All our Press, News and Articles

Are US cloud services secure?

March 18, 2024

In discussions regarding the cloud, it is sometimes argued that it is more secure to leave your data with US cloud service providers.

The question is – more secure than what?

More secure than a low-priority server rack in the basement? Most likely. A low bar is easy to get over. You can almost sense the cobwebs and water leaks creeping into the mythical server basement.

Fortunately, in most cases the alternatives in reality are different. Both when it comes to running things on-premises, but especially when looking at the choices available on the market for buying cloud services from providers.

Cleura and many other companies offer cloud infrastructure as a service (IaaS) but also platform as a service (PaaS) in competition with Azure, AWS and Google Cloud. Cleura does this from its data centre regions in Sweden and Germany.

Organisations can thus move to the cloud – with hosting by an external service provider – without handing over their data to US cloud service providers.

The alternative: OpenStack-based clouds

We at Cleura, and many with us, use the OpenStack platform to deliver cloud infrastructure. Today, you can get OpenStack-based public cloud services delivered from over 180 data centres worldwide.

OpenStack was created by the US hosting company Rackspace and the US space agency NASA.

In other words, it is technology with American roots.

Rackspace and NASA discovered that they had each built complementary cloud components. They decided to merge the projects and created what can best be described as a replacement for AWS.

Those involved at the time have said that the project could have fallen apart early on – the difficulties seemed insurmountable. A US senator reportedly tried to stop the project because it threatened employment – more automation would lead to fewer jobs in the country’s data centres. NASA’s bureaucracy was also an obstacle. But in the end, it worked. Wire magazine has a fascinating article on the subject titled The Secret History of OpenStack, the Free Cloud Software That’s Changing Everything.

OpenStack is special because it is based on collaboration – not just between Rackspace and NASA, but between organisations all around the world. Because Rackspace and NASA released OpenStack with an open source licence, everyone could contribute with improvements to the project.

And no one has to ask anyone for permission to use OpenStack, or pay a licence fee.

However, hundreds of organisations using or relying on OpenStack choose to contribute with code, financial support or through other means. OpenStack can be likened to a commons that its users nurture and care for. The difference with a plot of land is that OpenStack becomes more valuable to everybody as more organisations use it and participate in the community. As a result, OpenStack has become one of the world’s most successful open source projects.

Thanks to OpenStack, European and Swedish cloud service providers like Cleura can offer infrastructure as a service (IaaS) to organisations that need to comply with the GDPR and other regulations. These are pure, scalable cloud services provided from, for example, Cleura’s data centre regions in Sweden and Germany.

The OpenStack project’s home has long been the OpenInfra Foundation. The foundation makes sure that the project is managed and developed for the benefit of the community, without appeasing the special interests of any individual company.

In addition to OpenStack, the foundation hosts several related projects in areas such as AI/machine learning, CI/CD, containers and edge computing. Cleura is a gold member of the OpenInfra Foundation and is represented on the advisory board of OpenInfra Europe.

What about security?

A recurring refrain is that US cloud service providers devote a large number of staff to security. However, this doesn’t say much about the results achieved.

Are staff resources used effectively? Do they have to clean up messes after the fact, due to a fast pace of development leading to security flaws in the code? Are new features added at a pace which increase the attack surface to the detriment of security? Is old technical debt burdening the code, requiring extra effort from a security point of view?

Does the solution have such a large customer base that it is a particularly attractive target for adversaries?

It seems logical that the more people that use a standardised cloud solution, and the more sensitive the data processed in that cloud solution, the more attractive it will be for adversaries to look for security holes. One vulnerability could then be used against a larger number, or more sensitive, targets. It is only natural that a provider of such a solution has to allocate more resources to security. In addition, a disruption at the provider may affect many organisations at the same time.

It is worth mentioning here that Google has identified the dominance of one of its competitors as a particularly big security problem, not least for the public sector.

NBC news article: "Attacking rival, Google says Microsoft's hold on government security is a problem. Microsoft pushed back strongly against the claim from its business rival, calling it 'unhelpful'."

The company in question has also failed to maintain its own internal security, stating in January 2024 that Russian hackers stole internal messages and files from its leadership team, and cybersecurity and legal employees. The intrusion later turned out to be much worse than initially known.

Competitors to the vendor’s security business are also levying sharp criticism, according to a report by GovInfoSecurity:

”Any way you cut it, the threat is very real and very serious, and the prevailing view across the national security community seems to be that [the vendor] is hanging on by a thread,” said Krebs, who served as the first director of the U.S. Cybersecurity and Infrastructure Security Agency. ”These continued incidents pose a significant risk to companies that rely on [the vendor’s] systems and are driving executives in government and industry alike to reevaluate their dependence on [the vendor’s] systems.”

