
Encryption, the key to sovereignty?

Data sovereignty is not limited to geographic location. There are many other dimensions to consider, but let us focus on who can technically access the data stored by a Cloud Service Provider (CSP).

Too often, data is stored in plaintext, meaning that any CSP can technically access it. And when the CSP has operations in the United States, foreign jurisdictions may also gain access to the data — without any form of notification to the data owner. In an extreme scenario, it is even conceivable that attackers could escalate privileges up to the hypervisor layer to access the data.

Now let us encrypt the disk of a virtual machine (VM) using the vTPM (virtual Trusted Platform Module) provided by the CSP. The disk containing the data is indeed encrypted, but has the level of sovereignty truly improved? In reality, it is enough for the hypervisor — controlled by the CSP — to observe the exchanges between the vTPM and the VM, much like it was once possible to read the SPI (Serial Peripheral Interface) bus on laptop motherboards (with €15 worth of equipment, this type of encryption could effectively be rendered useless).

So at what level of security can we begin to reduce the need to trust the CSP? Bring Your Own Key (BYOK) infrastructures are becoming increasingly popular. While this approach can be meaningful when implemented seriously, it is not the ultimate solution, as it still requires trusting the CSP, which remains responsible for the implementation of the Hardware Security Module (HSM). Improving this posture would involve hosting one’s own HSM (physical or virtual), although many attack vectors would still remain very real.

A more advanced approach, Hold Your Own Key (HYOK), provides stronger guarantees of trust by establishing a clear boundary between the CSP and the end customer through hosting the Key Management Infrastructure (KMI) separately from the production environment that consumes it. Typically, the KMI is then hosted on-premises (by the customer) or by a sovereign CSP.

As soon as the KMI is dissociated from the production environment, the level of data sovereignty becomes genuinely robust.
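The boundary described above can be made concrete with envelope encryption: the production side generates a per-volume data-encryption key (DEK), and the only thing that can wrap or unwrap that DEK is a key-encryption key (KEK) that lives in the customer's KMI. The following Go program is an added illustration written for this post, not code from the author or from any product; the `KMI` type, the volume IDs and the AES-256-GCM wrapping scheme are assumptions chosen for the example. It shows that what the CSP stores (ciphertext plus wrapped DEK) is useless to a party that holds the storage but not the customer's KEK, and that a wrapped DEK is bound to its volume so it cannot be reused elsewhere.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMI models the customer-held key management infrastructure (name chosen for this
// example). It owns the KEK and exposes only wrap/unwrap; the KEK never leaves it.
type KMI struct{ kek []byte }

// mustRandom returns n CSPRNG bytes; a failing CSPRNG is fatal for key material.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKMI generates a fresh 256-bit KEK inside the customer boundary.
func NewKMI() *KMI { return &KMI{kek: mustRandom(32)} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts with AES-256-GCM; the random nonce is prefixed to the output.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal and fails on any change to ciphertext or AAD.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// WrapDEK binds a DEK to its volume ID (as AAD) so the wrapped blob cannot be
// reused for another volume; UnwrapDEK is the only path back to the DEK.
func (k *KMI) WrapDEK(dek []byte, volumeID string) ([]byte, error) {
	return aeadSeal(k.kek, dek, []byte(volumeID))
}
func (k *KMI) UnwrapDEK(wrapped []byte, volumeID string) ([]byte, error) {
	return aeadOpen(k.kek, wrapped, []byte(volumeID))
}

// EncryptedVolume is everything the CSP stores: ciphertext plus the wrapped DEK.
type EncryptedVolume struct {
	ID         string
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptVolume runs in production: a fresh DEK is used once, wrapped, then zeroed.
func EncryptVolume(kmi *KMI, id string, data []byte) (*EncryptedVolume, error) {
	dek := mustRandom(32)
	ct, err := aeadSeal(dek, data, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := kmi.WrapDEK(dek, id)
	for i := range dek { // the plaintext DEK does not outlive this call
		dek[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &EncryptedVolume{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptVolume must call back into the KMI; a party holding only the volume
// (the CSP, or anyone who copied the disk image) cannot complete this step.
func DecryptVolume(kmi *KMI, v *EncryptedVolume) ([]byte, error) {
	dek, err := kmi.UnwrapDEK(v.WrappedDEK, v.ID)
	if err != nil {
		return nil, fmt.Errorf("KMI refused to unwrap DEK: %w", err)
	}
	return aeadOpen(dek, v.Ciphertext, []byte(v.ID))
}

func main() {
	customer := NewKMI()
	vol, _ := EncryptVolume(customer, "vol-0001", []byte("constructed sample payload"))
	_, err := DecryptVolume(NewKMI(), vol) // the volume alone, with a KEK that is not the customer's
	fmt.Println("foreign KEK:", err)
	plain, _ := DecryptVolume(customer, vol)
	fmt.Println("customer KMI:", string(plain))
}
```

The point of the split is visible in `DecryptVolume`: every decryption is a request to the KMI, so the customer can log, rate-limit or revoke access to the KEK independently of anything the CSP operates. In a real deployment the `KMI` methods would be a network call to an on-premises HSM or a sovereign provider rather than an in-process struct, and the audit trail of `UnwrapDEK` calls is what a defender would monitor.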

In conclusion, the simplest solutions are not necessarily the safest. Encrypting a disk with a password entered by the user is far more secure than relying entirely on embedded technology. The same principle applies to IT infrastructures.

To guarantee data sovereignty with certainty, the HYOK approach proves highly relevant.
