One of the factors many organisations (including governments) agonise over when deciding whether to use public cloud services is whether or not services and data can be stored “off shore”. It’s not a topic we tend to discuss very well.
“Off shore” usually means stored in data centres in other countries but can sometimes mean in facilities within the originating country but operated by foreign-owned companies. For UK organisations looking at infrastructure as a service that conversation is dissipating now that the three biggest players all have UK data centres, but switching to UK data centres is really just dodging the issue rather than looking at how and why decisions are made.
It was great to hear Ian McCormack from NCSC addressing offshoring in his spot in the keynote at the AWS Public Sector Summit in DC recently.
https://youtu.be/75Xkm0ZaSvw?t=5m55s
“It’s often said to us that due to the global nature of a service it’s somehow inherently less secure than if exactly the same service was hosted on a datacentre in the UK. But actually that just doesn’t stand up to technical security outside of particular national security type applications.” - Ian McCormack, NCSC
For the vast majority of applications from the vast majority of organisations, the physical location is not a factor in confidentiality or integrity. There may be compliance requirements that force decisions on you, or there may be performance reasons to choose particular geographies, but not security.
That said, the topic comes up so often that it seems worth breaking down some thoughts on how you might approach the issue if you want to really consider the risks. Which hosting companies you use, who they’re owned by, and where their various assets are hosted should be considered within your overall risk assessment.
A risk model is only as good as your understanding of the service it’s protecting. Before starting on anything you should make sure you have a solid grasp of the service expectations, what its impact on other services is, and so on. That will help you understand any trade-offs that need to be made, and also help you understand where any offshoring concerns might be coming from.
The following thoughts are based on a set of conversations over the past couple of years. They’re far from comprehensive, but I’m regularly in situations where I find people who don’t know where to start with breaking down these issues and it seemed worth sharing even some sketchy thoughts.
The context, then the risks
Before getting into detail on the particular risks, it’s worth first considering the scenarios where the location of data might be important.
Are you solely concerned about data security, or are your concerns about making sure your services keep working in the unlikely event that all network connections out of the UK fail? If that unlikely event is a real consideration for you, would you need to get your services back up and running immediately, or will backups that let you rebuild locally be sufficient? Most of the time it’s going to be more important that you’re running in multiple locations than whether one of those locations is in your home country.
Once you understand your context, you can go into the next level of detail. Roughly speaking there are three areas of risk that people are concerned about when they trust their services to a third party, regardless of the classification of that data.
- Confidentiality and integrity risks if staff in those companies can access their data through their administrative roles
- Confidentiality risks should a foreign government issue a legal order that the company hand over data from your service
- Confidentiality, integrity or availability risks should a hostile state-sponsored organisation use access to the network or physical proximity to a data centre to attack your service
There is also a further risk that we don’t often discuss, which is that the availability of services will be disrupted due to the complexity of international network routing.
It’s worth noting that I’m assuming you are using a robust cloud provider and are applying good practices to your cloud usage so that the chances of other customers affecting your services are very small.
Staff accessing data
The risks relating to staff at cloud companies accessing your data are similar whether your data is entirely contained within the UK or is stored elsewhere.
Before worrying about where the data is, you should be thinking about what impact comes with disclosure of the data. For much of what we do simply being careful about how we use a tool will minimise that impact. For example, if we’re using a project management tool we shouldn’t include personal data or credentials in what we store.
When you do have data that needs to be restricted then many infrastructure as a service providers will share information about the measures they take to make it very difficult for their staff to access customers’ data. Increasingly details of those measures are available publicly. Those measures apply whether the data is stored in the UK or outside it.
Legal orders
Non-UK ownership of companies, or non-UK residence of data centres, is a reality of most modern internet services. There have been a number of legal cases around the world over the past few years beginning to test to what extent governments can compel companies to provide their customers’ data to law enforcement agencies or litigants in certain cases.
The full ramifications of those cases are still unclear and the legal situation will continue to vary significantly from jurisdiction to jurisdiction, but there are other things we should consider before getting into the detailed legal situation.
Once again, we need to understand the risk associated with a court granting access to the data we have in a service. That will largely depend on the way any data that is disclosed will be handled and what guarantees we have offered to our users. Access to a very specific record granted via a warrant and committing the accessing parties to hold the information carefully is very different from a court allowing various parties to hold full copies of a database without protection.
We then need to consider the likelihood of such an order and the practicalities of fulfilling it. These cases are extremely rare and likely to remain so.
For governments, in the very rare circumstance where such situations did arise, most foreign governments are likely to use diplomatic channels to address requests of this sort that touch on government-owned data. Not to do so would risk a diplomatic incident and that is rarely worthwhile. Those diplomatic channels give us an opportunity to find other ways to address the situation.
Regardless of whether you’re a government, if your data is stored on third parties’ servers that doesn’t mean it’s entirely out of your control. Just because your data rests on someone else’s server doesn’t mean you can’t encrypt it and store the keys elsewhere, or take other similar steps.
Hostile interference
There are always risks that hostile actors will want to interfere with your service, and that’s something that should be considered as part of the general threat modelling and risk assessment for a system regardless of where it’s hosted.
Infrastructure security is incredibly important but far too often people focus on that at the cost of application security, which is where the easiest to exploit vulnerabilities are usually found. Regardless of where an application is hosted you should be managing the application security appropriately. With that, you should be taking appropriate and proportionate steps to maintain the integrity of the data in your services. For example, when using large-scale public cloud services you should implement industry standard encryption of your network traffic, and think about how you’d detect tampering with your data at rest.
It is possible that certain types of attacks will be easier if data is in another country, particularly disruption to the availability of a service. If your service is genuinely critical, you should already have plans to make it resilient against network outages, for example by deploying software you run to multiple “regions” or by ensuring that your software-as-a-service providers do similarly.
It’s also worth noting that there are limits to what you can reasonably prepare for or protect against. One example of where an organisation has thought ahead about that and set out to be realistic is the threat model for UK-OFFICIAL. The UK government accepted the possibility that determined and highly capable foreign governments may be able to access some data and services:
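The two practical steps mentioned above, keeping keys outside the provider that holds the data and being able to detect tampering with data at rest, can be combined into one small mechanism. The following is an added example written for this post, not code from the original article or from any cloud provider: it keys an HMAC-SHA256 manifest over every stored object with a key that never leaves your own secret store, so that a later check of the objects held by a third party reports exactly which ones were altered, removed or silently added. Object names, contents and the key are constructed sample values; the `verify_store` and `build_manifest` function names are this example's own.

```python
"""Tamper detection for data held on a third party's storage (added example).

Assumptions, not from the original post: objects are addressed by a string name
and hold bytes; the integrity key lives outside the hosting provider (for example
in an on-premises secret store); the manifest of tags is kept where you control it
or is itself protected, because an attacker who can rewrite both data and manifest
would otherwise go unnoticed.
"""
import hashlib
import hmac

# Constructed sample key. A real deployment loads this from a store that the
# hosting provider cannot read, and never uploads it next to the data.
INTEGRITY_KEY = b"constructed-sample-key-not-for-real-use"

# Constructed sample objects standing in for what the provider stores.
SAMPLE_OBJECTS = {
    "records/1.json": b'{"id": 1, "name": "alice"}',
    "records/2.json": b'{"id": 2, "name": "bob"}',
    "records/3.json": b'{"id": 3, "name": "carol"}',
}


def tag_object(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over (name, data).

    The name is length-prefixed and included so that two objects cannot be
    swapped between names without the tags failing to match.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    name_bytes = name.encode("utf-8")
    mac.update(len(name_bytes).to_bytes(4, "big"))
    mac.update(name_bytes)
    mac.update(data)
    return mac.hexdigest()


def build_manifest(key: bytes, objects: dict) -> dict:
    """Compute the tag for every object before it is handed to the provider."""
    return {name: tag_object(key, name, data) for name, data in objects.items()}


def verify_store(key: bytes, manifest: dict, stored: dict) -> dict:
    """Compare what the provider now holds against the manifest.

    Returns name -> one of "ok", "tampered", "missing", "unexpected".
    """
    result = {}
    for name, expected in manifest.items():
        if name not in stored:
            result[name] = "missing"
            continue
        actual = tag_object(key, name, stored[name])
        # Constant-time comparison avoids leaking how much of the tag matched.
        result[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in stored:
        if name not in manifest:
            result[name] = "unexpected"
    return result


def demo() -> dict:
    """Simulate a store that was altered after the manifest was taken."""
    manifest = build_manifest(INTEGRITY_KEY, SAMPLE_OBJECTS)
    stored = dict(SAMPLE_OBJECTS)
    stored["records/2.json"] = b'{"id": 2, "name": "mallory"}'  # content changed
    del stored["records/3.json"]                                 # object removed
    stored["records/4.json"] = b'{"id": 4, "name": "eve"}'       # object planted
    return verify_store(INTEGRITY_KEY, manifest, stored)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Running the check periodically from infrastructure you control gives you a detection signal that does not depend on trusting the provider's own logs, and because the key is held elsewhere, an administrator on the provider's side who can read or rewrite the objects still cannot produce a valid tag for altered data. Tagging the name together with the content also catches an attacker who simply renames or swaps intact objects.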
“This model does not imply that information within the OFFICIAL tier will not be targeted by some sophisticated and determined threat actors (including Foreign Intelligence Services) who may deploy advanced capabilities. It may be. Rather, a risk based decision has been taken not to invest in controls to assure protection against those threats, i.e. proportionate not guaranteed protection.”
Conclusion
For the vast majority of what any of us do, considerations about where to host your data and services come down to good architectural practices: are our services designed to be resilient, fault-tolerant and responsive enough to meet users’ expectations?
In some cases being comfortable hosting services off-shore brings very real advantages, not just because it gives us access to a wider market of suppliers but also because it allows for geographical resilience, or for better services to those based outside the UK.
The main thing that’s important whatever we’re doing is to maintain awareness of what we’re using and how. In a cloud-centric world that no longer means understanding every server, but having a good sense of where the companies you’re dependent on are owned and operated and, for high-availability services, how their network connectivity is provided.