In December 2021, Australia signed an agreement with the United States on cross-border law enforcement arrangements for data hosted by service providers under the United States’ Clarifying Lawful Overseas Use of Data (CLOUD) Act.
This comes as a follow-up to the framework created by the Australian Government, which facilitates international cooperation for enabling access to certain electronic data, for law enforcement and national security purposes under the Telecommunications Legislation Amendment (International Production Orders) Bill 2021.
What Does It Mean?
While the agreement has not yet come into force and isn’t expected until late 2022, its intends to reduce barriers that would prevent law enforcement and national security agencies from obtaining electronic data directly from overseas providers.
In essence, this agreement clears a pathway for US and Australian Government agencies to share data hosted in public cloud environments – including social media and messaging apps, backup and storage services – without the need to directly ask the owner of the data.
Ostensibly this will enable faster reactions to urgent situations by law enforcement. However, it does augment the risk profile of cloud and potentially raises concerns for organisations who rely on public cloud infrastructure.
Why Should You Care?
Firstly, such a framework is incredibly complicated to navigate as evidenced by some of the carve outs both parties have had to make provisions for. Australia for example has concerns about circumstances in which data accessed would be used in cases of Capital Punishment, or detainment at Guantanamo Bay, whereas the US has call-outs about “freedom of speech” which is constitutionally enshrined in their country— but maybe not so in Australia. Naturally, this arises the potential for conflicts when enacted and interpretated.
Additionally, the way the agreement backs on to domestic laws means it may not be immediately apparent if your data was accessed by a foreign agency. This immediately strains your organisation’s internal data classification processes, as it should now be assumed that all data is externally accessible.
Secondly, any notion of confidentiality of data hosted in Australian clouds now comes with a big asterisk. Privileged communications, employee data, and commercial in confidence information are susceptible to access from outsiders under this arrangement—opening the possibility of exposure to third parties and potentially breaching your contractual obligations.
Lastly, and perhaps most importantly.
For some this change will not see any substantial difference in their data security practices, but for many, this potential exposure will exceed an organisation’s risk tolerance which fundamentally changes their reliance on public cloud for sensitive data.
The Road Ahead
The good news is that Encryption is still a viable defence! It may however require add-on’s over your current practices which I will expand upon here.
The CLOUD Act on which this is based states that “the terms of the agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”.
This means encryption remains the best method to secure your data. The generally accepted practice of using cloud-native encryption tooling however must now be seen as akin to leaving the keys under the mat with a note pinned to the door saying, “The Key is under the Doormat!”
If your keys are stored in the same tenancy as any data sought under this Agreement, they can be handed over along with the underlying data they were supposed to protect.
As a result, we’ve seen an industry shift towards Bring Your Own Key (BYOK) and Bring Your Own KMS (BYOKMS) solutions such as that offered by Fortanix DSM-SaaS. These technologies allow consumers of public clouds to externalise their encryption keys to a secure third-party solution – kind of like putting your keys in a secure vault that’s only accessible to you.
This methodology adheres to the principle of least privilege and also simplifies encryption in hybrid and Multicloud environments as the same Vault can be used to secure keys for AWS as well as Azure and GCP, and your on-premises environments alike, enhancing your crypto-agility and eliminating the lock-in associated with cloud-native encryption options which only operate within the bounds of single clouds.
Whilst with BYOK/BYOKMS your data is of course still subject to subpoena, your organisation now has separate controls over the means of decryption — rather than giving carte blanche to the entirety of your cloud infrastructure as might be possible under the CLOUD Act Agreement.
As such BYOK is a relatively straightforward technology which is being adopted as part of the cloud security maturity curve for modern Organisations. It protects your most valuable assets (your data) by ensuring the correct protections are in place to uphold the integrity of your encryption practices, all whilst making data and applications more portable and usable across environments.
If you’d like to learn more, please contact us on this link.