Mike Webb - SmartVault
Protecting Your Digital Assets: The Facts About Security ‘Backdoors’
Court orders, security ‘backdoors’, and the level of employee access to sensitive digital assets have been at the center of debate with the rise of cloud-based services. Concerns around data security have recently been amplified by the media coverage of Edward Snowden, the NSA contractor who used his system-administrator privileges on the NSA’s intranet to download thousands of documents that were later used in a series of articles published by The Guardian. The documents contained highly sensitive information concerning the U.S. government’s collection of data on emails and phone calls.
The impact of the Snowden scandal has been far-reaching and has triggered many questions within the accounting profession, and rightfully so. Many professionals are now asking, “Who are the guardians of my firm’s digital assets? How safe is my clients’ sensitive and confidential information?”
As cloud service providers, we are obligated to address these concerns in our security policies, but it shouldn’t stop there. Cloud vendors need to go above and beyond simply pointing customer inquiries to a Security page on the company’s website. Rather, it is the vendor’s responsibility not only to provide easily accessible and clearly written information regarding security, access, and privacy, but also to provide education and clarification when needed, so that customers can make informed decisions about where they choose to access and store client information. In other words, this needs to be a conversation between a service provider and a customer.
To better represent the depth to which vendors should be educating customers on the topic of security, I would like to share a recent customer inquiry and my follow-up response. The question came in through a security email alias that we publish and drops directly into my Inbox. This is a good example of the type of question received regularly from customers who are evaluating cloud-based services for their practices.
Question from a concerned business professional:
After the Snowden scandal I am concerned about my clients’ sensitive data being accessed by poorly screened government contract laborers through court-ordered backdoor access to file sharing servers.
- Where are your servers located?
- Does anyone other than your employees have access to those servers?
- Is the data stored in an encrypted form and who has access to the keys?
- Should I evaluate Swiss-based servers, such as Kolab, for email and storing client information?
Given the recent revelations regarding the United States Government's access to digital information, your concerns are valid. As a US citizen and an active member of the security/technical community in the United States, I am also concerned about this and other problems regarding digital rights governance.
Our servers are located in Houston, Texas, and are only accessed by a small group of carefully screened employees. All data is encrypted in transit and encrypted at rest (if uploaded after September 2012). No one has ‘backdoor’ access to any of our systems…period. The encryption keys are only accessible by a small group of carefully screened employees.
That being said, I think much of the media and public are generally misinformed by the issues presented recently in the Edward Snowden scandal. First, SmartVault (as is everyone under U.S. jurisdiction, including yourself if you do business in the US) is subject to at least two potential legal requests for sensitive data:
- Federal, State, and Local Government can request access to data via a warrant (subpoena in some cases). If any of these agencies provide a warrant for access to a specific customer's data as part of a legal investigation, we would comply.
- Several provisions of the Patriot Act allow the Federal Government to request access to data related to terrorism using a secret warrant granted by the FISA (Foreign Intelligence Surveillance Act) court. If presented with this request, we would comply.
In my opinion, this is where much of the current confusion regarding ‘backdoors’ has arisen. Several large providers see a few thousand requests of this nature per year. In the past, they manually fulfilled these requests, which can be a very expensive process. In order to streamline their operations, they have provided portals where government agencies can request access to data and these requests can be fulfilled. These portals are not backdoors and do not provide any direct access to data. It completely stretches believability that someone such as Google has backdoors on their servers and could keep that secret. A conspiracy such as this is simply too large.
Any data you store on your own laptops or servers would fall under these same provisions if you do business in the United States. I cannot speak to the specifics of doing business in other countries, as I'm sure they have their own digital rights laws. Regarding your inquiry about Swiss-based servers, I would suggest that you at least educate yourself regarding doing business in Switzerland. The Swiss are currently negotiating with the U.S. to provide key information on tax cheats, something unimaginable just a few years back.
None of these issues concern security, but rather they concern legal obligations and governance. That being said, we have also seen revelations that the NSA is trawling and scooping up digital communication en masse. They likely have access to email, unencrypted HTTP traffic, etc. There is huge potential for abuse here, some of it legal and some of it not. Just one year ago, Facebook forced all of its communication to be ‘https.’ Fundamentally, secure, encrypted transfer of data should always be used. It is negligent to transmit any sensitive data in the clear on the Internet.
As a security professional, I believe that for the vast majority of the public, the threat of the NSA watching what you do is grossly overblown. Most people are far more likely to experience data being transferred into the wrong hands via negligence, in scenarios such as:
- Loss of an unencrypted laptop, thumb drive, etc.
- Sharing computers at home—either personally or by your accounting professional.
- Sharing of sensitive data over insecure channels (email).
I completely understand your concerns and encourage you to evaluate the risk to your clients. I think this is best done by realistically evaluating all of the threats to their data and choosing a solution based on an informed understanding of those threats.
The accounting professional is the guardian of their client’s sensitive information; therefore, they should absolutely scrutinize their service providers so that they can evaluate any potential risks to their clients regarding data loss or breach of privacy. I would also encourage this audience to question a provider’s security policy if it’s not clear. If there are still questions or concerns, don’t be afraid to pick up the phone and ask to speak to someone in the company responsible for data security. And when something sensational happens, like the recent Snowden event, use it to start a conversation with your colleagues in the industry and with your service providers to further educate yourself on any potential threats to your clients’ data. This furthers your value to your clients as their trusted advisor…and guardian.
About the Author
Michael Webb is Chief Technology Officer and a founding member of SmartVault, an online document storage and secure file sharing service. Michael has more than a decade of experience in the commercial software industry and has emerged as a leading expert in the area of data security. Contact Michael at firstname.lastname@example.org.