Protecting Your Sensitive Data in the Public Cloud: Why Encryption (and Key Control) Matter More Than Ever
Cite this article
Sensitive data protection is a business-critical necessity in today's cloud-first world, not just a compliance checkbox. The risk profile changes significantly as more businesses move their workloads to the public cloud.
Whether you're keeping track of financial transactions, customer information, medical records or intellectual property, the security of your data depends on the controls you put in place.
The Public Cloud Is Powerful—but Shared
Cloud Service Providers (CSPs) like Amazon AWS, Microsoft Azure, and Google Cloud Platform offer massive scalability, global reach, and innovation velocity. But they also come with a harsh reality: you're operating in a shared environment.
And most major CSPs are headquartered in the United States. That matters!
Why Data Protection in U.S.-Based Clouds Raises Eyebrows
The U.S. government, under laws like the CLOUD Act, (Clarifying Lawful Overseas Use of Data Act) can compel U.S.-based technology companies to provide access to data through a subpoena or warrant—even if that data is stored on servers located outside the United States.
That’s a serious concern for organizations bound by EU regulations like GDPR, or those operating in countries with strict data sovereignty laws. So how do you maintain control in a world where your cloud provider might receive a knock on the door?
Encryption: Your First and Best Line of Defense
The answer starts with encryption—done right.
- Encrypt your sensitive data both at rest and in transit.
- More importantly: hold the keys yourself. If your CSP controls the keys, they control access.
- Implement encryption key lifecycle management that’s separate from the data plane—ideally in a system you own or control directly.
When properly applied, encryption transforms data into something undecipherable without the key. If you control the key, you control the data.
Enter Fortanix DSM: (EU-Based) SaaS with Zero-Trust Architecture
Now let’s focus on Fortanix Data Security Manager (DSM) SaaS—especially when deployed in the EU region.
One of the most common questions we hear is:
“If we use Fortanix SaaS hosted in the EU, could the U.S. government subpoena Fortanix (a U.S. headquartered company) to hand over our encryption keys?”
It’s a fair concern. But the good news is: Fortanix can’t access your keys. By design.
How Fortanix Keeps Your Keys Safe
Fortanix DSM is built on a zero-knowledge, zero-trust architecture that puts you in control:
- Encryption keys are generated, stored, and used within FIPS 140-2 Level 3 HSMs and Intel SGX secure enclaves.
- Fortanix enforces strict key access and export controls—which you configure.
- No Fortanix employee or system can view or retrieve your key material in plaintext.
- You manage access using fine-grained Role-Based Access Control (RBAC) policies and can monitor all activity with built-in audit logging.
So even if Fortanix received a subpoena, there would be nothing to hand over.
And What About the CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), passed in 2018, gives U.S. law enforcement the authority to compel U.S.-based tech companies to hand over data even if the data is stored outside of the United States.
This law was designed to modernize how digital evidence is accessed in criminal investigations but has raised significant concerns about data sovereignty and international jurisdiction.
So yes, in theory, U.S. authorities can request data from U.S.-headquartered companies like Fortanix.
But here’s the critical distinction:
- Fortanix DSM SaaS hosted in the EU cluster ensures data residency within the EU, governed by EU privacy and data protection laws, like GDPR.
- Fortanix would challenge jurisdictionally conflicting requests and push back on inappropriate demands.
- Most importantly, Fortanix’s zero-knowledge architecture ensures it cannot decrypt or access your encryption keys or data-even if compelled by law
This makes any such subpoena ineffective in practice when proper key controls are in place.
Best Practices to Stay in Control
To fully take advantage of the Fortanix architecture, we recommend:
- Use non-exportable keys wherever possible
- Apply least privilege access with RBAC
- Monitor usage with audit logs and alerting
- Enforce network-based restrictions (IP allowlisting, geofencing)
The Bottom Line
The public cloud offers scale. Encryption offers control.
And when you combine both—on your terms—you unlock the true value of cloud computing without sacrificing data sovereignty.
Fortanix DSM SaaS in the EU puts you in full control of your encryption keys, backed by a zero-trust platform and compliant with EU data regulations. Even in the face of U.S. government subpoenas, your data and keys remain exclusively yours.
Because security isn’t just about where your data lives. It’s about who controls the keys.
