Why encryption doesn't solve the data sovereignty debate

If encrypted data is random, then sending it to the cloud should be able to sidestep the data sovereignty debate. But the necessary cost of encrypting everything has simply put this solution out of reach.
Written by Michael Lee, Contributor

There is a long-standing argument that encrypting all data sent to the cloud could make the data sovereignty debate irrelevant, enabling Australian companies to make use of cheaper, offshore clouds.

The basis of the argument is that data, once encrypted, is random and cannot be read, so the problem is shifted toward the issue of key management — which can be solved by ensuring that keys remain onshore.

But security vendors Trend Micro and Sophos, and systems integrator CSC, have argued that encrypting everything isn't necessarily the answer for everyone, and that doing so would come at too high a cost.

At a media briefing, Trend Micro vice president for Data Centre and Cloud Security Bill McGee stated that encryption brings additional challenges, with flow-on effects for scaling a cloud solution and for the financial implications of doing so.

"At some point, deduplication does not work on encrypted data, so then you're going to pay a storage cost," he said. He added that this could blow out significantly for larger datasets, and doesn't even take into consideration the additional network costs.

CSC Global Security Solutions CTO Gordon Archibald said that his company's role, as a systems integrator, is to ensure that the level of security meets the risk profile of the business. This includes covering a minimum level of risk, but also not over-covering the business, so that it doesn't pay for what it doesn't need.

"If they did pay for it, what we would do is help them understand [things like their] risk profile — where is your data, how is it encrypted, where is it used, where is the key — and we'd create them a risk profile that's right for their business. What's right for [the Department of] Defence is slightly different to what's right for a health fund [or] for manufacturing."

Archibald said that it would be rare to see anyone whose business is at such a high risk that they need complete encryption.

"Depending on what your threat profile is, you may want to go down the full-encryption path, but at the moment, what we're selling in our datacentres, we're not fully encrypting the data," he said.

In fact, Sophos managing director for Asia-Pacific, Stuart Fisher, told ZDNet that he has never seen anyone even consider the idea.

"I don't think every piece of information in an enterprise needs to be encrypted under any circumstance. That's not the intent, and I don't think there's any organisation, government or otherwise, that would consider encryption of every piece of data."

To make matters more complicated, McGee said that even if a company were serious enough to undertake such measures, technology changes so quickly that entire datacentres may need to be updated, as processing power could increase to a point where encryption becomes easy to break.

"It's a slightly more esoteric argument, but it is fair that the data can be around for years and years ... when it comes to a disk drive. So there's the 'is it strong today, is it going to be strong 10 years from now'."

All three organisations agreed that while encryption is an important tool in the security industry, its real power comes in the form of protecting data that is not at rest.

"Do you need to encrypt every piece of data in the datacentre? No, I don't think that's the case, but you don't have to have a physical breach of a physical datacentre to have a loss. That's not the risk. The risk is a mobile user that leaves their laptop in a hotel room unsecured, [or] an email that's misinterpreted or caught," Fisher said.
