Today, using IT solutions from within the cloud is recognised practice. The past concerns about bandwidth, latency, security and data ownership seem to have dissolved away, and you need not go far in a Google search to read about the benefits of the cloud. I fear, however, that this momentum, commonly referred to as "cloud first", still leaves one question unanswered: if you use the cloud, who exactly has access to your data?
This question comes about because, as you are already aware, late last year the US Data Privacy Shield agreement that allowed the transfer of personal data between the US and EU was invalidated by the Schrems II judgement in the European Courts. This means that US (data) companies/importers that fall under the American FISA 702 regulation are under a direct obligation to grant access to, or turn over, imported personal data that are in their possession, custody or control. This may extend to any cryptographic keys necessary to render the data intelligible. In a nutshell, if you are a US company, the US Government can see the EU data you host in your EU cloud.
This year, the UK Office of National Statistics reported that almost half of all UK employees now work from home, a large majority (86%) having moved to home working as a result of the Covid-19 pandemic. This trend is global, and if you align results from a recent Morgan Stanley Survey with frequent reports in the news, you will note that large enterprises are undergoing a permanent, sudden and seismic shift towards home and mobile working.
Add to the mix the rollout of 5G communications and the proliferation of IoT devices, and the result is that businesses need IT solutions which are flexible and fast to provision. The cloud first strategy fits that very well.
There are three key types of cloud:
- The first is a public cloud, which is shared, multi-tenanted IT. A business cannot see other businesses' data due to software settings.
- Virtual or Hosted clouds are the same as public, except that, respectively, firewalls and physical separation are used instead of software settings.
- The final type is an internal private cloud: in effect, the company intranet and data centre.
I think it would be safe to say that most companies have a mix of the above, and this is referred to as a hybrid cloud. The commonality here is that, unless you have everything in your private cloud, all these solutions require you to transfer your precious data to a cloud hosting company; and if it is a US company and you take no action, that data can be read by the US government.
The key cloud benefit is the speed of change: it is just too valuable. It resonates with the key business goal of adapting immediately to customer needs or missing out. Renting the right kit at the right time can help companies be flexible: one day you may need 1000 servers for a marketing campaign, the next only 10; you pay only for what you use, with all of this access and provisioning at the click of a button! This is speed, this is flexibility, this is reacting to the needs of a modern business. The cloud is here to stay, so what can be done about protecting your sensitive EU data and complying with GDPR?
The European Data Protection Board (EDPB) have only recently provided help around this problem. Their full response to the Schrems II verdict is on their website and to me, as an IT practitioner, one comment helps my focus:
"Contractual and organisational measures alone will generally not overcome access to personal data by public authorities of the third country (where this unjustifiably interferes with the data importer's obligations to ensure essential equivalence). Indeed, there will be situations where only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purposes."
In effect: don't rely only on contracts; also use technology to protect your data. In this case, encryption is the solution. Encrypt before moving to the cloud and do not share the decryption key with your cloud provider because, referring back to the US legislation above, it states that "[US Access] may extend to any cryptographic keys necessary to render the data intelligible."
Most companies are encrypting already, so this technology should not be new to them. It is the way companies use encryption which needs to be enhanced. It is important to remember that one must encrypt the data itself and not just the container. The mathematics around encryption is complex, and all that you really need to know is that if you hold the key, you can read the decrypted data. The main downside of adding encryption is around retrofitting it into the software you have, because most systems have been around so long that they find it hard to adjust to these modern requirements or, worse still, are owned by a separate company and you cannot change their coding.
Micro Focus have solutions around encrypting data which can help ease your pain in these situations. First, at the core, we have a world-class encryption engine which will encrypt your data from within your data centre and form a centre of excellence for encryption in the enterprise. Most important to note here is that those precious keys stay local to you and remain in your data centre. Secondly, this solution can be used individually within your current applications, or extended to wrap around those applications you cannot change or those which reside in the cloud, all the while your keys stay local.
As you can read, the whole subject of using the cloud and encryption is complex and huge. I hope reading the above has made you a little more aware of the area, and I would encourage you to engage more in conversations with Micro Focus.