Why Aren’t Cloud Vendors Pushing Encryption More?

Microsoft is currently embroiled in a major legal dispute with the US government. US prosecutors, seeking to gather evidence from a Microsoft cloud customer in a drug-related case, are asking for Microsoft to turn over various customer records even though the data in question is held in an Irish data center. Microsoft has argued that the US government has gone too far with this request because the data is held in a foreign country and that authorities in that country are not involved in gathering the data. The government has argued that this case does not violate the sovereignty of a foreign state, since Microsoft can produce the requested data remotely without use of its staff members in another country. The case, which started in 2013, has been escalating: Microsoft has refused, thus far, to turn over the data and a number of companies (including AT&T and Apple) and others have filed friend-of-the-court briefs in support of Microsoft’s position.

Aside from a number of legal, ethical and political issues – as well as the big issue of how successful cloud computing can be in the future if any government can demand information from a data center in any other nation – this case raises the importance of encrypting data in the cloud. For example, if Microsoft’s customers could encrypt data before it ever got to the company’s data centers, and if Microsoft did not have access to the keys to be able to decrypt this content, requests for data from government or anyone else would be rendered moot. Of course, the US government in this case could have pushed the party whose data is being requested to provide the keys, but the important point for Microsoft is that they would have been only minimally involved in this case, if at all, since they would not have had the ability to produce the data. This presupposes that the US government could not crack the encryption that was employed, but that’s another matter.

Moreover, if the customers of cloud providers encrypted their data before it ever reached a provider’s data center, this would offer the latter the quite significant benefit of not being culpable if their customers’ data was hacked in a Sony-style incursion. Unlike the Sony situation, which has resulted in the publication of confidential emails, pre-release films and other confidential material, well encrypted content could probably not be accessed by bad guys even if they had free run of the network. This would help cloud providers not only to avoid the substantial embarrassment of such a hacking incident (which, I believe, is inevitable for at least one or two major cloud providers during 2015), but it would also help them to avoid the consequences of violating the data breach laws that today exist in 92% of US states.

Cloud providers should be pushing hard for their customers to encrypt data, if for no other reason than it gets the providers off the hook for having to deal with subpoenas and the like for their customers’ content. In this case, for example, Microsoft could have avoided the brouhaha simply by being unable to turn over meaningful data to the government.

The bottom line: cloud providers should push hard for their customers to encrypt data where it’s possible to do so, and customers should be working to encrypt their content where they can.

One thought on “Why Aren’t Cloud Vendors Pushing Encryption More?

  1. Could not agree more, Mr. Osterman.

    The challenge starts with architecture. Most cloud providers were not designed to support customer-driven encryption without compromising the searchability of that information once it is stored within the cloud. As you know, cloud-based storage is becoming a more actively utilized data source, so providing security and while also optimizing data availability often operate as conflicting objectives.

    Beyond architecture, audited processes and contractual provisions also need to ensure that the cloud provider has no mechanism to obtain readable access to customer specific information in order to build a stronger case against a third party (or government) request. A request backed by government subpoena can never be rendered moot, but it can be claimed to cause harm to a cloud business if satisfying that request places it in violation of client contracts and audited processes (e.g. SSAE-16). Plus, it would simply be easier to obtain the data directly from the client. This sounds easy enough, but is operationally very complex for a cloud provider to operate a service without readable access to client data.

    I agree with your conclusion – this must be an integral component of evaluating any cloud service.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s