How encryption trumps surveillance

(Editor's note: Continuing disclosures of details of the National Security Administration PRISM surveillance programs have been a boon to encryption vendors. Elad Yoran is CEO of one such firm, Vaultive. Here's his take.)

Today's revelations in the Washington Post about the extent of the NSA surveillance programs should be sobering news for all businesses concerned with privacy, confidentiality and exposure of data in cloud environments.[1]

The NSA programs re-affirm the notion that once a company moves data outside its four walls, they have ceded ownership and control of that information. Regardless of the security a cloud provider has to protect its infrastructure and operations, they are still compelled to hand over data in response to a government subpoena or to mining programs like those the NSA operates.

The US laws that underpin the programs broadly referred to as PRISM have similar counterparts around the world that could result in a business having their data, emails and other information exposed without visibility.

Businesses need to maintain ownership and control of their data regardless of where it's stored – on-premise or in the cloud. The best way to maintain control of data is to encrypt it before it leaves the company's network and persistently encrypt it while it's stored and processed at a cloud provider.

Elad Yoran is CEO of encryption vendor Vaultive (Photo: Vaultive)

This ensures that the cloud service provider can only hand over encrypted useless gibberish in response to a government request. This puts the power of ownership back into the hands of businesses – compelling any government agency to direct further requests to the actual data owners.

So while a cloud provider will hand over the information at the legal request of any government agency, the data is ultimately unreadable unless the company provides the keys to decrypt the information.

This enables businesses to maintain confidentiality, privacy and control of data in the cloud, while complying with legal data collection requests.
