Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

7/16/2019
10:30 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Data Protection in the Cloud Is Still a Big Issue in the EU

Building trust is key to the success of the European cloud market.

Offering cloud services to European companies and users means obeying European Union (EU) legisation like GDPR (General Data Protection Regulation) and proving that data and access in the cloud is protected. If there is any doubt about this, success inside the European cloud market will prove elusive.

Only 26% of the EU enterprises use cloud computing, mostly for hosting their email systems and storing files, more than half of them use advanced cloud services relating to financial and accounting software applications, customer relationship management or computing power to run business applications.

Most of these cloud services handle personal data, so the European privacy regulation GDPR applies. This regulation is not only relevant to EU enterprises but for any company processing personal data of "data subjects" who are in the EU, if the company offers goods or services to a person in the EU, irrespective of whether a payment is required, or the company monitors the behavior of persons in the EU.

The main obstacle for cloud services in the EU is data security: Four out of ten enterprises in the European Union already using the cloud reported the risk of a security breach as the main limiting factor in the use of more cloud computing services, says a study carried out for the European Commission.

Cloud computing raises a number of issues related to the protection of privacy and personal data that need to be properly addressed in service development and rollout, explains the European Data Protection Supervisor (EDPS):

  • First, in cloud environments the specific physical location of the data is usually not known by the client. However, the hosting location of data remains relevant with respect to the applicability of national law.
  • Second, the contractual asymmetry between service providers and clients may make it very difficult or even impossible for cloud clients acting as data controllers to comply with the requirements for personal data processing in a cloud computing environment.
  • Third, in cloud computing different players usually cooperate along the end-to-end value chain in order to deliver the service to the client. This leads to complex questions concerning the allocation of responsibilities.
  • Fourth, cloud computing also leads to a considerable increase of transfers of personal data over networks, involving many different parties and crossing borders between countries, including outside the EU. Depending on the type of service offered, data can be replicated in multiple locations, in order to make it better accessible from anywhere in the world. Where personal data is processed in these services, data controllers and processors must ensure compliance of these transfers with data protection rules.

Data protection in the EU is no longer just an issue for data protection authorities, but also for other regulators, such as those working in consumer protection or competition law. Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), said: “Massive scale data processing has serious consequences not only for individuals, but also for society, democracy and the environment. Data has become a geostrategic arena in which disparities in the digital dividend shared between those with power over their digital lives, freedoms and privacy, and those without, only continue to grow.”

European banks, for example, have been slower in their uptake of cloud services when compared to other industries due to the strict regulatory environment where banks operate in, says the European Banking Federation (EBF). Moreover, using, managing and storing customer information faces higher compliance risks, especially in the light of data and security guidelines like GDPR. The European Banking Authority (EBA) also published recommendations for cloud computing which credit institutions must observe.

Many banks in the EU are eager to adopt cloud services. However, the migration from on-premises solutions to a multicloud environment is a meticulous effort for banks that requires thorough assessment of risk and control levels. Only with all the risk, reporting and compliance expectations aligned can banks adopt public and hybrid cloud solutions within a competitive timeframe.

It has never been more true than today to say that without user trust, technology will not be able to advance to reach its full potential, said SCOPE Europe (Self and Co-Regulation for an Optimized Policy Environment in Europe), an association supporting the co-regulation of the information economy. The so-called "EU Cloud Code of Conduct General Assembly" published a revised Code version which has been submitted to the supervisory authorities in the EU for approval. "This Code release is a big achievement for the EU Cloud Code of Conduct, bringing the Code fully up to date with GDPR -- it is an important milestone for achieving high levels of data protection in the Cloud," said Jonathan Sage, chairman of the EU Cloud CoC General Assembly.

There is a huge demand in cloud certification for building the required trust on the customer side in the EU. But this market for cloud computing certification schemes is highly fragmented. Different initiatives have arisen at different levels, international standardization organisations and European member states have launched their own public and public-private initiatives, with varying levels of success. There is still no GDPR certification scheme at hand for cloud providers to proof the protection of cloud data and access.

Having these GDPR certification schemes, data protection will remain a big issue in the EU, but it will be an issue that can be fulfilled. Trust building among the cloud users in the EU by approved certifications and codes of conduct will definitely help to develop the European cloud market in a fast pace.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.