So, you’ve examined the options for storing or processing your data in the cloud, and come to understand the importance of encrypting the data there for privacy – that’s clearly one of the top encryption key management use cases these days. Following best practices, you requested a copy of each candidate cloud provider’s third-party SSAE 16 audit report and skimmed them all to determine which appeared to have the best data protection. That one you read closely and, while there will always be risks from rogue insiders, the practices that are documented and followed indicate that
- Appropriate controls are in place to avoid commingling data in the multi-tenant environment
- Logical perimeter protections are strong and regularly reevaluated, and
- Segregation of duties combined with diligent log inspection mitigates the risk of internal fraud
After all that effort, you select the vendor, move your data and processing to their cloud, start reaping the benefits of reduced cost, then sit back and relax, but...
Sadly, just as your feet hit the top of the desk, the phone rings and your cloud provider rep says, “Hey, you know that data you put into our encrypted cloud – well, some feds showed up with a subpoena. They’re not interested in your data but, once we give them the master keys to our encryption, they can effectively access everything. You might want to let your chief auditor know….”
How the Feds Can Ask for Decryption Keys
While there is a great deal in the media about what the NSA or other federal agencies have asked for under various national security acts, whether the requests are lawful or not, and who may have complied with or resisted the requests, this risk will persist so long as access to data is needed for the defense against terrorism. While much of the focus has been on the exchange of phone calls and emails, the nature of cloud computing inevitably makes it a likely target for the same kind of demand for access: data can be accessed from anywhere, the service may be contracted without any in-person meetings, and encryption protects the privacy of the data of the unjust in the same way it does for the just. Even as the debate over what is and is not allowed under the existing statutes, such as the Foreign Intelligence Surveillance Act, continues, some interpretations are allowing broad access, as seen in the opinion of Chief Judge Selya of the First Circuit US Court of Appeals. That judgment allowed the federal government broad access to calls being placed by and to citizens in the US, even though the focus of the Act is on foreign nationals. It is only a small logical leap in the interpretation of the Act’s language for it to include the exchange of documents via cloud storage as encompassed by the Act’s definition of electronic communication.
The point of this analysis isn’t to foment additional fear and uncertainty about privacy in the wake of the Snowden disclosures and other reporting on the scope and potential abuse of the counter-terrorism powers granted to federal agencies. It is, instead, meant to point out a little-appreciated but tangible risk to which use of cloud computing is inherently subject, and to advise that this risk, like all such risks, should be mitigated with appropriate controls to minimize the risk to the enterprise.
Protecting the enterprise without giving up the cloud
This framing of the encryption key management use case leads unavoidably to another: even when storing or processing data in an encrypted cloud, the enterprise’s interests must be protected by encrypting the data before it is sent to the cloud, and the cloud provider must never have access to the decryption keys. While the rationale for this conclusion differs from that of the prior post in this series, the effect is the same.
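What “encrypt before it leaves the enterprise, and never give the provider the key” looks like in practice is client-side envelope encryption. The following is an added example written for this post, not code from the vendor or from any cloud provider: each object gets its own data key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays in the enterprise key manager, and only ciphertext plus the wrapped DEK is uploaded. The `CloudObject` type, the AES-256-GCM choice and the object name used as associated data are all assumptions of this example; `ProviderCanDecrypt` models the subpoena scenario above, in which a party holds the stored object and every key the provider itself owns.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CloudObject is everything the provider stores for one record: the
// ciphertext and the per-object data key (DEK), which is itself wrapped under
// the enterprise-held key-encryption key (KEK). No usable key is present.
type CloudObject struct {
	DEKNonce, WrappedDEK  []byte // AES-256-GCM(KEK, DEK)
	DataNonce, Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

// RandomKey returns a fresh 32-byte AES-256 key from the OS CSPRNG.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a random nonce; aad is
// authenticated but not encrypted.
func aeadSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func aeadOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the enterprise side before upload. The KEK never leaves the
// enterprise key manager; only the returned object goes to the cloud.
func Encrypt(kek, plaintext []byte, objectID string) (*CloudObject, error) {
	dek, err := RandomKey()
	if err != nil {
		return nil, err
	}
	aad := []byte(objectID) // binds both layers to the object's storage name
	dataNonce, ct, err := aeadSeal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := aeadSeal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &CloudObject{DEKNonce: dekNonce, WrappedDEK: wrapped, DataNonce: dataNonce, Ciphertext: ct}, nil
}

// Decrypt runs on the enterprise side after the object is fetched back.
func Decrypt(kek []byte, obj *CloudObject, objectID string) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := aeadOpen(kek, obj.DEKNonce, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, obj.DataNonce, obj.Ciphertext, aad)
}

// ProviderCanDecrypt models the subpoena in the post: whoever holds the stored
// object plus every key the provider owns tries each of them in turn.
func ProviderCanDecrypt(obj *CloudObject, objectID string, providerKeys [][]byte) bool {
	for _, k := range providerKeys {
		if _, err := Decrypt(k, obj, objectID); err == nil {
			return true
		}
	}
	return false
}

func main() {
	kek, _ := RandomKey()            // lives in the enterprise key manager or HSM
	providerMaster, _ := RandomKey() // the provider's own storage-encryption key
	obj, err := Encrypt(kek, []byte("constructed sample record: Q3 forecast"), "bucket/q3.txt")
	if err != nil {
		panic(err)
	}
	fmt.Println("provider can decrypt:", ProviderCanDecrypt(obj, "bucket/q3.txt", [][]byte{providerMaster}))
	pt, err := Decrypt(kek, obj, "bucket/q3.txt")
	fmt.Printf("enterprise decrypt: %q err=%v\n", pt, err)
}
```

The design point is the split in `Encrypt`: the provider’s own storage encryption (its “master keys”) is layered on top of an object that is already opaque, so surrendering those keys exposes only wrapped DEKs. Using the object name as GCM associated data also means a ciphertext copied to a different path, or a tampered one, fails authentication instead of silently decrypting.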
That leaves the very interesting matter of how to achieve this goal, particularly when the enterprise seeks the compelling cost advantages that compute-in-the-cloud can offer. That will be the subject of the last post in this series, which will be published later this week. In the meantime, learn more about the obstacles and opportunities for enterprise key management from Securosis CTO and data security analyst Adrian Lane.