How to keep the feds from snooping on your cloud data

Virtual padlocks can keep storage providers -- and the government -- from accessing data in the cloud

A cottage industry is growing up around virtual padlocks that consumers can place on cloud services so that the vendors themselves can't get to the information -- even if the government requests access.

And in recent years there have been a lot of those government requests for access from storage-as-a-service providers.

For example, Google regularly receives requests from governments and courts around the world to hand over user data. Last year, it received 21,389 government requests for information affecting 33,634 user accounts. Sixty-six percent of the time, Google said it provided at least some data in response.

During the same period, Microsoft received 70,665 requests affecting 122,015 accounts -- more than three times as many requests for information disclosure as Google. Only 2.2% of those requests resulted in Microsoft turning over actual content; 1,558 accounts were affected. Another 79.8% of the requests resulted in disclosure of subscriber or transactional information affecting 56,388 accounts.

Newly disclosed information, however, has added to public sensitivity around government intrusion.

Freedom of Information Act requests by the American Civil Liberties Union revealed last week that the U.S. government claims the right to read personal online data without warrants. "It is the case everywhere in the world that governments seem to believe that if data is recorded and available, they should be able to access it," said Jay Heiser, an analyst with research firm Gartner. "It's not unique to the U.S., although the United States brags about it to a unique degree."

New documents obtained by the ACLU from the FBI and U.S. attorneys' offices revealed startling realities around the government's email surveillance practices. Last month, the ACLU also obtained documents showing that the IRS does not always get a court order to read citizens' emails.

Locking the feds and thieves out

So should consumers add security to their cloud storage repositories to keep their data even more secure from prying providers and government snoops? Absolutely, says Heiser.

That's because many data breaches involve frustrated service provider employees who see treasure-troves of data as a way to make a quick buck. "There are repeated stories ... of rogue employees who collect data to sell to credit card fraudsters," Heiser said. "It is an issue with provider staff morale."

Apart from downloading freeware, such as TrueCrypt, and encrypting every folder or file before it's uploaded to the cloud, new automated tools are emerging that handle the job of cloud storage security more seamlessly.

SafeNet, for example, just launched a beta of SafeMonk, which adds a secure encryption log-in to Dropbox. Essentially, the data you store in Dropbox can't even be accessed by Dropbox itself because users get to keep the encryption keys.

Ironically, SafeNet also happens to be one of the largest suppliers of encryption technology to the U.S. government.

SafeMonk, which will be available for download at the end of this month, works by creating a dedicated encrypted folder in your Dropbox account. The service also allows users to share files by offering others an RSA public key password and will eventually offer businesses administrative oversight so admins can monitor traffic and restrict corporate data access.
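The pattern described above (encrypt before the file reaches the provider, keep the keys yourself, share by public key) can be sketched with the openssl command line. This is an added example, not SafeMonk's code or file format; the AES-256-CTR plus HMAC-SHA256 construction, the RSA-OAEP key wrapping, and every file and folder name are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: client-side envelope encryption with the openssl CLI.
# All file names and the "synced" folder layout are constructed for illustration.
set -eu

# seal FILE RECIPIENT_PUB VAULT: encrypt locally; only the recipient can unwrap the keys.
seal() {
  file=$1; pub=$2; vault=$3
  mkdir -p "$vault"
  enc_key=$(openssl rand -hex 32)   # per-file AES-256 key, never stored in the clear
  mac_key=$(openssl rand -hex 32)   # independent key for the integrity tag
  openssl rand -hex 16 > "$vault/iv.hex"
  # Demo only: -K puts the key on the command line, visible to local users via ps.
  openssl enc -aes-256-ctr -K "$enc_key" -iv "$(cat "$vault/iv.hex")" \
    -in "$file" -out "$vault/data.enc"
  # Encrypt-then-MAC over IV || ciphertext so changes made in storage are detected.
  cat "$vault/iv.hex" "$vault/data.enc" |
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" -binary > "$vault/tag.bin"
  # Wrap both keys under the recipient's RSA public key (OAEP padding).
  printf '%s%s' "$enc_key" "$mac_key" |
    openssl pkeyutl -encrypt -pubin -inkey "$pub" \
      -pkeyopt rsa_padding_mode:oaep -out "$vault/keys.wrapped"
}

# unseal VAULT RECIPIENT_PRIV OUT: unwrap the keys, verify the tag, then decrypt.
unseal() {
  vault=$1; priv=$2; out=$3
  keys=$(openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep \
    -in "$vault/keys.wrapped") || return 1
  enc_key=$(printf '%s' "$keys" | cut -c1-64)
  mac_key=$(printf '%s' "$keys" | cut -c65-128)
  cat "$vault/iv.hex" "$vault/data.enc" |
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$mac_key" -binary > "$out.tag"
  # Refuse to decrypt anything whose tag does not match.
  cmp -s "$vault/tag.bin" "$out.tag" || { rm -f "$out.tag"; return 1; }
  rm -f "$out.tag"
  openssl enc -d -aes-256-ctr -K "$enc_key" -iv "$(cat "$vault/iv.hex")" \
    -in "$vault/data.enc" -out "$out"
}

# Constructed demo: a file is shared with "bob" through an untrusted synced folder.
work=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/bob.key" 2>/dev/null
openssl pkey -in "$work/bob.key" -pubout -out "$work/bob.pub"
printf 'constructed sample: mortgage statement\n' > "$work/statement.txt"
seal "$work/statement.txt" "$work/bob.pub" "$work/synced"
unseal "$work/synced" "$work/bob.key" "$work/statement.out"
cmp "$work/statement.txt" "$work/statement.out" && echo "round trip ok"
```

Only the contents of the `synced` folder would ever reach the storage provider; the private key stays on the recipient's machine, so a disclosure request served on the provider yields ciphertext and a wrapped key it cannot open.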

SafeMonk is free to consumers, who can download the software and start encrypting and sharing Dropbox files at no cost. For business customers, SafeMonk plans to charge for its service once it is available, though prices have not yet been set.

Chris Ensey, who runs the security division of Dunbar Armored, an armored transportation service, has been beta testing SafeMonk, largely in a bid to thwart malware and cybercriminals.

He was able to take part in the initial beta testing because he worked for SafeNet last summer, before SafeMonk was created.

Ensey and his wife used the cloud encryption tool during a recent refinancing of their house. Initially, the security-sensitive Ensey passed along sensitive financial data to his mortgage broker using a USB thumb drive, something that turned into a laborious process. With SafeMonk, the couple could securely share files quickly.

"At some point you get worried that email isn't something that is very secure. Anything you put in there is being indexed by Google," he said, referring to Gmail. "I like having more control over that.

"And [my wife] doesn't even realize it's there. It's transparent," he continued. "This product is really pretty approachable. I just point to a folder and tell her anything you put in this will be protected."

Ensey also said he'd like to see the tool expanded for mobile and Android OS use.

Other options

SafeNet is not alone in offering a virtual padlock for cloud-based data stores. Vendors such as Boxcryptor, Sookasa, TrustedSafe and PKWare, with its Viivo offering, are also going after the same market, according to Heiser. So is CipherCloud, which is expected to offer consumer cloud encryption protection.

Willy Leichter, senior director of product marketing for CipherCloud, said virtual padlocks for cloud storage are a nascent but "hot" area for his company, especially in light of the increase in government requests to vendors for access to customer data.

Through its CipherCloud Platform, the company currently offers cloud data encryption and data loss prevention (DLP) tools for businesses. CipherCloud recently announced a partnership with cloud storage and content-sharing service, offering both encryption and DLP to users.

While Leichter said CipherCloud's cloud encryption business is "growing rapidly," he would not expound on whether his company plans to begin selling a consumer-class product anytime soon.

Businesses are acutely sensitive to government information requests because they're also beholden to privacy laws, such as HIPAA and the Gramm-Leach-Bliley Act. So, in highly regulated industries, such as financial services and healthcare, businesses must strike a balance between government oversight and consumer privacy.

"They feel they can't comply with local privacy laws and have their data subject to Patriot Act. We allow them to encrypt their data in the cloud and they keep the encryption keys," he said.

The U.S. Electronic Communications Privacy Act of 1986 came along in the early days of the Internet. The act did not require government investigators to obtain a search warrant for requesting access to emails and messages that are stored in online repositories.

In 2001, the Patriot Act further added to the authority of the federal government to search records under its "Library Records" provision, offering a wide range of personal material into which it could delve.

"You can argue that people shouldn't try to skirt around the Patriot Act, but they're also trying to comply with data privacy issues," Leichter said. "When some government agency requires information disclosure, most organizations I know would like to make that decision themselves and not have the cloud provider make it for them."

This article, How to keep the feds from snooping on your cloud data, was originally published at

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is
