
Where to store your encrypted data

By Jake Edge
October 22, 2014

LinuxCon Europe
In a talk entitled "Lies, Damned Lies, and Remotely Hosted Encrypted Data", Kolab Systems CEO Georg Greve outlined the thinking and investigation that the company did before deciding on where to store its customers' encrypted data. The talk, which was given at LinuxCon Europe in Düsseldorf, Germany, looked at various decisions that need to be made when determining where and how to store data on the internet. It comes down to a number of factors, including the legal framework of the country in question and physical security for the systems storing the data.

The intent of his talk was to relay the lessons Kolab Systems learned in the process of setting up its data storage facility. There are a lot of questions to be asked when evaluating the integrity, security, and privacy implications of the options. Greve hoped the talk would give attendees "a better idea which questions to ask".

Threats

Using a set of handwritten and hand-drawn slides [Slideshare], he started by talking about the threats users face. To start with, users have a feeling of insecurity because of all of the surveillance that has been in the news. Security is an "emotional subject", he said. There is no such thing as total security, however, so security is a question of balancing the expense for an attacker against the need to protect the information.

[Georg Greve]

This surveillance creates an awareness of a new risk for users. There is the feeling that they are always being watched, but the actual risk from that is not something they can get a handle on easily. Humans are poor at choosing which risks are more important based on their probability. The classic example of the likelihood of dying in a plane crash versus that of dying in a car on the way to the airport is a good demonstration of that. Our "risk perception is completely off", he said.

Another risk to users and their data is industrial espionage. Greve said that he is personally not convinced that the large budgets given to the US National Security Agency (NSA) and other spying organizations are not aimed at assisting in industrial espionage. The NSA's mandate explicitly says that the data it gathers can be used for promoting the US economy. That aspect has not figured prominently in the discussion of internet surveillance, but he thinks it may have a greater impact than the other uses of the data.

Criminals are another threat. The lore among the tech savvy is that criminals are not particularly smart, but that simply is not true, he said. He gave an example of a point-of-sale device that came "pre-tampered from China". Eventually it was determined that you could detect the tampering by weighing the devices; the tampering added 30g. After a while, that test stopped detecting any tampered devices; opening them up revealed that 30g worth of plastic had been carefully removed from the inside of the case.

Beyond that, some of the changes are themselves tamper-resistant. Trying to determine if the devices have been maliciously altered destroys the evidence of tampering. Internet criminals are sophisticated and technically adept—increasingly they are part of organized businesses. In fact, Greve said, "they are not as inept as we would like them to be".

There is lots of advertising for products that supposedly provide security. There are many different claims: "It has crypto!" or "It uses P2P [peer to peer] technology". But users are left trying to figure out what to believe. Total security does not exist, he reiterated, especially not without loss of convenience. If something is "ultimately secure", that means it will "ultimately do nothing".

"We like the convenience of the Google cloud", Greve said, but we want to be able to restrict access to the data we store there. On the other hand, though, sharing and collaborating with others is part of the value of the internet. Users just want some controls on that sharing.

Location and hardware

The physical servers that store "data in the cloud" have to be located somewhere. Whatever choice is made brings with it a legal framework that governs various aspects of the data stored there. This is a really important decision, he said. "US companies are screwed" by the legal framework that governs their data. The laws that are in place, including those that compel them to secrecy about requests for data, make the US framework rather hard to work with.

But it is more than just the physical location of the server that determines the legal regime applied. If a US company stores its data outside of the country, that data is still subject to US laws. So the laws that apply to the data come from both the physical location and where the company is incorporated. In fact, US companies have tried to claim that European companies should be subject to US laws if they have any US-based employees—just a single salesperson, for example.

If you provide services to others, Greve said, you will hear from the police at some point. You need to know what you will do when they come. Some countries request more data than others, which will determine the frequency of the requests.

