Countries are establishing data residency regulations to protect private and classified data generated by their citizens, mandating that this information be stored within the country of origin. The theory is that the laws of the country in which the data is stored apply to that data. Large cloud providers such as Amazon, Microsoft, and Salesforce are opening cloud data centers outside their home countries (Cloud Data Center Expansion Race) to satisfy these laws. The question is “Does Data Residency Reduce Cloud Risks?”
The life cycle of data has six aspects. These are the creation, storage, use, sharing, archiving and destruction of the data. Data residency only deals with the aspect of data storage.
Data residency requests are based on concerns that data privacy laws may be less strict in some jurisdictions. For example, countries in the European Union believe that their privacy laws result in better data protection for their citizens than those in effect elsewhere. As a result, the European Union (press release) insists on having certain data sets stored within its boundaries or signs agreements extending its data protection rules to other countries.
Data residency has become a policy in some jurisdictions, but there are doubts regarding its effectiveness. Does keeping protected data stored in its country of origin reduce risk, or is the level of risk the same while the nature of the risk changes? Merely storing data in the country meets data residency requirements, but data residency is not effective for data protection if the owner of the cloud center, or the SaaS provider, controls the data and can access it and send it to be processed in other jurisdictions.
How Cloud Computing Increases Risk
When you use cloud services, you automatically lose control of your data. Even when your cloud service provider encrypts your data both in transit and when stored in the cloud, the provider can easily decrypt it as well. A key risk is that governmental agencies or private organizations using the courts can force your cloud service provider to turn over your data or the relevant encryption keys. Often you may not even know that such a legal process or court order has been executed. That is called a “Blind Subpoena.”
The problem becomes obvious when your data is processed in different countries while it resides (is stored) in one country. When your data resides in data centers located in your country, you should be able to rely on the legal protections that apply to you and your data. For example, when Canadian organizations store data within Canada, data residency criteria are met, and Canadian privacy legislation is supposed to protect the data. When Canadian data is stored or processed abroad, for example in the United States, Canadian laws don’t apply, and American privacy regulations applying to American citizens may not protect the data of Canadians. Cloud service providers operating in the United States can be legally forced to give third parties access to Canadian data without telling the owners.
The Gaps in the Data Residency Policies
There are two main cloud data security issues that data residency does not address. These gaps exist because Internet traffic does not respect borders (cloud computing is based on the layered service model that utilizes Cloud Federation) and because cloud service providers may access remote data in another country to provide specific processing that cannot be satisfied in their local data center. Simply storing the data in the country of origin does not mean the data can’t be transferred to other data centers for a special type of processing or operation. Data residency is only about storing data at rest.
Even if the stored data stays in the country of origin, and it is controlled by a national company, the data traffic between the client and the cloud center does not. For Canadian Internet service providers, a lot of the Canadian traffic goes through the United States where it can be accessed. Due to leaks from several sources including the Snowden releases, we know that American security agencies intercept Internet traffic on a regular basis. Your data might be safe in Canada, but a copy could easily have been made as it went from your organization into the cloud. Even if it was encrypted, you don’t know who has the keys to decrypt it.
Should your data reach the cloud centers without leaving the country, it is still not safe. In the case of Canada and many other countries, the big cloud service providers are based in the United States. Your data may be in your country, and it may be encrypted, but an American company put it there. That company can be forced by US government agencies or by court orders to access and decrypt your data as in the ongoing Google court case. Using cloud computing while relying on data residency to protect your data puts your data at increased risk. In the end, it is your data, and it is your responsibility.
Mitigating Data Residency Concerns
While data residency will not protect your data, you can add a layer of security by encrypting your data end-to-end yourself. You need a tool that keeps your data encrypted all the time, so that it never appears in clear text until the intended recipient receives it. It doesn’t matter where your data is stored or processed if it is encrypted with the appropriate method. Your encrypted data is no longer personal or classified data. It is similar to the information in a classified document that is released to the public after it is redacted. Your cloud service provider, government agencies, hackers and third parties who gain access to your data will not be able to read it. Only when you authorize someone to see your data in clear text will that person be able to decrypt it and read it. Your data is safe at all times. The data residency laws do not apply since the data is no longer identifiable.
Not all methods of encryption are equivalent. If you try to send encrypted data to an application, the application will reject it because it doesn’t have the right format. You can’t process and store encrypted data normally unless an encryption method called masking is used. Masking replaces individual characters in the data with different characters of the same type. A credit card number will still look like one but the numbers will be random, and the credit card won’t work. Data masking is an effective way of encrypting data so it can be stored in the cloud or elsewhere normally. Data masking is secure but less disruptive than traditional encryption.
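The character-for-character masking described above, sketched as an added example that is not CloudMask's code or algorithm: each digit or letter is replaced by another of the same class using a keystream derived from a key held only on the client, so the masked value still passes the application's format check and only a key holder can reverse it. The key, the per-field tweak, the card number and all function names are constructed for illustration; a production deployment would use a vetted format-preserving encryption mode such as NIST SP 800-38G FF1.

```python
import hashlib
import hmac
import re
import string

# Character classes that are masked; everything else (dashes, spaces) is kept.
ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)
CARD_FORMAT = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{4}$")  # what the SaaS form accepts

def _keystream(key: bytes, tweak: bytes, n: int) -> bytes:
    """Derive n pseudo-random bytes with HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < n:
        block = tweak + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]

def _shift(text: str, key: bytes, tweak: bytes, sign: int) -> str:
    """Rotate each character inside its own class by a key-derived amount."""
    masked = []
    for ch, k in zip(text, _keystream(key, tweak, len(text))):
        for alphabet in ALPHABETS:
            if ch in alphabet:
                ch = alphabet[(alphabet.index(ch) + sign * k) % len(alphabet)]
                break
        masked.append(ch)
    return "".join(masked)

def mask(text: str, key: bytes, tweak: bytes) -> str:
    """Run on the client before the value is sent to the cloud application."""
    return _shift(text, key, tweak, +1)

def unmask(text: str, key: bytes, tweak: bytes) -> str:
    """Run on an authorized client that holds the key."""
    return _shift(text, key, tweak, -1)

# Constructed sample data: demo key, per-field tweak and a test card number.
KEY = b"constructed-demo-key-do-not-reuse"
TWEAK = b"record-1001:card_number"  # must be unique per field, never reused
CARD = "4111-1111-1111-1111"

if __name__ == "__main__":
    stored = mask(CARD, KEY, TWEAK)
    print("sent to cloud :", stored, bool(CARD_FORMAT.match(stored)))
    print("authorized    :", unmask(stored, KEY, TWEAK))
    print("wrong key     :", unmask(stored, b"some-other-key", TWEAK))
```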
The CloudMask Solution
CloudMask provides Dynamic Data Masking (DDM) that masks production data in real time. Running on end devices, it transparently intercepts and changes the production data so that unauthorized data requesters do not get access to sensitive data, while no physical changes to the original production data take place. CloudMask’s solution simplifies the implementation of security in any SaaS or legacy application. The intercepted data may belong to a variety of applications, such as Google, Salesforce, and MS 365.
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask