It’s all about the data, dummy

Businesses must secure the key to encrypted data passed to a third-party cloud provider, says Paul Simmonds, chief executive of the Global Identity Foundation

Ten years ago, a group of leading global chief information security officers (CISOs) came together to form a think-tank called the Jericho Forum. We all had a common problem – our organisations needed their corporate data to flow freely outside the corporation’s security perimeter to partners, joint ventures and a plethora of other bodies with which we did business.

The term “de-perimeterisation” was coined to describe what was happening to us and the challenge we faced. We wrote 11 “commandments”, principles upon which to design for this new paradigm. Commandment nine asked the question: “How do you manage data in an environment you don’t control?”

Now let’s fast forward to today and a world of always-on connectivity; of computing performed in the cloud, using someone else’s computing resource or sharing a common application; and of bring your own device, using a device I purchase and maintain to do my day job. All this while we live in a post-9/11 world where the spooks would like access to all this data.

The recent Snowden revelations introduced us to terms such as PRISM and Tempora, the American and British surveillance programmes, but primarily alerted us to the scale on which the US National Security Agency was surveilling the world.

That it was going on was well known prior to Snowden, with the US Patriot Act and Foreign Intelligence Surveillance Amendment Act (FISAA) in force since 2008, and the UK’s Regulation of Investigatory Powers Act since 2000, all containing “gag” clauses prohibiting cloud vendors and internet service providers from letting their clients know what they are being obliged to hand over.

If the Snowden revelations have done anything, it’s to bring to the attention of chief executives and chief financial officers the risks involved, and give the lie to those many cloud salespeople who assured businesses their data was totally safe with them.

As a CISO, how long do you think you would have a job if you took the secret recipe for Coca-Cola, wrote it on a postcard and announced to your board that you planned to give it to a third party to look after? However, a number of people – you don’t know who or how many – from that third party can see it and, if someone obtains a court order to read that postcard, the third party will be legally prohibited from telling you.

Unfortunately this is what countless companies have been doing and continue to do today. And not only with company secrets, but also with sensitive personal data they are legally obligated to keep secure under UK and EU data protection legislation.

Meanwhile, Microsoft has openly admitted that the US Patriot Act and FISAA apply to any data centre of an American corporate, irrespective of where in the world it is located. So “solutions” proffered by US companies of keeping your data physically in an EU-located data centre seem rather hollow.

In addition, many European countries have laws on the statute book giving them similar powers, making claims from niche local vendors offering EU or country-centric data centres seem equally dubious.

So can businesses securely use the cloud environment and cloud services? The answer is a resounding yes. But only if you can answer that original question: “How do you manage data in an environment you don’t control?”

There are solutions out there which allow you to do just this. They encrypt your data before it leaves your control and enable you to retain the key, while still letting the cloud provider operate – search and index – that data. Technically it’s known as format- and operations-preserving encryption.

Critical to any encryption solution is key ownership. To the auditor who asks, “How do you guarantee this data is secure?” the answer is, “Because I, and not the third party, have the key”. The information security industry is taking these challenges seriously.
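
To make the two paragraphs above concrete, here is an added illustration (not from the article or any vendor product) in which the customer encrypts each record and derives a keyed search token before upload, so the provider can answer exact-match lookups while holding neither key. It is a simplified stand-in using AES-256-GCM and an HMAC blind index rather than a commercial format-preserving scheme; the function names and sample records are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Blind index: keyed HMAC of the searchable field. The provider can compare
// tokens for equality but cannot invert them without idxKey.
function token(idxKey, field) {
  return nodeCrypto.createHmac('sha256', idxKey).update(field, 'utf8').digest('hex');
}

// Customer side: AES-256-GCM under a key the provider never receives.
// The token is bound in as associated data so blobs cannot be swapped.
function seal(keys, field, body) {
  const tok = token(keys.idxKey, field);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', keys.encKey, iv);
  c.setAAD(Buffer.from(tok));
  const ct = Buffer.concat([c.update(body, 'utf8'), c.final()]);
  return { token: tok, iv, ct, tag: c.getAuthTag() };
}

// Customer side: throws if the key is wrong or the record was altered.
function open(keys, rec) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', keys.encKey, rec.iv);
  d.setAAD(Buffer.from(rec.token));
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
}

// Provider side: sees stored records and a query token, never keys or plaintext.
function providerSearch(store, queryToken) {
  return store.filter((rec) => rec.token === queryToken);
}

function demo() {
  const keys = { encKey: nodeCrypto.randomBytes(32), idxKey: nodeCrypto.randomBytes(32) };
  // Constructed sample records: (customer reference, confidential note).
  const store = [
    seal(keys, 'cust-1001', 'renewal terms draft'),
    seal(keys, 'cust-2002', 'recipe batch notes'),
  ];
  const hits = providerSearch(store, token(keys.idxKey, 'cust-2002'));
  const wrongKeys = { encKey: nodeCrypto.randomBytes(32), idxKey: keys.idxKey };
  let readableWithoutKey = true;
  try { open(wrongKeys, hits[0]); } catch (e) { readableWithoutKey = false; }
  return { hits: hits.length, plaintext: open(keys, hits[0]), readableWithoutKey };
}

console.log(demo());
```

Equal field values produce equal tokens, so the provider can still observe which records share a value and how often each is queried.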

So we can secure data for a company looking to use a cloud solution. But looking at the future, we are rushing headlong into a world with ever-increasing amounts of our data in the cloud and where it is critical to secure this data.

To have any chance of achieving our goal, we need a single, consistent global solution for identifying people, the devices we use and the organisations we interact with, allowing us to simply and easily encrypt our private data, both in transit and while stored in the cloud. That, however, remains a little way off.

Paul Simmonds is chief executive of the Global Identity Foundation, and was formerly chief information security officer at AstraZeneca and ICI.