Data owners' responsibility for cloud outsourcing

what companies should consider in cloud migration projects — iStock

Cloud computing and the benefits it brings are well known to almost all businesses (including the private sector) and are leading to a rapid increase in cloud usage across all businesses and sectors. The advantages include, for example, seemingly infinite computing power, fast provisioning and de-commissioning, and pay-as-you-go pricing (see the NIST definition).

But when a company decides to move to the cloud, the entire governance framework within which the company operates changes. Successful cloud projects are always associated with a cultural change in the company, which requires a clear strategic direction. An important element in the evaluation phase of cloud migration — part of that strategic direction — is recognising that the most important part of cloud outsourcing is the outsourcing of corporate data and data processing. Especially for regulated companies (financial institutions under PCI-DSS, insurance companies under HIPAA, etc.) it is necessary to justify each of these points to the supervisory authority and to ensure data protection at every point. The first step should therefore be to identify the legal requirements that apply to corporate data. This includes:

  • Personal information covered by GDPR (or similar regulations) must be considered; this corresponds to PII (Personally Identifiable Information)

The essential element of data processing outsourcing is the place where the data is processed and where it is stored. This is similar to, for example, renting a data centre, where all aspects of the location are also considered (fences, personnel, CCTV etc.). The following points must be taken into account:

  • Data is processed outside the country of the company → other legal bases apply

Especially important: outsourcing to a cloud provider does not outsource the responsibility for the data! The responsibility remains with the company, and therefore the company is also legally liable for the data: the cloud service provider (CSP) is the data processor, while the company remains the data owner. Therefore, the following selection criteria for the CSP must be considered:

  • The focus must be on information security and data protection

Compliance with ISO/IEC 27018:2019 can serve as a guideline here. This defines specifications for additional controls and guidelines for PII within the public cloud:

  • First International Code of Conduct

Prior to cloud outsourcing, data classification is necessary, which the data owner (i.e. the company as cloud user) must perform in order to carry out a meaningful, strategic and secure outsourcing. This includes the following components:

  • Data retention — the retention time must be defined according to the legal requirements, which depend on the business unit and the type of data (GDPR, HIPAA, PCI-DSS, etc.)

Based on the legal and regulatory aspects, technical measures that the CSP can offer are then added; these are to be understood as risk mitigation measures. For data at rest these are, for example:

  • Encryption of data media (AES, Rijndael, Twofish etc.)
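The classification, processing-location and data-at-rest points above can be turned into a simple pre-migration check. The following is an added example, not code from the original post; the region names, category labels and the inventory are constructed assumptions, and the rules only encode what the post states (PII under GDPR needs an EU location or another legal basis, regulated data needs a defined retention period and encryption at rest, and every dataset needs a data owner inside the company).

```python
"""Pre-migration data classification check (added example, assumptions
constructed for illustration, not the post's own method)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EU_REGIONS = {"eu-central", "eu-west"}  # assumed CSP region names
REGULATED = {"PII", "PCI", "PHI"}       # GDPR / PCI-DSS / HIPAA data


@dataclass
class Dataset:
    name: str
    owner: str                    # data owner in the company, never the CSP
    categories: Set[str]          # e.g. {"PII", "PCI"}
    region: str                   # where the CSP processes and stores it
    encrypted_at_rest: bool
    retention_days: Optional[int]  # None = retention never defined


def classify(ds: Dataset) -> List[Tuple[str, str]]:
    """Return findings as (kind, message). 'fix' marks a gap that a technical
    or organisational measure closes; 'accept' marks a residual risk that the
    data owner must consciously accept (it cannot be removed by the CSP)."""
    findings = []
    if not ds.owner:
        findings.append(("fix", "no data owner assigned"))
    if ds.retention_days is None:
        findings.append(("fix", "retention period not defined"))
    if "PII" in ds.categories and ds.region not in EU_REGIONS:
        findings.append(("accept", f"PII processed outside the EU ({ds.region}): "
                                   "other legal basis required"))
    if ds.categories & REGULATED and not ds.encrypted_at_rest:
        findings.append(("fix", "regulated data stored without encryption at rest"))
    return findings


def review(inventory: List[Dataset]) -> Dict[str, List[Tuple[str, str]]]:
    """Run the check over a whole inventory; empty list means no findings."""
    return {ds.name: classify(ds) for ds in inventory}


# Constructed sample inventory for demonstration only.
INVENTORY = [
    Dataset("customer-crm", "CRM team", {"PII"}, "us-east", True, 365),
    Dataset("card-payments", "Finance", {"PCI"}, "eu-central", False, 180),
    Dataset("marketing-assets", "", {"PUBLIC"}, "us-east", True, None),
    Dataset("patient-records", "Medical", {"PHI", "PII"}, "eu-west", True, 3650),
]

if __name__ == "__main__":
    for name, findings in review(INVENTORY).items():
        print(name, findings or "ok")
```

The 'accept' findings are the ones management must sign off on, because no CSP control can change where the data is legally located.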

In addition, cloud outsourcing changes the data flow that previously took place within the company:

  • East-west traffic = network traffic between the individual systems within a data centre, whether within the company's own data centres or within the cloud provider's data centres

In addition to the technical measures listed above, the secure construction of the cloud architecture should therefore also take the following into account:

  • Micro-segmentation of networks (see data flow)

In summary, every company should be aware that outsourcing information to the public cloud always brings benefits, but that these benefits require a risk assessment. I would like to emphasise here that the responsibility for the data remains with the company and that companies remain liable for this data: data processing is outsourced, but not the responsibility for it. For risk assessment and analysis, this means that all CSP measures are risk-reducing measures: the overall risk is reduced, but it is not eliminated. Cloud outsourcing adds outsourcing risks of its own that cannot all be covered by technical measures. In concrete terms, these are, for example, the different legal systems that may apply to the cloud user and the cloud provider, which must be treated as accepted risks, as they cannot be resolved by the data owner. It is therefore possible to reduce the overall risk through technical implementations that exhaust all risk mitigation measures, allowing management to accept the remaining risks. Nevertheless, the legal framework can change at any time, as corporate customers (or other market participants) can take legal action against the accepted risks if they do not consider them acceptable for data protection. One example is the July 2020 decision of the European Court of Justice (ECJ) which declared the US-EU Privacy Shield invalid (following the previous decision against Safe Harbour): it accepts the measures agreed in the CSP contracts, but refers to the data owner's responsibility to ensure that they are respected (see all the points mentioned above). The actions before the ECJ have so far been initiated by only one private individual (also in the case of Safe Harbour), who has won through the legal requirements of the GDPR (civil law system) — and this will continue to be the case in the future.
The next lawsuit will be against these contractual agreements, which will then certainly be overturned: contractual agreements between companies rank below the legal requirements of the responsible legal system (which should actually make agreements at the level of the Privacy Shield). The data owner is responsible and accepts risks; if these are demonstrably contrary to the GDPR, an action can again be brought before the ECJ.

It is therefore once again a matter of playing for time until reliable clarity is finally provided for companies. Therefore: companies can play along, but they should play strategically, with security and data protection implemented from the beginning and with exit strategies in place to bring substitutes onto the field at any time 😊.

Written by

empower people with IT and cloud — make the data more secure— Educate professionals — CISSP