In some countries, requests for data will come with a court order that is based on other evidence. That process may be fully transparent and documented. In addition, there may be no other way for the authorities to request data that does not require going in front of a judge and leaving a paper trail that others can review. There are "very few countries where that is the case", he said.

Most of us live in countries where the police do more harm than good, Greve said; that led to an undercurrent of disagreement from the audience. He shrugged that off and continued. It is also important to recognize that you can treat the police as an adversary, but if that happens, they may reciprocate.

Once you have a place to locate your servers, with reasonable laws, and you know what you will do when the police come knocking, there are still some things to think about. Perhaps you will have the money to build a data center, but most don't, which means using an existing data center. The ownership of that data center makes a difference as well; make sure it is fully owned by citizens of the country where it is located. Otherwise, you may be adding another legal system into the mix.

Once you have chosen a data center, you can have them "slap a server into a rack" for you, but that means they can put their hands on the hardware. That, in turn, means they can access the server. An even worse choice would be to rent a virtual machine (VM). There are attacks against hypervisors that might allow other guest VMs to access your data.

The right way to go about it is to own the hardware and place it into a cage with keys that are only in your people's hands. That way, no one can (easily) access the systems. The server room and data center facility should be under 24-hour surveillance as well.

Software and security

There is no such thing as trusted software, Greve said, because all software has bugs and nothing is 100% foolproof. A silver lining from the recent discussions about government spying is that it has shown that there is no reason to trust closed-source code. Open source doesn't mean that you can trust it, but at least there is the option of examining it for flaws.

Using open-source code as far down as you can go—unfortunately only as far as the firmware these days—is important as it builds trust in the system. Choose the open-source software that you are most comfortable with, he said, and be transparent about what you are running.

Operations staff, or "the guy with the root shell", is a vital role. You need to choose that staff carefully and make them aware of the trust being placed in them. In some countries, there are laws that make it a crime to look at data without authorization. But there is no really good answer to the problem of malicious system administrators, he said.

Users will access their data from browsers, which brings in "a whole host of other issues". There are no secure browsers today, which is a problem. In fact, browsers are more about being a software recipient than they are about rendering web pages. "The human equivalent is a junkie that rams every needle you give them into their arm", Greve said.

There are various applications that advertise that data is encrypted in the browser, but that is hardly reassuring. The code to do so comes from elsewhere and can be updated at any time. That update could contain a keylogger, for example.

When using an online service, there is always a payment of some kind. It is not cheap to run servers, so providers of gratis services bury onerous provisions in their terms of service (ToS). Those are not negotiated between the parties and are typically one-sided. They are also quite important, but often not read. He recommended the ToS;DR site that rates the ToS of various services.

If you are hosting data, it is not a matter of whether you will have a security problem, he said: you will. How you react to and handle it are what makes the difference. Defense in depth is important, as you don't want a single server that contains everything needed to compromise the rest of the system. The analogy of a castle is a good one but, like castles, undefended and unwatched systems fall easily.

MyKolab

These questions came up in the context of setting up a service for hosted instances of the Kolab open-source communication and collaboration tool (email, calendar, file sharing, etc.). The MyKolab.com service is hosted in Switzerland, which has favorable laws (including requiring court orders for data requests and criminalizing unauthorized data access). In fact, one can download a spreadsheet (unfortunately in Excel format, he said with a laugh) that details all of the police requests for data in Switzerland.

MyKolab started as something of a demonstration at FOSDEM in 2013, but turned out to be quite popular. Then the Snowden disclosures started, which made it even more important to set the service up correctly. Kolab Systems owns the hardware and runs all open-source software. MyKolab has an "A" rating (very good) from ToS;DR and a FAQ that describes the privacy and security features of the site and the laws that govern it.

The Q&A session after the talk was rather lively, with many people interested in exploring the defenses against governments for a service like MyKolab. Greve noted that when he leaves Swiss soil, his passwords are disabled so that he can disclose them to countries that compel password disclosure (e.g. the UK), but they can't be used to access any of Kolab's systems.

