Subpoena-Proofing Data in the Cloud

“…to subpoena-proof the cloud!” We had asked one of our largest customers what they were looking to accomplish with the deployment of our application-level data protection software.  This was their response. This certainly did not seem like the typical statement of requirements for a data protection solution!

I’ve been in data and network security for nearly 40 years.  In my experience, when a phrase like this comes from a Technical Director of Information Security, there is almost always a corporate legal team behind it.  When legal is putting technical teams on message, it’s usually an indicator of some fundamental change in thinking related to an emerging market dynamic or shift in market conditions.  When I heard the phrase for the third time in the same quarter, I was convinced. Companies are changing how they think about liability in the cloud.

The Cloud Migration Continues

More enterprises continue to migrate their applications and data to the cloud.  And it’s long been evident that new challenges around data protection are bound to arise.  So too are issues of liability.  Today, many of the companies that store their data in the cloud look to their cloud solution provider not only for computing power and storage space but also for encryption and cryptographic key management. In fact, all of the burden of protecting what has become many companies’ most valuable assets (data) is at times entirely left in the hands of cloud providers.   

This all very interesting, I find. The first phase of cloud deployment seemed to focus on feasibility – building the technical and business case for moving data and applications to the cloud.  We are now in a phase of cloud deployment that presents fresh new questions around ethics, privacy, and liability.  Legal departments all over the world should be addressing these questions.  One simple one among them: What happens to my company’s sensitive data if our cloud provider is subpoenaed?  Good question.   

Protecting Against Subpoena

Since I’m not a lawyer, I won’t pontificate on the outcome.  But what is clear is that there are many general counsels around the world that are beginning to challenge their technical teams to solve this issue before it ever becomes a problem.  If data is secured before it is stored in the cloud, and if the cloud provider never has access to the cryptographic keys, the cloud provider has no mechanism for unlocking the customer’s sensitive data when regulators come knocking.  The fact that this same posture also helps prevent a cloud provider’s rogue employees from accessing sensitive data might help compliance officers and general counsels sleep that much better at night.  

So why do so many companies still relinquish control of their data protection?  I read a recent survey by the Ponemon Institute that addressed controlling encryption keys in the cloud.  The vast majority of respondents (nearly 80%) said that controlling keys was very important.  Yet only 53% of these businesses actually control their keys when their data is encrypted in the cloud.  I find this odd.  Maybe they’ll be fine? 

We, however, always recommend that folks protect sensitive data at the application layer, before it’s used, moved, or stored. This is exactly what our customers do with EncryptRIGHT. Robust EncryptRIGHT® key management functionality and integrated role-based access controls govern how sensitive data is secured and unsecured and limits who has access to it. The only thing our customer’s cloud providers can hand over in a subpoena is a blob of meaningless ones and zeros. No one gets access to their data without their permission. Their cloud data is subpoena-proofed.


15 Comments

  • Clareta Merell Bow Reply

    I just started my blog a few months ago and discovered this site just two weeks now, and wow…So grateful for you. Thanks for the post. awesome.. Clareta Merell Bow

  • erotik izle Reply

    Bonjour, toujours super de voir d’autres personnes à travers le monde du trou dans ma recherche, j’apprécie vraiment le temps qu’il aurait fallu pour créer cet article génial. À votre santé Jocelyn Dalis Burroughs

  • erotik izle Reply

    Vielen Dank für die gute Berichterstattung. Es war in der Tat ein Vergnügungsbericht. Schauen Sie weit fortgeschritten, um von Ihnen angenehm hinzugefügt zu werden! Wie können wir übrigens kommunizieren? Caitlin Augustine Schlessinger

  • erotik Reply

    Das Lesen Ihres Artikels hat sehr viel Spaß gemacht. Rhody Knox Tucky

  • Amazing Reply

    Hallo und vielen Dank für dieses Blog ist eine wahre Inspiration ..
    Carie Fabio Damales

  • Danielle Reply

    This is a very good tip particularly to those fresh to the blogosphere.

    Brief but very precise information… Thank you for sharing this one.

    A must read article!

  • Randy Reply

    Just wish to say your article is as astounding. The clarity for
    your publish is just nice and i could assume you are a professional
    in this subject. Fine with your permission let me to grab your feed to stay
    up to date with impending post. Thank you a million and please keep up the
    gratifying work.

  • Lieselotte Reply

    What’s up to every one, for the reason that I am truly eager of reading this weblog’s post to be updated regularly.
    It carries fastidious stuff.

  • Jani Reply

    wonderful post, very informative. I wonder why the other specialists of this sector don’t understand this.

    You should proceed your writing. I am sure, you’ve a huge readers’ base already!

Leave a comment