AWS and IDC united to defuse the scope of the Cloud Act

If in France the government and actors like Hexatrust and Outscale do not miss an opportunity to stand up against the Cloud Act, US cloud providers do everything possible to demonstrate to French companies that they risk nothing. This is particularly the case for AWS, which launched a mine clearance operation this summer alongside IDC.

Since its entry into force in March 2018, the Cloud Act has thrilled many French companies. Their obsession: that this regulation allows government agencies (CIA, NSA ...) to access in all discretion their data stored in data centers of foreign suppliers, GAFAM in mind. This fear, fueled by the fears of members of the government as well as actors like Hexatrust or Outscale would it in fact be disproportionate? In an attempt to address this thorny issue, AWS and IDC brought the press together on a security and compliance point to clear the ground and restore business confidence in foreign clouds.

"The Cloud Act is not a surveillance tool for US agencies but is just for criminal investigations," said Theodore Christakis, professor of international law at the University Grenoble Alpes invited by AWS on the occasion of this point. "The Cloud Act is not a tool for haggling trade secrets." Between the lines, companies would not have to fear that agencies and law enforcement agencies in the United States come to delve into their data from the moment they are in no way connected, from near or far, to criminal cases ... "Over the past 12 months, we have received 25 requests from US law enforcement agencies, most of them targeting US clients, none of which concerned public organizations,

Encryption keys encapsulated in a hardware security module deemed inviolable

Even if US government agencies and law enforcement agencies would have the means to access the data of French companies held in American clouds, the latter benefit from a security lock presented as virtually inviolable. "There is not a sort of magic law enforcement decoder to decipher data with the Cloud Act," said Dominic Trott, associate research director for European security at IDC. Stéphane Hadinger said: "We provide our customers with tools to secure their data, encryption is one of them [...] when customers encrypt the data on AWS we use HSM technical mechanisms ( Hardware Security Module) making it impossible to extract keys. The physical location has only a few

To finally reassure French companies that would look wary at making their data unusable by a third party just by checking a box in the settings of their AWS console, the US cloud provider recalls that it leaves the possibility of outsource the management of encryption keys outside of its infrastructure. For example, AWS works with partners around the world such as Thales to delegate the management of these keys to trusted third parties. However, if the suppliers, in the context of a request identified as legal and legitimate, are required to deliver the data to American security agencies and security forces, no regulation forces them to decipher them. "Technically it's just impossible for us to give the keys," assures Stéphane Hadinger.
The truth about the Cloud Act stifled?

While AWS - but also the other major US cloud providers including Microsoft and Google - try by all means to show their legacy in their ability to make every effort to secure the data of their customers, in France, some do not hesitate not to lift the carpet. "For the first time, we realized that GAFAM issues, their omnipresence on service offerings used daily by European citizens, could also pose problems in terms of freedom of expression and plurality. When some professional organizations refuse to mention the Cloud Act because it can annoy members, or if we have forums of great leaders who do not say the reality of things and tend to minimize the Cloud Act, Olivier Iteanu, vice president of Hexatrust, had pointed out in our columns.