In order for a foreign government to request data from the MyKolab systems, it needs to go through the Swiss courts; the decision and supporting documentation can then be reviewed by others. In addition, the offense alleged must be a crime in Switzerland.

Some also wondered about the Swiss suddenly changing their laws, but Greve seemed relatively unconcerned about that. "The Swiss are known for many things, but not quick decisions", he said with a chuckle. That brings a lot of stability, but does have some downsides. In any case, he believes they would have lots of warning that the laws were changing and would have enough time to make other arrangements if needed.

[ I would like to thank the Linux Foundation for travel assistance to Düsseldorf for LinuxCon Europe. ]



Where to store your encrypted data

Posted Oct 22, 2014 23:13 UTC (Wed) by dlang (guest, #313) (4 responses)

The issue of what legal framework you are dealing with is even more complicated than Georg was making it out to be.

You are always going to have to deal with the legal framework of wherever your company is based, adding a data storage out of the country is adding a second legal framework.

> US companies have tried to claim that European companies should be subject to US laws if they have any US-based employees—just a single salesperson, for example.

and similarly, European entities have claimed that companies are subject to European laws if they have even a single European customer.

The issue of what jurisdiction applies is a horrible mess.

The important thing to keep in mind with all of this is that when you have someone else host your data (or your servers), you are incorporating their organizational risks into your own. If they have a disgruntled employee, they can harm your business, and you won't have much chance to know that the possibility is even there.

Where to store your encrypted data

Posted Oct 23, 2014 9:59 UTC (Thu) by ortalo (guest, #4654) (1 response)

Outside of the issue of building an effective international worldwide law enforcement organization - which goes probably much further than simply computer-related issues - I think one of the problems too is that many companies are actually using the discrepancies between jurisdictions in order to *evade* most privacy laws.

That's somehow similar to taxation affairs: multinational companies claim that they are doing "fiscal optimization" and should be entitled to do it until... all laws of the world converge. (What idealists they make... aren't they?) Granted, this optimization is really morally debatable; but well... off-topic.
The problem starts when everyone realizes that they have optimized so much that they are in fact doing fiscal *avoidance*. Which is morally not debatable at all and on-topic for any of the other honest taxpayers on earth. (And too late to react usually - at least with mere adjustment.)

With respect to privacy protection, debates do exist and are clearly not definitively settled. But a significant portion of the reason some data is stored offshore is to remove the protection of law. Another one is economical.
Neither of those have anything to do with privacy - quite the contrary - and encryption only plays the role of a convenient alibi in these cases.

Furthermore, let's get back to the root definition: encryption is not about privacy, it's about secrecy. Among Switzerland's specialties, I have always preferred their chocolate.

Where to store your encrypted data

Posted Oct 23, 2014 18:36 UTC (Thu) by jhoblitt (subscriber, #77733)

Secrecy and privacy are not mutually exclusive concepts nor is one a complete super set of the other.

When I connect to lwn via https there's no 'secret' that we are communicating (the traffic is observable in 'public') nor is either of us anonymous. However, the content of that communication is theoretically 'private'. It's possible to split hairs endlessly around the semantics but there's no universally accepted definition.

Where to store your encrypted data

Posted Oct 23, 2014 22:12 UTC (Thu) by Seegras (guest, #20463)

> The issue of what jurisdiction applies is a horrible mess.

Yeah, the bloody wild west on the internet. Every small-town sheriff and vigilante thinks he can take the law into his own hands and proclaim "das Internet kann kein rechtsfreier Raum sein..", or, more often, the equivalent of that in US English.

Where to store your encrypted data

Posted Oct 24, 2014 10:57 UTC (Fri) by greve (guest, #8385)

> The issue of what legal framework you are dealing with is even more complicated than Georg was making it out to be.
> You are always going to have to deal with the legal framework of wherever your company is based, adding a data storage out of the country is adding a second legal framework.

