A thumbprint almost ended our vacation, or GDPR and the cloud

A few years ago, we surprised our youngest with a trip to Florida. We did the whole pickup-from-school-with-our-luggage-in-the-car bit and drove straight to the airport. And there was much rejoicing.

It was a heady morning as we set out on the first day of our multi-amusement park weekend. We bought our tickets to the first park and headed to the turnstiles. I was the last of our trio to approach the gate and our trip almost ended right there. Why? They required me to scan my thumbprint, that’s why.

“I’m sorry. You want what?! Why? Where is it stored? What’s your retention policy?” As I peppered the poor kid at the gate with a barrage of questions, I could see the look of exasperation on my family’s faces. So, I made a choice; I gave up a bit of my privacy in order to make memories with my family.

Having control over my privacy has always been important to me, and I applaud the efforts of governments to protect their citizens’ personal information in the possession of businesses. But what happens when different regulations overlap with conflicting requirements, differing views on liability, and impose stiff penalties for non-compliance for those businesses?

Until we see how strictly EU courts interpret the Schrems II decision on current GDPR guidelines on data transfers outside of the EU, European businesses and US cloud providers are both in limbo. Consider this scenario that illustrates the primary concern from the EU’s perspective:

A European company stores EU citizens’ personal data in the cloud hosted by a US cloud provider. Even if the data is encrypted, who possesses the key? What’s to prevent the cloud provider – whether legally compelled, or by the behavior of a rogue administrator, or by an attacker with compromised credentials – from accessing that data? Even if the key is held by a third party, the European Data Protection Board (EDPB) appears to lack confidence that encryption is a sufficient control [1].

The penalties for companies found in violation of GDPR may be as high as 4% of their global revenue and US cloud providers may find themselves shut out of the European market. And if there is an apparent lack of confidence in encryption, how can these organizations protect their data in the cloud? Is there a way to remove the key management issue?

We believe we have an answer to those questions. Would you be surprised if I told you that answer would be to deploy ShardSecure? We invented a patent-pending technology called Microsharding that essentially makes sensitive data non-sensitive and unintelligible to unauthorized users. And we do this without any concept of a key. How?

Think of a paper shredder into which you feed a sensitive document:

  • First, we make sure the shreds (the microshards) are too small to contain any sensitive data: no birthdates, no phone numbers, no addresses.
  • Next, those microshards are randomly mixed into different bags (microshard containers) along with some fake microshards to complicate any attempt at reassembly.
  • Lastly, those bags are distributed to different places around the world. If someone is able to look at the contents of that bag, the information is incomplete and doesn’t make any sense. Think what it would take for an unauthorized user to reassemble that one file. Imagine the complexity introduced with trying to enumerate, locate, identify, and reassemble hundreds or thousands of files that had gone through the same process.

Now imagine that this shredder is clustered, can synchronize multiple clusters, and performs data integrity checks. And if a site goes down or the data has in some way been altered, your data is restored automatically, and you continue operating as if nothing happened. (How we do this will be the subject of my next blog post.)
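To make the shredder analogy concrete, here is a small, self-contained toy illustration of the three steps above plus the integrity check and restore-from-replica idea. It is added here for explanation only; it is not ShardSecure’s code, and nothing about the real Microsharding implementation beyond what this post states is assumed. The sample record, the shard size, the number of containers and decoys, and the helper names (`microshard`, `reassemble`, `tamper`, `shard_contains`) are all constructed for the example. One thing the toy makes visible: the ordered reference map that says which shard sits where is what a reader must protect, because whoever holds it can rebuild the record.

```python
import hashlib
import random
from dataclasses import dataclass

# Constructed sample record; not real personal data.
SAMPLE_RECORD = b"name=Jane Example;dob=1980-04-12;phone=+1-555-0100;city=Paris"


@dataclass
class ShardRef:
    container: int  # which "bag" the shard was dropped into
    slot: int       # position inside that bag
    digest: str     # SHA-256 of the shard, used for the integrity check


def microshard(data: bytes, shard_size: int, n_containers: int,
               n_decoys: int, seed: int):
    """Step 1: cut data into shards too small to hold a whole field.
    Step 2: mix in random decoy shards and shuffle everything.
    Step 3: scatter the mix across n_containers "bags".
    Returns (containers, refmap); refmap is the ordered list of ShardRef
    needed to put the record back together."""
    rng = random.Random(seed)  # seeded only so the example is reproducible
    shards = [data[i:i + shard_size] for i in range(0, len(data), shard_size)]
    decoys = [bytes(rng.getrandbits(8) for _ in range(shard_size))
              for _ in range(n_decoys)]
    items = [(True, i, s) for i, s in enumerate(shards)]
    items += [(False, None, d) for d in decoys]
    rng.shuffle(items)

    containers = [[] for _ in range(n_containers)]
    refmap = [None] * len(shards)
    for is_real, idx, payload in items:
        bag = rng.randrange(n_containers)
        containers[bag].append(payload)
        if is_real:
            refmap[idx] = ShardRef(bag, len(containers[bag]) - 1,
                                   hashlib.sha256(payload).hexdigest())
    return containers, refmap


def reassemble(sites, refmap):
    """Rebuild the record from one or more replicas of the container set.
    For each shard the first replica whose copy matches the stored digest
    wins, so a corrupted or missing shard at one site is restored from
    another. Raises ValueError if no replica has an intact copy."""
    out = bytearray()
    for ref in refmap:
        for site in sites:
            try:
                shard = site[ref.container][ref.slot]
            except IndexError:
                continue  # this replica is missing the shard entirely
            if hashlib.sha256(shard).hexdigest() == ref.digest:
                out += shard
                break
        else:
            raise ValueError(
                f"no intact copy of shard at container {ref.container} "
                f"slot {ref.slot}")
    return bytes(out)


def tamper(containers, ref: ShardRef):
    """Return a copy of the container set with one shard bit-flipped,
    simulating corruption or alteration at a single site."""
    copied = [list(bag) for bag in containers]
    shard = copied[ref.container][ref.slot]
    copied[ref.container][ref.slot] = bytes(b ^ 0xFF for b in shard)
    return copied


def shard_contains(containers, needle: bytes) -> bool:
    """True if any single shard, in any bag, holds the whole needle.
    With shard_size < len(needle) this is always False: no one shard
    can contain a complete phone number or date of birth."""
    return any(needle in shard for bag in containers for shard in bag)


if __name__ == "__main__":
    bags, refs = microshard(SAMPLE_RECORD, shard_size=4, n_containers=3,
                            n_decoys=20, seed=42)
    print("shards per bag:", [len(b) for b in bags])
    print("phone number visible in any one shard?",
          shard_contains(bags, b"555-0100"))
    damaged = tamper(bags, refs[0])
    print("restored from replica:",
          reassemble([damaged, bags], refs) == SAMPLE_RECORD)
```

Run it as a script to see the bag sizes, confirm that no single shard carries the phone number, and watch a shard corrupted at one site be restored from the second replica during reassembly.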

Nobody, including us, can predict which way the courts may rule, and we can’t say that we will make you compliant. No vendor can claim that. What we will say is that we believe we can offer you a more secure way to protect your sensitive data in single cloud, multi-cloud, multi-region, multi-datacenter, or hybrid storage configurations.

Want to learn more? Schedule a demo or meeting to discuss your requirements today.

[1] https://www.lawfareblog.com/will-eu-lose-access-us-data-flows-and-software#