Nestled in the fields of Normandy near the banks of the Seine, an ultra-modern data center has just switched on thousands of servers. The center belongs to a new French cloud infrastructure provider called CloudWatt. Its stated purpose? Defeating the USA Patriot Act by placing French cloud data beyond the long arm of American authorities. For, laments Le Monde in an article announcing CloudWatt’s launch, “the supercomputers of the biggest cloud providers, such as Amazon or Google, are all located outside of France”. In particular, they are mostly located in the United States, where – according to Le Monde – the Patriot Act “allows the American government to access any data it pleases if the data is considered sensitive”.
Many lawyers would contest the French newspaper’s interpretation of the unusual powers supposedly granted to U.S. authorities by the Patriot Act. In fact, a review by the global law firm Hogan Lovells found that authorities in Europe, Japan and Australia have largely the same legal powers to access cloud data as the U.S. “Even European countries with strict privacy laws,” the study found, “also have anti-terrorism laws that allow expedited government access to Cloud data.” Some countries, notably France, appear to have far greater powers than granted to U.S. authorities by the Patriot Act.
Still, the fact remains that fear of the Patriot Act remains a powerful hindrance to cloud adoption overseas. This fear is frequently cited by enterprises and public sector agencies in both Europe and Asia as a reason to stay away from cloud services – or at least from those services provided by the big U.S. vendors who lead this market, such as Amazon, Google, Salesforce or Microsoft. But the alternative - building cloud infrastructure inside the borders of each country – while feasible, defeats one of the chief aims of cloud computing, which is to lower the cost of computing by consolidating expensive shared infrastructure into a small number of very large data centers.
Is Encryption the Answer?
As SafeGov contributing experts Rich Falkenrath and Paul Rosenzweig of the Chertoff Group have pointed out, an elegant solution to Patriot Act concerns would be for users to encrypt their data before sending it to the cloud. Provided that the users retain sole control over the encryption keys and that their data is encrypted not only while in transit but also while at rest on the cloud provider’s servers, the data will remain forever inaccessible to the U.S. government and every other outsider - even the cloud provider’s own system administrators and data mining algorithms. With a suitable encryption method, such as AES 256, it’s hard to see why this approach couldn’t assuage the doubts of even the most security-conscious cloud adopters. Some European Data Protection Authorities share this view. For example, the French DPA (Commission nationale de l’informatique et des libertés, or CNIL) recently recommended encryption with user controlled keys as a standard practice for French firms and government agencies moving to the cloud.
However, a common objection to the use of encryption for cloud data is that it is complicated for customers to deploy the necessary software, enforce the proper policies in their organizations and manage the encryption keys. Indeed, a CNIL official recently confided to SafeGov that it had encountered precisely this objection to its recommendation in favor of encryption.
Encryption is never likely to become trivial to implement. But there has been interesting recent progress in this area that is worth bringing to the attention of prospective cloud users and data protection authorities who are concerned about Patriot Act issues. Within the past year a wave of new startups have launched turnkey encryption solutions specifically designed to work with popular cloud services such as Salesforce.com, Google Apps, and Microsoft Office 365. Some names include CipherCloud, Concealium, Impartio, Navajo Systems (acquired by Salesforce), PerspecSys and Vaultive.
Although the products and go-to-market strategies of these companies differ in important ways, they all share the same basic concept, which is to encrypt user data on the fly behind the customer’s firewall before sending it to a cloud provider’s servers over the Internet. When the data is retrieved from the cloud it is decrypted and presented to the user as if nothing had happened. We are of course referring here to encryption of the data itself and not merely of the transport tunnel which it uses to reach the cloud. The former kind of encryption is known as “at rest” encryption, as distinct from “in flight” encryption. The latter is easier to implement and nowadays routinely offered by many cloud providers, but it only protects data while it is moving, not when it is stored in the cloud. Only “at rest” encryption can respond to user fears about the Patriot Act and data breaches caused by malicious insiders, outsider hackers, or system admin mistakes.
I recently had the chance to sit down in CipherCloud’s San Jose offices with Senior VP Dev Ghoshal and two of his colleagues, Allen Pogorzelski and Ram Boreda. Below is an edited transcript of what they told me.
