Brook also asserted that the way that data in many European countries, including the U.K., France, Germany and Spain, is collected for government-operated surveillance purposes and wiretaps is actually often less strict than in the U.S.
He said the European Union falls short of even the U.S. requirements in many respects, where in Germany, Deutsche Telekom can even be expected to report its own findings about customers to the German government. Brook said he finds much of the European stance on data privacy to be little more than a "marketing ploy."
But Brook did offer advice on securing data in the cloud, suggesting that enterprise customers using cloud services make use of specialized hardware security modules (HSM) for data encryption that allow the customer — and only the customer — know and retain the encryption key.
The theme of hardware-based encryption for cloud services was taken up by Teresa Carlson, vice president, worldwide public sector at Amazon Web Services, in her own keynote at the Cloud Security Alliance Congress today.
In touting some of the more recent AWS security advances, Carlson spoke about how hardware security modules for encryption are available as a service called "Cloud HSM" for encrypting customer data. Mark Ryland, chief solutions architect at AWS, explained further that Cloud HSM, which has a monthly service change, works based on the SafeNet Luna devices, where the customer is the "administrator of the cryptography appliance." AWS itself cannot access the core cryptographic service on the device and only the customer retains the private key. "On HSM, we don't see anything," added Carlson.
Microsoft also recently announced its "Bring Your Own Key" initiative for Azure Rights Management Service that makes use of the Thales hardware security module for encryption. Brook said he expects other cloud providers to integrate HSM into service offerings in the future as well.
Still, cloud providers continue to face a barrage of questions about how transparent they are about what they do. After the AWS keynote, a member of the audience, saying he was an auditor with a bank, wanted Carlson and Ryland to explain why AWS isn't more open about how they share information about physical security at AWS. Carlson and Ryland indicated that the information is so sensitive, AWS is reluctant to simply make it public since attackers might exploit it, but it is shared when sales negotiations with customers are underway.
Sign up for CIO Asia eNewsletters.