Cloud Encryption – Who’s Really Responsible?
There's a growing buzz in the industry about "who" should be responsible for encryption in the cloud from a user perspective. As usual, the technology to do this is not the hard part – crypto is crypto is crypto, etc. It's really more of a privacy and legal issue; privacy from the perspective of preventing others from seeing your stuff in the cloud and legal from the perspective of who has control over that data that is secured in the cloud.
I think we all get the idea of privacy of our data in the cloud. For example, if you put your personal financial data in the cloud, either to be stored or to be used by an application, you want to make sure the data is secure. If it's just storage, then you can personally encrypt the data before you store it in the cloud using encryption solutions like PGP. If you're lucky enough to have a cloud provider that encrypts it for you but gives you complete control over the encryption keys, such that the provider never holds any of them, then that's much easier and better than buying your own encryption technology, and likely faster. These are the simple approaches, but the second one may not be the easiest to achieve, or to verify is really in place.
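The first approach above (encrypt on your own machine, upload only ciphertext, keep the key yourself) is simple enough to show end to end. The following Go program is an added example, not code from the original post; it stands in for a tool like PGP with AES-256-GCM from Go's standard library, and the `cloudStore` type is a constructed stand-in for a provider that only ever receives the encrypted blob. It shows the round trip with the user's key, that the stored blob does not contain the plaintext, and that a guessed key or a modified blob is rejected rather than yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// cloudStore is a constructed stand-in for the provider: it stores whatever
// blob it is handed and never sees a key.
type cloudStore struct {
	objects map[string][]byte
}

func newCloudStore() *cloudStore {
	return &cloudStore{objects: make(map[string][]byte)}
}

func (c *cloudStore) Put(name string, blob []byte) { c.objects[name] = append([]byte(nil), blob...) }
func (c *cloudStore) Get(name string) ([]byte, bool) {
	b, ok := c.objects[name]
	return b, ok
}

// newUserKey generates a random 256-bit AES key that stays on the user's side.
func newUserKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// seal encrypts plaintext with AES-256-GCM under the user's key and returns
// nonce || ciphertext || tag, which is the only thing that leaves the client.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. Because GCM authenticates the ciphertext, a wrong key
// or a modified blob produces an error instead of silently wrong output.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// canRead reports whether someone holding the stored blob and the given key
// recovers the plaintext; with only what the provider stores, they cannot.
func canRead(store *cloudStore, name string, key []byte) bool {
	blob, ok := store.Get(name)
	if !ok {
		return false
	}
	_, err := open(key, blob)
	return err == nil
}

// roundTrip uploads plaintext as ciphertext and downloads it again with the
// user's key, reporting whether the plaintext came back intact.
func roundTrip(store *cloudStore, key []byte, name string, plaintext []byte) (bool, error) {
	blob, err := seal(key, plaintext)
	if err != nil {
		return false, err
	}
	store.Put(name, blob)
	got, ok := store.Get(name)
	if !ok {
		return false, errors.New("object missing from store")
	}
	pt, err := open(key, got)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, plaintext), nil
}

func main() {
	key, _ := newUserKey()
	store := newCloudStore()
	// Constructed sample data standing in for a personal financial file.
	ok, err := roundTrip(store, key, "finances.csv", []byte("acct,balance\n1234,5000\n"))
	fmt.Println("user round trip ok:", ok, "err:", err)
	guess, _ := newUserKey() // the provider holds no copy of the user's key
	fmt.Println("provider reads plaintext with a guessed key:", canRead(store, "finances.csv", guess))
}
```

The property the post asks for is the last line: the provider's copy is "just a jumbled blob" unless the user's key is supplied. The same code also shows the flip side, since whoever does hold that key (the provider, if it generated the key for you) reads the data just as easily as you do.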
Here's where the legal issues start getting a bit interesting. This has to do with who owns the encryption keys (cloud provider or user) and what that ownership gives the owner the right to do with those keys and the data they protect. In the examples above, it's pretty straightforward. The user owns the encryption keys and there's nothing the cloud provider can do with your data, short of deleting it, archiving it, or locking your account. At the end of the day it's just a jumbled blob of data.
If, however, in the example above, the cloud provider controls the encryption keys, then the cloud provider has as much control over your data as you do. In fact, the cloud provider has more control, since the provider can change the encryption keys at any time, potentially view your data without you knowing or, worse, lock your account and remove your access to the data. You now have your personal sensitive data in the cloud where it is available for misuse or sale to third parties, and if an attacker gets into the cloud provider's systems, they can probably find the keys and do what they want with the data.
The other interesting (or confusing) dimension is where law enforcement comes into play. If, for some reason, law enforcement determines they must have access to the data stored in the cloud, and the cloud provider has the encryption keys and your account password, then the provider could be compelled to give them access to any and all of that data. Keep in mind, this may not have anything to do with you as an individual; it could be a broader request by law enforcement to search for something they need in order to discover who is at the other end of whatever case they're working on. In any case, you may not have control over who's handing out or providing access to your sensitive data. Now your sensitive data is potentially in the hands of people outside the cloud provider, and it either is or isn't adequately protected there.
Clearly, what I've described above is a worst-case scenario, but when it comes to protecting our own personal sensitive data, we all need to consider what the worst case would look like. Over the years we've seen a lot of theoretical security scenarios become reality since the advent of world-wide use of the Internet and the ability to share data. The lesson here is that if you're storing your own personal sensitive data with a cloud provider, make sure that only you own the encryption keys to your data.