Customer data privacy vs. cloud legislation
Cloud Risk & Security
How can organizations retain control of their data in the cloud so that legal requests are sent to their organization, rather than to the cloud vendor?
A blog post by Stephen McMaster
One of the main challenges faced by cloud customers is how to handle situations where legislation in a cloud vendor’s home country conflicts with legislation in the customer’s country–specifically where a foreign government requests access to data stored by a cloud vendor.
Most cloud vendors do not want to share an organization’s data with governments. Indeed, it is not in their interest to do so since the disclosure of such data could be detrimental to the vendor’s reputation. The challenge lies where the cloud vendor is legally compelled to release information by a government agency, and when the release of that information causes one of their customers to violate their own country’s data protection laws.
Of course, well-managed organizations are comfortable handling requests for information where criminal activity has been identified whilst simultaneously protecting other unrelated information. This is not, therefore, a question of avoiding such requests: It is a question of how customers can take control of their data, avoid breaching regulations in their own country, and only reveal information related to the subject of such a request.
The question therefore becomes:
How can we as an organization retain control of our data so that such legal requests are sent to our organization, rather than the cloud vendor?
AWS, for example, has been securing their customers’ data for many years using strong encryption and their own encryption service, KMS (Key Management Service). A lesser-known service provided by AWS, CloudHSM (a physical “Hardware Security Module” hosted by AWS and dedicated to a single customer), can be used by KMS to store a customer’s encryption keys.
The hardware that underpins CloudHSM (which is FIPS 140-2 Level 3 compliant) can only be accessed by AWS in two ways:
- To get information about the HSM Device, such as its IP Address, Firmware Version, etc.
- To wipe/zero-write the HSM upon request from their customers.
However, AWS cannot see, access, extract, or in any way manage the customer’s keys. Therefore, when presented with a valid legal request from a law enforcement agency, AWS would be able to hand over encrypted data, but not the keys required to decrypt that data.
The following illustration from AWS shows this separation of roles:
Naturally, it could be argued that data has still been handed over to a government agency–albeit encrypted data. However, the fastest route for a government agency in this case would be to request the data directly from the organization instead of the cloud vendor.
It should be noted that storing data with AWS can provide a number of potential benefits–such as segregation of duties between operations and data centre staff, heavily secured data centres, military-grade data-destruction procedures, integrated encryption, and management planes–that are simply not available in most brick-and-mortar data centres and, indeed, provide higher levels of security than most organizations can provide themselves.
Using a CloudHSM-backed KMS key to encrypt your AWS RDS databases, volumes, messages, buckets, etc. is one of a range of tools that can be used to help secure your data, and it demonstrates that your organization is taking reasonable measures to secure its data.
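The separation of roles described above (the operator can describe or zeroize the HSM but never read the keys, so a request served on the vendor yields only ciphertext plus a wrapped data key) and the envelope-encryption pattern KMS applies to databases, volumes and buckets, shown as an added, self-contained Python model. This is illustration code written for this page, not code from the original post or from AWS: the `CloudHSM` class, its IP and firmware values, the sample record, and the HMAC-SHA256 stream cipher that stands in for AES-GCM are all constructed so the script runs on the standard library alone.

```python
"""Toy model of the KMS + CloudHSM separation of roles (constructed example, not AWS code)."""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with an HMAC-SHA256 counter keystream (stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (toy stand-in for AES-GCM)."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return _keystream_xor(key, nonce, ct)


class CloudHSM:
    """Models the dedicated HSM: the key-encryption key (KEK) never leaves the object.

    The operator side gets only describe() and zeroize(), the two operations the post
    lists; wrap()/unwrap() represent what KMS does on the customer's behalf.
    """

    def __init__(self, ip: str, firmware: str):
        self._kek = secrets.token_bytes(32)   # hypothetical KEK; no method ever returns it
        self.ip, self.firmware = ip, firmware

    # --- operator-visible ---
    def describe(self) -> dict:
        return {"ip": self.ip, "firmware": self.firmware, "has_key": self._kek is not None}

    def zeroize(self) -> None:
        self._kek = None

    # --- customer-visible (via KMS) ---
    def wrap(self, data_key: bytes) -> bytes:
        if self._kek is None:
            raise RuntimeError("HSM has been zeroized")
        return _seal(self._kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        if self._kek is None:
            raise RuntimeError("HSM has been zeroized")
        return _open(self._kek, wrapped)


def encrypt_record(hsm: CloudHSM, plaintext: bytes) -> dict:
    """Envelope encryption: a fresh data key per object, wrapped by the HSM-held KEK."""
    data_key = secrets.token_bytes(32)
    record = {"ciphertext": _seal(data_key, plaintext), "wrapped_key": hsm.wrap(data_key)}
    return record   # the plaintext data key goes out of scope; only the wrapped copy is stored


def decrypt_record(hsm: CloudHSM, record: dict) -> bytes:
    """Only a holder of the KEK (inside the HSM) can unwrap the data key and read the data."""
    return _open(hsm.unwrap(record["wrapped_key"]), record["ciphertext"])


def demo() -> dict:
    """Walk through the scenario and report what each party can and cannot do."""
    hsm = CloudHSM(ip="10.0.0.5", firmware="example-fw-1.0")   # constructed values
    customer_record = b"invoice=INV-0001;contact=J.Doe"          # constructed sample
    rec = encrypt_record(hsm, customer_record)
    result = {
        "roundtrip": decrypt_record(hsm, rec) == customer_record,
        "plaintext_in_store": customer_record in rec["ciphertext"],
        "operator_view": hsm.describe(),          # IP/firmware only, no key material
    }
    hsm.zeroize()                                  # the customer-requested wipe
    try:
        decrypt_record(hsm, rec)
        result["readable_after_zeroize"] = True
    except RuntimeError:
        result["readable_after_zeroize"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

What the model makes visible is the shape of a disclosure: everything held on the storage side is `ciphertext` and `wrapped_key`, neither of which is useful without the KEK inside the HSM, and once the HSM is zeroized even the customer's own path to the data closes, which is why key backups and zeroization are operational decisions, not afterthoughts.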