A manager at security firm CrowdStrike has gone so far as to call the vendor ”a threat to national security”, saying ”We know [the vendor] has had many problems with [its cloud platform], and this breach demonstrates [the cloud platform’s] broader authentication issues.”

But it’s not just competitors of the company that have had concerns. In April 2024, the U.S. Department of Homeland Security published a report outlining ”a cascade of security failures” at the vendor and that ”[the vendor’s] security culture was inadequate”.

”Throughout this review, the board identified a series of operational and strategic decisions [at the vendor] that collectively points to a corporate culture that deprioritized both enterprise security investments and rigorous risk management,” the report reads in part.

The board that produced the report consists of government and industry officials, from entities including the Departments of Homeland Security, Justice, and Defense, the NSA, FBI, and others.

Adding to this, BSI, the German Federal Office for Information Security, has not received clear answers from the same cloud service provider regarding its use of so-called double-key encryption (DKE). By using two keys, one of which always remains with the customer, DKE is meant to prevent data leaks in specially secured environments. But after a particularly bad incident at the provider, the information the BSI received from the provider was so unclear the BSI couldn’t assess if the attackers were able to access data in plain text anyway. ”Even after repeated requests and threats of legal action, Microsoft did not provide the requested information. Therefore, the BSI is now using the legal instruments at its disposal, explains a BSI spokesperson,” heise Security reports.

Security isn’t easy, but a diversity of views makes it easier

Security isn’t easy. Any solution that becomes large or significant enough will attract adversaries looking for vulnerabilities. We are not raising this issue to point fingers at a single vendor, but to show that an excellent level of security does not necessarily follow automatically from a single company putting a lot of staff resources into security.

With American roots and contributions from around the world, one advantage of OpenStack is that the source code is freely available. Thousands of organisations use OpenStack and thousands of people contribute to its development. This widespread use and participation becomes an advantage by exposing the source code to many eyes and perspectives. If someone wants to perform an independent security review of a certain part of the code, or penetration test a certain implementation, that is entirely possible. For the project, this creates value for all users because it helps to find security vulnerabilities.

Eggs in the same basket

An organisation can reduce its vulnerability by spreading its eggs in several baskets, instead of putting all of its data in the same cloud that almost everyone else uses. This also reduces vulnerability at the societal level, as one security vulnerability cannot affect large parts of society at the same time.

In addition to these perspectives on security, there is another one: US authorities gaining access to the data processed by US cloud service providers. This can be a threat to trade secrets, confidential information and personal privacy. We have written more about the threat of such access in the report What your organisation needs to know about the third adequacy decision.

Deep dependence on a single provider at a national level can even undermine a country’s independence. In Denmark, for example, the association representing regions and municipalities has lobbied the government for changes to Danish law to allow Google to use school children’s personal data to improve its cloud services. The reason is that municipalities feel they have no choice but to use Google’s school solutions, while Google wants to use school children’s personal data for these purposes.

One advantage of OpenStack is that you do not become dependent on a particular provider. If you feel that your existing provider of OpenStack-based services doesn’t provide good enough support, doesn’t manage security well enough, or doesn’t maintain competitive prices, it’s perfectly possible to migrate to another provider that provides essentially the same infrastructure service. This creates an interesting paradox: the easier it is for the customer to leave, the more likely it is that the customer will voluntarily choose to stay. This is because the provider has strong incentives to be responsive to its customers and deliver a secure and competitively priced service.

Summary regarding US cloud services

  1. Large resources alone do not guarantee high security. Development needs to be done in the right way and resources need to be used efficiently.
  2. There are alternatives to US cloud services: Cleura Compliant Cloud, for example.
  3. Cleura and many other cloud companies sell infrastructure as a service (IaaS) based on OpenStack, one of the world’s most successful open source projects.
  4. The open source nature of OpenStack provides several advantages from a security point of view:
    • development is transparent and hosted by the neutral OpenInfra Foundation, allowing everyone to see that new code is reviewed according to agreed procedures in a secure manner,
    • anyone who wants to can perform or commission a security review of the code or penetration test a particular implementation and configuration,
    • all else being equal, more eyes on the code makes it more likely that security vulnerabilities will be discovered.
  5. Since there are many providers of OpenStack-based clouds, both in Sweden and Europe, you can switch providers if you are not satisfied. This means that your provider has strong incentives to deliver a quality service with high security at competitive prices. A provider with customers who have difficulty leaving the service on the other hand, is not held accountable to market forces. This increases the likelihood of the supplier stagnating, including when it comes to security.