Thursday, December 01, 2011

Never mind the Patriot Act, watch your thumb drives

Earlier this week, I spoke on a panel at Reboot's Privacy and Security conference in Ottawa about privacy and security in cloud computing. I didn't have a powerpoint, but IT World Canada has a pretty good write-up of the presentation ...

Never mind the Patriot Act, watch your thumb drives - Page 1 - Security

By: Grant Buckler
On: 01 Dec 2011
For: ComputerWorld Canada

Businesses that think storing their cloud-based data north of the border protects them from government intrusion are wrong, a panel says. Why thumb drives are the real threat to info security

OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday.

David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners.

Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act.

But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border.

And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser.

“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.”

And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.”

Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser.

Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education.

Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.”

The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much.

The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again.

Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.

1 comment:

Thomas Xavier said...


To be honest the biggest issue with hosting sensitive data south of the border is not the clear similarities with seizure protocols that we share with them but the fact that the various American agencies tend not to withhold much due diligence when it comes to sending out requests for information.

I don't think the Canadian Intelligence services will be as abusive- I know this statement is not based on any sort of quantitative fact but just the impression I get.

Either way- plenty of "true" offshore providers- I host my blog on a cloud powered vps in Amsterdam and the speed/price ratio is more or less comparable to top tier American hosting.

Great blog, Thomas.