Our latest conversations with CipherCloud Chief Trust Officer Bob West have centered primarily on security leadership and enterprise data privacy. Of particular interest to many organizations as they look at adopting the cloud are data residency and other legal concerns. When the news emerged that “Microsoft’s latest attempt to resist a US government warrant demanding access to emails stored on servers in Ireland has been dismissed by a federal judge,” as the BBC recently reported, we took the opportunity to ask Bob what that means for enterprises concerned with data residency and privacy.
What are the ramifications of the US government attempting to claim jurisdiction over data stored in other countries?
Bob West: One of the challenges that we have is we don’t know where this is going to end up, and so it becomes that much more important for an enterprise to understand where its information resides and what regulatory issues are associated with the geography where the information sits. It’s also important not to get overconfident that the safeguards with respect to data residency will be enough.
The reason Microsoft set up a data center in Ireland was to help their European customers comply with the EU Privacy Directive. A secondary reason was to avoid issues such as the US government issuing a blind subpoena for information at the cloud provider’s data center in the US. Along come these judgments. First of all, the US is saying that it doesn’t matter where information resides geographically, we are going to take your information.
It’s not just the US, either. There are different pieces of legislation being signed into law on a global basis that make it much more challenging for an enterprise to comply with regulatory requirements globally. It’s going to continue to be a challenging environment for enterprises, and they need to be very judicious and focused on understanding how regulatory issues and security and privacy laws evolve over the next few years.
What can enterprises do today to minimize the risks of data disclosure to government agencies?
Bob West: If you’re encrypting the information and holding the encryption keys on the enterprise side, that has a practical implication, because now you retain much more control of the information. There’s a whole host of issues that, as an enterprise, you can begin to address when you implement tools like that. Tokenization serves a similar function. Legislation just passed in Russia, the crux of which is that in 2016, if information is being collected about Russian citizens, the technology needs to sit within Russian borders. Technical solutions like tokenization can work in that type of case, if the information needs to stay within Russian borders.
Compliance with data residency laws and regulations is a moving target. The environment is changing, and the letter of the law as it stands is often not enough to stop a government from attempting to overstep its bounds. Bob and CipherCloud believe that the best way to protect your organization’s sensitive data from unauthorized access is to protect that data with strong encryption and encryption keys exclusively controlled by your organization, not a third-party provider.
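To make the tokenization point concrete, here is a small worked example added to this post; it is illustrative code, not CipherCloud’s product or anything Bob described in detail. It assumes an in-region tokenization vault (modelled here as an in-memory dictionary, where a real deployment would use a database inside the required borders), a set of constructed sample customer records, and a hypothetical list of fields (name and passport number) that must not leave the jurisdiction in clear text. Records sent to the cloud provider carry only random tokens; the mapping back to real values exists only in the vault the enterprise controls, which is what gives it the same kind of leverage as holding its own encryption keys.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demo; these are made-up values.
SAMPLE_RECORDS = [
    {"customer_id": 1001, "name": "Ivan Petrov", "passport": "45 01 123456", "order_total": 42.50},
    {"customer_id": 1002, "name": "Anna Sokolova", "passport": "45 02 654321", "order_total": 17.00},
    {"customer_id": 1003, "name": "Ivan Petrov", "passport": "45 01 123456", "order_total": 9.99},
]

# Hypothetical policy: fields that must stay in-region in clear text.
SENSITIVE_FIELDS = ("name", "passport")


class TokenVault:
    """In-region tokenization vault.

    Holds the only mapping from tokens back to original values. Here it is an
    in-memory dict so the example runs offline; in practice it is a store that
    sits inside the enterprise's own jurisdiction.
    """

    def __init__(self, lookup_key: bytes):
        # A keyed fingerprint lets equal values receive equal tokens (so the
        # cloud side can still join and search on them) without storing a plain
        # hash that could be brute-forced from common names or numbers.
        self._lookup_key = lookup_key
        self._value_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # Tokens are random, so they reveal nothing about the value itself.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fingerprint[fp] = token
            self._value_by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def prepare_for_cloud(record: dict, vault: TokenVault, fields=SENSITIVE_FIELDS) -> dict:
    """Return a copy of the record with sensitive fields replaced by tokens."""
    outbound = dict(record)
    for field in fields:
        if field in outbound:
            outbound[field] = vault.tokenize(str(outbound[field]))
    return outbound


def restore_from_cloud(record: dict, vault: TokenVault, fields=SENSITIVE_FIELDS) -> dict:
    """Resolve tokens back to values; only possible with access to the vault."""
    inbound = dict(record)
    for field in fields:
        if field in inbound:
            inbound[field] = vault.detokenize(inbound[field])
    return inbound


def plaintext_leaked(cloud_records, originals, fields=SENSITIVE_FIELDS) -> bool:
    """Audit what the provider actually holds: does any original sensitive
    value appear anywhere in the outbound records?"""
    sensitive_values = {str(r[f]) for r in originals for f in fields if f in r}
    for rec in cloud_records:
        for value in rec.values():
            if str(value) in sensitive_values:
                return True
    return False


def demo():
    """Tokenize the sample records, then restore them using the vault."""
    vault = TokenVault(secrets.token_bytes(32))
    cloud_side = [prepare_for_cloud(r, vault) for r in SAMPLE_RECORDS]
    restored = [restore_from_cloud(r, vault) for r in cloud_side]
    return cloud_side, restored


if __name__ == "__main__":
    cloud_side, restored = demo()
    for rec in cloud_side:
        print(rec)
    print("sensitive values visible to provider:", plaintext_leaked(cloud_side, SAMPLE_RECORDS))
    print("round trip ok:", restored == SAMPLE_RECORDS)
```

Running the script prints records in which only the tokens and the non-sensitive fields (customer ID, order total) are visible, confirms that no original name or passport number reaches the provider, and shows the round trip back through the vault. The keyed fingerprint is a design choice worth noting: it keeps tokenization consistent (the two “Ivan Petrov” records get the same token, so the provider can still group by customer) while the random token itself carries no information, and the HMAC key lives with the vault rather than with the provider.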
What are your data residency worries? Let us know in the comments.