A year ago, Microsoft’s U.K. managing director surprised many people by publicly admitting that Microsoft will hand over data stored in any of its worldwide facilities when asked to do so by the U.S. government. In fact, the cloud customers and their data subjects would not even be informed if there was a gag order or a U.S. National Security Letter attached to the request—even if this was personal information about E.U. citizens stored by an E.U. corporation on servers physically located within the E.U.
For most of us, the surprise was the public admission. We already assumed that this was the case.
The GigaOM Structure 2012 conference in San Francisco hosted a presentation at which Juergen Urbanski of Deutsche Telekom’s T-Systems said that security and compliance were “the Number 1 obstacle to the faster adoption of cloud services” in Europe. He went on to say that about 90% of these concerns were “perception versus reality”, saying that the Patriot Act is “way overblown in the minds of European customers.”
Well, maybe. But Microsoft’s director spoke the truth. Amazon runs an even bigger cloud, and they will want to keep their biggest customer, the U.S. Government, happy. Besides, it is a U.S. law.
Is it possible to keep Uncle Sam from reading your information? Possibly.
If you maintain control of the cryptography and store ciphertext in the cloud, then as long as you are careful with your choice of cipher and your key management, this could provide the security that you need. But a number of issues remain.
First, your control of the cryptography is most practical in IaaS settings, getting more difficult to impossible as you move through PaaS to SaaS. But, people want to save more than capital hardware costs by moving to the cloud. They also want to avoid that messy system administration work. IaaS is too much work for some.
Second, you really have to maintain full control. For example, Amazon recently added Server-Side Encryption for S3 in response to customer requests. But all the customer sees is a checkbox indicating “Don’t worry, Amazon is encrypting this for you.” And therefore would be able to turn it all over. (Maybe it wasn’t customer requests after all…) The S3 alternative is to use the Java SDK for Client-Side Encryption and manage your own keys.
Third, are you just using the cloud for static storage? Or are you searching or otherwise processing your data, which usually requires that it be unencrypted?
Fourth, it’s easy to select a good cipher. It’s the key management that is very difficult.
Finally, will you be able to convince an auditor that your solution is fully compliant?
If you are interested in learning more of the details, Learning Tree’s cloud security course discusses these issues and even includes an exercise in which you set up encrypted cloud storage. Spoiler alert: You have to manage an encryption key.