Concerns about government agencies’ surveillance of private corporations’ digital data and communications have been top of mind since the U.S. government passed the Patriot Act in the wake of the 9/11 terrorist attacks. Add Edward Snowden blowing the lid off National Security Agency (NSA) domestic spying activities in 2013, and cases like the U.S. Department of Justice search warrant seeking access to customer emails stored on Microsoft servers in Ireland (the U.S. government argues it has jurisdiction to demand emails held in an Irish data center in connection with a drug-trafficking investigation).
“The scope of the privacy laws around the world is now a very important question, and this is the beginning of what may be a lot of litigation on the question.” – George Washington University law professor
While a final ruling in the Microsoft case is still pending, with the Irish government and advocacy groups supporting Microsoft, the US government has won several important appeals in the case. What that means is that customers adopting cloud services should proceed under the assumption that the US government can, and will, demand access to their corporate data from their cloud service provider (CSP), whether or not the firm consents. In fact, in most cases enterprises will not be notified of a government request for data residing at their CSP. Housing sensitive data in an offshore data center is no guarantee of data privacy for an enterprise or its customers. As with other threats to cloud data, corporations cannot expect to prevent all data leakage, whether the agents are governments or criminals. Instead, they must work to minimize the risks associated with any access to high-value data that can expose personal information, financial details or intellectual property.
Luckily for privacy-minded companies, there are practices and approaches that ensure the privacy and integrity of sensitive data while conserving the cost savings, scalability and efficiency gains of cloud computing. Encryption along with sound key management practices is the most obvious of these approaches. As our guide to the Microsoft-Ireland case describes, encryption will allow enterprises to comply with government regulations for data privacy of customer data while mitigating the risks of actually exposing that data when governments come knocking on your CSP’s door. Encryption devalues the data: it renders it unreadable (and therefore worthless) to all except authorized parties, so that even if the data is disclosed, outsiders will have no way of reading it without the express consent and assistance of the data owner.
However, not all encryption models are the same. When encryption services are provided by the CSP that hosts the data and applications, the encryption keys are available on demand to the CSP. That means the CSP can, if ordered, turn over cleartext data, in which case the encryption effort has not protected the data from government surveillance at all. In fact, any encryption scheme that allows a third party to handle encryption keys is one that doesn’t fully protect sensitive cloud data from lawful intercept or from many other threats posed by malicious attackers.
Ultimately, the solution is to not only encrypt sensitive data headed for the cloud, no matter where that cloud resides, but also to retain exclusive control of encryption keys. Under such a system, government agencies wishing to gain access to sensitive data must deal with the cloud customer itself and cannot achieve their goals by going through a third-party CSP. Encryption of appropriate strength, paired with zero-knowledge practices for data and keys, is therefore the best solution for ensuring cloud data privacy, residency and sovereignty.
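The two key-custody models described above, as an added illustration that is not code from this article or from any vendor: the CSP is simulated by an in-memory class, `CloudStore`, `upload`, `disclose` and `customer_read` are hypothetical names, AES-256-GCM from the Python `cryptography` package is an assumed choice of cipher, and the sample record is constructed.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class CloudStore:
    """Simulated CSP: holds blobs, plus keys only if the customer handed them over."""
    def __init__(self):
        self.blobs = {}  # name -> (nonce, ciphertext)
        self.keys = {}   # name -> key (provider-managed model only)

    def put(self, name, nonce, ciphertext, key=None):
        self.blobs[name] = (nonce, ciphertext)
        if key is not None:
            self.keys[name] = key

    def disclose(self, name):
        """What the provider can produce on its own when served with an order."""
        nonce, ct = self.blobs[name]
        key = self.keys.get(name)
        plaintext = AESGCM(key).decrypt(nonce, ct, name.encode()) if key else None
        return {"ciphertext": ct, "plaintext": plaintext}

def upload(store, name, plaintext, customer_holds_key):
    """Encrypt before upload; the key goes to the CSP only in the provider-managed model."""
    key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)  # 96-bit nonce, never reused under the same key
    ct = AESGCM(key).encrypt(nonce, plaintext, name.encode())  # object name bound as AAD
    store.put(name, nonce, ct, key=None if customer_holds_key else key)
    return key

def customer_read(store, name, key):
    """Decryption path that requires the data owner's key."""
    nonce, ct = store.blobs[name]
    return AESGCM(key).decrypt(nonce, ct, name.encode())

if __name__ == "__main__":
    record = b"constructed sample record: customer=0001 note=example"
    store = CloudStore()
    upload(store, "provider-managed", record, customer_holds_key=False)
    key = upload(store, "customer-held", record, customer_holds_key=True)
    print(store.disclose("provider-managed")["plaintext"])
    print(store.disclose("customer-held")["plaintext"])
    print(customer_read(store, "customer-held", key))
```

In the customer-held model the provider's disclosure contains only ciphertext, so recovering the record requires the key the data owner kept.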