Encryption is not a Silver Bullet
🤔 We use encryption-at-rest, so we can continue using US cloud providers, right?
🤯 Wrong! Here is why:
😨 The City of Stockholm said “No” to Office 365. Indeed, great features alone won’t help you win EU public procurement. You must avoid discussions around US FISA 702 or US CLOUD Act.
😱 Too often I hear “we use encryption” or the more verbose version of it “we use customer-managed encryption keys”. For better-or-worse, the European Data Protection Board (EDPB) is tech savvy enough to know that your data can still be accessed via official channels.
From EDPB Recommendations 01/2020:
the keys are retained solely under the control of the data exporter […]
“But the EDPB is biased against US cloud providers!”
Well, the US cloud providers can’t really make strong promises either. Here is a quote from a Google Cloud Whitepaper:
If data is encrypted, it will be unreadable to a third party without the encryption key, and cannot be accessed in a meaningful form by a U.S. or other government agency unless they go through formal access channels to obtain the plaintext
⚠️ There is only way for encryption to reduce the risk of a FISA or CLOUD Act request. Make sure encryption is performed before sending data to the US Cloud.
This works, but then you reduced the cloud to a mere archival service. You cannot do any useful processing, since all data is opaque to the cloud. This is great for off-cloud backups, but not very useful for building a healthcare application.
✨ What are your real options?
Fortunately, the EU cloud landscape is maturing rapidly. Avoid the whole FISA/CLOUD Act discussion and host your application in a pure-EU cloud. Open source technologies, such as Kubernetes, make this a lot easier than you think.