Part 3 of our series on data residency takes up the issues from the previous parts 1 and 2 and discusses the situations in which encryption improves information protection.
There are only limited ways to adequately protect data. In fact, there are only two basic principles that ensure the necessary data protection: you lock up the data and/or you encrypt it. However, we are convinced that only strong, unrestricted encryption provides the necessary data protection and enables the compliance that allows us to sleep soundly as individuals, companies or public institutions to exchange data securely with each other.
How can data be protected? There are two basic options: "locking up the data" and "encrypting the data". All other methods are then really only based on trust in third parties.
Principles of information protection
Let's start with the zero solution first. Despite all the warnings and risks, there are (still too many) companies, institutions or individual users who do not pay the necessary attention to IT security. Of course, there is always the option of doing nothing and trusting that everything will be fine. In the area of data protection, however, it should have become clear to everyone by now that the zero solution is more of a negligent wait for the IT security incident. If you, dear reader, are nevertheless a follower of blind faith that you are not affected by the problem and will not be affected in the future, then you have extraordinary powers of denial. I congratulate you on your carefree life.
However, we strongly advise you to consider the following principles of information protection:
Including the data
As long as the data worth protecting does not leave your own vault (data center), it is well stored there. Of course, this depends on appropriate protective measures, e.g. against ransomware and data theft. But locking away valuables has been a tried and tested principle for thousands of years.
Encrypting the data
However, the principle of "locking in" is not really compatible with the current era of cloudification. After all, the business model of cloud providers (often based abroad) is based on storing data on third-party devices. Only encryption can offer real protection beyond one's own area of control.
What happens beyond your own area of control?
Cloud providers have not created a fundamentally new universe in which different rules apply. They do something very well in a limited area and offer it to a large number of customers. In other words, they are extreme specialists for usually very limited topics. However, their systems still have to be installed, maintained and operated. Activities that are usually still carried out by people. These providers offer these services, which are basically easily accessible and interesting for us, not because they are generous, but because there is a tough economy of scale business model behind them. The providers want to earn money. It is their primary purpose. In order for these companies to be able to combine their own purpose with the needs of their customers, they must have aligned interests. As a rule, this is achieved by the customer paying the provider for a service. The customer always pays with something. Either with money or with their data.
Only the encryption of data can offer real information protection beyond one's own area of control.
Let's assume, dear reader, that you pay your provider with money and therefore their interest in meeting your needs is high. Your provider is not a homogeneous, indivisible entity. It has employees, subcontractors, shareholders, pursues interests, is based on certain systems, has its strengths and weaknesses, etc. As a rule, it is a complex interplay of many production factors and self-interests. It is practically certain that there will be one or two careless or selfish participants in such a complex system. This is no different than if everything were handled internally. These participants or system components jeopardize the protection of your data. And outside your area of control, there is an even greater risk that the protection of your data will slip away, which is why only data encryption can help. This ensures that whoever wants to do something with this data still needs the key. If only authorized users have the key, control is restored and unwanted use of your data can be prevented.
As mentioned, abuse is possible everywhere. It is in the nature of things and people. There are two objectives:
1. (Cyber)criminals must be stopped and
2. the security and privacy of individuals in their daily lives in the digital world must be protected
- This is why encryption offers the necessary information protection today and helps in the following situations:
- You use a cloud service that is hosted in another country;
- You use a cloud service from a different (economic) policy environment (block);
- You must not or do not want to trust the cloud service;
- You process sensitive personal data from other political blocs that do not correspond to your nationality or
- You simply want to retain control over who accesses your data.
All good reasons why encryption is indispensable in both international and local scenarios.
Find out more in the next trend blog in our series "Data residency"how exactly encryption works and what solutions are available. Cheers.
DE 
EN 