How can someone legally access your data in the cloud [without you knowing]?
2-Jul | Written by Jean Loup P. G. Le Roux • Founder • I&I Strategy • Montreal, QC
Information security teams and CISOs deal with a million different problems every day, and we tend to assume those dangers come from unscrupulous actors backed by illicit infrastructure, or from internal negligence, whether intentional or accidental. But what about the legal route?
More and more companies are making the shift to cloud services to secure their valuable data.
Now, all your crown jewels are hosted in third-party-owned systems, which are multi-tenant for the most part (who still pays for dedicated hardware in 2020 anyway?) and you rest assured that you have done what you could to future-proof your data hosting. Here’s a bit of bad news, however: someone could legally access your precious customer or proprietary data in the cloud without your consent, and without you knowing.
Naturally, there are just about a million ways in which cloud platforms (SaaS, IaaS, or PaaS) can be breached, and organizations conducting threat modelling will usually be aware of some of the risks associated with embracing cloud services. But we’re going to focus on a few sub-cases here, specifically from a legal perspective, that are almost never talked about because they’re way below the radar for most of us.
How Third Parties Can Potentially Access Data the Legal Way Through Jurisdiction
Let’s start with something you are probably familiar with - the good old US Patriot Act. For years, cloud service users have worried about the potential for invasive surveillance and abuse by US government agencies that this Act, and specifically the business-records provision in Section 215, provides.
As many European cloud services providers liked to point out, this isn’t just the concern of those with servers in the US either. Why?
Because of these jurisdictional implications:
Escaping the grasp of US jurisdiction is a tight balancing act for a cloud services provider, as they have to make sure that they (or their parent company, if applicable) don’t have any operations in the US. Since the CLOUD Act of 2018, a provider subject to US jurisdiction can be compelled to produce data in its possession or control regardless of where that data is physically stored. There are few service providers today who would fit the bill of having no US nexus at all.
Many countries have treaties that allow the sharing of data, such as the mutual legal assistance treaties (MLATs) between the US and various other countries. Then, of course, the US isn’t the only country with legal avenues for obtaining private or confidential information in the name of national security; some even permit authorities to obtain information without judicial supervision, such as the National Defence Act in Canada.
There is a fundamental difference between data residency (where the data is geographically) and data sovereignty (which entity, and therefore which legal system, controls the data). Residency alone guarantees nothing if the cloud company is foreign-owned and subject to its home country’s laws. In today’s world, the challenge is about control rather than location.
Now, we’d all like to believe that government agencies won’t abuse their powers in order to gain access to our data, but having to simply trust that they won’t isn’t any sort of a guarantee and it’s a real problem.
Through Regulatory Systems
The drive for privacy legislation is steadily gaining momentum, and we’re now starting to see the impact of new regimes such as the GDPR and the CCPA taking full effect. For the most part, I think everyone can agree that this is a good thing. But there are sneaky methods too: a fraudulent subject access request under the GDPR’s Right of Access (Article 15), filed in someone else’s name, can hand a third party a small fraction of the data your Cloud Service Provider (CSP) stores on its servers.
Yet it gets worse. The Norwich order - a pre-trial disclosure remedy available in Canada, and in other common-law jurisdictions as the Norwich Pharmacal order - allows a prospective litigant to compel someone who is not a party to the dispute, a service provider for instance, to hand over information or intellectual property before any claim is issued. A Norwich order can reach other kinds of provider, but we’ll focus on the cloud:
Let’s say you have a competitor who tries to make a claim for details of a specific product your company is developing. With a good enough lawyer and some creative fibbing, a competitor can abuse the Norwich order as a legal avenue of obtaining information in the name of evaluating whether there’s cause for a lawsuit or in order to preserve evidence of ownership of property.
If a judge deems their claim valid then your CSP has to release that information in order to comply, and they gain access to your cloud-stored data without your consent and without you knowing - until it’s too late. Essentially, the court then deems the claimant’s right to this information more important than your right to privacy or confidentiality. Part of this issue stems from the fact that many judges aren’t tech-savvy enough to be able to dispute such claims. The end result is a competitor gaining the advantage by accessing your intellectual property or trade secrets from right under your nose.
In truth, the legislation that allows third parties to legally obtain secure cloud data in both the examples above stems from a place of good intention, but the opportunity for abuse is a real threat. Among management teams today, few, if any, are aware of these somewhat obscure but very real threats to the information assets they store in the cloud.
The Possible Fallout
You lose sight of the data and you fail to control the chain of custody because a third party is now getting access to it. And you don’t even know about this until it’s too late.
The most obvious impact is that you fail to meet compliance requirements or breach regulations because your data was taken. The fact that a third party abused a legal means to get at the data is irrelevant - if your customer data was taken then there is cause for legal action. On top of that, the GDPR sets a hard breach notification deadline (72 hours from becoming aware, under Article 33), whereas PIPEDA only asks for a report "as soon as feasible" - so if you don’t wise up to the theft quickly enough and report it to the supervisory authority in time, you could face a hefty fine.
Unsanctioned access also breaks the chain of custody of a firm’s data: once the data is disseminated outside your control, you have lost CONTROL of it. IP theft is therefore another massive consequence, one that can hand an unfair advantage to your competition.
So, What Can We Do About This?
One of the tenets of InfoSec is to ensure that information assets are only disclosed to authorized parties. But what do you do when a third party tries (or succeeds) to obtain legal authorization to access your data?
As is almost always the case with any cybersecurity measure - prevention is better than having to fix the problem after the fact.
The options available to you are limited, but powerful.
Option 1: Lawyer up
Since a big part of the problem lies within the realm of legislation, it’s imperative that you lawyer up. Don’t wait until after things have gone south; do it now and be proactive about reviewing the contract terms of a CSP. Think of it in terms of KYP: Know Your Provider. Select wisely and understand the scope and applicability of their security certifications. It’s also a good idea to find out where their servers are located, where they do business and who the subcontractors involved are, so you can read up on the legislation of those regions.
You might be wondering - wouldn’t Identity and Access Management (IAM) then become a key part of the process here?
That’s somewhat true. Approval-gated access mechanisms do exist with certain providers (e.g. Office 365 Customer Lockbox, which covers support-engineer access to your content, not disclosure under legal process), but you’re asked to trust them blindly, because you have no way to verify that your CSP is actually asking for your permission before touching your data. This isn’t an unfounded concern either: a report released by ESG at the second annual Cloud Native Security Summit in 2019 showed that 90% of respondents cited not having visibility into misconfigured cloud services, server workloads, network security, or privileged accounts as a cloud security challenge.
Option 2: Make (proper) use of cryptography
The second, and arguably the only real technical control you can implement to prevent this kind of data loss, is to make use of cryptography. This is where I need to add a massive disclaimer: how useful any cryptographic control will be depends on how you implement it, and above all on where the keys live and who manages them.
Organizations face many pitfalls with regards to cryptography, partly because many turn to cure-all solutions, such as provider-managed "transparent" encryption at rest, where the provider generates, holds and applies the keys. That protects against a stolen disk, but it has no meaningful impact against the provider itself being compelled to decrypt, because a party that can compel the provider gets the keys along with the ciphertext. Implementing cryptography just for the sake of passing a compliance bar, and not with the intent to fully commit to data security, is a losing strategy.
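To make the key-location point concrete, here is an added illustration (my own example code, not from the original article or any provider): a toy cloud provider that stores AES-256-GCM blobs, and a Disclose call standing in for a legal order served on that provider. In the "transparent" model the provider holds the tenant key and the order yields plaintext; in the client-side model the tenant seals the object before upload and keeps the key outside the provider (on-prem KMS or HSM, the "hold your own key" pattern), so the same order yields only ciphertext. The Provider type, the tenant and object names and the "Project Falcon" secret are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrCiphertextOnly: the provider holds no key for this tenant, so an order
// served on the provider alone can yield nothing but ciphertext.
var ErrCiphertextOnly = errors.New("provider holds no key for this tenant: ciphertext only")

// Constructed sample secret standing in for a proprietary document.
const secret = "Project Falcon BOM v3 - unit cost 412.10"

// random returns n bytes from the CSPRNG; a failing CSPRNG is fatal here.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-256-GCM AEAD; the only error is a bad key length.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext under a fresh random 96-bit nonce, with the
// object name bound as associated data so stored blobs cannot be swapped.
func seal(key, plaintext []byte, objectName string) []byte {
	gcm := mustGCM(key)
	nonce := random(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName))
}

// open fails with an authentication error on tampering or a wrong key.
func open(key, blob []byte, objectName string) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

// Provider models the CSP (hypothetical). TenantKeys is populated only when
// the provider encrypts "transparently" on the tenant's behalf.
type Provider struct {
	Objects    map[string][]byte // object name -> stored blob
	TenantKeys map[string][]byte // tenant -> key, only when the provider holds it
}

func NewProvider() *Provider {
	return &Provider{map[string][]byte{}, map[string][]byte{}}
}

// StoreTransparent is provider-managed encryption at rest: the provider
// generates the tenant's key, keeps it, and encrypts on the tenant's behalf.
func (p *Provider) StoreTransparent(tenant, objectName string, plaintext []byte) {
	if _, ok := p.TenantKeys[tenant]; !ok {
		p.TenantKeys[tenant] = random(32)
	}
	p.Objects[objectName] = seal(p.TenantKeys[tenant], plaintext, objectName)
}

// Disclose models a legal order served on the provider: it returns whatever
// the provider can produce on its own, without asking the tenant.
func (p *Provider) Disclose(tenant, objectName string) ([]byte, error) {
	key, ok := p.TenantKeys[tenant]
	if !ok {
		return p.Objects[objectName], ErrCiphertextOnly
	}
	return open(key, p.Objects[objectName], objectName)
}

// Demo stores the same secret under both models and serves the same order on
// each provider, returning what each one was able to produce.
func Demo() (transparent string, clientSide []byte, clientErr error) {
	p := NewProvider()
	p.StoreTransparent("acme", "bom.csv", []byte(secret))
	pt, _ := p.Disclose("acme", "bom.csv") // provider holds the key: decrypts
	key := random(32) // stays with the tenant (on-prem KMS/HSM), never at the provider
	q := NewProvider()
	q.Objects["bom.csv"] = seal(key, []byte(secret), "bom.csv") // upload ciphertext only
	clientSide, clientErr = q.Disclose("acme", "bom.csv")
	return string(pt), clientSide, clientErr
}

func main() {
	tr, cs, err := Demo()
	fmt.Printf("transparent: order yields %q\nclient-side: order yields %d bytes of ciphertext (%v)\n", tr, len(cs), err)
}
```

The design choice worth noticing is that nothing about the cipher changed between the two models; only the custody of the key did. Binding the object name as associated data is a small extra that stops a stored blob being renamed or substituted at rest without the tenant noticing when it next opens the object.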
If you don’t have a clear understanding of where your data is, how your keys are handled, and don’t have complete vision over the chain of custody, then how can you safely say you have control over your data?