| Autor / Redakteur: Henrik Hasenkamp* / Elke Witmer-Goßner
The Europe Cloud, which was launched last autumn by Economics Minister Peter Altmaier, was discussed in a contrasting way, but in any case it managed to put the topic of cloud security into a broader context.
This is important, because data sovereignty, security and availability are not only important prerequisites for the success of individual companies, they are a political issue. At present, a few companies dominate the international cloud market despite inadequate data protection conditions and play by their own rules.
German companies in particular are critical of the cloud because of security concerns. They complain about a lack of control over the data processed in the cloud and they are unsure who is responsible for what and when. They rightly ask themselves the question of which parties have or can obtain access to company data. And all these doubts exist even though German data protection conditions and security regulations are probably the strictest in the world.
After all, the many questions are a sign that companies are worried about whether their own data and that of their customers is safe in the cloud. The big contradiction arises when, despite the uncertain legal situation, many companies uncritically entrust their data to American cloud service providers such as Amazon, Google and Microsoft. In the end, competitive pressure seems to increasingly eliminate these concerns.
Questioning Cloud Offerings
Despite the growing pressure for digital transformation and the need for cloud solutions as a basis for corporate innovation, it is important to act with deliberation. IT decision-makers should take the time to take a pragmatic view of current risks and clarify fundamental questions and responsibilities in order to find the best possible solution. After all, US data protection regulations in particular leave a lot to be desired in comparison to European regulations. Although there are regulations, they are usually defined sector-specifically and are largely based on the voluntary commitment of companies.
Equally problematic are the extensive powers of the US security authorities, which can demand the release of data with comparatively little difficulty. US cloud service providers may even be forced to surrender data if it is stored on servers in Europe. At least that is what the Cloud Act (Clarifying Lawful Overseas Use of Data Act) signed in 2018 says.
Where and on what basis companies are obliged
The things that make companies concerned about cloud computing and any other data management measure are mainly data loss, unauthorized access, data leaks and hardware failures. In principle, the cloud provider and its customer share responsibility for such incidents and they are jointly responsible for compliance with laws and standards.
The best known and most important standards are the German IT basic protection and the European Data Protection Basic Regulation (DSGVO). The DSGVO also affects all cloud providers as a result of the new requirements arising in connection with customer data. However, it has not been created specifically for the requirements in this area and can therefore only serve as a basis. However, cloud providers do not assume full responsibility for their clients. In case of doubt, they must themselves prove that they have taken the necessary precautions and paid appropriate attention when selecting the provider.
Basic IT protection has become a basic method for the ISO 27001 certification process. It formulates basic requirements for data and information security, for processes and procedures in a company. ISO 27018, in turn, is more specifically tailored to the cloud and describes above all measures for the protection of personal data in cloud infrastructures. In contrast to the DSGVO, basic IT protection is not binding and non-compliance has no direct legal consequences.
The C5 requirements catalogue (Cloud Computing Compliance Controls Catalogue) of the German Federal Office for Information Security (BSI) deals with the requirements for cloud computing in particular. It defines the minimum requirements that professional cloud service providers must meet. Minimum requirements that professional cloud providers should meet are defined in 17 subject areas, including numerous data protection and data security requirements. The C5 catalogue is an excellent checklist for choosing the right provider.
How the European Cloud can improve the situation
European data protection requirements are strict and comprehensive - the envisaged Europe Cloud must naturally meet these requirements. It should ensure data sovereignty and at the same time be highly interoperable through standardized interfaces. What the Federal Government means by this and how it envisages the necessary infrastructure is explained in the paper "The GAIA-X Project".
Certified degrees of protection should, for example, ensure data sovereignty, especially when the DSGVO takes effect. In view of the international legal situation, which is currently difficult to understand, it could in any case make life easier for German and European companies and provide greater clarity. However, their plans must also relate promptly to the application level, as only then can digital business models develop.
* The author Henrik Hasenkamp is CEO of gridscale GmbH
The original article in german can be found here.