CLOUD SECURITY CUP: USA VS. EUROPE (SPOILER – IT’S NOT A 0-0 DRAW)
July 3, 2014
By Brandon Cook, Skyhigh Networks
With the World Cup in full swing, one cannot help but compare the US to our neighbors around the world. The event begs it. We see our skills, our style, our strategy and our fans all juxtaposed with more established soccer powers from around the globe.
Privacy: Europe 1 – US 0
Given the concerns around the US Patriot Act and US government-issued blind subpoenas, there is a growing school of thought encouraging IT shops to use cloud services that are headquartered in privacy-friendly jurisdictions (e.g. the EU).
Why? Well, under the US Patriot Act, US intelligence agencies are permitted to access data owned by non-US citizens stored on clouds hosted by US companies.
This perspective has been championed by European IT leaders such as John Finch, CIO of the Bank of England. He’s said, “You need to think about where Cloud companies are domiciled. Even if that well-known cloud provider says ‘don’t worry’, if they’re an American company, your data is linked to the American Patriot Act. That means if the FBI or CIA want it, they’ve got it. Think about what you’re giving and when.”
Security: US 1 – Europe 0
However, the data tells a different story. While privacy is important, one cannot ignore data security. Based on statistics from Skyhigh’s Cloud Registry, which uses a security framework developed in conjunction with the Cloud Security Alliance (CSA), 9% of cloud services headquartered in the EU are high risk, compared to only 5% of cloud services headquartered in the US. So, while EU-based cloud services provide some protection from the US Patriot Act, they do expose organizations to greater security risks.
WWJKD (What Would Jürgen Klinsmann Do)?
So, if using US providers isn’t the answer, what is? Encryption is one effective solution that is gaining traction for many cloud consumers. It’s important that your cloud provider provide encryption for data not just in transit, but at rest as well. Equally important, especially for European customers concerned with the privacy of their data hosted by US cloud providers, is encryption key management. If your cloud provider owns the encryption keys, the US government can subpoena your cloud provider, forcing them to decrypt and share your data. Further, they can issue a gag order to your cloud service provider so this is done without your knowledge. In order to protect your company’s security and privacy, make sure you encrypt sensitive data AND manage your own encryption keys.
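To make the key-management point concrete, here is an added example (not code from the original post or from Skyhigh) of customer-managed encryption before upload: each object is encrypted under a fresh data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that stays with the customer. The provider stores only ciphertext and the wrapped DEK, so a request served from the provider's side yields nothing readable. The object name, the `StoredObject` layout and the use of the name as associated data are assumptions made for the example, as is the constructed sample object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the cloud provider ever sees: ciphertext plus a
// per-object DEK that is itself encrypted under the customer's KEK.
// The KEK never leaves the customer. (Layout is an assumption for this example.)
type StoredObject struct {
	Name       string
	Nonce      []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedDEK []byte
}

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad to the ciphertext.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, nonce, aad or ciphertext is wrong.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForUpload runs on the customer side before anything is sent to the
// provider: generate a DEK, encrypt the object, then wrap the DEK under the KEK.
func EncryptForUpload(kek []byte, name string, plaintext []byte) (StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return StoredObject{}, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Name: name, Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptAfterDownload runs on the customer side: unwrap the DEK with the KEK,
// then decrypt the object. Whoever holds only what the provider stores (no KEK)
// cannot get past the first step.
func DecryptAfterDownload(kek []byte, obj StoredObject) ([]byte, error) {
	if kek == nil {
		return nil, errors.New("no KEK available: only ciphertext and a wrapped DEK are stored")
	}
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.Name))
}

func main() {
	kek, _ := NewKey() // constructed customer-held key; in practice held in a customer-controlled KMS/HSM
	obj, err := EncryptForUpload(kek, "reports/q2.pdf", []byte("quarterly figures")) // constructed sample object
	if err != nil {
		panic(err)
	}
	// The provider holds obj only; without the KEK the unwrap fails.
	if _, err := DecryptAfterDownload(nil, obj); err != nil {
		fmt.Println("provider-side decrypt:", err)
	}
	pt, err := DecryptAfterDownload(kek, obj)
	fmt.Printf("customer-side decrypt: %q (err=%v)\n", pt, err)
}
```

Binding the object name as GCM associated data is a design choice: it stops a stored wrapped DEK or ciphertext from being silently re-attached to a different object, and it makes tampering with the stored record fail at unwrap time rather than producing garbage. The security of the whole scheme reduces to where the KEK lives; if it is handed to the provider, the arrangement collapses back to provider-managed keys.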
For straight-shootin’ facts on cloud encryption and a run-down on the tradeoffs of each algorithm, check out the Cloud Encryption Cheat Sheet.