
The claim of a “secure” system while promoting robust 256-bit Advanced Encryption Standard (AES) encryption which is an encryption cipher chosen by the U.S. government to protect classified information. This standard is meaningless if the provider has access to your encryption keys so that they can unlock your sensitive data. The misleading security level is equivalent to a person installing a strong lock on the front door of their house but then hiding the key under the front door mat. This situation is referred to as “key-under-the-mat-syndrome,” which is commonly deployed in most cloud-based solutions.
3. “Secure” system – but does not encrypt data stored on servers.
The claim of a “secure” system, while at the same time not encrypting data stored on its servers is quite common with some cloud-based solutions. The main purpose of such solutions is to automate workflows and share data.
Automation and sharing makes encrypting data stored on servers very difficult. Often these providers will rely on network firewalls which are designed to prevent unauthorized access to or from customer networks. This approach is a very weak form of protection because if a hacker or rogue employee gains access to a customer’s servers inside their network, they get access to sensitive data.
4. Provider allows password self-resets.
If a provider’s software allows users to perform a password self-reset and the user subsequently obtains immediate access to your data, the provider has a “backdoor”. A backdoor means that the provider, and any of their rogue employees, has complete access to your data – a significant security hole. In other words, if the provider can provide you with immediate access to your data after the self-reset, the provider has access to your encryption keys and can unlock your data. If so, you should disclose this fact to your client. For higher and better security, providers should encrypt their encryption keys with the user’s password and, if the user loses their password, the provider should invalidate their encryption keys and, thus, prevent any access to the user’s data. In the case of a lost password, to prevent the permanent loss of access to a user’s data, a good provider should have the capability to repair invalidated encryption keys.
5. American providers state that their servers are physically located in Canada.
Even when USA-based providers have servers physically located in Canada, the US government may still access data stored on these servers. Examples include cloud storage providers such as Microsoft, Amazon, and Apple. The CLOUD Act provides the USA government with the necessary legal means to subpoena (demand by law) data stored on the servers of providers, including the servers of American providers physically located in Canada.
Therefore, any provider using American cloud storage should make this risk clear to potential customers. If a provider claims otherwise, customers should ask for a letter from the provider’s legal department or law firm to validate the provider’s declaration of exemption from the CLOUD Act.
6. Provider promotes ease-of-use by circumventing client user authentication.
Some providers offer the capability for their users to share sensitive documents with others – without explaining the security risks – by emailing a link, that just requires the link to be clicked on by the recipient to download the document. If the link does not require the receiver to be authenticated (such as by entering a personal password), then the systems’ level of security is the same as the email server itself. Email on its own is not secure. In these instances, any attacker who intercepts the email will have access to the recipient’s document. Sharing of sensitive documents using email links should only be permitted if the recipient, at minimum, has to use their own private and personal unique password to unlock the document.
7. Provider promises workflow automation by integrating with other products without explaining the security trade-offs.
When a provider offers convenience and workflow automation by integrating their software with other products, it significantly increases the chance of a data breach. Each integration is equivalent to adding a new entry point to your house, thus creating more opportunities for break-ins. Another analogy is that “a chain is as strong as its weakest link.”
Integration also makes it much more difficult for a provider to encrypt data stored on their servers and often results in bypassing or sharing user credentials (e.g., a password), which creates additional security holes.
8. Provider claims that they offer ‘secure email’ but do not explain its limitations.
Many providers advertise that they offer “secure email” but do not adequately explain its limitations. Typically, these providers will offer either one-way secure email or a limited two-way system where the recipient of the email can only securely reply to the original email for a short period of time. These limitations will result in the recipient resorting to using non-secure email because the recipient cannot easily initiate secure email with the sender – which introduces a significant security hole.
9. Provider makes security certification and compliance claims without providing any details on applicability and how and when they were achieved.
Many cloud-based software providers indicate that they comply with various security standards acronyms posted on their websites such as ISO27001, SOC 2, GDPR, HIPAA, PCI DSS, FINRA. Use of the names of such standards is usually a marketing tactic designed to impress potential customers. The provider typically does not indicate whether the standards apply to the data center that hosts their servers (the location of their computers) or the actual software application itself (e.g., Zoom). Given the need for providers to constantly make changes to their software and the vast number of emerging security threats, it is extremely difficult for software applications to comply, and maintain compliance, with these standards. As an example, security threats may trigger the need for the provider to discontinue the use of a compromised encryption cipher even though the specific cipher itself is a requirement stated in the standard – which may result in the provider becoming non-compliant. The rule here is: if a provider advertises compliance, ask to be shown an auditor’s report for all such compliance certifications for both the data center and their software application.
Organizations are custodians of their clients’ sensitive data and work hard to build trust. To avoid suffering a costly data breach, loss of trust and associated liability, organizations must perform a cybersecurity risk assessment when choosing a trustworthy provider. Reputable providers are transparent with their security considerations and the cybersecurity laws that govern data. Being pro-active in choosing the right provider will facilitate compliance with current and future electronic privacy laws and benefit both the organization and its clients.
Eric Gold is the founder and CEO of e-Courier, a Canadian cybersecurity company that specializes in encrypted email, file transfer and client portals.
DISCLAIMER: Certain links on this article take you to other websites, resources or tools maintained by third parties over whom e-Courier and Cyber Business Review have no control. e-Courier and Cyber Business Review provide these links only as a convenience and is not responsible for the contents of any linked website. e-Courier and Cyber Business Review make no representations or warranties regarding, and does not endorse, any linked website, the contents thereof, the information appearing thereon or any of the products or services described thereon. Links do not imply that e-Courier and Cyber Business Review sponsors, endorses, or is affiliated or associated with the entity that owns or is responsible for any linked website.
