“…to subpoena-proof the cloud!” We had asked one of our largest customers what they were looking to accomplish with the deployment of our application-level data protection software.  This was their response. This certainly did not seem like the typical statement of requirements for a data protection solution!

I’ve been in data and network security for nearly 40 years.  In my experience, when a phrase like this comes from a Technical Director of Information Security, there is almost always a corporate legal team behind it.  When legal is putting technical teams on message, it’s usually an indicator of some fundamental change in thinking related to an emerging market dynamic or shift in market conditions.  When I heard the phrase for the third time in the same quarter, I was convinced. Companies are changing how they think about liability in the cloud.

The Cloud Migration Continues

More enterprises continue to migrate their applications and data to the cloud.  And it's long been evident that new challenges around data protection are bound to arise.  So too are issues of liability.  Today, many of the companies that store their data in the cloud look to their cloud solution provider not only for computing power and storage space but also for encryption and cryptographic key management. In fact, all of the burden of protecting what has become many companies’ most valuable assets (data) is at times entirely left in the hands of cloud providers.   

This all very interesting, I find. The first phase of cloud deployment seemed to focus on feasibility – building the technical and business case for moving data and applications to the cloud.  We are now in a phase of cloud deployment that presents fresh new questions around ethics, privacy, and liability.  Legal departments all over the world should be addressing these questions.  One simple one among them: “What happens to my company’s sensitive data if our cloud provider is subpoenaed?”  Good question.   

Protecting Against Subpoena

Since I’m not a lawyer, I won’t pontificate on the outcome.  But what is clear is that there are many general counsels around the world that are beginning to challenge their technical teams to solve this issue before it ever becomes a problem.  If data is secured before it is stored in the cloud, and if the cloud provider never has access to the cryptographic keys, the cloud provider has no mechanism for unlocking the customer’s sensitive data when regulators come knocking.  The fact that this same posture also helps prevent a cloud provider’s rogue employees from accessing sensitive data might help compliance officers and general counsels sleep that much better at night.  

So why do so many companies still relinquish control of their data protection?  I read a recent survey by the Ponemon Institute that addressed controlling encryption keys in the cloud.  The vast majority of respondents (nearly 80%) said that controlling keys was very important.  Yet only 53% of these businesses actually control their keys when their data is encrypted in the cloud.  I find this odd.  Maybe they’ll be fine…? 

We, however, always recommend that folks protect sensitive data at the application layer, before it’s used, moved, or stored. This is exactly what our customers do with EncryptRIGHT. Robust EncryptRIGHT® key management functionality and integrated role-based access controls govern how sensitive data is secured and unsecured and limits who has access to it. The only thing our customer’s cloud providers can hand over in a subpoena is a blob of meaningless ones and zeros. No one gets access to their data without their permission. Their cloud data is subpoena-proofed.