Insights For Success

Strategy, Innovation, Leadership and Security

Using Non-US cloud providers doesn't protect data

Technology | Edward Kiledjian
Image by Jaaron under Creative Commons License

My day job is in security, so I read every Snowden leak with great interest. It is fascinating to see how well-funded intelligence agencies can collect the data they need. All these leaks seem to have touched a nerve with some non-American corporate IT managers, who are now demanding that their cloud providers store their data outside of the US.

But does that really make a difference?

In my opinion, the answer is no, and here's why. The US Patriot Act, which gives the US intelligence community its super powers, compels any US company to turn over requested data regardless of where it is stored (it is not limited to data stored in the United States). Companies that allow customers to choose where the data is stored are providing a false sense of security to customers.

So what should we do to protect our data?

If you are a non-US company that wants to leverage a cloud service provider but still wants to protect your data from the NSA, then you have to use a non-American provider and ensure your data is stored outside of the US.

But even this doesn't guarantee total privacy. Keep in mind that most countries have local intelligence organizations (CSE in Canada, GCHQ in the UK, etc.), and the leaks show that many of these agencies eagerly collect data for each other and share that data with limited control.

For the time being, your super secret data should be encrypted by you, using Trust No One encryption, before it is sent to the cloud, but then you lose most of the value of these cloud services. Ultimate security means broken functionality. Ultimate functionality means broken security. You'll have to try to find a balance somewhere in between.