Good data custodians

Companies like law firms, accountancy firms, insurance companies, health providers and research institutes (with intellectual property) use different Software as a Service (SaaS) solutions to process, store and share sensitive information with their partners and clients. As ethical data custodians they want to, and in some cases must by law, protect their clients’ data. The clients rely on the SaaS provider to cater for this protection. Such reliance allows SaaS providers to distinguish themselves from the competition on security. Much effort is therefore exerted by the SaaS provider to improve the security of the SaaS application. However, the landmark decision of where to host the SaaS solution is more often than not made too quickly. While protection of client data has its technical challenges, it is first and foremost a legal challenge.
Where to host your data? The far-reaching decision impacting your data sovereignty

As for the legal challenge, where your data is hosted makes a considerable difference. It is sometimes even a legal requirement that data doesn’t leave a country, so that local jurisdiction is maintained. Such a policy is crucial in preventing foreign law from governing your data merely because it resides on foreign soil. For instance, the recent statement of the governments of the Five Eyes countries states that “should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.”
Unfortunately, SaaS providers are not always transparent about where they host their customers’ data. Some U.S. companies would not be content with their SaaS provider hosting their data in China at a Chinese cloud provider, such as Alibaba Cloud. Likewise, some Chinese companies would be unhappy to realise that their data is hosted at a U.S. cloud provider. A SaaS provider should therefore offer you, as a customer, the possibility to choose where you want your data to be stored and processed. This geolocation or data residency service ensures data sovereignty, allowing your data to be protected according to your chosen jurisdiction. If you don’t know where your data currently is, ask your SaaS provider. If they don’t know and can’t offer you geolocation options, you might want to consider another SaaS provider.
Cloud providers are subject to law enforcement

Let's assume that you can choose your data residency. Moving your data to your preferred location still only partly solves the data sovereignty challenge. If your data is hosted in your chosen country, but by a U.S. cloud provider, i.e. a U.S. registered company such as AWS, DigitalOcean, Rackspace or Azure, then data sovereignty can still come under pressure. This is because both the U.S. Foreign Intelligence Surveillance Act and the USA PATRIOT Act allow U.S. authorities to compel U.S. companies to give access to your data without your permission, no matter where it is stored or whom it belongs to. More recently, the CLOUD Act has been enacted to overcome some challenges with the previous acts. These acts may impact an Australian law firm that has chosen to host its data locally in a data centre in Australia: if that data centre is owned by one of the aforementioned U.S. registered companies, such as AWS in Sydney, the firm’s data can still be accessed by U.S. authorities. A SaaS provider should therefore not only store your data locally where you want it, but also offer you the choice to opt out of specific data centres based on their operator’s country of registration.
Encryption, your last resort when your legal defence has failed

As for the technical challenge, a SaaS provider should ensure that all customer data is encrypted when it is in transit, i.e. when it is traversing the network between you and your partners or customers, and when it is stored in the cloud. Only you and the partners and customers you have explicitly authorised should have access to your specific dataset, by way of the encryption keys you share with them. Currently, most SaaS providers offer this level of encryption by using a third-party Key Management System (KMS) to generate your keys. That is where the caveat is. It means that the third party that creates your keys can keep a backdoor key to access your or your customers’ data. These third-party key makers can, if they want to or if required by law, access your and your customers’ data at any time without your permission. Think of a locksmith cutting a key for your house but keeping a copy for themselves, to let themselves in while you are on holiday or to hand over when the police ask for the key to search your home. As a result, using a third-party KMS undermines the whole security architecture meant to protect your data, despite all the security certifications some of those SaaS solutions advertise on their websites. Therefore, a SaaS provider should operate its own Key Management System for encrypting your data and, in doing so, avoid backdoors held by third parties.
Let's take it a step further and give clients the assurance that even the SaaS provider who owns the KMS cannot keep backdoor keys. This means that the provider’s own KMS should generate the private key on the client side (your computer) and not on the SaaS provider’s server. This requires a client-side script to be executed, which makes it impossible for the SaaS provider to see or copy a client’s key. Furthermore, the private key is generated from a unique passphrase that only the client knows. Now that key generation happens on the client side, a SaaS provider also has to make sure that using that key to encrypt and decrypt doesn’t happen on the server side. The solution should perform the encryption and decryption of your data on the client side, so that during any transaction with your data no one else can see or copy your keys.