The balance between government oversight and ownership of data for enterprise

Welcome to the Data Sovereignty articles by Cryptyk.

Cryptyk recognizes that achieving data sovereignty (control) is critical to any organization. Looking through the lens of absolute data ownership, this series of articles reviews how specific threats are neutralized by Cryptyk’s hybrid blockchain technology. The most common form of threat is external — think hackers, viruses and malware. However, other vulnerabilities exist, in the form of blind trust of cloud storage providers, the governments that have jurisdiction over them, and trust in those who have internal (granted) access to your data. In spite of these threats, Cryptyk has proven sovereignty is now possible to achieve. Cryptyk’s hybrid blockchain technology creates an architecture for storing data that allows complete peace of mind for an organization that uses their enterprise cloud storage and security services.

In this article we explore how Cryptyk gives users control of their data sovereignty in the case of the administrative subpoena, where traditional cloud storage fails. The ability of governments to put pressure on cloud storage providers puts those companies in a grey area. Cryptyk’s hybrid blockchain technology creates a careful balance between serving users and complying with government agencies.

For a comprehensive look at how the Cryptyk platform addresses all threats to data sovereignty, read our anchor article, Achieving True Data Sovereignty.

The power of the government-issued administrative subpoena
Related to our previous article in the Data Sovereignty Analysis series, a major threat to data sovereignty is the administrative subpoena.

Prior to the advent of cloud-based computing and storage, data was either stored on physical documents or maintained electronically in-house on an organization’s servers. Today, cloud storage is cheaper and offers more functionality to organizations, such as real-time collaboration with access from anywhere in the world. The benefit is obvious and adoption of the cloud has grown as a result.

However, along with increased cloud adoption has come the ability for government interference by way of the administrative subpoena. According to this report by the Congressional Research Service to the United States Congress, administrative subpoena authority “is the power vested in various administrative agencies to compel testimony or the production of documents or both in aid of the agencies’ performance of their duties.” To put it more simply, government agencies like the Federal Bureau of Investigation (FBI) or the Drug Enforcement Agency (DEA), to name just a couple, can bypass the need for a judge-approved court order to investigate information held on cloud servers.

Moreover, they can subject cloud providers to “gag orders” and indefinitely prevent them from notifying the party under investigation, i.e. a client. This places enterprise data at huge risk and limits response time or the ability to protect vital trade secrets that are instrumental to an organization’s success.

The extraction of the data itself is swift and leaves no time for the investigated party to challenge the unwilling surrender of data.

Neither does this sit well with the providers of cloud services — they want the ability to challenge such requests. Nor does it bode well for business or the greater adoption of cloud services in the longer term.

It appears that 2,200 out of 4,400 exigent requests were illegal: a gross abuse of authority on the part of these government organizations that demands to be checked.

The earlier referenced report admits that administrative subpoenas are “more likely to lead to unjustified intrusions of privacy, lack the judicial safeguards that accompany the issuance of a search warrant, can be extremely expensive and disruptive for the person or entity to whom they are addressed and are subject to easy abuse when they are issued against third parties who are subject to permanent gag orders precluding disclosure to targets who might otherwise contest the abuse.”

The Cloud Act — Is it enough?
A long-time provider of cloud computing services, Microsoft has tried hard to establish some legal safeguards for clients of cloud providers and cloud providers themselves, via the Cloud Act.

As such, the legal battles it has fought over the years have resulted in the following:

  • A framework for reciprocal international agreements in the access of data for the investigation and prosecution of crimes
  • The protection of privacy and other human rights by establishing agreements only with those countries that respect these matters and are willing to undergo congressional review
  • The creation of strong norms to govern surveillance requests within new international agreements
  • The assurance that these agreements will not require cloud service providers to create backdoors to break encryption
  • The granting of direct legal rights to cloud providers to protect privacy via (a) the ability to inform foreign governments when their citizens are impacted by U.S. warrants and (b) the ability to go to courts to address a warrant that goes beyond the scope of an established agreement or one that conflicts with a foreign law

Even with attempts to protect data privacy, there remains one undeniable factor that cannot be overcome:

Traditional providers of cloud-based services remain a central point of failure. They are still subject to pressure from governments or law enforcement. This puts the storage providers themselves in an undesirable grey area of allegiance. What if the data being stored does not belong to a national of the country that the service provider is in? In an increasingly distributed world, it is difficult to draw national boundary lines with international users of any cloud service.

Should there ever be a court order that bypasses the Cloud Act, enterprise data and international users are at risk.

Enterprise clients and other organizations, including governments, will appreciate and require the data sovereignty that Cryptyk is built to provide. It removes the potential for legal grey areas for service providers while allowing for controlled compliance by enterprise users.

When organizations are required to disclose data to governmental regulatory agencies
In order for some businesses to remain operational, data disclosure to governmental agencies is routinely required. Examples of such businesses include those in the financial, labor and health services industries.

The blockchain industry is no stranger to these requirements. Existing and emerging cryptocurrency companies are required to undergo a review by the Securities and Exchange Commission (SEC) before going into an Initial Coin Offering (ICO). These reviews help the SEC determine whether a cryptocurrency is a utility token or a security in disguise. Even Ethereum was recently subject to this review and Ether (ETH) was eventually deemed to be a utility token. Cryptyk itself is no stranger to this review process; its CTK token was also deemed a utility token that meets SEC Reg D securities exemption requirements.

In such cases, the information provided to governmental agencies is organized and presented in a compliant fashion. As such, all parties are reasonably prepared to face decision-making committees with adequate time.

Disclosure to governmental bodies is a need that exists across nations.
Cryptyk understands that it is necessary for organizations to be compliant with regulations stipulated by their member-nations. Cryptyk also understands that it is critical for those organizations and governments to be certain their data is secure from unwanted access. If information must be shared, it must be shared in a secure manner with intended parties, on a case-by-case basis. To this end, Cryptyk’s hybrid blockchain architecture is designed such that:

  1. Data can only be accessed with private keys that are controlled by the user and never stored on the cloud, or by those with shared access.
  2. How one user shares their keys cannot compromise any other users on the platform.

Achieving data sovereignty on the cloud is possible with Cryptyk’s hybrid blockchain solution
In the next section, we will explore how Cryptyk’s hybrid blockchain architecture is completely secure from external hacking and covert access (for whatever reason) by storage providers and governments. Before that, it is important to understand that the Cryptyk platform itself cannot be compromised by any form of external pressure.

The design of Cryptyk’s internal architecture was overseen by Daniel Floreani, previously of Cisco Systems and the Australian DoD, and Dennis McMasters, who led the team that digitized the New York Stock Exchange. Cryptyk’s platform is designed to be hosted on international servers across the globe in strategic geographic locations: no individual government body can attempt to compromise the platform. While it is possible for Cryptyk to retain a copy of a user’s private keys for backup purposes, a “zero knowledge” option exists. If users select this option, they will generate a new set of keys that Cryptyk never has access to. Thus, unlike traditional cloud service providers, Cryptyk would safely be released from any liability that could arise from a subpoena.

As such, Cryptyk cannot be coerced to supply any user’s information to a governmental body acting within or outside of its rights.

Cryptyk’s Hybrid Blockchain Technology: A system free of blind trust.
Cryptyk is the first single-vendor platform to offer enterprise-level cloud storage with a fully integrated security suite. Cryptyk’s hybrid blockchain technology is built by integrating two separate, decentralized platforms: VAULT and SENTRY. Together, these platforms create a passively secure, “safe-to-hack” architecture with guaranteed uptime. The concept is simple:

Cryptyk VAULT
VAULT is a decentralized cloud storage platform. Files stored with VAULT are encrypted once, then split into five separate pieces (using intelligent randomization). Each piece gets a full second encryption, and is then stored on five of the major independent cloud storage providers or nodes — Google, Amazon, IBM, Rackspace and Box. Only a user with specific keys, which are stored offline, can assemble the pieces correctly and undo the double encryption.

VAULT’s unique architecture achieves the much needed data sovereignty free from blind trust in service providers or government.

It offers immunity from all breaches, including unchecked government interference, based on the file treatment mentioned above. Even if an attempt to compromise data was successful, any file shard obtained would be entirely unintelligible, and impossible to relate to its other 4 components (which are each hosted by entirely different storage giants). This holds true for the companies that host your data. Even if one of Cryptyk’s storage nodes looked into their folder architecture, all they would see is unintelligible, double-encrypted shards of millions of files. Only the user has keys that can locate the shards across all 5 platforms, and decrypt them into a readable file.
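The layering described above (encrypt once, split into five pieces, encrypt each piece again, keys held only by the client), as an added sketch that is not Cryptyk's code. Assumptions: a contiguous split stands in for the unspecified “intelligent randomization”, a SHAKE-256 keystream with HMAC-SHA-256 stands in for a production AEAD such as AES-GCM, and every function name is hypothetical.

```python
import hashlib, hmac, secrets

NODES = 5  # the page names five storage providers

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one secret.
    return hashlib.sha256(label + key).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): SHAKE-256 keystream XORed with data.
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed: wrong key or modified data")
    return _xor_stream(key, nonce, ct)

def new_keys():
    """One file key plus one key per shard; all stay with the client."""
    return secrets.token_bytes(32), [secrets.token_bytes(32) for _ in range(NODES)]

def store(file_key: bytes, shard_keys: list, data: bytes) -> list:
    """First encryption, split into NODES pieces, second encryption per piece."""
    inner = seal(file_key, data)
    size = -(-len(inner) // NODES)  # ceiling division
    pieces = [inner[i * size:(i + 1) * size] for i in range(NODES)]
    return [seal(k, p) for k, p in zip(shard_keys, pieces)]  # one blob per provider

def retrieve(file_key: bytes, shard_keys: list, blobs: list) -> bytes:
    """Undo the outer layer per shard, reassemble in order, undo the inner layer."""
    inner = b"".join(unseal(k, b) for k, b in zip(shard_keys, blobs))
    return unseal(file_key, inner)
```

Without redundancy all five blobs are required: dropping or altering any one makes `retrieve` raise instead of returning data, so the confidentiality of the scheme rests entirely on how the client stores the six keys.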

This removes any situation where the service providers themselves have to choose between loyalty to their users and cooperating with local governments.

VAULT’s RAID architecture guarantees 24/7 uptime and access to data.

Cryptyk users are never dependent on a single point of failure. VAULT uses a security method called erasure coding to create multiple backups of each of the 5 pieces before they are stored on one of the 5 storage nodes. It then distributes the backups amongst the other 4 nodes. If an entire storage node goes down for any reason (bot attacks, hardware failures, etc.), files on Cryptyk can be seamlessly assembled from those backup shards. Even if two nodes failed simultaneously, Cryptyk users would not notice a change in data accessibility or speed.

Cryptyk SENTRY
SENTRY is a robust decentralized security platform that seamlessly integrates with VAULT. At its core, it is a secure portal that uses blockchain technology to control permissions and record all user activity and access to VAULT’s files and data. SENTRY is not just a blockchain, it is a full security suite with a wide array of features.

Another function of SENTRY is to act as a secure portal to interact with your data. Popular software (Excel, Word, Asana) will plug directly into SENTRY’s API. With a perfect ledger of all activity (including that of administrators), real-time proof of security can be checked, and suspicious activity or behavior will be picked up by AI that has learned what a normal operation looks like.

SENTRY guards access to VAULT’s architecture. It enforces a secure portal where users can interact with their data via its granular file-permissions structure, and complete set of security tools. Additionally, a perfect record of all access to the files and user activity monitored by AI allows a new proactive approach to anticipating threats.

No unwanted access would be allowed, and if detected, it would be recorded and easily addressed using the AI monitoring SENTRY’s blockchain. Those performing surveillance would be under surveillance themselves — and the security teams at organizations would be able to make real time decisions about implementing a quarantine.

This integration of two distributed platforms delivers the protection required to make enterprise cloud storage possible, and to assure data sovereignty for all Cryptyk users.

Together, VAULT and SENTRY eliminate all threats to the enterprise cloud, and remove the requirement for blind trust in cloud service providers, governments, and even Cryptyk itself. Cryptyk users can also depend on guaranteed uptime and on no other individual or organization having access to their files without permission.

In this way data sovereignty is guaranteed and organizations can rest assured that their data is safe from unwanted scrutiny and interference.
