"So, so you think you can tell heaven from hell" - a quote from Pink Floyd's 'Wish You Were Here' - serves as a good analogy for determining whether you have full data sovereignty over your online data or if you have relinquished control to your cloud provider.
In today's digital landscape, embracing public cloud services has become standard practice for businesses aiming to enhance efficiency and scalability. However, concerns over data security and sovereignty persist. While public cloud providers implement robust security measures, entrusting sensitive data to third-party entities understandably raises apprehensions. In this article, I aim to delve into the current landscape of public cloud providers, while proposing four proactive strategies to fortify data protection and maintain sovereignty in public clouds.
In general, access to your data in the public cloud by the provider is meant to be beneficial. Public cloud providers diligently monitor their systems, regularly apply patches, and employ trained staff to ensure data security. Where it turns adverse is when your cloud provider uses the information to deliver tailor-made advertisements, or when it is forced to hand over information to a government agency without informing you.
Just to be clear, most companies (my estimate is over 95%) increase their security when their data is in the cloud rather than in their basement. However, moving your data into the cloud always results in handing over access to a third party. The Swiss data protection office is clear in its assessment: third-party handlers must adhere to regulatory frameworks like GDPR. However, public cloud providers, often foreign entities subject to local laws, may inadvertently clash with clients' regulatory standards, highlighting a significant dilemma.
Recognizing this challenge, public cloud providers offer solutions to enable customers to uphold data privacy and sovereignty.
A fundamental approach involves customers encrypting data before storage and withholding the encryption keys from the provider. The provider cannot read the data, since the customer holds the keys, ideally in a hardware security module (HSM). Should data processing be necessary in the cloud, the customer decrypts the data for processing and re-encrypts it before storage. Future systems using homomorphic cryptography might even allow the data to be processed without decrypting it.
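The encrypt-before-storage pattern described above, as an added example (not code from this article or from any vendor named in it): a per-object data key encrypts the content with AES-256-GCM and is itself wrapped under a customer-held key, so the stored record is unreadable without that key. The function names, the record layout and the in-memory `kek` Buffer standing in for an HSM-held key are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

const NONCE_LEN = 12, TAG_LEN = 16; // AES-GCM nonce and tag sizes in bytes
// AES-256-GCM; returns nonce || ciphertext || tag. aad binds the blob to its object ID.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // never reuse a nonce under one key
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Throws if the key is wrong, the blob was modified, or aad does not match.
function unseal(key, sealed, aad) {
  if (sealed.length < NONCE_LEN + TAG_LEN) throw new Error('sealed blob too short');
  const nonce = sealed.subarray(0, NONCE_LEN);
  const tag = sealed.subarray(sealed.length - TAG_LEN);
  const body = sealed.subarray(NONCE_LEN, sealed.length - TAG_LEN);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  d.setAAD(aad).setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]);
}

// Customer side; kek is a Buffer standing in for an HSM-held key (assumption).
function encryptForCloud(kek, objectId, data) {
  const aad = Buffer.from(objectId);
  const dek = nodeCrypto.randomBytes(32); // fresh data key per object
  const record = { objectId, wrappedDek: seal(kek, dek, aad), ciphertext: seal(dek, data, aad) };
  dek.fill(0); // best-effort wipe of the plaintext data key
  return record; // this record is all the provider ever stores
}

function decryptFromCloud(kek, record) {
  const aad = Buffer.from(record.objectId);
  const dek = unseal(kek, record.wrappedDek, aad);
  try {
    return unseal(dek, record.ciphertext, aad);
  } finally {
    dek.fill(0);
  }
}

// Constructed sample data for the demonstration.
function demo() {
  const kek = nodeCrypto.randomBytes(32);
  const record = encryptForCloud(kek, 'contracts/2024-001.docx', Buffer.from('confidential draft'));
  const roundTrip = decryptFromCloud(kek, record).toString();
  let providerCanRead = true; // the provider holds record but a different key
  try { decryptFromCloud(nodeCrypto.randomBytes(32), record); } catch { providerCanRead = false; }
  return { roundTrip, providerCanRead };
}
```

Because the object ID is authenticated as associated data, a record copied under a different ID fails to decrypt just as a modified ciphertext does.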
For Microsoft Office applications, you can use DKE – Double Key Encryption. It allows you to encrypt Office documents and emails on your computer before they go into the Azure cloud. All people in your Active Directory group that have access to the same sensitivity label can read the data. Sensitivity labels with DKE can also be used across companies. You can work on confidential contracts even though they are stored in the Azure cloud.
Google has a similar solution called CSE – Client Side Encryption to encrypt Google documents.
Implementing External Key Management (EKM) solutions, such as Amazon Web Services' (AWS) External Key Store (XKS), augments data security by enabling encryption without sharing control of the key with the cloud provider. By establishing a secure proxy between the cloud environment and external key stores, organizations uphold data sovereignty while capitalizing on cloud scalability and agility. Google offers a similar solution labeled EKM – External Key Management.
For all these systems it is recommended to use HSMs – Hardware Security Modules – to store these secret keys. HSMs should be set up in clusters across different locations to provide geo-redundancy and should have redundant internet connectivity. HSM systems like the CloudsHSM service from Securosys or the complete DKE Service from Securosys deliver bespoke drop-in solutions.
Navigating complex regulatory frameworks, such as GDPR, demands meticulous adherence to data protection standards. Organizations must educate stakeholders and foster a culture of compliance to mitigate regulatory risks effectively. Establishing comprehensive data classification systems and conducting regular training sessions empower teams to uphold data sovereignty while embracing cloud technologies responsibly.
Data protection officers also need to understand these systems so that they can give clear recommendations instead of just inhibiting cloud access. Moreover, companies, agencies, and government entities can no longer look away and must start tackling the issue.
Take Action
🚀 Explore DKE, XKS, CSE, and EKM to boost your data privacy strategy.
🔒 Figure out what level of protection is required for your data.
📝 Implement robust data classification frameworks and train your teams accordingly.
🛡️ Safeguard the information of your employees, customers, and stakeholders.
🙌 Regain your data sovereignty in the cloud ecosystem!
What challenges are you facing in your organization to maintain data sovereignty in public clouds?