Cloud, data sovereignty and the law: key points all companies should consider

Data sovereignty has become a priority for all organisations using cloud, but what are the key issues to consider?

Data sovereignty has become a priority for organisations of all types as cloud services have become mainstream.

Even enterprises in regulated industries now use external cloud services, such as file sync and share or endpoint backup. This doesn't necessarily mean organisations are losing sight and control of their data, but they must investigate ways sensitive information can be compromised.

Data sovereignty

Data sovereignty was the main driver behind the European Court of Justice declaration in October 2015 that the Safe Harbour agreement was invalid. Each EU country will now decide whether companies that store its citizens' data in the US are following safe practice. Germany has already enacted strict measures to address data sovereignty, and the Safe Harbour ruling is expected to have a significant impact on companies operating in Europe.

We expect the deployment of in-country clouds to accelerate as legislation tightens. The US Patriot Act is just one example of national legislation under which a government may collect data from cloud companies based in its jurisdiction, regardless of where the data is physically located. An important case currently ongoing is Microsoft vs. The United States of America. This case, now at the appeal stage, is seeking to address whether a domestic US search warrant can compel American companies to produce data stored on servers located outside the US. The outcome could shift the focus of the data sovereignty discussion from where data is stored to who is storing it. Organisations need to keep abreast of developments.

Tenancy model

Companies adopting cloud solutions must ensure they understand the provider's tenancy model. There are various options. For example, a virtual private cloud, or VPC, hosted within a public cloud should be as secure as a company's own private data centre environment. Even if access control mechanisms fail, the firm's data can never be mixed with other data. By contrast, in the multi-tenant model of the public cloud a company's data is stored in the same logical system as other organisations' data, and access to it is governed by access control mechanisms. A VPC also enables the customer - and not the cloud services provider - to encrypt data with its own encryption keys, and control every aspect of encryption policy.

The SaaS risk

Then consider the SaaS risk. Consumer-style SaaS file-sharing services have proliferated in the enterprise as users demand easy, convenient productivity tools. These services pose a huge risk to sensitive data and may ultimately have a severe impact on a company's business.

Many SaaS providers will tell you that it matters less where the data is physically located and more where the encryption keys are managed. Several public cloud file services providers have announced support for enterprise key management (EKM), which enables customer-only management of encryption keys, to nudge security-conscious, cloud-averse organisations into cloud adoption. While at first this may seem like a good approach to data security, it's neither sufficient nor comprehensive.

It is inadequate because large portions of the enterprise file sync and share functionality still run in the public cloud, so even with EKM in place users need to ensure that their service provider:

1. Wasn't instructed by the government to install an auditing device, responsible for tapping and recording ALL data, metadata, encryption keys and user identities.

These types of data collection represent fundamental intrusions into data security and privacy and are unlikely to comply with future safe harbour regulation. Moreover, the provider's hands may be tied by regulation imposed on them by their home country's legislation.

2. Won't impersonate user accounts to access their data.

Any impersonation of user accounts will leave data accessible to the impersonator and that is a clear breach of data governance, security, integrity, sovereignty, and compliance.

3. Won't generate links or collaboration shares to data on behalf of the company's users.

Any links that create a method of access to data present a further obvious potential for security and regulations to be breached.

4. Doesn't cache the keys that are used to encrypt files.

If the provider caches the keys that are used to encrypt files the keys can be utilised to decrypt the same files in the future. It's like letting your provider know the combination code to your briefcase.

Organisations should also consider that EKM, whether cloud-based or on-premise, is only an after-the-fact remedy for data falling into unwanted hands. Good practice requires users to address the window between when a security breach started and when they retract access on the EKM server, since everything read during that window is already lost. Furthermore, once this access is retracted, the entire file service is inaccessible to corporate users, not just to the intruder.
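As an added illustration (not part of the article, and not CTERA's or any provider's code), the following Python model walks through point 4 and the retraction window above: a customer-held key-encryption key (KEK) wraps each file key, the provider stores only ciphertext plus the wrapped key, and retracting the KEK makes every file unreadable to users, while a provider that cached the plaintext file keys can still decrypt after retraction. The cipher is a constructed HMAC-SHA256 counter-mode stand-in so the block runs on the standard library, and the names CustomerEKM, Provider and scenario are assumptions of this example.

```python
import hashlib
import hmac
import os
# Stand-in cipher (constructed for this example): HMAC-SHA256 in counter mode.
# Production code would use AES-GCM from a vetted library; this avoids dependencies.
def keystream_xor(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)
class CustomerEKM:
    """KEK on the customer's EKM server; the provider only sees file keys wrapped under it."""
    def __init__(self):
        self.kek = os.urandom(32)
    def wrap(self, file_key):
        nonce = os.urandom(16)
        return nonce + keystream_xor(self.kek, nonce, file_key)
    def unwrap(self, wrapped):      # returns None once access has been retracted
        if self.kek is None:
            return None
        return keystream_xor(self.kek, wrapped[:16], wrapped[16:])
    def retract(self):              # the after-the-fact response the article describes
        self.kek = None
class Provider:
    """Stores ciphertext and the wrapped file key; caches_keys=True also keeps the plaintext key (point 4)."""
    def __init__(self, caches_keys):
        self.caches_keys, self.store, self.cache = caches_keys, {}, {}
    def upload(self, name, plaintext, ekm):
        file_key, nonce = os.urandom(32), os.urandom(16)
        self.store[name] = (nonce, keystream_xor(file_key, nonce, plaintext), ekm.wrap(file_key))
        if self.caches_keys:
            self.cache[name] = file_key
    def download(self, name, ekm):  # normal user path: needs the customer's KEK
        nonce, ct, wrapped = self.store[name]
        file_key = ekm.unwrap(wrapped)
        return None if file_key is None else keystream_xor(file_key, nonce, ct)
    def decrypt_alone(self, name):  # what the provider can do with no customer involvement
        if name not in self.cache:
            return None
        nonce, ct, _ = self.store[name]
        return keystream_xor(self.cache[name], nonce, ct)
def scenario(caches_keys):
    """(users can read before retraction, users after retraction, provider alone after retraction)."""
    ekm, prov, doc = CustomerEKM(), Provider(caches_keys), b"board minutes, confidential"
    prov.upload("minutes.txt", doc, ekm)
    before = prov.download("minutes.txt", ekm) == doc
    ekm.retract()
    return before, prov.download("minutes.txt", ekm) == doc, prov.decrypt_alone("minutes.txt") == doc
```

Running `scenario(False)` gives (True, False, False): retraction locks users out and the provider holds nothing usable; `scenario(True)` gives (True, False, True), the cached-key case where retraction stops users but not the provider.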

It's time for organisations to understand these issues in detail and, even as the regulatory burden changes, recognise that cloud providers are not responsible for their data - they are.

Aron Brand is chief technology officer of CTERA