Historically, global organisations have had to make a trade-off between the agility and collaboration benefits of the cloud and maintaining data sovereignty, security, and control. But this is no longer the case: you can have the best of both worlds.
There are simple ways that organisations can take complete control of the data they store and share in the cloud, ensuring that sensitive data can only be accessed by the people and systems that have been granted the authority to do so. With this level of control, you can maintain data sovereignty and residency, as well as implement a zero-trust architecture, while using the cloud providers of your choice.
A company based in Europe may find itself in a situation where it’s required to hand over its customer data to the US government. Why? Because: (a) the leading cloud providers are predominantly US-based and subject to various laws requiring cooperation with US local and federal government entities, and (b) there is currently no multilateral privacy framework.
The absence of a global privacy framework has caused governments to take different legal and policy approaches to data, and with this, privacy has become a polarising issue for global businesses.
However, while the system of national and regional law continues to evolve, companies are demanding flexible and universally compliant cloud enablement tools right now: to enable their full participation in the global economy, maintain the benefits of the public cloud and provide complete control over data access.
Cloud providers have taken steps to strengthen data residency and sovereignty, such as defining regions and zones for data storage and processing. But this approach is incomplete, and depending on the location of your organisation, the capabilities can vary. For example, GPUs may not be available in some regions.
In a world where speed, efficiency and collaboration are table stakes for innovation, global companies need a better option. You shouldn’t have to sacrifice productivity for security and control of your own information.
Achieving control of sensitive data in the cloud
Implemented correctly, end-to-end encryption of sensitive data can not only shield data from unauthorised access, but it can also give you complete control over that data as it travels and is shared.
The European Data Protection Board has identified end-to-end encryption as an effective means of securing data while leveraging a third-country service provider, so long as the encryption and its algorithm are robust, the encryption is applied for the entire time period that the data must remain confidential, and the keys are reliably managed and controlled by the data owner.
End-to-end encrypted data is protected before it hits the cloud provider’s server, shielding sensitive data from anyone without authorised access – including the cloud provider themselves. When you control the encryption keys, only you can decide who to grant access to your sensitive data.
The result is that your most important asset – your data – remains secure and fully under your control, while giving you the ability to leverage the cloud provider of your choice, even if they’re located in the US.
If your data is protected by end-to-end encryption and shielded from the cloud provider, you don’t have to worry about whether foreign governments subpoena your information. The cloud provider may be forced to turn over the information they have, but that information is incomplete: it does not include the true, meaningful contents of the data, because the provider doesn’t have the keys to what’s inside.
What to look for in end-to-end encryption partners
Not all encryption providers are created equal. In a rapidly evolving global cloud landscape where cyber threats are continuing to escalate, you’ll want to consider the following:
- Data-centric protection that wraps each data object in its own layer of encryption;
- Zero-trust data access controls that are granular and sophisticated enough to ensure the recipient is authorised to view the encrypted data;
- The ability to host and manage your own encryption keys, so that neither your cloud provider nor your encryption partner can access the contents of your data;
- Persistent control across the full life cycle of the data, even after that data has been shared externally. Ensure that your encryption partner can facilitate the revocation of data, should circumstances change.
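An added example, not Virtru's or any vendor's code, showing the four properties above working together with Node's built-in crypto module: each object gets its own AES-256-GCM key, that key is wrapped by a key only the owner holds, and the owner's service checks policy before every unwrap, so access can be revoked after sharing. `OwnerKeyService`, `protect`, `open` and the object and recipient names are hypothetical, and the key service is assumed to run in-process here where a real one would be a separate owner-hosted system.

```javascript
const crypto = require('node:crypto');

// Hypothetical owner-run key service: the KEK and the access policy never leave it.
class OwnerKeyService {
  constructor() {
    this.kek = crypto.randomBytes(32);   // key-encryption key, held by the data owner
    this.policy = new Map();             // objectId -> Set of authorised recipients
  }
  grant(objectId, who) {
    if (!this.policy.has(objectId)) this.policy.set(objectId, new Set());
    this.policy.get(objectId).add(who);
  }
  revoke(objectId, who) { this.policy.get(objectId)?.delete(who); }
  wrap(objectId, dek) { return seal(this.kek, dek, objectId); }
  // Releases the per-object key only if the requester is authorised right now.
  unwrap(objectId, wrapped, who) {
    if (!this.policy.get(objectId)?.has(who)) throw new Error('access denied');
    return unseal(this.kek, wrapped, objectId);
  }
}

// AES-256-GCM; the object id is bound as associated data so blobs cannot be swapped.
function seal(key, data, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Client side, before upload: a fresh key per object, wrapped by the owner's service.
function protect(svc, objectId, plaintext) {
  const dek = crypto.randomBytes(32);
  return { objectId, body: seal(dek, Buffer.from(plaintext), objectId),
           wrappedKey: svc.wrap(objectId, dek) };   // this record is all the cloud stores
}
// Recipient side: ask the owner's service for the object key, then decrypt.
function open(svc, stored, who) {
  const dek = svc.unwrap(stored.objectId, stored.wrappedKey, who);
  return unseal(dek, stored.body, stored.objectId).toString();
}
```

The record returned by `protect` is what the cloud provider would hold; without a call to the owner's `unwrap` it cannot be decrypted, and `revoke` takes effect on the next access attempt.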
Renaud Perrier is senior vice-president, international, at Virtru, a specialist in encryption standards and technology.