In a previous blog post, we pointed out that your data in the cloud may not be as safe as you thought it was. As many of the stakeholders at the organizations where our IT Consultants serve in the role of virtual CIO read the post, they asked us how they could still take advantage of the cloud, but keep their data protected.
During Edward Snowden’s interview at the South by Southwest conference last month, one of the things he advocated for protecting data was encryption. Regardless of your position on Snowden, on that point he is correct. The thing that is missing in most business-level discussions around the cloud, however, is a ‘technicality’ that can make a HUGE difference in the safety of your data.
Virtually every cloud provider out there encrypts communications between you and them as they traverse the Internet. The techie term for this is ‘encrypted in transit’. The problem arises, however, from the fact that once the data gets to their servers, it is no longer encrypted. What you need to ask when interviewing cloud providers is whether the data you give them is also ‘encrypted at rest’ (the techie term for data that stays encrypted even AFTER it gets on their servers). It is also important to ask the vendor who has access to the private keys for that data.
A private key is what is required to ‘unlock’ encryption and allow a computer to read the underlying data. In the most secure cloud setup, only you would hold the private key, meaning that even if the cloud vendor tried to access your data on their servers, they would not be able to do so. Unfortunately, this isn’t practical in cases where the cloud provider needs to ‘do something’ with your data once they have it. Examples include indexing the data for search in a document management system and looking for keywords in a compliance scenario (FINRA, HIPAA, etc.).
In that case, someone at the cloud vendor needs to also hold the private key so they can do whatever it is they need to do. Regardless, if you decide to give them your data in this type of scenario, you should ask a lot of questions around their policies for control of and access to the private key, auditing capabilities (so you can see who accessed the data and when), and also notification policies if your data gets subpoenaed or they decide to access the data for whatever reason.
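The trade-off described above, as an added example that is not from the original post: the same document is stored once under a key only the customer holds and once under a key handed to the provider, and only the second copy can be searched server-side. The `Provider` class, file names and sample document are constructed for illustration, and a symmetric AES-256-GCM key stands in for the ‘private key’ the post refers to.

```javascript
// Added example: customer-held key vs. provider-held key (all names are hypothetical).
const crypto = require('crypto');

// Encrypt with AES-256-GCM; output layout is iv (12) | tag (16) | ciphertext.
function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Decrypt and authenticate; throws if the key is wrong or the blob was altered.
function decrypt(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed stand-in for a cloud provider: a blob store plus the keys it has been given.
class Provider {
  constructor() { this.blobs = new Map(); this.keys = new Map(); }
  put(name, blob, key = null) {
    this.blobs.set(name, blob);
    if (key) this.keys.set(name, key); // provider-held key model
  }
  // Server-side keyword search: only works on blobs the provider can decrypt.
  search(keyword) {
    const hits = [];
    for (const [name, blob] of this.blobs) {
      const key = this.keys.get(name);
      let visible = blob.toString('latin1'); // all the provider sees without a key
      if (key) visible = decrypt(key, blob);
      if (visible.includes(keyword)) hits.push(name);
    }
    return hits;
  }
}

function demo() {
  const provider = new Provider();
  const doc = 'Client account 4471: wire transfer approved'; // constructed sample
  const customerKey = crypto.randomBytes(32); // never leaves the customer
  const sharedKey = crypto.randomBytes(32);   // handed to the provider
  provider.put('customer-held.doc', encrypt(customerKey, doc));
  provider.put('provider-held.doc', encrypt(sharedKey, doc), sharedKey);
  return {
    searchHits: provider.search('wire transfer'),
    customerCanRead: decrypt(customerKey, provider.blobs.get('customer-held.doc')) === doc,
  };
}
```

Both copies are encrypted at rest; what differs is who can read them, which is why the questions about key access and auditing matter once the provider holds a key.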
At the end of the day, each organization has to make a decision about the level of risk it is willing to accept when it comes to its data. Knowing the right questions to ask in order to assess that risk is the key, and it is why it is important to engage a trusted IT provider to be part of your team.