Q: How does CipherCloud protect a cloud application users’ data?
A: CipherCloud encryption software resides within a customer’s network to secure sensitive cloud application data in real-time while retaining all the native functionality of the application. The data that is encrypted is determined by the customer, including for example: sensitive fields in a database, text of email messages, documents attached to email messages, or perhaps only data items occurring in messages that have a certain specific format such as social security numbers.
Q: How do you handle the encryption keys?
A: CipherCloud also manages the encryption keys for the customer. These keys never leave the customer’s site and are not shared with the cloud provider. This ensures that the data stored in the cloud application by the cloud application provider is completely undecipherable to anyone who accesses those servers – whether it be one of the provider’s employees performing a legitimate sys administration task, or a malicious insider like a Bradley Manning seeking to leak information, or an outside attacker who has somehow gained access to the system, or even the U.S. government knocking on the cloud provider’s door with a copy of the Patriot Act in hand.
Q: Can CipherCloud software only be deployed on premises, or can it work in the cloud too?
A: No, CipherCloud can be deployed within a customer’s enterprise network, DMZ, edge, or with a trusted hosting provider i.e. Amazon. We recommend that CipherCloud is deployed where the customer has full control over it and also convenient for remote users. In the case of Amazon, the data would go from the customer’s premises through a secure transport tunnel to the server at Amazon, where it would be encrypted and sent on to the cloud provider.
Q: What kind of cloud applications are your customers using with CipherCloud?
A: Our CipherCloud customers are using a number of well-known cloud applications including Salesforce.com, Google Docs, and Microsoft Office 365 etc. We also have the CipherCloud Connect AnyApp offering that enables customers to connect to any number of other cloud applications. For example; we had a customer interested in using CipherCloud to encrypt data in their SAP SuccessFactors HR cloud application and with AnyApp we were able to enable them.
Q: Does the Cipher Cloud encryption offering break the functionality of these cloud applications?
A: No, our CipherCloud encryption offering does not break any cloud application functionality. This is one of our key differentiators a vis-à-vis ordinary encryption solutions. We encrypt data in a way that preserves data formats and operations. You can see demos of how this works on our web site at www.ciphercloud.com
Q: For example, how would someone working with CipherCloud be able to sort a list of customers in Salesforce.com by revenue or do a keyword search on messages in their Gmail inbox?
A: Our ability at CipherCloud to enable both these examples is part of our core intellectual property. We have a number of patents pending with respect to this. In simple term, we add certain identifiers to the data that is encrypted in order to preserve functions such as sorting and keyword searching. When an end-user performs these functions with CipherCloud in a cloud application, the application behaves exactly the same way it would if the user was working without CipherCloud.
Q: What customers have adopted CipherCloud so far?
A: Our customer list is growing extremely rapidly. We have a number of marquee customers on our website at www.ciphercloud.com. Our customer growth is across a range of industries but particularly in Financial Services [Banking and Insurance], Healthcare, and High-tech.
Q: What customer penetration do you have in public sector?
A: Yes, the public sector vertical is also one of our fastest growing segments. We have customers in the US, Canada, and the UK.
Q: Do your non-US customers express concerns about the U.S. Patriot Act or more generally about meeting the requirements of European data protection laws?
A: Yes, both US Patriot Act and European data protection laws come up frequently in our discussions with customers. Financial services companies and healthcare providers would be adopting encryption even without the Patriot Act, due to regulations and requirements that are specific to their industries, such as the requirement to protect credit card data or the HIPPA [Health Insurance Portability and Accountability Act] mandate to protect patient health information. But, many customers, including in the public sector, are concerned by the Patriot Act, and they see encryption as a way of protecting themselves from governmental intrusion.
Q: I understand that you are currently working mostly with enterprise customers. What are your plans for smaller companies?
A: Yes, CipherCloud primarily has enterprise customers, including leading companies in financial services, healthcare, high tech, public sector etc. But, we also have medium size companies as customers. We see strong interest for our offerings among large and medium enterprise companies.