Cloud security is tedious, and a discussion about it even more so

Dated 23.12.2019

With the planned Europe Cloud, Minister of Economics Peter Altmaier has taken up the cause of a project that will reignite an urgently needed discussion. It is about security in the cloud and the considerable market power of a few companies that dominate the cloud market despite inadequate data protection conditions. Data sovereignty and data availability are not only important basic requirements for companies, they are a political issue.

German companies are still critical of the cloud. The main reasons remain security concerns and a lack of control over data processed in the cloud. It is often unclear who has to take responsibility for what in a cloud infrastructure and which parties have been given access to company data. All these concerns and questions exist even though German data protection and security regulations have the reputation of being the strictest in the world. The criticism voiced by IT decision-makers is also a good sign, because it shows that they care whether their data (and that of their customers) is safe in the cloud. On the other hand, these concerns hold back possible innovations in companies and thus sharpen many a competitive situation. The paradox is that, despite the uncertain legal situation, many companies entrust their data to American cloud service providers such as Amazon, Google and Microsoft. In the end, competitive pressure seems to be increasingly overriding the concerns.

The US approach

From a European perspective, the US data protection regulations in particular leave much to be desired. Although regulations exist, they are mostly defined sector by sector and rely largely on the voluntary commitment of companies. If a company does not comply with the security level it has set for itself, sanctions may follow, but monitoring and auditing are the responsibility of the Federal Trade Commission (FTC), a body closely tied to the business sector. Equally problematic are the extensive powers of the US security authorities, which are comparatively free to demand the release of data, including personal data. The Cloud Act (Clarifying Lawful Overseas Use of Data Act), signed in 2018, extends these official powers even further: US cloud service providers may be forced to release data even if it is stored on servers in Europe.

Despite the growing pressure for digital transformation and the need for cloud solutions as a basis for corporate innovation, it is important to act carefully. A pragmatic consideration and assessment of the current risks helps IT decision-makers to clarify fundamental questions and responsibilities, to gain clarity and to find the best possible solution. So which security features would a service provider have to provide, and where does the company need to protect itself?

Responsibility for compliance is never borne by one party alone

What worries companies about cloud computing, as about any other data management activity, is data loss, unauthorized access, data leaks and hardware failures. All of these can happen for many different reasons. Basically, the cloud provider and its customer share the responsibility for such incidents, and they are jointly responsible for compliance with laws and standards.

The best known and most important standards are the German IT-Grundschutz (IT baseline protection) and the European General Data Protection Regulation (DSGVO). The latter stirred public opinion when it was introduced last year; it was put into force to regulate the processing of personal data by private companies and public bodies within the EU. Many people criticised the much higher costs for data-processing companies in the EU resulting from the higher level of data protection. There is, of course, a legitimate argument about proportionality. The DSGVO also affects all cloud providers through the new requirements that arise in connection with customer data. It was not, however, created specifically for the requirements of this area and can therefore only be seen as a basis. For cloud computing, it means that cloud providers based in Europe must take measures to comply with the DSGVO. But in doing so they do not assume full responsibility on behalf of their clients. In case of doubt, the clients themselves must prove that they took the necessary precautions and exercised due care when choosing a provider.

IT-Grundschutz has developed into a foundational method for the ISO 27001 certification process. It formulates fundamental requirements for data and information security and for processes and procedures in a company. ISO 27018, on the other hand, is tailored more specifically to the cloud and primarily describes measures for the protection of personal data in cloud infrastructures. In contrast to the DSGVO, IT-Grundschutz is not binding, and non-compliance has no direct legal consequences.

The C5 Requirements Catalogue (Cloud Computing Compliance Controls Catalogue) of the Federal Office for Information Security (BSI) deals specifically with the requirements for cloud computing. It defines the minimum requirements that professional cloud service providers must meet. When creating the C5 Catalogue, it was important to the BSI not to create a new work from scratch but to build on established audit schemes and guidelines and to supplement them. The catalogue is based on ISO 27001, the Cloud Controls Matrix of the non-profit Cloud Security Alliance, and the BSI IT-Grundschutz. Minimum requirements that professional cloud providers should meet are defined in 17 subject areas, including numerous data protection and data security requirements. The C5 catalogue is an excellent checklist for choosing the right provider.

What is the idea behind the Europe cloud

European data protection requirements are strict and comprehensive, and the envisaged Europe Cloud must of course meet them. It should ensure data sovereignty and at the same time be highly interoperable through standardized interfaces. What the Federal Government means by this, and how it envisages the necessary infrastructure, is explained in the paper "The GAIA-X Project". For example, each node is to form an independent unit that can be clearly identified and controlled. Linked to this is a self-description containing specifications on the storage location and processing of the data as well as the technologies and performance parameters used. Certified degrees of protection should ensure data sovereignty, especially where the DSGVO applies. Public cloud providers such as gridscale have the unique opportunity to actively contribute their expertise to the further development of the GAIA-X platform. In view of the international legal situation, which is difficult to grasp, it could in any case make things easier for German and European companies and provide more clarity.

In any case, the existing German and European data protection regulations are only of limited use if the cloud provider has its headquarters in the USA or China, for example, because it is then subject to the respective national law, and the data of its clients is subject to it as well, even if the data centre is located in Europe. This also applies if the cloud provider itself is, say, a German company but uses the resources of Amazon and others for its services. In this context, the discussion about an independent European cloud is more than necessary. The German government's plans are not yet mature enough to allow a judgement of their viability and practical relevance. Moreover, the plans must not be limited to the infrastructure itself. They must also extend promptly to the application level, as only then can digital business models develop.

The original article in German can be found here.
