Why encryption doesn't solve the data sovereignty debate

Why encryption doesn't solve the data sovereignty debate

Summary: If encrypted data is random, then sending it to the cloud should be able to sidestep the data sovereignty debate. But the necessary cost of encrypting everything has simply put this solution out of reach.


There is a long-standing argument that encrypting all data sent to the cloud could make the data sovereignty debate irrelevant, enabling Australian companies to make use of cheaper, offshore clouds.

The basis of the argument is that data, once encrypted, is random and cannot be read, so the problem is shifted toward the issue of key management — which can be solved by ensuring that keys remain onshore.

But security vendors Trend Micro and Sophos, and systems integrator CSC, have argued that encrypting everything isn't necessarily the answer for everyone, and that doing so would come at too high a cost.

At a media briefing, Trend Micro vice president for Data Centre and Cloud Security Bill McGee stated that encryption brings about additional challenges that have flow-on effects in terms of scaling a cloud solution, and the financial implications that brings.

"At some point, deduplication does not work on encrypted data, so then you're going to pay a storage cost," he said. He added that this could blow out significantly for larger datasets, and doesn't even take into consideration the additional network costs.

CSC Global Security Solutions CTO Gordon Archibald said that his company's role, as a systems integrator, is to ensure that the level of security meets the risk profile of the businesses. This includes covering a minimum level of risk, but also not over-covering the business, so that they don't pay for what they don't need.

"If they did pay for it, what we would do is help them understand [things like their] risk profile — where is your data, how is it encrypted, where is it used, where is the key — and we'd create them a risk profile that's right for their business. What's right for [the Department of] Defence is slightly different to what's right for a health fund [or] for manufacturing."

Archibald said that it would be rare to see anyone whose business is at such a high risk that they need complete encryption.

"Depending on what your threat profile is, you may want to go down the full-encryption path, but at the moment, what we're selling in our datacentres, we're not fully encrypting the data," he said.

In fact, Sophos managing director for Asia-Pacific, Stuart Fisher, told ZDNet that he has never seen anyone even consider the idea.

"I don't think every piece of information in an enterprise needs to be encrypted under any circumstance. That's not the intent, and I don't think there's any organisation, government or otherwise, that would consider encryption of every piece of data."

To make matters more complicated, McGee said that even if a company were serious enough to undertake such measures, technology changes so quickly that entire datacentres may need to be updated, as processing power could increase to a point where encryption becomes easy to break.

"It's a slightly more esoteric argument, but it is fair that the data can be around for years and years ... when it comes to a disk drive. So there's the 'is it strong today, is it going to be strong 10 years from now'."

All three organisations agreed that while encryption is an important tool in the security industry, its real power comes in the form of protecting data that is not at rest.

"Do you need to encrypt every piece of data in the datacentre? No, I don't think that's the case, but you don't have to have a physical breach of a physical datacentre to have a loss. That's not the risk. The risk is a mobile user that leaves their laptop in a hotel room unsecured, [or] an email that's misinterpreted or caught," Fisher said.

Topics: Security, Cloud, Data Centers

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • But It Does

    To overcome data sovereignty issues simply relates to two things a) where the encryption keys are held and b) the persistence of data.

    There are products in the market place that do this at object (file/document) level already and are cost effective starting at as little as $20 per month

    It will not be long and solutions from these organisations will include options at a data level.

    But in general terms, the Cloud is fantastic for many reasons, just not the place to store personal and business critical information...
    Paul Waite
  • Security outsourcers huh?

    of course they are against it as all they want is to get a touch of your data pretending to be protecting it
  • Encryption is a great thing to use...

    "Archibald said that it would be rare to see anyone whose business is at such a high risk that they need complete encryption."

    I have to completely disagree about this statement. Anyone who has seen the news reports each week about the latest companies and governments that have been cyber attacked and hacked, should realize the 'better to be safe' attitude is much wiser than the 'worry about it later' attitude, or 'it's not going to be us' attitude, or the 'we can't afford it attitude' and any other excuse which can be given to not do as much as you can to safeguard your computer data.

    This is a very small sample of places that have been hacked:
    Automatic Data Processing Inc. (ADP)
    Baker Hughes Inc.
    Bank of Swiss
    Booz Allen Hamilton, a frequent contractor for the US military
    CIA (Central Intelligence Agency)
    Citigroup Bank
    Commerce Bank
    Domino’s Pizza (www.dominos.co.in)
    HBGary, a technology security company and frequent contractor for the US government.
    Hyundai Card/Hyundai Capital Co., an auto finance provider in South Korea
    InfraGard and IRC Federal, both are F.B.I. contractors
    Lockheed Martin
    Marathon Oil Corp.
    Mitsubishi Heavy Industries, a Japanese military contractor
    Mobil Corp.
    Oak Ridge National Laboratories
    Public Broadcasting Service (PBS)
    Royal Dutch Shell
    Sovereign Bank
    The International Monetary Fund
    The United States Senate
    US Bank
    Visa and Mastercard credit card accounts in the US
    World Health Organisation (WHO)
    Zappos, a division of Amazon
    **List copied with permission from the Nuwave Backup Blog: http://nwbackup.net/wordpress/computer-security/

    The simple fact is that Everyone is a target, no matter if you are one person, a small business, a business as large as Google and even government agencies around the world. So it is best to encrypt all your data or encrypt as much as possible.

    And as Paul Waite states, encrypted backups can cost under $20.00. In fact, Nuwave Backup has a plan for $13.00 a month, for example. So it really is affordable for those who are serious about their computer data security.
    • Hacking as suggested by sg1efc...

      Of course hacking has very little to do with encryption in the ways of how hackers think. Even if your backups is encrypted or if you employ encryption data at rest and in motion for your entire estate; it does NOT stop your company regardless of what size from being hacked or faced with cyber attacks. Some of the companies which you have mentioned I know personally have implemented many forms of encryption but still got hacked.

      So I think the questions simply are whether is your information important? do you employ some form of data classification? Is it necessary to encrypt then?
      • I agree...,

        encryption will not prevent hackers from gaining access to your computer systems. The benefit and main purpose of encryption is to scramble your data so that it is in a format which is unitelligble. So if a hacker gains access to your encrypted data, the hacker can not read it at least right away, if ever, depending on which encryption format you used.

        The reason why I advise people to try to encrypt everything, if possible, is that if you encrypt only a part of a hard drive, for example, but sometime you accidentally or inadvertantly save something 'important' to a section of your hard drive that is not encrypted, then that saved data is vulnerable (a hacker can read it) if you are hacked. My policy is encrypt everything you can, to be on the safe side, whenever possible. :-)
  • Re: as processing power could increase to a point where encryption becomes

    Seems a bit far-fetched. Something like AES-128 will serve you for decades to come. And if you don't believe that, consider that triple-DES was invented back in the 1980s, and still hasn't been broken; the only reason not to use it is that it's too slow.

    And you don't have any business data that needs to remain confidential for longer than, say, 5-10 years, anyway.
    • Yep,

      good points. :-)
  • but please

    Don't encrypt your data. The Google's of the world will thank you, as they won't have to spend expensive supercomputer time to just decrypt it - that can be used to better analyze and correlate it, so they "know you better".