This past summer, a 20-year-old man was arrested in Venice Beach, CA for allegedly stealing a $200,000 Mercedes-Benz SLS outside a Venice restaurant after the valet had left it running for the owner. Earlier this month police in Charlotte, North Carolina charged an employee of the airport's valet parking service with stealing three cars that customers had left while they were away on trips. Even scarier, it is common to hear police warn you never to leave your house keys with a valet. Your address is easily found on documents in the vehicle, and this information (along with a copy of your key) can then be used to waltz in the door one day and literally strip the place.
I don’t think that we are surprised when we hear these stories. After all, in these cases, we’ve given keys to valuable property to complete strangers who may have a strong economic or other motive to compromise those keys and make use of the information for their own profit. If you polled security professionals, I think you’d find a very low level of trust in this kind of circumstance. I avoid valet parking whenever possible, and always remove my house keys when circumstances make it impossible to avoid its use.
What I don’t understand is that many of the same people who feel as I do about using valet parking don’t hesitate to hand over their encryption keys to a third party. What I find even more shocking is how many organizations hand over their data to 3rd parties with no protection at all. These organizations are then surprised when their data is compromised or their keys and data are released to the government without their knowledge. We know from the Snowden documents, Lavabit, and from common sense, that the US Government has attempted to obtain the master encryption keys using the Foreign Intelligence Surveillance Act. Apple, Yahoo, AOL, Verizon, AT&T, Time Warner Cable, and Comcast all declined to respond to queries about whether they would divulge encryption keys to government agencies. What is a large company to do when subpoenaed?
That is what makes the news about the recent actions of Lavabit’s founder, Ladar Levison, so incredible and interesting. Mr. Levison shut down his company in August rather than releasing his customers’ encryption keys to the government. I think the integrity and actions of Mr. Levison are admirable. However, we can’t expect a major corporation to take such draconian actions to fight the government, especially when the government is also a big customer for most large Internet companies.
So how does an enterprise use a public infrastructure securely? Is it impossible? It’s simple. Just park your own car and lock the doors. This simple action significantly reduces your risks and attack surface! To be more specific, don’t give your keys to a 3rd party, and lock your data before leaving it out in public. The result is that if a data valet, like a hypervisor administrator, wants to sell your data, they can’t, because it is encrypted and they don’t have the key. And if a hacker is pretending to be a data valet, like a storage administrator, they can’t identify and access your data. Finally, even if the government wants your data, they now need to come to your company to get the keys. When your organization is subpoenaed (instead of a 3rd party who can’t disclose it to you), at least your organization is aware that you are a target. This then allows you to do something about it. Your organization can get lawyers involved, create a response plan and take other actions.
It is easier than ever to use 3rd party infrastructure, managed service providers and outsourcing companies, while still protecting what matters through access controls and encryption. However, if you really want to protect your data, don’t hand your keys over with your data. Keep control of your keys.