The US Clarifying Lawful Overseas Use of Data (CLOUD) Act was quietly enacted into law on March 23, 2018. I say quietly because of the controversial way it was passed: snuck into the back of a 2,300-page Federal spending bill on the eve of Congress' vote. While debate rages on about both the way the bill was passed and the wide latitude the Act gives to the President and the State Department, the fact remains that it has been signed into law, and organizations need to start planning how to respond. For many, both in the US and abroad, that planning has drawn increased interest in Cloud Access Security Brokers (CASBs), and specifically in cloud encryption.
The CLOUD Act is meant to expedite law enforcement access to online/cloud data, specifically when that data is stored abroad. CLOUD is an update to the Electronic Communications Privacy Act (ECPA), which was passed in 1986, long before cloud was even a twinkle in any entrepreneur's eyes. Under ECPA, the only way for the US and a foreign government to exchange such data was under a Mutual Legal-Assistance Treaty (MLAT), which must be passed by a 2/3 vote of the Senate.
Enough Four or Five Letter Acronyms (FFLAs) in this post for you yet?
Under the CLOUD Act, US law enforcement agencies, at any level, can require tech companies to turn over user data, whether that data is stored in the US or abroad. CLOUD also allows the President and/or State Department to enter into law enforcement data sharing agreements with ANY foreign government without approval from Congress.
The CLOUD Act eliminates the need for the foreign entity to show probable cause or obtain a search warrant to request access to this information. While a CSP can deny this access, forcing the requester back to the much more time-consuming MLAT process, enterprises have no assurance that the CSP will do so. That puts the onus on the enterprise to take additional security measures to control access to its data.
The fix? Cloud Encryption, typically implemented via CASB solutions.
Cloud encryption allows an organization to leverage cloud applications, while at the same time encrypting sensitive data with keys that the enterprise controls. Such a scheme combines the mobility, productivity and agility advantages of using the cloud, with the security of a private data center.
Not only does encryption help mitigate concerns over rogue CSP admins or hacking attacks by malicious outsiders, but in the event that a CSP turns over data as part of a now lawful request by a US or foreign government agency, that data is useless to the third party without the cooperation of the enterprise.
What to look for in an encryption solution?
2) Full-strength, peer-reviewed encryption algorithms
3) Full enterprise control over encryption keys