The slippery slope of data sovereignty was brought into the limelight again recently with the news that certain Canadian government agencies were entertaining discussions to store secret Canadian data on US-based hyperscale clouds - forbidden by current Canadian Federal policy. These discussions centered around the use of encryption to ensure that this data remained secret - with the premise being that as long as Canada held the keys to the encryption, the data would be safe. Encryption has also been front and center in many discussions concerning readiness for the EU General Data Protection Regulation (GDPR), already approved, and due to be enforced beginning in May 2018.
Encryption, as it applies to both data-in-transit and data-at-rest, can be a very effective tool for securing private data. Of course this assumes that policies followed for management of encryption follow certain best practices, particularly as it relates to key management. However, despite this, encryption is not foolproof:
- Ideally the encryption keys should remain solely with the “owner” of the data, as in the example above, the Canadian government. However, in a cloud scenario, this isn’t necessarily possible, as the data needs to be decrypted in order to allow further processing on the cloud platform.
- Once data is decrypted for additional processing, it is no longer protected for the duration, and thus becomes potentially accessible to third parties.
- Despite the value and strength of encryption, it is ultimately possible that it is still reversible via backdoors or other methods, again making it potentially accessible to third parties.
So, just who are these mystical third parties referenced above? Amidst today’s political climate, the US government and Patriot Act, more often than not, are top-of-mind considerations when seeking data sovereignty. While many gray areas remain, we’ve worked closely with leading authorities on the subject of jurisdiction and data sovereignty, including Éloïse Gratton (one of Canada’s foremost privacy experts), to put together to provide guidance on what this all means for your cloud deployments. We have updated our Jurisdiction Matters white paper and will continue to do so as the legalities evolve. Click here to read it.
Image can be found here.