A US federal court recently ruled that Microsoft had to give up a client’s data stored in one of its databases in Ireland. The decision adds a new element to putting data in the cloud: providers could be forced to give up their clients’ data, even if the data is stored in another country, and they have no obligation to notify the client. If that’s the case, then clients putting their data in the cloud are essentially giving up control of their data and trusting the provider to advocate for the protection and privacy of that data, says Elad Yoran, the CEO of Vaultive, a provider of data encryption solutions for cloud adopters.
Normally when the government serves a subpoena for a company’s data, the company’s legal department will try to protect as much data as they can. At the minimum, they will ensure that only data directly related to the subpoena is handed over, explains Yoran, who will be speaking about data encryption in the cloud at Interop in New York City next month.
“But if Microsoft gets a subpoena for your data, they have to hand [the data] over, and you don’t get a seat at the table,” he adds.
[Learn more about the Internet of Things at Interop's Internet of Things Summit on Monday, September 29.]
Losing control over company data in this fashion could understandably make organizations hesitant about cloud adoption. But new advances in encryption technology can help companies keep control over their data even when it resides in the cloud, he says.
Traditionally, data encryption meant encrypting the data when it was in transit or at rest. But in order for the data to be used, it had to be decrypted. For instance, if a company is using a cloud provider for email, then the data has to be decrypted for employees to search their messages. However, new advancements in encryption technology now allow data to be encrypted even when it is in use, which could keep control of the encrypted data in the hands of the client, as the data never has to be decrypted on the server.
[For more on data encryption in the cloud: Making the Cloud Secure for Sensitive Data]
The important thing for businesses is that, even if their data is encrypted in use, they have to keep control of the encryption keys, Yoran shares. “In that case all the cloud provider can hand over to the government is encrypted data. The government still has to go to the client and ask for the keys, and then they can go through the standard legal process,” he explains. “Before the provider needed the encryption keys to decrypt the data so that it could be used. Now with encryption in-use, that’s no longer the case.”
This kind of complete control over data can be important, particularly for financial services firms when dealing with compliance, since regulators have begun to focus on data privacy and security. One financial services client that works with Vaultive had previously dismissed using cloud-based Office 365, because it knew that having the data decrypted by Microsoft could raise concerns among its regulators, Yoran says. But once the people in that company found they could encrypt the data in-use, they were able to adopt Office 365. They can also tell their auditors that they have complete control over their data in the cloud, he adds.
Data encryption in use can also help multinational firms dealing with differing data privacy regulations in different geographies. Countries with strict data privacy laws often require that data created in their countries cannot leave their borders. That precludes a multinational from keeping its data from one country in a cloud provider’s database located in another country. With data that is encrypted in use, however, regulators can be satisfied, as long as the encryption keys for that data are kept in the country, since they know the data will never be decrypted without those keys.
“The paradigm shifts from being about where the data is kept to being about where the keys are kept,” Yoran explains. “It can take some education for regulators, but there is an emerging acceptance of this new paradigm, and I think it will be widely accepted in two or three years.”
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio