In the wake of an eventful year in information security, the tech giants have moved security and privacy to the top of the IT agenda. Despite some headline-generating missteps (with plenty of help from the National Security Agency and other intelligence agencies), it's clear that most cloud service providers are doing a better job keeping customer data secure today than they were a year ago. In fact, the Electronic Frontier Foundation just released its annual "Who Has Your Back?" transparency report, giving many of the largest tech firms kudos for their data privacy and transparency efforts. We echo this sentiment and congratulate the service providers.
Microsoft, among the vendors given a perfect score in the report, has poured a great deal of resources into the security of the Office 365 platform, building in several security tools such as RMS/IRM, BitLocker, Exchange Hosted Encryption and S/MIME. The increased focus on encryption reflects an industry-wide shift, with cloud service providers like Google and Yahoo dedicating time and resources to securing customers' data.
However, these encryption tools focus solely on security, and not on the underlying issue that's putting customer data at risk in the first place – control. When organizations leverage the cloud for communications, they must meet very specific security, fiduciary and compliance requirements. Enhanced encryption from cloud service providers is a nice (and necessary) first step, but in and of itself is not sufficient because it lacks the control capabilities businesses need amidst the rise of data ownership concerns. For example, Microsoft's various encryption tools, while useful, do not cover all of an organization's requirements. These shortcomings include:
Maintaining Ownership & Control
So what can organizations do to maintain ownership and control of their data? Encryption remains the best way to ensure the only people looking at data are the ones who are supposed to be looking. Regardless of how one feels about Edward Snowden, it is interesting to note that Glenn Greenwald, in his new book, asserts that moving encryption to the mainstream was one of Snowden's primary motives for disclosing NSA data mining secrets. Security experts across the globe advocate the use of encryption as the core technical requirement to ensure ownership and control. Bruce Schneier, the internationally renowned security technologist, has the following to say about encryption:
“Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure….”
In order to achieve the kind of privacy business requires, control over data is critical. Any solution must deliver on several criteria:
Given the limitations of cloud service providers – even well-intentioned, trusted ones with good products that ensure data security – the onus is on organizations to maintain ownership and control of their data at all times. Fiduciary and regulatory obligations as well as business common sense dictate that businesses take action to do so. Security is of paramount importance, but control is king.