CNIL recipes to encrypt and protect data in the cloud

Questioned by many Internet users about the complexity of the cloud offers available in France and the associated challenges in terms of encryption, security and also performance, the CNIL now provides answers. These are gathered in two practical sheets, which should be followed by others.

The CNIL is far from acting only on the repressive side of its activities (as with the fine imposed on Amazon). The National Commission for Information Technology and Freedoms is also prolific in recommendations, guides and other practical sheets. This last format of the organization’s publications has just been complemented by two new sheets, one on public cloud encryption and the other on cloud web application security tools. “Security is essential to provide confidence in the management of the company’s personal data. It is also a legal obligation regarding the protection of personal data: in 2022, almost a third of the sanctions imposed by the CNIL were for violations of this obligation,” explains the regulator.

Public cloud encryption

In its first practical sheet – for which the CNIL specifies from the outset that it does not intend to address the distribution of responsibilities between suppliers and their customers under the GDPR – the commission highlights four encryption scenarios. Firstly, three depending on the state of the data: at rest (persistent storage in non-volatile memory), in transit (transmitted over a communication network between two locations in the same IS or between two ISs) and in processing (access, query, updating, consumption, analysis, etc.). And a last one focused on end-to-end encryption.

“To guarantee the effectiveness of encryption, it is necessary that encryption keys are managed in a way that guarantees their confidentiality and that the encryption algorithms used are of the latest generation,” explains the CNIL in particular. “Encryption is an effective and essential measure to reduce the risk of illegitimate access to data. It is essential in many common situations (data flows circulating over the Internet, storage, workstations, etc.).” The authority then clarifies the issues related to the delegation of security services in the cloud, but also the associated risks, such as the fact that a malicious supplier could pry into customer data or itself fall victim to intrusions. “From the point of view of the protection of personal data, the obligations of each party must be formalized in a clear contract, as provided for in article 28.3 of the GDPR,” it warns. “The customer must also master the tools at their disposal to make the best use of encryption keys. In particular, the customer must be certain that: the services, software or programs that use these keys are solid; these services use the correct keys (that is, theirs and not another client’s); encryption and decryption algorithms are implemented correctly; these tools are properly distributed and self-verifying.”

The CNIL analyzes these four encryption scenarios in an educational and synthetic way. For the first (data at rest), four levels of encryption are detailed: disk, file, database and application, each with recommendations, together with a summary overview of the different encryption approaches with regard to their ease of implementation, the supplier’s level of access to the keys, transparency of key access, etc. Regarding the second scenario (data in transit), the CNIL warns that “the encryption of data in transit does not correspond to the notion of end-to-end encryption: the cloud service, which can serve as an intermediary between two entities that wish to communicate, may have access to data in clear text. The most commonly used protocols for encryption of communications are TLS, SSH, IPsec and MACsec.” Regarding the third scenario (data in processing), the commission explains that “if the data is not encrypted during processing by the service (which is typically the case with SaaS services), then encryption at rest and/or in transit by the supplier does not constitute an effective additional technical measure with regard to the supplier’s access, as the supplier must have clear access to the data when the service carries out the processing.” Finally, with regard to end-to-end encryption in the cloud, the regulator warns that encrypting only data in transit cannot be considered end-to-end encryption unless the provider is the only recipient of the exchanged data. And also that combining encryption of data in transit with encryption of data at rest cannot be considered end-to-end encryption if, at some point in the transmission chain, there is a break in encryption allowing the provider to access the data in clear text.
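As an added illustration (not code from the CNIL sheets or from this article), the Go model below makes the distinction above concrete: a provider that manages its own at-rest key can always peel its own encryption layer, so it recovers the client’s data unless the client encrypted it first with a key the provider never holds. The in-memory provider and the names `seal`, `open` and `WhoCanRead` are assumptions of this model, and the document bytes are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// randomBytes returns n cryptographically random bytes (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aesGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block size GCM requires
	return gcm
}

// seal returns nonce||ciphertext of plaintext under key, using a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := aesGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal on data produced by seal; it fails on a wrong key or tampering.
func open(key, sealed []byte) ([]byte, error) {
	gcm := aesGCM(key)
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// WhoCanRead models a provider that encrypts at rest with a key it manages, and reports whether
// it recovers doc when (a) the client uploads it in clear, relying on that at-rest layer, and
// (b) the client first encrypts it with a key the provider never holds (the end-to-end case).
func WhoCanRead(doc []byte) (providerAtRest, providerE2E bool) {
	restKey, clientKey := randomBytes(32), randomBytes(32)         // provider-managed / client-only
	seen, _ := open(restKey, seal(restKey, doc))                   // (a) peeling its own layer yields doc
	inner, _ := open(restKey, seal(restKey, seal(clientKey, doc))) // (b) yields only client ciphertext
	return string(seen) == string(doc), string(inner) == string(doc)
}
```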

Secure data in the cloud

In its second practical sheet, the CNIL analyzes the tools and services used to guarantee the security, but also the performance, of web services: anti-DDoS, WAF, CDN and load balancer. And it takes the opportunity to warn that “these solutions are likely to process personal data and create risks to the rights and freedoms of individuals”: namely IP and/or MAC addresses, timestamps, geolocation and packet sizes related to indicators of compromise, or even unencrypted packets transiting the network.

“For a customer using a cloud computing provider, security and performance tools must be taken into consideration when analyzing possible transfers and access. It is therefore essential to obtain from the service provider a precise description of the tools and technologies automatically applied to the subscribed services, and to request all the information and personal data that these tools process, in order to determine the possible transfers and accesses that they give rise to,” says the commission. Hence the importance of checking, when using a cloud service provider, any transfers that may be made by security tools natively integrated into the services provided. This requires asking several questions, such as identifying transfers of personal data and defining an action plan in case of transfers outside the European Union.

“Other technical considerations must be taken into account to evaluate the possibilities of access by authorities from third countries that do not comply with the GDPR,” the CNIL further indicates. “While anti-DDoS tools, load balancing (LB) and application firewalls (WAF) can be placed within the EU to prevent transfers outside the EU due to their use, the content delivery network (CDN) service has the same limits as the traditional functioning of the Internet: such a network is designed to offer, as close as possible to each Internet user, a copy of the requested service/content. If the copy is cached on a server outside the EU, it is possible that the data will pass from a server inside the EU to a server outside the EU.” Once again, good practices are promoted to ensure that an appropriate configuration is implemented to limit the movement of data outside the European Union: for example, limiting the CDN to content-heavy static data (videos, images, etc.) that does not contain personal information.

The issues of decrypting TLS flows and the associated risks are also addressed, first and foremost with regard to the confidentiality of the decrypted data, the increase in the attack surface, the introduction of a single point of failure, the transfer possibilities outside the EU and access by third-country authorities. “To minimize the risks associated with decrypting TLS flows, while preserving the security objective initially planned when implementing security devices, appropriate solutions must be considered,” continues the institution. This includes an in-depth analysis of the risks and benefits of TLS decryption.

When necessary, security measures at the decryption points are then required (strict access control to decrypted data, strong authentication to access decrypted data, configuration of a bastion for decryption, pseudonymization of data, etc.). And that is not all: additional measures can also be activated, such as minimizing the data subject to decryption, storing data “for a period no longer than necessary for security purposes”, without forgetting information to the interested parties: “for the purposes of transparency, data subjects must be informed that their data can be decrypted, accessed and analyzed for security purposes. This information must comply with the transparency requirements established by the GDPR.”
