It’s a tale as old as time: Every day, security leaders face tough decisions where they must strike the right balance between productivity for their users and security for their organization’s sensitive data. With the proliferation of AI tools in nearly every business app, this classic tradeoff comes up more frequently than ever before: Should we upgrade our CRM software to a package with AI-powered trend analysis? Should we allow teams to use ChatGPT? Is increased productivity worth the business risk?
The privacy vs. productivity tradeoff is once again making headlines with the news of Google’s upcoming privacy changes in Gmail. This will reportedly require users to make a choice:
Here’s a look at those Smart Features as they appear in Gmail Settings:
The middle ground? More privacy (fewer features) for sensitive data, and less privacy (more features) for non-sensitive data. What if the sweeping privacy vs. productivity tradeoff is unnecessary, and we could instead get a little smarter about our data decisions?
Not all data is created equal, and not every email is sensitive. You might decide that you’re comfortable with opening up 90% of your emails to Google for the productivity benefits you’ll gain. But when it comes to that 10% where sensitive data is present? That’s when you’ll want to proceed with caution.
That’s where tools like Virtru for Gmail (and, for Microsoft or hybrid environments, Virtru for Outlook) become vital: Client-side encryption can shield that 10% of emails from your cloud provider, without sacrificing your broader ability to leverage AI within your productivity suite.
The ultimate goal is to maximize the productivity benefits of Workspace and Microsoft 365 without sacrificing your privacy where you really need it. The ideal state is the ability to shield your data in the right context, at the right time — which you, yourself, can choose.
We talk a lot about Zero Trust in cybersecurity: The idea that you don’t implicitly grant trust to any entity or person who wants to gain access to your organization’s sensitive data. They must prove that they are, indeed, who they say they are. This happens through authentication and strong security controls that must be fulfilled before a person or system can gain access.
But what does this look like for your cloud provider? If you’re using either Google or Microsoft with your business productivity suite, there must obviously be some trust there. You are managing your sensitive data in that cloud provider’s systems, and trusting them to do the right thing with respect to protecting your data. But, in this context, what does “trust” really mean? Here’s what that could look like:
In the “Tradeoff” scenario, this is “Less Privacy, More Features.” You take your cloud provider agreement at face value, defaulting to the native security capabilities that are in place when you buy the software. It’s “Set it and forget it.” You trust your cloud provider with your content as well as the encryption keys to that content. (Historically, this has not gone well for Microsoft customers.)
In Zero Trust, there’s a common phrase: “Assume breach.” You assume that a bad actor has already gained access to your network. In this cloud provider context, you could frame this idea as “Assume access.” Assume that Microsoft or Google could access any of your data, at any time. What could be done with that data? What would happen if that data was handed over to the government in a blind subpoena? These are questions to consider.
Here’s that middle ground, where you can leverage some productivity benefits (like Gmail’s “Smart Features”) while still shielding sensitive data from your cloud provider. This is where client-side encryption like Virtru for Gmail can provide reassurance that, in the cases where you’re sharing sensitive data, Google cannot access it or feed it into AI tools. You could also use Google CSE and Virtru Private Keystore to apply client-side encryption only to protected content. Whether you use Virtru for Gmail or Google CSE + Virtru Private Keystore, you can have the best of both worlds when it comes to productivity and privacy for sensitive data.
Here’s the thing: Encrypting every single email and file you share is just not practical or necessary, unless you’re working in national security or another extremely sensitive field. (In that case, please do treat that data with the utmost respect and care!)
For most organizations, even those in the defense industrial base and other sensitive fields, you’ll want very strong controls and security that leans on the side of “More Privacy, Fewer Features.” You’ll happily disregard those productivity features in favor of heightened security and control. This could also mean dialing up your data loss prevention (DLP) controls to err on the side of “over-encrypting” rather than “under-encrypting.”
For the greatest control over your encrypted data, you’ll want to make sure that you are managing your encryption keys for sensitive information externally from your cloud provider. If your cloud provider manages both your content and your keys, then there’s nothing stopping them from decrypting your sensitive data, or from potentially handing it over to the government in response to a blind subpoena.
With Virtru Private Keystore, you can host your own keys, under your control, either on-prem or in a virtual private cloud — separately from your cloud provider. This way, Google and Microsoft (and even Virtru) have no way to decrypt your protected data. You can use the Virtru Private Keystore in conjunction with Virtru’s client-side email security, or with Google CSE for Gmail and Workspace — including Google’s upcoming E2EE for Gmail.
Plotting a path forward will look different for every organization, depending on the kinds of sensitive data they manage and how that data needs to be stored and shared as part of daily workflows. Thankfully, a data-centric security lens can provide clarity on how to strike the right balance between privacy and productivity, where you can make the best decisions on specific data objects, in the appropriate context.
At Virtru, we work with thousands of customers who are adopting data-centric strategies for securing their data stored and shared in the cloud via emails, files, and SaaS apps. If you’re interested in learning more about how Virtru can nimbly add layers of additional security to your cloud environment, contact our team for a demo.
Megan is the Director of Brand and Content at Virtru. With a background in journalism and editorial content, she loves telling good stories and making complex subjects approachable. Over the past 15 years, her career has followed her curiosity — from the travel industry, to payments technology, to cybersecurity.