NSA leaker Edward Snowden is in the news again and this time his comments are directed towards cloud service providers. The politics of Mr. Snowden aside, the world has been reacting to his revelations that certain data privacy and security violations may be taking place on a global basis, and that certain public cloud vendors may be complicit. In his recent interview, Snowden states that cloud providers (this would also apply to managed service providers) should adopt a “zero knowledge policy” when it comes to customer data coming into their possession. What is a zero knowledge policy, you ask? Let’s explore.
What is Zero Knowledge Policy?
MSPs have been the guardians of customer data and security for decades. This is not new. What is new, however, is the idea that an MSP or cloud provider would be able to perform their jobs without having access to or knowledge of the data belonging to their customers. Imagine if an MSP were to perform their managed services for their customers and never have access to customer data. This would be a zero knowledge policy.
Can Zero Knowledge Policies Apply to MSPs?
The question remains whether the majority of MSPs would be able to perform their duties while never having access to customer data. Still, it is an interesting philosophical question. A zero knowledge policy would eliminate a lot of risk for MSPs because if they never have access to customer data then there would be no threat of the MSP losing, divulging, or in any way compromising the data.
If a zero knowledge policy seems too difficult to imagine, then a partial zero knowledge policy may be more suitable and realistic. The majority of MSPs may not be able to effectively deliver their services without having access to customer data, at least sometimes and in some scenarios. MSPs could, however, realistically incorporate some zero knowledge policies and procedures into their services in order to offer customers a zero knowledge safeguard for certain data which the customer deems highly sensitive.
I think a zero knowledge policy concept makes a certain amount of sense. It would, after all, be the ultimate demonstration of proof to customers that their cloud and managed service provider is incapable of leaking their data to unauthorized parties.
Would your MSP practice consider implementing such a policy? Maybe you have already? We’d love to hear from you if you do.