Data Protection in the Cloud: Not Your Grandfather’s Data Protection

In 1998 the UK Parliament passed the Data Protection Act, which “controls how your personal information is used by organizations, businesses, or the government.” From the UK’s own definition, data protection is about protecting the personal information of employees and customers. Who has access to it? Where can it be physically located? And how can it be used?

The UK is not alone in creating laws to protect their citizens’ personal information. Several countries around the globe are putting these types of laws into effect. Business use of the Internet and cloud has made customer acquisition across international lines much easier. This has made it easy for even small companies to become multinational companies overnight.  With all of the changes in laws from country to country, it can be very difficult for large and small companies alike to understand all of these data protection laws and their responsibilities to their customers and employees.

I am not going to go through all of the different countries and their laws. However, I will try to uncover some of the lingo and technologies that are being leveraged to adhere to these laws and regulations as data increasingly is stored in cloud environments.

Data Protection Terms and Technologies

There are several terms that you need to understand with respect to data protection. This is not an exhaustive list of terms; however, it should provide a good start as you think about building out your data center and cloud services.

Data Sovereignty

Definition: Data sovereignty is the concept that information which has been converted and stored in binary digital form is subject to the laws of the country in which it is located.

What does that mean? It depends on the country you are doing business in. For some countries it means the data cannot leave the geographical boundaries of the country. Which mean you have to build a data center or contract with a service provider within that country’s borders. For other governments, it just means data must be virtually geo-fenced from other countries’ citizens. The main point is that data needs to be segmented and cannot move just anywhere.

Geo-Fencing

Definition: Geo-fencing (geofencing) is a feature in a software program that uses the global positioning system (GPS) or radio frequency identification (RFID) to define geographical boundaries. A geo-fence is a virtual barrier.

So how does this definition apply to my datacenter? What about my cloud deployment? How can I guarantee that data does not go outside of the boundaries that have been established? Do I put a GPS chip in every server in my data center?

Geo-fencing can be accomplished virtually by using technologies that set up trusted geo-domains, such that only machines that are in the trusted geo-domain can communicate with each other and store information for that geographic region. This can be accomplished using a trusted platform module (TPM) to “geo-tag” servers. TPM is available in most CPUs today.

Roots of Trust

Definition: Roots of Trust (RoT) is a set of functions in the trusted computing module that is always trusted by the computer’s operating system (OS). The RoT serves as a separate compute engine controlling the trusted computing platform cryptographic processor on the PC or mobile device it is embedded in.

This helps guarantee that the machine you are talking to is the actual machine you are talking to. This prevents spoofing and “man in the middle” types of cyber attacks. This is also essential to setting up geo-fencing in your data center.

TXT (Trusted Execution Technology)

Definition: Intel Trusted Execution Technology (Intel TXT) is a computer hardware technology whose primary goals are: Attestation of the authenticity of a platform and its operating system; assuring that an authentic operating system starts in a trusted environment, which can then be considered trusted; and providing a trusted operating system with additional security capabilities not available to an unproven one.

This allows you to basically set up trusted pools of resources that can trust each other. Each machine knows who they are talking to and what kinds of data they can handle. TXT takes advantage of the underlying TPM technology that is available in most CPUs today. This is a core technology to setting up effective geo-fencing.

TPM (Trusted Platform Module)

Definition: Trusted Platform Module (TPM) is an international standard for a secure crypto processor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.

This is the backbone technology to setting up geo-fencing, trusted domains, and establishing Roots of Trust between machines. It has three major functions:

• Remote Attestation: makes sure that the hardware/software running are what is expected by storing a hash key summary of the hardware and software installed on the system.
• Binding: encrypts data using the TPM binding key.
• Sealing: encrypts data using the TPM binding key and the state the TPM must be in, required to decrypt the data.

These three functions can be used to store encrypted geo-tags in the TPM to be used by Trusted Execution Technology to establish Roots of Trust and geo-fencing. In effect, everyone with the same geo-tag can share the same information.

Understanding the Technology

Luckily, organizations can leverage these and other technologies to help meet the increasing demand for data protection.  I have given you only a small glimpse into the technologies that are available to help your company meet ever-changing data protection regulations. Hopefully, this will help you get started in building out your data center and cloud environments.