Data sovereignty was the hot topic at this year’s RSA conference, and Australian lawyer Hayden Delaney was invited to explain how lawyers and IT professionals need to work more closely together to combat the challenges.
HopgoodGanim Partner, IT and Intellectual Property, Hayden Delaney, is a specialist lawyer concerned with the information, communications and technology sectors. His main areas of focus are commercial, intellectual property and competition law.
Delaney was invited to address the RSA conference regarding data and personal information from a legal, commercial and technological perspective.
Delaney appeared alongside RSA chief security architect, Robert Griffin, in a presentation titled Compliance by Design: Using Innovation to Beat the Compliance Rat Race.
He focused on the issues of data sovereignty and how encryption in particular can help organisations stay ahead in the race for compliance.
“From my side of things, the focus on how encryption key management can be used to resolve legal and compliance issues, it went very well and we had some excellent discussions. Key management ended up being one of the focal points of the entire conference,” he said.
“One of the keynotes from RSA president, Amit Yoran, mentioned key management as one of the major challenges for the year ahead.
“When a topic like that is mentioned in one of the keynotes it goes to show that it is an issue that the industry is looking to focus heavily on for the year ahead.
“One of the panel discussions, between the chief global privacy officers of Facebook, Google and Microsoft, around the practicality of managing privacy and compliance across their organisations, was very rewarding.”
Delaney said there is a considerable amount of complexity around these issues from a legal and technological standpoint.
“Data does not recognise international borders. It flows very freely. Data sovereignty issues are often too complex to comply with all at once thinking in traditional means.”
Delaney believes that the industry often asks the wrong questions about security and data sovereignty.
“People get wrapped up in the technical details around encryption, what level of encryption and the different types. The more fundamental issue is where the encryption keys are held,” he said.
“The fundamental thing that gets overlooked and doesn’t get talked about in an Australian context is issues surrounding encryption key management.
“Encryption key sovereignty should be one of the front and centre issues of the debate around privacy, security and data sovereignty.”
Delaney explained that the industry as a whole, and big vendors in particular, are implementing key management functionality within their products. This is usually based on an IT standard, the Key Management Interoperability Protocol (KMIP).
“A lot of vendors are starting to supply products with that functionality because they are leading the charge in some ways because they can see that this is going to be an important area.”
He cited major players such as Thales, whose hardware security module (HSM) is used by most major banks and airports to manage encryption keys, as starting to build functionality into these devices to enable encryption key management.
The Keys to the Intellectual Kingdom
Encryption key management remains important from both a customer and service provider standpoint.
“Cloud offerings are premised on the fact that a vendor can move data anywhere in the world it chooses and can offset the cost by scaling demand. The data can be in Singapore at one time or in Ireland at another, but the whole offering is built around the idea that they can move data around freely,” he said.
“Customers are subject to local laws and requirements around how data can be transferred inside and outside of a jurisdiction. The customer wants to retain control over their data when it is in the Cloud, but they also want the cost savings of using public Cloud solutions.
“From the Cloud service provider side, they want to offer encryption to customers because they don’t want to be subject to data breaches and encryption is a way of mitigating data breaches.
“It looks bad from a PR standpoint. If AWS has a breach, everyone will be banging the war drum on that. So they want to encourage customers to use these sorts of things.”
The difficult part, according to Delaney, is the issue of who holds the encryption keys themselves. Cloud Service Providers don’t necessarily want to hold encryption keys for customers.
“There are two reasons for this. Firstly, holding encryption keys is risky. If the service provider loses the encryption key, the data is gone. Secondly, if the service provider holds the encryption key, they effectively control that data.”
This gives the service provider no choice but to relinquish that data if a government department, like the Australian Federal Police, comes knocking with a court order.
“More often than not, organisations are not considering what laws exist in those locations where data is being stored. They don’t really know how those laws would treat confidential information or intellectual property.”
Peace of Mind for both sides
Delaney claims that, with appropriate use of encryption technology, this problem can be overcome and work for both sides of the coin.
“If you can say to both the customer and the Cloud provider, you can have encryption in the Cloud and by the use of encryption key management tools you can push the encryption key down to the customer, then the customer is happy because they hold the key and the provider is happy because they absolve themselves of responsibility.”
Using this type of system, the provider only holds encrypted data, but not the encryption key associated with it. That means if a government department wants access to that data the provider can’t hand it over anyway.
The customer retains full control over their data because they hold the encryption key. The data with the Cloud provider is encrypted and of little use on its own.
“If a company has stored someone’s personal data in the Cloud and that data is encrypted, as long as they haven’t given the encryption key to the CSP, no matter where the data sits geographically, the company hasn’t disclosed personal information because all they have given is encrypted data.”
Delaney explained this doesn’t even fall within the definition of personal information to begin with, so organisations are not obligated to comply with that provision under The Privacy Act.
“It solves a lot of problems because it places responsibility for the data back with the client.”
When it gets personal
He believes that these issues are especially concerning from a legal perspective when it comes to privacy and personal information.
“For those worried about personal information and issues around metadata retention, or concerned about warrants for personal information to your Cloud service provider, if that provider had a solution like we discussed, then they would have no relevant data to hand over to authorities,” he said.
“The only way government can get that data is to serve the individual with a court order that has the device so the encryption key can be matched to the data. Otherwise it is useless.”
Companies like Apple have washed their hands of this sort of responsibility. They have created what Delaney describes as an elegant engineering solution to a legal problem.
After the highly publicised iCloud breaches last year, Apple used software updates and new product releases to house encryption keys on individual devices. This way Apple relinquishes responsibility for the data it holds back to the user.
Delaney said that, with Apple looking to release payment systems on its phones, the same technology it used to deliver privacy and security can also be used to make money.
“Any company that wants to use public Cloud should be concerned with government action because we know, post-Snowden, governments have been accessing company information not just for security but for commercial needs and in relation to talks between governments.”
Delaney argues that IT professionals and lawyers need to form closer working relationships because the law is increasingly trying to deal with problems created, in part, by technology.
“The main thing I bring back from the conference is a heightened sense of how important it is for lawyers and IT professionals to work together and have a clear dialogue in order to grapple with some of these complex legal, and dare I say, ethical issues,” he said.
“Legal professionals have certain tools that we can deploy to try and mitigate risk, but IT professionals also have a different skill set. To properly cover the field, both of them need to talk together and complement one another to deliver security to an organisation.
“As well as delivering that security you can also deliver informational privacy to your users and by doing so, make the legal and compliance issues like The Privacy Act and data breaches easier to manage.
“It is an area that is becoming increasingly complicated from a legal perspective. The law requires certain things and I think it is incumbent upon legal professionals to understand the more fundamental issues around how technology can help deliver privacy, security and mitigate risk for organisations and individuals.
“Lawyers are about mitigating risk and IT professionals are about mitigating risk. If the two can work together and understand one another, they can deliver much more effective solutions for clients.”