Data Security in the Snowden Era #1 – Double Blind Encryption
In the first of two articles today on data security in the Snowden Era, Mike Batters* talks about cloud-based email storage security in the light of the growing demand for double blind encryption from law firms…
As email volumes grow exponentially, companies commonly turn to archiving solutions to help reduce storage requirements and improve performance and, ultimately, the user experience. This trend is set to continue, with general data growth expected to increase by 44 times by 2023.
The market offers numerous solutions to this ever-growing storage problem, split between on-premise and cloud-based technologies.
For those opting for on-premise solutions, such as Symantec Enterprise Vault, there are a number of obvious considerations, such as selecting the right product, provisioning scalable Tier 2 storage technologies, integration into DR strategies, implementation & management skills and capital cost. All of these factors, however, draw on knowledge typically held within a well-resourced IT department or trusted technology partner. Many companies also choose this solution because all the elements are within their control & data stays within the bounds of the corporate network.
In contrast, cloud-based technologies provide a seemingly simple route to solving the problems. Evaluate feature sets and costs of the services on offer, investigate cloud resilience & security, then verify the track record, and away the data goes. For those happy to embrace cloud technologies, benefits are delivered in the form of minimal setup cost and expenditure on scaling the solution in years to come, and reduced management overhead for internal IT teams.
Despite all these benefits, companies are still (rightly) wary of cloud-based archiving due to the level of dependency placed on the provider’s service and security concerns related to legal access granted to third parties. A major influencing factor has always been the geographical location & legal jurisdiction covering the actual data store location.
Many pieces of well-documented legislation exist in the US and Europe which grant governments and law enforcement agencies rights to access customer data by directly approaching cloud service providers and, if necessary, explicitly forbidding the provider from notifying their customer. Many cloud service providers promote the encryption protocols they use, both when data is transmitted and when it is stored on their systems. Access to this encrypted information is (theoretically) only possible for those in possession of the decryption keys, which in general means the service provider.
Recent revelations contained within Edward Snowden’s leaked data about the PRISM initiative have further heightened these concerns, as key global companies such as Google have been granting “back door” access to intelligence agencies, thereby bypassing the encryption protocols supposedly in place to protect customer data. The merits of the PRISM programme can be argued both for and against; the processes and legalities are still not clear, and the sheer volumes of data mean that interested parties are not just browsing randomly but are targeting information related to specific areas of interest.
So, in light of legislation & the recent revelations, what should you be looking for when considering the security of a cloud email archive?
Accepting that there is no way of denying access to legally enforceable information requests, the focus should be to guarantee you are aware of any such request by forcing authorities to make the request directly of you, rather than of the service provider. This is achieved by holding the encryption keys yourself rather than leaving them in the service provider’s possession. This technique is referred to as Double Blind Encryption: the data is encrypted on-premise by software or an appliance before being sent to the service provider. This process ensures that even if the service provider receives an information request, they are not in a position to honour it, as they cannot access the encrypted data.
With the request coming directly to your organisation you are aware and are in a position to assess if there are reasonable grounds to deny such access with greater diligence than may be given by the service provider – in the same manner as if the email archive was a wholly on-premise solution.
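The on-premise encryption step described above, sketched in Go as an added example; it is not code from the article or from any archiving product. The cipher (AES-256-GCM), the `Seal`/`Open` names and the `msg-0001` archive ID are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key) // assumed cipher choice: AES-256 (32-byte key) in GCM mode
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal and Open both run on-premise; msgID is authenticated as associated data.
func Seal(key []byte, msgID string, msg []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, msg, []byte(msgID)), nil // nonce || ciphertext || tag
}

func Open(key []byte, msgID string, blob []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() { // truncated or corrupted archive entry
		return nil, fmt.Errorf("blob for %s is too short", msgID)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(msgID))
}

func main() {
	key := make([]byte, 32) // generated and held only inside the corporate network
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := Seal(key, "msg-0001", []byte("Subject: draft terms (constructed sample)"))
	_, err := Open(make([]byte, 32), "msg-0001", blob) // any party without the key
	fmt.Printf("provider stores %x...\nwithout customer key: %v\n", blob[:16], err)
}
```

Only `blob` is uploaded, so the provider holds nothing it can decrypt. Key backup is outside this sketch: if the key is lost, the archive is unreadable to the customer as well.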
Properly secured cloud email archives deliver the security and visibility of on-premise solutions, while retaining the scalability, cost and management benefits of other cloud archives.
* Mike Batters, Technical Director, NETprotocol Ltd www.netprotocol.net