Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

7/16/2019
10:30 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Data Protection in the Cloud Is Still a Big Issue in the EU

Building trust is key to the success of the European cloud market.

Offering cloud services to European companies and users means obeying European Union (EU) legisation like GDPR (General Data Protection Regulation) and proving that data and access in the cloud is protected. If there is any doubt about this, success inside the European cloud market will prove elusive.

Only 26% of the EU enterprises use cloud computing, mostly for hosting their email systems and storing files, more than half of them use advanced cloud services relating to financial and accounting software applications, customer relationship management or computing power to run business applications.

Most of these cloud services handle personal data, so the European privacy regulation GDPR applies. This regulation is not only relevant to EU enterprises but for any company processing personal data of "data subjects" who are in the EU, if the company offers goods or services to a person in the EU, irrespective of whether a payment is required, or the company monitors the behavior of persons in the EU.

The main obstacle for cloud services in the EU is data security: Four out of ten enterprises in the European Union already using the cloud reported the risk of a security breach as the main limiting factor in the use of more cloud computing services, says a study carried out for the European Commission.

Cloud computing raises a number of issues related to the protection of privacy and personal data that need to be properly addressed in service development and rollout, explains the European Data Protection Supervisor (EDPS):

  • First, in cloud environments the specific physical location of the data is usually not known by the client. However, the hosting location of data remains relevant with respect to the applicability of national law.
  • Second, the contractual asymmetry between service providers and clients may make it very difficult or even impossible for cloud clients acting as data controllers to comply with the requirements for personal data processing in a cloud computing environment.
  • Third, in cloud computing different players usually cooperate along the end-to-end value chain in order to deliver the service to the client. This leads to complex questions concerning the allocation of responsibilities.
  • Fourth, cloud computing also leads to a considerable increase of transfers of personal data over networks, involving many different parties and crossing borders between countries, including outside the EU. Depending on the type of service offered, data can be replicated in multiple locations, in order to make it better accessible from anywhere in the world. Where personal data is processed in these services, data controllers and processors must ensure compliance of these transfers with data protection rules.

Data protection in the EU is no longer just an issue for data protection authorities, but also for other regulators, such as those working in consumer protection or competition law. Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), said: “Massive scale data processing has serious consequences not only for individuals, but also for society, democracy and the environment. Data has become a geostrategic arena in which disparities in the digital dividend shared between those with power over their digital lives, freedoms and privacy, and those without, only continue to grow.”

European banks, for example, have been slower in their uptake of cloud services when compared to other industries due to the strict regulatory environment where banks operate in, says the European Banking Federation (EBF). Moreover, using, managing and storing customer information faces higher compliance risks, especially in the light of data and security guidelines like GDPR. The European Banking Authority (EBA) also published recommendations for cloud computing which credit institutions must observe.

Many banks in the EU are eager to adopt cloud services. However, the migration from on-premises solutions to a multicloud environment is a meticulous effort for banks that requires thorough assessment of risk and control levels. Only with all the risk, reporting and compliance expectations aligned can banks adopt public and hybrid cloud solutions within a competitive timeframe.

It has never been more true than today to say that without user trust, technology will not be able to advance to reach its full potential, said SCOPE Europe (Self and Co-Regulation for an Optimized Policy Environment in Europe), an association supporting the co-regulation of the information economy. The so-called "EU Cloud Code of Conduct General Assembly" published a revised Code version which has been submitted to the supervisory authorities in the EU for approval. "This Code release is a big achievement for the EU Cloud Code of Conduct, bringing the Code fully up to date with GDPR -- it is an important milestone for achieving high levels of data protection in the Cloud," said Jonathan Sage, chairman of the EU Cloud CoC General Assembly.

There is a huge demand in cloud certification for building the required trust on the customer side in the EU. But this market for cloud computing certification schemes is highly fragmented. Different initiatives have arisen at different levels, international standardization organisations and European member states have launched their own public and public-private initiatives, with varying levels of success. There is still no GDPR certification scheme at hand for cloud providers to proof the protection of cloud data and access.

Having these GDPR certification schemes, data protection will remain a big issue in the EU, but it will be an issue that can be fulfilled. Trust building among the cloud users in the EU by approved certifications and codes of conduct will definitely help to develop the European cloud market in a fast pace.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.