A homage to the Dickens classic, A Cloud Collaboration Carol, is my festive attempt to reflect on the changing role of encryption and privacy in past, present, and future digital workflows whereby hundreds of millions of humans and millions of modern businesses voluntarily exchange sensitive data at mind-boggling scale.
The story follows a day in the life of anyone who, in the interest of getting work done, constantly uses modern collaboration applications and public cloud infrastructure to share data with others —and quite possibly has lost touch with their own sense of digital sovereignty and IT security policies.
My hope is that a bit of perspective will surface when we think about the past, contend with data compliance concerns in the present, and actively digest recent data privacy announcements from Apple and Google, which are certain to impact the future.
Over the past few decades, the world has witnessed an explosion in digital innovation and productivity gains driven in large part by the rise of mobile computing, public cloud infrastructure, and mass adoption of collaboration platforms like Google Workspace and Microsoft Office 365.
During this period, consumers from all walks of life began to embrace the iPhone and other mobile devices. They quickly began to back up personal data in Apple iCloud and other cloud-based storage services. Meanwhile, these same individuals, most of whom were employed with day jobs, witnessed the emergence of a common collaboration pattern at work whereby businesses of all sizes regularly shared massive amounts of sensitive data in the form of emails, file attachments, and SaaS applications. Whether it was in their personal or professional lives, people everywhere began to breathe the ubiquitous web and quickly came to feel the intense pressure to "get stuff done now." Thus, they readily shared data with others, and often did so with minimal regard for security, privacy, or compliance concerns.
During this same timeframe, a subset of early adopters—commonly companies operating in specific industries subject to data protection regulations like HIPAA, ITAR, and CJIS — began to embrace innovative client side encryption solutions, including products from Virtru, which offered end-to-end policy, data access controls, and elegant decryption experiences to govern the flow of sensitive data shared via email, files, and SaaS apps.
It's worth noting that these early adopters deeply understood the concepts of "data flow" and the "information lifecycle," and therefore, they knew that simply relying on cloud service providers to encrypt data at rest and data in transit was not nearly sufficient to meet increasingly sophisticated needs for data privacy and regulatory compliance.
Finally, it was during this period when enterprises first came to appreciate the pros and cons of “client side” vs. “server side” encryption controls. For example, consider a large state government organization with 40,000 employees where only 2,000 of them represent local law enforcement professionals that regularly exchange CJIS data with Federal law enforcement agencies and therefore require true end-to-end data governance. In this use case, only 5% of the state’s employees require client-side encryption controls and associated training for decision making. The remaining 95% of employees could benefit from server-side encryption, which does not require end-user training and decision making, and therefore is much more scalable and easier to implement. Simply stated, it’s not one or the other — but a combination of both, client and server side controls, that enable data centric security for large organizations.
Led by the growing popularity of web-based productivity tools like Google Docs, Sheets, and Slides — the past few years have witnessed a meaningful shift in personal and business collaboration patterns. As a result, we now live in a world where essential documents are less likely to be shared as files attached to emails, or files dropped into Slack. Instead, we operate in an environment where important information is more likely to be shared as a web link embedded in an email or a Slack channel. As a result of this shift, information owners are able to keep more data centralized within a specific domain and still gain the benefit of multiple parties collaborating together in real time via the web.
Of course, this shift in collaboration patterns does not mean that files are completely dead and gone — not yet, at least. Indeed, files will remain relevant to a wide range of collaboration workflows for years to come. How many years exactly? It's hard to say for sure, but the trend from local files to web links is clearly steady.
Furthermore, it seems safe to say that as more and more people and businesses store huge amounts of sensitive data in public clouds controlled by Apple, Google, Microsoft, and Amazon — questions about data sovereignty and privacy will become fundamentally critical to individuals and organizations both.
Just think about it for yourself: If you have sensitive personal data on your iPhone — which is encrypted and stored in Apple iCloud — then who do you think should control the keys necessary to decrypt that data?
Similarly, if your business runs on Google Workspace enterprise edition (Gmail, Docs, Sheets, Slides, Meet, Drive) and all of your sensitive commercial information is encrypted and stored in the Google cloud, then who do you think should control the keys necessary to decrypt that data?
Indeed, in the context of consumer iPhones, you should control those encryption keys, not Apple. And, in the context of enterprise computing on Google Workspace, your business should control those encryption keys, not Google. Furthermore, managing those private encryption keys should be remarkably simple so that your digital sovereignty is affordable, headache-free, and always guaranteed.
I don't know what the future holds, but I know this: Ten days ago, Apple announced Advanced Data Protection, a new service that will soon make end-to-end encryption available to a much wider range of iCloud data, including device backups, messages, photos, and more. The move by Apple was hailed by privacy advocates, but unsurprisingly it was met with concern by the FBI and other law enforcement agencies. While Apple and FBI lawyers will undoubtedly debate the details for months and years to come, one thing seems certain: The genie is out of the bottle with respect to personal privacy and data sovereignty. Thus, society's future relationship with consumer cloud services will be very different from what it is presently.
Adding further momentum to the future drive for privacy-enhanced collaboration, Google announced on Friday the availability of client-side encryption (CSE) for Gmail on the web, allowing enrolled Google Workspace users to send and receive encrypted emails within and outside of their domain.
In specific regard to Gmail, once CSE is provisioned and enabled, the SMIME based feature will ensure that any sensitive data delivered as part of an email's body and attachments (including inline images) cannot be decrypted by Google servers. The email header (including subject, timestamps, and recipients lists) will not be encrypted, thus Google will still control access to that information. An important note: The beta program for CSE for Gmail is currently available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers only.
In the years ahead, whenever Google Workspace customers use CSE for Gmail, Docs, Sheets, Slides, Meet, and Calendar — the relevant content will be encrypted in the client's browser before any data is transmitted or stored on Google's servers. Thus, Google itself will no longer be able to decrypt your data — which itself is a huge step forward in enhancing digital privacy and data sovereignty.
Virtru and Google have been close partners over the past decade. In regard to CSE, our joint efforts began in 2017 when Virtru served as the design partner to inform the initial implementation of CSE for Google Drive in support of key enterprise customers.
Today we're proud to support more than 5,000 shared customers on Google Workspace. Aligning together for the future, we remain 100% committed to making CSE as simple as possible for any and all Google Workspace customers. How will Virtru do this? We will leverage our deep and proven competencies in encryption and secure collaboration to deliver affordable and easy-to-use key management capabilities — which are fundamental to all future CSE implementations.