Can Cloud Service Providers Read/Access Data Stored Within Their Service?

Overview

A question we frequently receive is whether the service provider offering the cloud storage solution are technically capable of reading files stored on that service.

The University of Alaska supports cloud services hosted by Google and Microsoft. A summary of their access to customer data is provided below.

Microsoft

  • Encryption of data in transit: All communication between the customer and the service is encrypted across the Internet using Transport Layer Security (TLS) connections. All TLS connections are established using 2048-bit keys. All communication between the service provider's data centers, typically for geo-replication to facilitate disaster recovery, is transmitted using a private network and further protected with best-in-class encryption.
  • Encryption of data at rest: All data is encrypted twice. First using Microsoft BitLocker for disk-level encryption, and second per-file encryption of customer content. Additionally, every update to every file is encrypted using its own encryption key. Before they're stored, the keys to the encrypted content are stored in a physically separate location from the content. Every step of this encryption uses Advanced Encryption Standard (AES) with 256-bit keys and is Federal Information Processing Standard (FIPS) 140-2 compliant. Furthermore, file-level encryption relays on three separate components - blob store, content database, and the key store - that are physically separate. All three are required to decrypt a file, information held in any one of the components is unusable by itself.
  • Access to data by service provider employees or contractors: Microsoft limits physical access to its datacenters by both outer and inner perimeters with increasing security at each level. By default Microsoft personnel, and subcontractors, do not have default access to any cloud stored customer data. Access to customer data is restricted on business need by role-based access control, multifactor authentication, minimizing standing access to production data, and other controls. All access to customer data is strictly logged and regular audits are performed to attest that any access is appropriate.
  • Access to data by service provider automated processes: 

 

Additional Reading

 

Google

  • Encryption of data in transit: All communication between the customer and the service is encrypted across the Internet using Hypertext Transfer Protocol Secure (HTTPS). Google encrypts Gmail (including attachments) and Drive data while on the move. This ensures that your data is safe not only when they move between you and Google's servers, but also as they move between Google's data centers.
  • Encryption of data at rest: Customer data that is uploaded or created in some G Suite services is encrypted at rest. Gmail messages and attachments, Calendar events and descriptions, Google Drive files and Contacts are all encrypted at rest. For a detailed list of services and which data is encrypted at rest please review Google's Cloud Help Securitydocument. Please note that not all services provided by Google (e.g. YouTube) encrypt data at rest.  
  • Access to data by service provider employees or contractors:
  • Access to data by service provider automated processes: 

 

Additional Reading

 

Is there any additional information I should know about?

For additional assistance contact the IT Services Technical Support Center via phone at (907) 786-4646, toll-free at (877) 633-3888, email us at uaa.techsupport@alaska.edu, or visit the Services section to open a support ticket.