A US court case considering whether a US judge can force Microsoft to hand over e-mails sitting in the company's Irish data centre raises critical issues for cloud computing companies, according to David Etue, vice president of corporate development strategy for identity and data protection at global security company Gemalto.
Addressing a session at the RSA security conference here, Mr Etue said Microsoft’s ongoing appeal against the demand, after refusing to comply with the subpoena, is a case many security specialists didn’t notice because it involved a consumer cloud environment, Microsoft’s Hotmail web mail service.
However, he stressed that the case “is a big deal” and has far-reaching implications for the cloud sector.
“Microsoft has said this is extraterritorial, that you can’t subpoena data outside our US operations. If that was a piece of paper sitting in Microsoft’s Irish office, [a us court]would have ask the Irish government to go get that document,” Mr Etue said.
Instead, the court went directly to Microsoft to demand the e-mails. Microsoft is appealing the case on the grounds of data privacy, arguing that existing international treaties are the appropriate and lawful route for requesting cross-border data access.
Mr Etue believes the case will go all the way to the Supreme Court before it is resolved.
For the many big cloud service providers around the globe, the Microsoft case raises the question of “what’s the chain of ownership of the cloud”, he said.
"For example, if you are doing business with [Japanese provider] NTT in a service in Europe, does that bring the Japanese government into the conversation?"
For businesses using cloud providers, the chain of ownership raises security, governance, government discovery, and risk issues because many cloud companies and services utilise other cloud providers, especially companies offering Platform as a Service (PaaS) and Software as a Service (SaaS).
Some PaaS and SaaS services could have at least five other cloud providers behind them, he said, and some do not make this clear to users of the service.
There are few industry standards concerning what companies have to communicate about such arrangements, and how, he said.
“It’s not clear who is responsible for discovery, and it’s not clear who is managing risk. Understanding what the trail of their data is, and how you control these environments, is critical in adopting the cloud in a secure fashion.”
Encryption is consequently, very important because “it’s the one security control that works when you don’t have control of the rest of the cloud infrastructure.”
You can take data that is encrypted and put them into a hostile environment and know they will remain secure with a mathematical degree of certainty, he noted.
Mr Etue emphasised that cloud users should use their own encryption in the cloud to retain control of encryption keys, because a cloud provider may have an obligation to surrender the keys of its own cloud encryption offering to government agencies such as the National Security Agency.
“We’re seeing [company] general counsels driving encryption now because of that [concern],” he noted.
The session, entitled Whose Cloud is it Anyway? Exploring Data Security, Ownership and Control, looked at aspects of data management for cloud service providers and for businesses using cloud services.