During the same decade that the USA PATRIOT Act conferred unprecedented powers on U.S. law enforcement officials, such trends as the consumerization of information technology (IT) and virtual servers gained traction on the enterprise data center scene. Simultaneously, the advent of cloud technology ushered in an era in which data from companies all over the globe can be housed in the same data centers as that of many other companies. Obviously, access to certain assets must be restricted to protect sensitive business data and strategic applications—within the letter of the law.
Broadly speaking, the purpose of cloud computing is to enable data to reside anywhere in the world and empower it to flow freely across borders, yet the purpose of the USA PATRIOT Act is to provide its enforcers with access to data, no matter where it resides.
You see the problem.
Some European cloud service providers seized the opportunity to capitalize on the U.S. legislation’s restrictions and position their own services as a more secure option, and they did attract customers on that basis. However, both the European cloud providers and their new customers erred in assuming that their data would reside outside the grasp of the PATRIOT Act. According to the international law firm Mayer Brown, these businesses overlooked the fact that U.S. law enforcement authorities can serve orders on:
- Any U.S.-based cloud services provider or customer
- Any services provider or customer with U.S. offices, and
- Any services providers that have regular business dealings with U.S. companies—no matter where their data is stored.
Thus, it follows that, since many European companies maintain some sort of presence in the United States, they are subject to U.S. law, regardless of which company fulfills their cloud data storage needs or where it is located. Further complicating matters is the fact that data security laws vary from nation to nation. For example, the U.K. has its Regulation of Investigatory Powers Act, and Canada’s privacy laws require any organization that collects data to be responsible for securing it.
So what’s the solution? How do we strike a balance between business and government agendas, and is it even possible to keep information totally secure in the cloud?
A Brief History of the USA PATRIOT Act
In 2001, the U.S. Congress enacted a law with a long name and a catchy acronym: “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2000,” better known as the USA PATRIOT Act. The intent of this legislation was to protect Americans from terrorism.
The new law gave U.S. law enforcement officials the power to search the contents of e-mails, tap phone lines and probe medical and financial records without first obtaining a court order. It also made it much easier for U.S. officials to gather foreign intelligence within the United States, while simultaneously monitoring some financial affairs of foreigners and greatly expanding the powers and reach of U.S. immigration authorities.
Although the USA PATRIOT Act was originally intended to be of only four years’ duration, it was later revised and reauthorized by Congress and signed into law in 2006. Its supporters are grateful for the law, since it strengthens the government’s ability to circumvent terrorist activity. However, its detractors have voiced concerns about eroding privacy and the potential for data security breaches.
Encryption Solutions Hold the Key
Gartner released a research report on August 23, 2013, entitled Simplify Operations and Compliance in the Cloud by Encrypting Sensitive Data. The report urges enterprises to heed the following warnings:
- When using cloud SaaS applications, be sure to protect sensitive fields and columns.
- To prevent access to encrypted data, don’t allow keys to be stored or used in other jurisdictions or by a third-party provider.
- If you’re managing keys or tokens onsite, get smart about potential impacts on access and availability of your cloud services provider, and know all there is to know about appliance performance.
- Be sure to carefully investigate vendors’ claims, so you know that their solutions are based on proven security models.
According to Michael Goodspeed, Global Leader of Infrastructure Services and Cloud Services at Unisys, “Our Unisys Stealth solution not only protects users’ data in the cloud but also enables them to retain and control the data encryption key.”
Unisys Stealth is a single security technology that increases data protection, simplifies management and reduces reliance on physical infrastructure. It provides certified data security from internal or external theft, misuse or corruption.
Unisys Stealth enables the separation of critical servers and databases with software that creates secure groups of users or Communities of Interest (COI). Stealth makes the data invisible to barred users, which not only helps secure sensitive data in a regional data center but also secures corporate assets in the enterprise data center. For example, only users in the orange COI can access a specific server, while only blue COI users can access another. These secure communities thwart hackers by cloaking endpoints and segmenting the network virtually, rather than physically.
According to Gartner’s August 23, 2013 research report, the award-winning PerspecSys Cloud Data Protection Gateway intercepts sensitive data or files on the client’s premises and substitutes a random, tokenized or encrypted value, which essentially makes the data meaningless should it be accessed by unauthorized individuals while being processed or stored in the cloud. Gartner observes that the PerspecSys Cloud Data Protection Gateway offers clients:
- Preservation of cloud application functionality
- FIPS 140-2 compliant modules from leading industry cryptographic providers
- Client ownership of encryption keys
- End user capabilities encompassing sorting and searching data, sending e-mails and generating reports, even when they contain tokenized or strongly encrypted data
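The substitution pattern described above can be illustrated with a short added example. It is not code from PerspecSys, Unisys or Gartner; the class, function and field names and the sample records are all hypothetical and constructed for illustration. Sensitive fields are swapped for random tokens before a record leaves the premises, the token vault stays on site, and exact-match search still works on the cloud side.

```python
import secrets

# Assumed policy: fields that must never leave the premises in clear text.
SENSITIVE_FIELDS = {"name", "ssn"}


class TokenVault:
    """On-premises token store; the mapping is never sent to the cloud provider."""

    def __init__(self):
        self._by_value = {}  # (field, cleartext) -> token
        self._by_token = {}  # token -> cleartext

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            token = "tok_" + secrets.token_hex(12)  # random, not derived from the value
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]  # same value -> same token, so equality search works

    def detokenize(self, token):
        return self._by_token.get(token, token)  # unknown tokens stay opaque


def outbound(vault, record):
    """Gateway step: replace sensitive fields before the record goes to the cloud."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(vault, record):
    """Gateway step: restore clear text for an authorized on-premises user."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def cloud_search(cloud_rows, field, token):
    """What the cloud application sees: an exact match on stored (tokenized) values."""
    return [r for r in cloud_rows if r.get(field) == token]


def demo():
    vault = TokenVault()
    rows = [  # constructed sample records
        {"id": 1, "name": "Alice Example", "ssn": "000-00-0001", "plan": "gold"},
        {"id": 2, "name": "Bob Example", "ssn": "000-00-0002", "plan": "basic"},
    ]
    cloud = [outbound(vault, r) for r in rows]
    hits = cloud_search(cloud, "ssn", vault.tokenize("ssn", "000-00-0001"))
    return cloud, [inbound(vault, r) for r in hits]
```

Random tokens carry no ordering, so this sketch supports equality search only; server-side sorting on tokenized fields is outside what it shows.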
Knowledge is Power, So Get Smart
Enterprise-wide adoption of the cloud requires a comprehensive understanding of the associated security and operational risks posed, as well as a strategy for managing them. IT services providers stand ready with solutions that can minimize breaches and maximize security.
What are some of your company’s strategies for ensuring security for data it stores in the cloud?