Can Cloud SaaS Providers Read Your Data?

Here’s the thing about the cloud. The moment you subscribe to a CSP, you are effectively choosing to trust them as much as you trust your own people, your own processes, your own data security.  But one thing that a lot of cloud customers don’t realize is that in many cases, your CSP can read you data…meaning real people, real eye balls, and a real trust you are giving them. Unlike your own employees, CSP employees may or may not be as loyal or careful with your data.

But what can you do when all you are ever given by your CSP is an SLA, and if you are lucky, some high-level documentation concerning how they implement security?  The short answer is ‘not much’, but here are two things to know:

*If your SaaS CSP uses a desktop client, and also has a website you log into, and if you are able to use the same username and password credentials to gain access to both, then there is a good chance that the CSP can potentially see your data.  The reason is because your password credential is what is being used to encrypt your data, and the fact that you can use the same password for both, means that the CSP is killing two birds with one stone, to both encrypt your data as well as authenticate to the website.

*If you are able to access your account from any device, and the service doesn’t require a second factor / token, then it’s a good indication that they can read your data.

So how is that CSP’s that store your data encrypted, are able to read your data?  The simple answer is because they are also the ones that are managing the crypto keys! They aren’t encrypting the data to protect it from being seen by THEM.  Rather, the encryption is just there to mitigate the risk of a hard drive walking off.

So at the end of the day, remember:  You are choosing to trust your CSP, and it’s people, just as much as you have entrusted your own employees and IT staff.  That may indeed be an acceptable risk, but one that should be acknowledged and factored in to any business decision concerning cloud SaaS services.  And if you really want to make sure only you can read your data, consider encrypting the data before you ever send it to the cloud. This way you own (but also must manage securely…) the keys.  Remember, “the key to crypto, is the key to crypto…”.