Good data custodians
Companies such as law firms, accountancy firms, insurers, health providers and research institutes (holding intellectual property) use various Software as a Service (SaaS) solutions to process, store and share sensitive case information with their partners and clients. As good data custodians they want to protect their client data, and in many cases the law obliges them to. These companies rely on the SaaS provider to protect that data and to do whatever is needed to avoid a situation like the Panama Papers leak. That reliance lets SaaS providers distinguish themselves from the competition on security, so providers put much effort into hardening the SaaS application itself. Yet the landmark decision of where to host the SaaS solution is, more often than not, made too quickly. Protecting client data has its technical challenges, but it is first and foremost a legal challenge.
Data sovereignty
On the legal side, it makes a big difference where your data is hosted. Sometimes it is even a legal requirement that data does not leave the country, so that it stays under local jurisdiction. Such a policy is what prevents foreign law from applying to your data merely because it resides on foreign soil. SaaS providers are unfortunately not always transparent about where they host their customers' data. Some US companies will not be happy to discover that their SaaS provider hosts their data in China with a Chinese cloud provider such as Alibaba Cloud; equally, some Chinese companies will not be happy to find their data hosted by a US cloud provider. A SaaS provider should therefore offer you, the customer, the choice of where your data is stored and processed. This geolocation or data residency option underpins data sovereignty: your data is protected according to the jurisdiction you chose. If you do not know where your data currently is, ask your SaaS provider. If they do not know either and cannot offer geolocation options, you might want to consider another provider.
Cloud providers are subject to law enforcement
Assume you can choose your data residency. Moving your data to your preferred location still only partly solves the data sovereignty challenge. If your data is hosted in your chosen country but by a US cloud provider, that is a US-registered company such as AWS, Microsoft Azure, DigitalOcean or Rackspace, then data sovereignty can still come under pressure. US law, notably the Foreign Intelligence Surveillance Act (FISA) and the USA PATRIOT Act, allows US authorities to compel US companies to hand over data they hold, generally without the data owner's consent or knowledge. The CLOUD Act of 2018 (Clarifying Lawful Overseas Use of Data Act) removed the remaining doubt about reach: it obliges US providers to produce data in their possession, custody or control regardless of whether it is stored inside or outside the United States. Consider an Australian law firm that has chosen to host its data locally in an Australian datacentre. If that datacentre is operated by one of the US-registered companies above, AWS in Sydney for instance, the data can still be obtained by US authorities. A SaaS provider should therefore not only store your data where you want it, but also let you opt out of specific datacentres based on the operator's country of registration.
Encryption, your last resort when your legal defence has failed
On the technical side, a SaaS provider should ensure that all customer data is encrypted in transit, that is while it traverses the network between you and your partners or customers, and at rest, while it is stored in the cloud. Only you and the relations (partners and customers) you have explicitly authorised, by sharing the encryption keys with them, should be able to access your dataset. Most SaaS providers offer this level of encryption nowadays by using a third-party Key Management System (KMS) to generate and hold your keys. That is where the caveat lies. Whoever generates and holds a key can use it: the third party operating the KMS can, if it chooses or if compelled by law, decrypt your and your customers' data at any time without your permission, and encryption at rest then protects you only against someone who steals the storage, not against the key holder or anyone able to compel it. Think of a locksmith cutting a key for your house and keeping a copy, to let himself in while you are on holiday or to hand over when the police ask for it to search your home. Relying on a third-party KMS therefore undermines the security architecture built to protect your data, whatever security certifications the SaaS solution advertises on its website. A SaaS provider should instead run its own Key Management System for encrypting your data, so that no third party holds a backdoor key.
Let's take it a step further and give clients the assurance that even the SaaS provider operating the KMS cannot keep a backdoor key. This means the provider's KMS must generate the key on the client side (your computer), never on the provider's server. That requires a client-side script to be executed, but once it runs the provider has no opportunity to see or copy a client's key. The key is derived from a unique passphrase that only the client knows; the server stores at most a random salt, never the passphrase or the derived key. Two consequences follow. First, because the server cannot decrypt, it also cannot recover your data if you lose the passphrase, so the passphrase must be strong and safely backed up, and it should be stretched with a key derivation function such as scrypt or Argon2 rather than a plain hash. Second, now that key generation happens on the client side, the provider must also make sure that encryption and decryption with that key never happen on the server: the solution must encrypt and decrypt your data on the client, so that during no transaction can anyone see or copy your keys. One caveat remains even then: the client-side script itself is delivered by the provider, so its integrity, and your ability to verify which code is actually running, becomes the trust boundary.