I'm not sure that I'm going to manage this in less than 20 minutes, but what I'm going to talk about is what many people do not realize: the full impact of the Schrems II judgment on cloud, and what you need to do with your data in the cloud. Now, in effect what happened was that in July 2020 there was this judgment, which, as you rightly say, put into question some of the agreements from the US, but further, in November 2020, there was a supplementary technical measures specification that came out of the European Data Protection Board.
And I'm not sure that everybody understands the severity of what these are requiring. So to put this into context: in April 2021, the Portuguese data protection authority ordered the Portuguese National Institute for Statistics to suspend the sending of personal data from their 2021 census to a US-based cloud service provider. And they gave them 12 hours' notice to do this. So would your business be able to survive being told by a regulator that you couldn't send your data, which you've got in a US-based cloud service provider? And that doesn't just apply to EU-based organizations.
It applies to organizations anywhere that are processing the personal data of EU residents. So where does this come from? This comes from the Schrems II judgment, and basically the judgment says that you are not allowed to process personal data in the clear; it is not permitted. And that's kind of a significant problem, because up till now all of the cloud service providers would provide reassurance through contractual clauses, which basically said, we are honest people.
We will not do things that are wrong under GDPR. But the consequences of this are that the contractual clauses are not sufficient, though there is updated advice from the European Data Protection Board on these. So it is important that there are new contractual clauses, but they are not sufficient. What is needed is supplementary technical measures to protect the data. And these technical measures consist of encryption.
Well, we all know about encryption, but the key thing there is that the keys have to be retained within the EU, by the exporter. Another approach which is acceptable is pseudonymization, and pseudonymization is something that comes in many forms, but it is only the ENISA-approved pseudonymization process that is acceptable. And the third approach is something which is called split processing, otherwise known as multi-party computing. So what I'm going to do in the rest of this presentation is explain what this is all about and what technical measures really mean.
So one of the things that is kind of confusing the issue is that there are now a lot of people saying, well, we'll be all right if we use a sovereign cloud. Well, what does a sovereign cloud give you? It guarantees data residency. It guarantees the residency of the administrators and the operators, and it guarantees that they will all be covered by EU laws and rules.
Now, everyone should have a lawyer. I think lawyers are great people, but they're very expensive. And basically, if you have a lawyer, that means that you will be able to take legal action, but it doesn't mean that it guarantees that that service will provide data confidentiality. It doesn't guarantee that it will provide security or that it will support all of the technical measures. So lawyers are good. Lawyers are a backstop, but really what you need to do is to implement the technical measures. So what is this confidential computing, and why does it matter?
What has happened is that the use of cloud introduces new threats, and one of those threats is this compliance and legislation. And what you want to do is to protect the data that you have, that's under your control, when you put it into the cloud. And that means that you need to protect it whilst it is in transit, you need to protect it whilst it is being processed, as well as whilst it's being stored.
And the issue is protection during processing, because although it may seem odd, there are many, many tools that now exist that can scrape the data in your realm while your data is being processed, and that is considered to be a risk. And so, according to the rules, when you are processing that data outside of the EU in a third party, you need to have it protected. So how can we do this?
Well, one of the approaches, a good old-fashioned approach, is an encryption gateway, or what in fact happens when you use backup tools, which is that your data is encrypted before it leaves your premises, and you keep the keys on your premises. And so it sits protected in the service, but it isn't processable. It cannot be processed in any sensible way using normal encryption. So that's good, provided all you're going to do is store the data.
Now another approach, which is put forward by our friends in Microsoft, which is a feature of Office 365, is called double key encryption, and double key encryption allows you to use tools which effectively encrypt the data while it is in your control and before it is sent to the Microsoft Office 365 system. And what that does is protect the data, because it's encrypted, but it means that you can only use the apps; you cannot use the online apps or the online versions of the apps.
You can only use the apps on premises, and it also has an impact on other things like the management rights, data management rights. So it gives you some level of protection, but it doesn't cover all of the cases. Now another approach, which is promoted, which again goes some way towards solving the problem, is bring your own key, where effectively what is happening is that you encrypt the data in the cloud using your keys, in a way which is protected in the hardware security module in the cloud.
Now that's good, because the data as it is stored is in fact encrypted, but in order to process it, you need to decrypt it. And that leaves you with a problem that whilst it is being processed, it is potentially at risk. And so from this we then lead on to the solution, which is the most common and practical solution that is now being put forward for all of this, is the trusted execution environment. And in a trusted execution environment, you are effectively bringing your own key. You put your own key in some kind of trusted hardware, which is a hardware security module.
The data is then put into a piece of trusted hardware, and both Intel and AMD have that; Intel call it SGX, the secure guard extension, which means that the data within the actual processor is decrypted, but only in an enclave where nobody else can get at it. And you have to rely on the hardware vendor to do that. But that is the most practical current approach. But note that this is something you can do if you are writing your own applications, but there is no guarantee that a software-as-a-service vendor will be doing that.
In fact, one vendor has now launched a database, a managed database service, where they claim that that is what they are doing, and you can control the keys. The next area is pseudonymization, and it's not just any pseudonymization. It's the ENISA pseudonymization, where effectively what you do is you replace the real data with some kind of fake data that replaces it, which you can control on premises. And that fake data is of such a form that it can be processed.
And one of the good things about this is that actually pseudonymized data in a reasonable form is suitable for machine learning and machine processing. So there is a sigh of relief, but not many people seem to be taking that approach. This approach also has enormous benefits for other reasons, because you can use pseudonymized data for development purposes, for test and QA purposes, and for other kinds of reasons, if you want to outsource your development. So of all the ones, the one that is most comprehensive in its solution is pseudonymization.
Now multiparty compute, or homomorphic encryption, sorry, is one of these things that has been talked about for a long time, and some vendors are implementing it, but it has a very high processing overhead at the moment. But basically it encrypts the data in a way in which some kinds of processing can be done, amazingly, on the encrypted data, in such a way that when it is decrypted, it comes out with the correct answer. The final approach is this secure multiparty computing. Now secure multiparty computing is a more generalized approach to what pseudonymization is, which is this:
You can define a set of mathematically provable protocols that allow parties to operate together in a way where nobody divulges to the other party what the data is. And the commonly given example of this is that when the finance brokers, the financial traders, get their annual bonus, what they will often do is they will say, well, the one who got the biggest bonus is going to buy the drinks. So how do those people actually work out who got the maximum bonus without actually telling each other what bonuses they got?
And there are protocols that can do that. Another example is auctioneering. And what you want to do is to replace, using this secure protocol, a single point in the middle with some way of interchanging information which never divulges the information that you want to keep secret. So let us now just look at some of these things in terms of a mapping. First of all, what stands out from this is that cloud services will say to you that they already implement some kind of encryption on the data, which they control, and they hold the keys.
And largely speaking, that is not satisfactory. Customer-controlled encryption is good in the sense that it's sufficient for backup, and it's sufficient for holding the data. As I described with the double key encryption, trusted execution environments are good for cloud disaster recovery, where you want to move your workload to a cloud, and for IaaS workloads, where you can control the use of that. And the only thing that works across all of these is the ENISA pseudonymization.
So in summary, basically the Schrems II judgment, which I do not believe most organizations have really understood, means that you will need supplementary technical controls for processing personal EU data. It is not sufficient to rely on a contract. Cloud sovereignty means that you know where the data is, and you can sue them under the laws, and they may be committing criminal offences under the laws, but it doesn't guarantee privacy or security. Confidential computing technologies provide this extra protection, and you should be looking at them.
And really what you need to do is to take a zero trust approach to the data in the cloud: never trust and always protect. Thank you very much.
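The pseudonymization the talk describes, as an added example that is not part of the original presentation or of KuppingerCole's material: the data exporter inside the EU keeps both the secret key and the pseudonym-to-identity table on premises, sends only pseudonymized records to the cloud, and the cloud can still count and join records per person without ever seeing a real identifier. A keyed MAC is one of the basic pseudonymization techniques in ENISA's guidance; the record layout, the field names, the `Exporter` class and the sample values are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records held by the data exporter inside the EU.
# Made-up values for this example, not real census data.
SAMPLE_RECORDS = [
    {"national_id": "PT-000123", "city": "Lisbon", "age": 34},
    {"national_id": "PT-000456", "city": "Porto", "age": 51},
    {"national_id": "PT-000123", "city": "Lisbon", "age": 34},  # same person twice
]

# Fields that directly identify a person and must not leave the EU in the clear.
DIRECT_IDENTIFIERS = ("national_id",)


def new_pseudonymisation_key() -> bytes:
    """Secret key for the keyed MAC; generated by and retained with the exporter."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Keyed-MAC pseudonym: deterministic under one key, so records about the same
    person stay joinable in the cloud, but not computable without the key."""
    # The field name is mixed in so the same value in two fields gets two pseudonyms.
    message = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()[:24]


class Exporter:
    """On-premises component (hypothetical): holds the key and the lookup table."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.lookup = {}  # pseudonym -> original identifier; never leaves the premises

    def pseudonymise(self, records: list) -> list:
        """Replace every direct identifier with its pseudonym before export."""
        out = []
        for record in records:
            pseudo = dict(record)
            for field in DIRECT_IDENTIFIERS:
                token = pseudonymise_value(self.key, field, record[field])
                self.lookup[token] = record[field]
                pseudo[field] = token
            out.append(pseudo)
        return out

    def reidentify(self, token: str):
        """Only the exporter can map a pseudonym back to the real identifier."""
        return self.lookup.get(token)


def cloud_records_per_person(pseudonymised: list) -> dict:
    """Processing a non-EU cloud can still do on pseudonyms alone: count per person."""
    return dict(Counter(r["national_id"] for r in pseudonymised))


def leaks_direct_identifier(originals: list, pseudonymised: list) -> bool:
    """Pre-export check: no original identifier may survive in the payload."""
    clear_values = {r[f] for r in originals for f in DIRECT_IDENTIFIERS}
    return any(r[f] in clear_values for r in pseudonymised for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    exporter = Exporter(new_pseudonymisation_key())
    payload = exporter.pseudonymise(SAMPLE_RECORDS)
    print("leaks identifier:", leaks_direct_identifier(SAMPLE_RECORDS, payload))
    for token, n in cloud_records_per_person(payload).items():
        print(token, n, "-> on-prem re-identification:", exporter.reidentify(token))
```

The key, not the hash function, is what carries the protection here: national identifiers come from a small, enumerable space, so an unkeyed hash could be reversed by hashing every candidate value, whereas a MAC cannot be recomputed without the key that the exporter keeps in the EU, which is the talk's point about key retention. The `lookup` table is the "additional information" that has to be kept separately from the pseudonymized records; the cloud side only ever sees tokens.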