
Edward Snowden may be in Russia but we’ll feel the impact of his actions for years to come – and not just in the United States. His unmasking of the National Security Agency’s surveillance programs PRISM and XKeyscore has also created headaches for Canadian, European, and APAC users of US cloud providers.

Given strict data residency and data privacy requirements in these parts of the world, which run counter to the cozy relationship between American intelligence and big business, companies that move customer data across national boundaries are caught between two opposing forces. At some point, I expect that a cloud service provider will find itself in deep trouble.

The cloud community spent years addressing the inherent ambivalence that customers could feel in moving sensitive data to the cloud. In those days, fears revolved around the threat of malicious hackers and disgruntled employees/partners accidentally or willfully exposing their data. Now it’s legal entities and governments that are doing the same. That’s a whole other threat assessment.

Some foreign governments have already been active. Germany, for one, has set policies governing data privacy and sanctioned some US firms. A laudable intent, but the goals and net effect are dubious. The costs associated with sanctioning cloud providers, coupled with damage to the brands’ reputations, are far greater than any benefit derived.

While it may seem counterintuitive, the US cloud computing industry is not even close to profitable. It could lose as much as $35 billion over the next three years. A recent CSA survey found that half of the non-US respondents surveyed said they will move away from US clouds. But where would they go? And how can they ensure that they would be moving to a better provider and not from the proverbial frying pan into the fire?

For foreign entities, such as European corporations, choosing a cloud provider in the US can rank high on their to-do list. That’s because a higher number of cloud providers reside in the US, and they have good tech and competitive pricing. Until now, all you had to worry about was the data residency (or privacy) issue, but recent events have led everyone to worry about whether a US government agency is covertly inspecting their data.

Looking for a viable solution? Don’t send sensitive data to the cloud. If you do, transmit either encrypted garble or tokens that look like the original data.

When you encrypt data before it leaves your perimeter, you control the data’s fate. You get to choose the encryption key, the specific algorithm, and key management. This means you get to control “who gets to see what, when and how much.” This is important. If anyone needs to see your sensitive information, they have to come to you rather than going to your data sitter. You control the “keys to your kingdom.”

A second option gaining momentum recently is “Tokenization” (or Tokenisation as it is known everywhere else). This means you take the original sensitive data out, store it in a secure vault, and replace it with a random token that looks, feels, and acts like the original data. The premise of tokenization is that “what is not there cannot be stolen.” Let hackers and governments have fun with it without knowing the data is fake.

It works like this: The software intercepts any message that goes out, in any enterprise messaging format (structured or unstructured data), and scans for sensitive data in the message. It removes this sensitive data (such as credit card, personal info, health records, financial records, etc.), stores it in a safe place, and replaces it with random data formatted exactly as the original data. The only entity that can correlate the token to the original is you.

It’s also “touchless.” You don’t have to touch or modify any of your existing applications. You simply drop these tokenization or data protection gateways in the line of traffic, regardless of the type of traffic or type of message/data, and it will automatically sense the data based on pre-defined policies and work its magic.
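The gateway behaviour described above, sketched as an added example (not code from this post or from any product): it scans an outbound message for Luhn-valid card numbers, keeps each original in a vault, and substitutes a random token with the same length and separators. `TokenVault`, `protect_outbound`, `restore_inbound` and the sample message are hypothetical names and constructed data, and the in-memory dict stands in for a hardened, access-controlled vault.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SAMPLE = "Charge card 4111 1111 1111 1111 for order 1234567890123456"  # constructed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _relayout(digits: str, layout: str) -> str:
    """Pour digits into the separator layout of the original string."""
    it = iter(digits)
    return "".join(next(it) if c.isdigit() else c for c in layout)

class TokenVault:
    """In-memory stand-in for the secure vault; it never leaves the perimeter."""
    def __init__(self):
        self._by_token, self._by_value = {}, {}

    def tokenize(self, value: str) -> str:
        digits = re.sub(r"\D", "", value)
        token = self._by_value.get(digits)  # same value always maps to same token
        while token is None:
            cand = "".join(secrets.choice("0123456789") for _ in digits)
            if cand != digits and cand not in self._by_token:
                token = cand
                self._by_token[token], self._by_value[digits] = digits, token
        return _relayout(token, value)

    def detokenize(self, value: str) -> str:
        original = self._by_token.get(re.sub(r"\D", "", value))
        return _relayout(original, value) if original else value

def protect_outbound(message: str, vault: TokenVault) -> str:
    """Swap every Luhn-valid card number for a same-format random token."""
    def swap(m):
        hit = luhn_ok(re.sub(r"\D", "", m.group()))
        return vault.tokenize(m.group()) if hit else m.group()
    return PAN_RE.sub(swap, message)

def restore_inbound(message: str, vault: TokenVault) -> str:
    """Map known tokens back to originals; unknown digit runs pass through."""
    return PAN_RE.sub(lambda m: vault.detokenize(m.group()), message)
```

The order number in the sample fails the Luhn check and is left untouched, which is the kind of policy decision a real gateway makes per data type.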

Caveat Emptor: You still have to be ready when a government agency comes knocking on your door.