Could a recent ruling by a federal judge turn the tables on privacy in the cloud?
Concerns over privacy and data governance in the cloud have reached a new level in the wake of a Federal court ruling requiring Microsoft to turn data over to the U.S. government that it has been storing for customers in a data center located in Ireland.
Because Microsoft is incorporated in the United States, Federal Judge Loretta A. Preska ruled that the U.S. government still has the power to compel Microsoft to turn over data regardless of where it is physically stored. In the wake of recent court rulings, cloud service providers (CSP) had been storing data outside of the United States on behalf of customers that did not want that data to subject to U.S. jurisdiction. The ruling by Judge Preska is clearly a blow to cloud service providers based in the United States that are trying to compete in what has become a global cloud computing market.
But as disturbing as this latest Federal ruling is to cloud service providers, it may prove to be a boon to providers of encryption technologies. IT organizations have long-resisted the use of encryption because it has been difficult to manage and created a lot of processing overhead. But the federal ruling makes it clear that the only way IT organizations can retain control over their data is if they retain control over keys used to encrypt their data.
At the moment, many IT organizations rely on (CSPs) to encrypt their data. But relying on the CSP to encrypt data means they retain control over the encryption keys. As the CEO of Vaultive, a provider of encryption software, Elad Yoran said this latest Federal ruling will force the encryption key control issue in the cloud.
Yoren said the legal difference between who retains control of those keys is profound. If a government sues a CSP, the CSP has to turn that data over immediately without informing the customer. If the customer retains control over the keys, the government then has to sue the customer, who can then seek all the legal protections that might apply, including—most importantly—any client-attorney privileges that might apply.
Ultimately, Yoren said just about every government in the world is to one degree or another pursuing legal and illegal means to access data stored in cloud services. In fact, Yoren noted that many governments now require data created by organizations that legal entities in their particular country to store their data in a place where that country can still retain jurisdiction control over that data.
Obviously, all these government efforts to access data stored in the cloud is not a positive development for the IT industry as a whole. But given the overall economic benefits of the cloud, none of these rulings necessarily mean there will be less usage of the cloud. But it does mean organizations will be a whole lot more particular about how and when cloud computing services are actually employed.