The unstoppable and borderless growth of cloud computing and SaaS applications quite naturally raises questions about data privacy and about giving your greatest asset away to other companies. They are the ones who keep and manage it, so we have to put some trust in them. BUT, as usual, that trust should be limited, as the cases of Google and Microsoft show again. What’s it all about? Read further…
Things get complicated when our data might be subject to a legal request from law enforcement in the country where the company hosting the service resides.
Companies like Microsoft and Google are constantly asked to hand over data stored in their services to law enforcement agencies in their countries. The key thing to remember here is that the data managed by cloud providers is stored in multiple data centers, most of them outside the country the providers operate from – namely the United States.
In such a case, the data is stored in data centers that are under different jurisdictions. This is exactly why cloud providers build dedicated data centers in these countries: to be able to adhere to the law of the given country. Example?
Microsoft data centers in Germany or the UK, built to meet legal requirements in these countries.
Well, I’m not a lawyer, and we are not going to delve into this here – I just want to highlight two facts that occurred in recent days.
First: On Jan 24th 2017 Microsoft’s case against the seizure of data stored in data centers outside of the US was upheld. It is an important decision, as it means that Microsoft has no obligation to hand over the collected data to US law enforcement agencies if it’s stored outside the United States (under a different jurisdiction).
Second: Just a few days after this statement, Google was ordered to hand over e-mail information stored in its data centers outside the US to law enforcement in America.
This comes just after Google announced that it is switching to hosted S/MIME for its e-mail protection (thanks to Ken White for pointing me to this one). “Hosted” means Google keeps the S/MIME private keys on its infrastructure. This allows Google to decrypt the content of any email; according to Google’s blog, this is done for protection against spam. However, this ruling puts it in another perspective.
This is a very important fact for all users of SaaS and cloud offerings from Microsoft and from other cloud providers. If this decision is not changed in the future by the Supreme Court or Congress, it means that Microsoft will not be forced to hand over data from data centers in foreign countries that are subject to a different jurisdiction.
This decision is another step in building an environment of trust around business operations based on cloud services.
If you want to keep your data within your control from a jurisdiction point of view, you should always be sure to select services in the region that corresponds to the data centers where you want to keep it.
When creating your Office 365 subscription, you can select the region it will be created in. The same goes for your Azure services – you can check on the Azure Regions page in which regions a service is available, and select the region when creating the service. Some services, especially those not yet rolled out for GA, might be available in some regions only – so pay close attention to that. If you have sensitive information to store in SaaS applications and you want it to be protected, you can always encrypt this information at the time of its creation.
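A check for the region-selection advice above, as an added example that is not part of the original post: it takes a resource inventory in the JSON shape that `az resource list` prints and sorts resources by whether their location is on an approved list. The approved regions, the resource names and the sample inventory are assumptions constructed for illustration.

```python
import json

# Assumption: the regions this organisation has approved for data residency.
ALLOWED_REGIONS = frozenset({"uksouth", "ukwest"})

# Constructed sample, shaped like the output of `az resource list`.
SAMPLE_INVENTORY = json.dumps([
    {"name": "stdocs01", "type": "Microsoft.Storage/storageAccounts",
     "resourceGroup": "rg-docs", "location": "uksouth"},
    {"name": "sql-hr", "type": "Microsoft.Sql/servers",
     "resourceGroup": "rg-hr", "location": "UK West"},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "resourceGroup": "rg-old", "location": "eastus"},
    {"name": "tm-front", "type": "Microsoft.Network/trafficManagerProfiles",
     "resourceGroup": "rg-net", "location": "global"},
    {"name": "kv-preview", "type": "Microsoft.KeyVault/vaults",
     "resourceGroup": "rg-sec", "location": "westeurope"},
])


def normalize(location):
    """Reduce 'UK West' (display name) and 'ukwest' to the same short form."""
    return "".join((location or "").split()).lower()


def audit_residency(inventory_json, allowed=ALLOWED_REGIONS):
    """Split an inventory into compliant, out-of-region and needs-review."""
    findings = {"compliant": [], "out_of_region": [], "needs_review": []}
    for res in json.loads(inventory_json):
        loc = normalize(res.get("location"))
        entry = (res["name"], res["type"], loc or "<none>")
        if loc in allowed:
            findings["compliant"].append(entry)
        elif loc in ("", "global"):
            # Non-regional resources: residency has to be checked by hand.
            findings["needs_review"].append(entry)
        else:
            findings["out_of_region"].append(entry)
    return findings


if __name__ == "__main__":
    for bucket, entries in audit_residency(SAMPLE_INVENTORY).items():
        for name, rtype, loc in entries:
            print(f"{bucket:14} {loc:12} {rtype:42} {name}")
```
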
For encrypting content at creation time, services like Rights Management Service come in handy. Rights Management Service (RMS) allows you to encrypt the content of a document (which might also include e-mail) at the time of creation. Azure RMS makes the deployment of these services easy, and its biggest advantage is that it enables easier cross-organization collaboration and collaboration with external parties (by easier, I don’t mean friction-free for users).
Azure Information Protection allows you to classify data and enforce encryption automatically if needed. Again – this lowers the barrier for users to start protecting data, at the time it is created, that will later be stored in a cloud service.
OK – did I just say Azure RMS and Azure Information Protection? Aren’t those cloud services as well? Yes, they are.
Speaking of Azure RMS, if you use it in the default configuration, encryption keys are stored in HSM devices in Microsoft data centers and, by the nature of an HSM, it is very hard to retrieve them. Looks good, but what if you don’t want to take chances and hand over these keys to Microsoft?
The best option we have right now to take advantage of a cloud service and yet hold the keys to important information we create in our organization is the Hold Your Own Key (HYOK) feature of Azure Information Protection.
HYOK allows you to take advantage of a service such as Azure Information Protection while using your own infrastructure and encryption keys, especially when you have something sensitive to protect. In this case, all content classified as sensitive might be protected with your keys. It ensures that even Microsoft, which owns the cloud infrastructure, can’t access your data.
There is also an option to use your own key with the Azure RMS infrastructure, known as Bring Your Own Key (BYOK). In this case, you own the key, and you can bring it to the HSM infrastructure at Microsoft.
Key management for these services should be planned upfront and executed carefully, as it amounts to planning the handling of the keys to all your protected content. You can read more on the subject in Microsoft’s documentation. And if you need any help with this subject, you can always connect with one of our experts in Predica.
Well, there are a number of topics to discuss that are popping up like mushrooms these days… and data protection is not the only HOT one.