When you park your data do you hand your keys to the valet?

August 5, 2014 / Security

Security remains a top concern for IT managers considering the cloud. This is symptomatic of trust issues when working with cloud providers. After all, when you hand your precious data over to a cloud provider, in general you are also handing over the keys, just as when you valet your car. You've never met the young gentleman with the red vest and the bow tie, but you are handing him the keys to your brand new Mercedes! Your corporate data could be worth much, much more.

Once you've handed the valet the keys to your data, you have no control over how he (or she) handles those keys or who they might be shared with. The same applies to your data. The primary fear is that hackers might gain access to your data and exploit it, resulting in loss of your business reputation and real money. Cloud applications, even when they encrypt data in the cloud, hold the keys to your data somewhere. An attacker who exploits the application may recover those keys, or may alter the application so that it reveals your data.

Inadvertent release (leakage) is also a possibility. The application may have a bug or security hole that someone might stumble into. The application thinks the request for your data comes from you, but the requestor is actually someone else. Such errors are unfortunately all too common.

Then there's access by state actors. For data stored in the US, the US government has several legal tools available to get access to your data without you ever being informed. If you've given your keys to the valet, the feds present the right legal documents to the valet (subpoena, national security letter, sometimes even less) and the valet gives them your data. Recently a NY court held that the US also has legal authority to request data that is stored overseas! This brings new legal risks for data stored everywhere. Foreign authorities may start making requests for data stored in the US by US companies that have overseas subsidiaries. European efforts to keep data in-country may become moot if the providers have a presence in other countries. While one of the key benefits of the cloud is to make location irrelevant, if this NY judge's decision is upheld there could be a significant legal downside. Companies will feel that if they hold data in their own data centers, at least they will be informed when their data is being requested by authorities.

At Cloak Labs we don't hold our customers' private keys. Only the sender and recipient of a message can read its contents. We don't have to ask you to trust our cloud infrastructure, because encryption and decryption happen on your premises. Our cloud infrastructure just queues and transports encrypted messages. Were we to be subpoenaed for your data, we would of course be legally forced to cooperate, but all we could provide authorities with is highly encrypted messages. We don't wear shiny red vests and bow ties and we don't have the keys to your data.
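
The arrangement described above, where keys stay on the customer's premises and the cloud only queues ciphertext, can be sketched as follows. This is an added example, not Cloak Labs' code: the scheme (one-time X25519 key, HKDF-SHA256, AES-256-GCM), the `Relay` class and every name in it are assumptions, since the post does not say which algorithms the product uses, and the sketch does not authenticate the sender.

```javascript
// Added example: constructed parties and relay, not Cloak Labs code.
const nodeCrypto = require('node:crypto');

// Each party creates its key pair on its own premises; only the public key is shared.
const newParty = () => nodeCrypto.generateKeyPairSync('x25519');

// Per-message AES-256 key from an X25519 shared secret (HKDF-SHA256).
function deriveKey(privateKey, publicKey, salt) {
  const secret = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, salt, 'relay-demo', 32));
}

// Sender: encrypt to the recipient's public key before anything leaves the premises.
function seal(plaintext, recipientPublicKey) {
  const eph = nodeCrypto.generateKeyPairSync('x25519'); // one-time sender key
  const salt = nodeCrypto.randomBytes(16), iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(eph.privateKey, recipientPublicKey, salt), iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { ephPub, salt, iv, ct, tag: c.getAuthTag() };
}

// Recipient: only the holder of the matching private key can open the envelope.
function open(env, recipientPrivateKey) {
  const ephPub = nodeCrypto.createPublicKey({ key: env.ephPub, type: 'spki', format: 'der' });
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(recipientPrivateKey, ephPub, env.salt), env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]).toString('utf8');
}

// Relay: queues and forwards envelopes and never holds a private key.
class Relay {
  constructor() { this.queues = new Map(); }
  enqueue(to, env) { this.queues.set(to, [...this.dump(to), env]); }
  // All the relay can hand over, to the recipient, a court order, or a mistaken request.
  dump(to) { return this.queues.get(to) || []; }
}

// Constructed scenario: Bob's queue is released to someone who is not Bob.
function demo() {
  const bob = newParty(), other = newParty(), relay = new Relay();
  relay.enqueue('bob', seal('Q3 payroll file', bob.publicKey));
  const [env] = relay.dump('bob');
  let wrongParty = null;
  try { wrongParty = open(env, other.privateKey); } catch { /* GCM tag check fails */ }
  return { bobReads: open(env, bob.privateKey), wrongParty, relaySees: env.ct };
}
```

Whatever path the envelope takes out of the relay, it opens only with the private key that never left the recipient's premises.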

About the author

Dr. Michel Floyd: Michel has spent his entire career in Silicon Valley in a succession of technology and business leadership roles. Most recently Michel was Global CTO at YouGov Plc, a global opinion research company based in London. In that role he helped integrate a large number of acquisitions in different parts of the world. He built up a world-class development team distributed from Germany to Alaska to Peru. His accomplishments include releasing an interactive, 14 country brand tracker which is both the company's fastest growing and most profitable product. Before YouGov Michel was EVP & CTO at Knowledge Networks (subsequently acquired by GfK). There he focused on technology, operations, and driving business efficiency throughout the company. He had P&L responsibility over $13M in revenues and also served as interim CEO. Michel earned his SB, SM, and ScD degrees in aeronautical and astronautical engineering from MIT. He has participated in two IPOs and numerous acquisitions, primarily on the buy side. He has been awarded 4 patents. Dr. Floyd is also on the board of directors of VLAB, the Silicon Valley chapter of the MIT Enterprise Forum.

