Data owners' responsibility for cloud outsourcing

mpneo
6 min read · Nov 27, 2020
what companies should consider in cloud migration projects — iStock

Cloud computing and the benefits it brings are well known to almost all businesses (including the private sector) and are leading to a rapid increase in cloud usage across all businesses and sectors. The advantages include, for example, the so-called infinite computing power, fast provisioning and decommissioning, and pay-as-you-go pricing (see the NIST definition).

But when a company decides to move to the cloud, the entire governance framework within which it operates changes. Successful cloud projects are always accompanied by a cultural change in the company, which requires a clear strategic direction. An important insight in the evaluation phase of a cloud migration, which is part of that strategic direction, is that the core of cloud outsourcing is the outsourcing of corporate data and of its processing. Regulated companies in particular (financial institutions under PCI-DSS, insurance companies under HIPAA, etc.) must justify each of these points to the competent supervisory authority and ensure data protection at every point. The first step should therefore be to identify the legal requirements for corporate data. These include:

  • Personal data covered by GDPR (or similar legislation) must be considered; this corresponds to PII (Personally Identifiable Information)
  • The cloud provider's (CSP's) possibilities to access the outsourced data
  • Assurance of data protection by the cloud provider, e.g. through appropriate compliance measures following industry standards or norms
  • Data sovereignty: geographical boundaries (geofencing); national law; union law (EU, USA etc.); cooperation with other companies (contract clauses that require data to be stored exclusively within the company)
  • The cloud provider's security measures against hacking and other attackers
  • Contractual agreements with customers and the need for possible contract changes (see the point on cooperation with other companies)

The essential element of data-processing outsourcing is the place where the data is processed and where it is stored. This is comparable to renting a data centre, where all aspects of the location are likewise considered (fences, personnel, CCTV etc.). The following points must be taken into account:

  • Data is processed outside the company's country → other legal bases apply
  • Determination of the legal system at the place of processing, or to which the cloud provider is subject: in the common law system (USA, UK, Canada, other former British colonies) judges rely on precedents to create comparability between cases; the civil law system (e.g. the EU except the UK) instead works with abstract legal requirements laid down by the legislator, i.e. no precedents but pure abstraction of the laws.
  • Transparency of data processing by the cloud provider: access restrictions, log entries, security measures etc.
  • Effects of changes in hardware and subcontractors on data processing: use of other data centres, destruction/degaussing of data media etc.

Especially important: outsourcing to a cloud provider does not outsource the responsibility for the data! The responsibility remains with the company, which is therefore also legally liable for the data: the CSP is the data processor, the company remains the data owner. The following selection criteria for the CSP must therefore be considered:

  • The focus must be on information security and data protection
  • Compliance with CIA — Confidentiality, Integrity, Availability
  • Place of data storage, GDPR
  • Data encryption — ‘in transit’ and ‘at rest’
  • Certifications and pentests: SOC reports, ISO/IEC 27001/27002 etc.

Compliance with ISO/IEC 27018:2019 can serve as a guideline here. It specifies additional controls and guidance for PII in the public cloud:

  • First International Code of Conduct
  • Privacy for personal information in the cloud
  • Based on ISO/IEC 27002
  • Provides guidance on implementing controls

Prior to cloud outsourcing, data classification is necessary. The data owner (i.e. the company as cloud user) must perform it in order to carry out a meaningful, strategic and secure outsourcing. It includes the following components:

  • Data retention: the retention period must be defined according to the legal requirements, which depend on the business unit and the type of data (GDPR, HIPAA, PCI-DSS etc.)
  • Data storage: where and how the data is stored. Storage location and type must be adjusted accordingly for the cloud; data-carrier encryption; transport encryption
  • Classification into data-protection requirement classes: the data must be broken down precisely by the data of the respective specialist areas. Since there are different types of data (e.g. accounting, personnel, sales, customer data, financial transactions), the protection-requirement classification must be broken down in the same way. Each type is then assessed according to the business impact of unintentional publication, destruction or theft of the data: financial impact on the company value, customer migration, national or international media interest, impairment of the company value, special audits by authorities and/or regulators, involvement of partner companies and communication with corporate customers
  • The result of the protection-requirement classes is, for example, data categories such as Secret, Confidential, Internal, Public
  • According to the classified data categories, the data can then be tagged automatically or manually in order to implement technical protection measures

The legal and regulatory aspects are then complemented by technical measures that the CSP can offer, which are to be understood as risk-mitigation measures. For data at rest these are, for example:

  • Encryption of data media (AES, Rijndael, Twofish etc.)
  • Bring-Your-Own-Key (BYOK) — Root key is generated by the company itself and made available accordingly (not only for data at rest).
  • Hold-Your-Own-Key (HYOK) — All key operations are performed by the company itself (not only for data at rest).
  • Access rights
  • etc.
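
As an added example (not code from the original post), the classification procedure and the key-handling measures above carried into a small Python script: ratings on the post's business-impact dimensions decide the protection class, PII is raised to at least Confidential, and the resulting tags select encryption and key mode. The class-to-key-mode mapping, the EU residency tag and the sample inventory are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protection requirement classes from the post, lowest to highest, and the
# business-impact dimensions it lists; each dimension is rated 0 (none) to 3 (severe).
CLASSES = ["Public", "Internal", "Confidential", "Secret"]
IMPACT_DIMENSIONS = ("financial", "customer_migration", "media_interest",
                     "regulator_audit", "partner_involvement")
# Assumed mapping of class to key handling at the CSP: provider-managed keys,
# then Bring-Your-Own-Key, then Hold-Your-Own-Key for the highest class.
KEY_MODE = {"Public": None, "Internal": "CSP", "Confidential": "BYOK", "Secret": "HYOK"}

@dataclass
class Asset:
    name: str
    business_unit: str
    impact: Dict[str, int]                # dimension -> rating 0..3
    contains_pii: bool = False            # personal data in the GDPR sense
    retention_days: Optional[int] = None  # legal retention period, must be defined

def classify(asset: Asset) -> str:
    """Worst impact rating sets the class; PII is raised to at least Confidential."""
    worst = max(asset.impact.get(d, 0) for d in IMPACT_DIMENSIONS)
    cls = CLASSES[min(worst, len(CLASSES) - 1)]  # ratings above 3 are capped
    if asset.contains_pii and CLASSES.index(cls) < CLASSES.index("Confidential"):
        cls = "Confidential"  # GDPR applies regardless of business impact
    return cls

def tag(asset: Asset) -> Dict[str, object]:
    """Tags that drive technical protection, plus findings the owner must close first."""
    cls = classify(asset)
    tags = {"class": cls, "owner": asset.business_unit,
            "encrypt_at_rest": cls != "Public", "key_mode": KEY_MODE[cls],
            "residency": "EU" if asset.contains_pii else "any"}  # assumes an EU company
    findings: List[str] = []
    if asset.retention_days is None:
        findings.append("retention period undefined")
    return {"tags": tags, "findings": findings}

# Constructed sample inventory, not real company data.
INVENTORY = [
    Asset("marketing_brochures", "marketing", {"media_interest": 0}),
    Asset("personnel_files", "hr", {"financial": 1, "regulator_audit": 1}, contains_pii=True),
    Asset("card_transactions", "finance", {"financial": 3, "regulator_audit": 3},
          contains_pii=True, retention_days=3650),
]

def classify_inventory(inventory: List[Asset] = INVENTORY) -> Dict[str, Dict[str, object]]:
    return {a.name: tag(a) for a in inventory}
```

Running `classify_inventory()` shows the personnel files being lifted from Internal to Confidential purely because they contain PII, and flagged because no retention period has been defined yet.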

In addition, cloud outsourcing changes the data flow that previously took place within the company:

  • East-west traffic = network traffic between the individual systems within a data centre, i.e. within the company's data centres or within the cloud provider's data centres
  • North-south traffic = network traffic over the Internet from the company to the cloud provider, or from the cloud provider over the Internet to the corporate data centre

In addition to the technical measures listed above, the secure construction of the cloud architecture should therefore also take the following into account:

  • Micro-segmentation of networks (see data flow)
  • Design, architecture and operation according to the zero-trust model
  • Protection against dynamic and variable threats: information security measures
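
An added example, not from the original post: flow records classified as east-west or north-south using the post's definitions, then checked against a micro-segmentation policy and the transport-encryption requirement for traffic that crosses the Internet. The address ranges, segments, policy and flow lines are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed address plan, assumed for this example: one corporate data centre
# range and one cloud range; any address outside both is treated as the Internet.
SITES = {"corp": ipaddress.ip_network("10.10.0.0/16"),
         "cloud": ipaddress.ip_network("10.200.0.0/16")}
# Micro-segments inside the cloud range and the only cross-segment east-west
# flows the segmentation policy permits: (src_segment, dst_segment, dst_port).
SEGMENTS = {"web": ipaddress.ip_network("10.200.1.0/24"),
            "db": ipaddress.ip_network("10.200.2.0/24"),
            "hr": ipaddress.ip_network("10.200.3.0/24")}
ALLOWED_CROSS_SEGMENT = {("web", "db", 5432)}
TLS_PORTS = {443, 8443}  # north-south traffic must be transport-encrypted

def _lookup(ip, table: dict) -> Optional[str]:
    return next((name for name, net in table.items() if ip in net), None)

def classify_flow(line: str) -> Dict[str, object]:
    """Parse a constructed 'src dst dst_port' record and return its direction
    (east-west or north-south) plus any policy findings."""
    src_s, dst_s, port_s = line.split()
    src, dst, port = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s), int(port_s)
    src_site, dst_site = _lookup(src, SITES), _lookup(dst, SITES)
    findings: List[str] = []
    if src_site is not None and src_site == dst_site:
        direction = "east-west"  # stays inside one data centre (corporate or cloud)
        s_seg, d_seg = _lookup(src, SEGMENTS), _lookup(dst, SEGMENTS)
        if s_seg and d_seg and s_seg != d_seg and (s_seg, d_seg, port) not in ALLOWED_CROSS_SEGMENT:
            findings.append(f"cross-segment {s_seg}->{d_seg}:{port} not permitted by segmentation policy")
    else:
        direction = "north-south"  # corporate DC <-> cloud, or an Internet endpoint
        if port not in TLS_PORTS:
            findings.append(f"north-south flow to port {port} without transport encryption")
    return {"direction": direction, "findings": findings}

# Constructed flow records (src dst dst_port), not captured traffic.
FLOWS = [
    "10.200.1.15 10.200.2.20 5432",  # web -> db inside the cloud: permitted east-west
    "10.200.1.15 10.200.3.7 445",    # web -> hr file share: east-west, violates segmentation
    "10.10.4.2 10.200.1.15 443",     # corporate DC -> cloud over TLS: clean north-south
    "10.10.4.2 10.200.2.20 3306",    # corporate DC -> cloud db in plaintext: finding
    "203.0.113.9 10.200.1.15 80",    # Internet -> cloud web in plaintext: finding
]

def audit(lines: List[str] = FLOWS) -> Dict[str, Dict[str, object]]:
    return {line: classify_flow(line) for line in lines}
```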

In summary, every company should be aware that outsourcing information to the public cloud always brings benefits, but that these benefits require a risk assessment. I would like to emphasise here that the responsibility for the data remains with the company and that companies remain liable for this data: data processing is outsourced, but not the responsibility for it. For risk assessment and analysis this means, conversely, that all CSP measures are risk-reducing measures: the overall risk is lowered, but it is not eliminated. Cloud outsourcing adds further outsourcing risks that cannot all be covered by technical measures. In concrete terms these are, for example, the differing legal systems of cloud user and cloud provider, which must be treated as accepted risks because the data owner cannot resolve them. It is therefore a matter of exhausting all technical risk-mitigation measures to reduce the overall risk, so that management can accept the remaining risks. Nevertheless, the legal framework can shift at any time, because corporate customers (or other market participants) can take legal action against the accepted risks if they do not consider them acceptable from a data-protection standpoint. Take, for example, the July 2020 decision of the European Court of Justice (ECJ) that declared the US-EU Privacy Shield invalid (following the earlier decision against Safe Harbour): it accepts the measures agreed in the CSP contracts, but refers to the data owner's responsibility to ensure that they are respected (see all the points above). So far the actions before the ECJ have been initiated by a single private individual (as in the Safe Harbour case), who won on the basis of the legal requirements of the GDPR (civil law system), and this will continue to be the case in the future.
The next lawsuit will target these contractual agreements, which will then certainly be dropped: contractual agreements between companies rank below the legal requirements of the responsible legal system (which should actually set agreements at the level of the Privacy Shield). The data owner is responsible and accepts risks; if these are demonstrably contrary to the GDPR, one can again bring an action before the ECJ.

It is therefore once again a race against time until reliable clarity is finally provided for companies. Therefore: companies can play along, but they should play strategically, with security and data protection implemented from the beginning and with exit strategies in place so that substitutes can be brought onto the field at any time 😊.

mpneo

empower people with IT and cloud — make the data more secure — Educate professionals — CISSP