FWIW, you are right. I explained the same thing in my talk.

That's why we chose to only ever host in Switzerland for ourselves. Only a single legal framework to deal with.

Where to store your encrypted data

Posted Oct 23, 2014 9:37 UTC (Thu) by ballombe (subscriber, #9523) (2 responses)

I am confused. The title is "Where to store your encrypted data" but then most of the issues raised seem to assume the data are unencrypted or at least that the data center can decrypt them somehow. If I were to store my encrypted data in a datacenter, I would make sure it is not the case.

Where to store your encrypted data

Posted Oct 24, 2014 6:14 UTC (Fri) by eru (subscriber, #2753)

> most of the issues raised seem to assume the data are unencrypted or at least that the data center can decrypt them somehow.

I suspect that is specific to the Kolab situation. Since they are running a mail and calendar service, their server has to be able to decrypt at least the metadata (how else would they know where to send the mail?).

Where to store your encrypted data

Posted Oct 24, 2014 11:27 UTC (Fri) by greve (guest, #8385)

Yes, if you use data centres only as "external disk space" then you can encrypt it to some relatively high level of confidence locally.

Only when you look at providing services with some level of "cloud convenience" or data sharing does the whole picture change.

And my talk was indeed about the latter.

Where to store your encrypted data

Posted Oct 23, 2014 11:52 UTC (Thu) by jwakely (subscriber, #60262)

> when he leaves Swiss soil, his passwords are disabled so that he can disclose them to countries who compel password disclosure

Ooh, nice hack!

Where to store your encrypted data

Posted Oct 24, 2014 11:49 UTC (Fri) by greve (guest, #8385)

The attendees in the room mostly seemed to be from the EU & US. For that reason I don't think their police does more harm than good. It's actually the other way around. So it seems I must have swallowed a "not".

By choosing Switzerland as our legislation, we are for instance in a position that the police are actually for the vast majority of cases an ally in keeping people safe and protecting their privacy. Because we would be breaking criminal law when providing data to third parties who are not entitled to it. That includes all secret services, including the Swiss one. If they want access, they need to go through the police and justice system, like anyone else.

And in our own practical experience thus far, criminals are the much more common threat to your data (think: "car") in comparison to secret service (think: "air plane"). The US may be an exception to that rule, because they made their services part of their political tool set for foreign and economic policies, rather than just upholding the rule of law within their country. But I don't think that's the rule for a lot of countries, the US laws seem fairly unusual in that respect.

For Switzerland at least I can say with certainty it's not the case.

(Which naturally does not mean that all police officers in Switzerland are perfect. Their mandate and responsibility mean they need to be monitored critically. But for the most part that seems to be working rather well in Switzerland.)

Anyhow. The main point remains.

This whole area should be thought through before you start.

And naturally we need to take steps to protect ourselves and our users from overreaching laws in other countries unless we want to confine ourselves as people strictly to the physical boundaries of Switzerland. Which isn't really an option.

No, Our Risk Perception Is NOT Completely Off

Posted Nov 3, 2014 1:01 UTC (Mon) by ldo (guest, #40946)

Assuming you are not driving across the country to the airport, you are less likely to die in a car on the way to the airport than you are in a plane crash. That’s because the risks are quite differently distributed.

With cars, the dominant statistic is deaths per passenger per unit distance travelled. The more distance you travel, the more likely you are to be in a crash. If you use the same statistic for planes, then you reach the usual conclusion that plane travel is a lot safer. However, if you measure time spent travelling, then the two are in fact comparable.

And if you measure deaths per passenger per journey, then aircraft are a lot more dangerous than cars. This is because two-thirds of passenger aircraft accidents happen at takeoff and landing. That is where most of the danger lies, and you can’t avoid having one of each of those per trip.

At least, if you want the trip to end well...


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds