Data Protection In The Cloud: The Facade Of Vendor Trust Is Crumbling

Many non-US organizations operate under privacy regulations that require that customer data remain within their countries or jurisdictions. In response, US cloud providers build data centers and host their applications inside countries that they're selling their solutions to.

However, all this is nothing but theater. These requirements are far more useful as a local jobs program rather than as an effective privacy practice. I've warned about this before: Any US vendor is going to be handing over data under a US subpoena, and most certainly under a National Security Letter. It doesn't matter if it resides in a data center on US soil, in the EU, or even in outer space.

So it's refreshing to see a vendor openly admit this, as Microsoft has.

Maybe now that we're all starting to be honest with each other this issue will gain some traction, and vendors will begin to incorporate some real data protection measures into our cloud environments, such as encrypting the data in such a way where only customers - not the cloud providers - have the keys. I suspect we'll start to see such requirements begin to show up in a lot of RFPs.

Comments

When one-size-fits-all doesn't fit

I couldn't agree with you more, Jonathan. At Accellion, we compete against cloud offerings by Box and Dropbox by offering a secure collaboration and file sharing application that can be deployed on premise, virtually, and/or in a public, private or hybrid cloud deployment. The public cloud, one-size-fits-all approach to deployment has a time and a place. When savvy European companies need an onsite physical appliance in one country along side the public cloud deployment in another, that they can manage, encrypt and hold the keys to, we win.

Encrypted data without the keys isn't data

Great comment. I think we'll see more companies recognize that they only need to keep the keys local (and, more importantly, in their control) rather than the encrypted data - which is just a meaningless blob without the keys. I'd like to see some regulatory guidance about this, as many companies intuitively recognize this is sufficient but lack the assurance that regulators and auditors understand all the subtleties.