Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

7/16/2019
10:30 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Data Protection in the Cloud Is Still a Big Issue in the EU

Building trust is key to the success of the European cloud market.

Offering cloud services to European companies and users means obeying European Union (EU) legisation like GDPR (General Data Protection Regulation) and proving that data and access in the cloud is protected. If there is any doubt about this, success inside the European cloud market will prove elusive.

Only 26% of the EU enterprises use cloud computing, mostly for hosting their email systems and storing files, more than half of them use advanced cloud services relating to financial and accounting software applications, customer relationship management or computing power to run business applications.

Most of these cloud services handle personal data, so the European privacy regulation GDPR applies. This regulation is not only relevant to EU enterprises but for any company processing personal data of "data subjects" who are in the EU, if the company offers goods or services to a person in the EU, irrespective of whether a payment is required, or the company monitors the behavior of persons in the EU.

The main obstacle for cloud services in the EU is data security: Four out of ten enterprises in the European Union already using the cloud reported the risk of a security breach as the main limiting factor in the use of more cloud computing services, says a study carried out for the European Commission.

Cloud computing raises a number of issues related to the protection of privacy and personal data that need to be properly addressed in service development and rollout, explains the European Data Protection Supervisor (EDPS):

  • First, in cloud environments the specific physical location of the data is usually not known by the client. However, the hosting location of data remains relevant with respect to the applicability of national law.
  • Second, the contractual asymmetry between service providers and clients may make it very difficult or even impossible for cloud clients acting as data controllers to comply with the requirements for personal data processing in a cloud computing environment.
  • Third, in cloud computing different players usually cooperate along the end-to-end value chain in order to deliver the service to the client. This leads to complex questions concerning the allocation of responsibilities.
  • Fourth, cloud computing also leads to a considerable increase of transfers of personal data over networks, involving many different parties and crossing borders between countries, including outside the EU. Depending on the type of service offered, data can be replicated in multiple locations, in order to make it better accessible from anywhere in the world. Where personal data is processed in these services, data controllers and processors must ensure compliance of these transfers with data protection rules.

Data protection in the EU is no longer just an issue for data protection authorities, but also for other regulators, such as those working in consumer protection or competition law. Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), said: “Massive scale data processing has serious consequences not only for individuals, but also for society, democracy and the environment. Data has become a geostrategic arena in which disparities in the digital dividend shared between those with power over their digital lives, freedoms and privacy, and those without, only continue to grow.”

European banks, for example, have been slower in their uptake of cloud services when compared to other industries due to the strict regulatory environment where banks operate in, says the European Banking Federation (EBF). Moreover, using, managing and storing customer information faces higher compliance risks, especially in the light of data and security guidelines like GDPR. The European Banking Authority (EBA) also published recommendations for cloud computing which credit institutions must observe.

Many banks in the EU are eager to adopt cloud services. However, the migration from on-premises solutions to a multicloud environment is a meticulous effort for banks that requires thorough assessment of risk and control levels. Only with all the risk, reporting and compliance expectations aligned can banks adopt public and hybrid cloud solutions within a competitive timeframe.

It has never been more true than today to say that without user trust, technology will not be able to advance to reach its full potential, said SCOPE Europe (Self and Co-Regulation for an Optimized Policy Environment in Europe), an association supporting the co-regulation of the information economy. The so-called "EU Cloud Code of Conduct General Assembly" published a revised Code version which has been submitted to the supervisory authorities in the EU for approval. "This Code release is a big achievement for the EU Cloud Code of Conduct, bringing the Code fully up to date with GDPR -- it is an important milestone for achieving high levels of data protection in the Cloud," said Jonathan Sage, chairman of the EU Cloud CoC General Assembly.

There is a huge demand in cloud certification for building the required trust on the customer side in the EU. But this market for cloud computing certification schemes is highly fragmented. Different initiatives have arisen at different levels, international standardization organisations and European member states have launched their own public and public-private initiatives, with varying levels of success. There is still no GDPR certification scheme at hand for cloud providers to proof the protection of cloud data and access.

Having these GDPR certification schemes, data protection will remain a big issue in the EU, but it will be an issue that can be fulfilled. Trust building among the cloud users in the EU by approved certifications and codes of conduct will definitely help to develop the European cloud market in a fast pace.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
'BootHole' Vulnerability Exposes Secure Boot Devices to Attack
Kelly Sheridan, Staff Editor, Dark Reading,  7/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17364
PUBLISHED: 2020-08-05
USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs.
CVE-2020-4481
PUBLISHED: 2020-08-05
IBM UrbanCode Deploy (UCD) 6.2.7.3, 6.2.7.4, 7.0.3.0, and 7.0.4.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181848.
CVE-2020-5608
PUBLISHED: 2020-08-05
CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to bypass authentication and send altered c...
CVE-2020-5609
PUBLISHED: 2020-08-05
Directory traversal vulnerability in CAMS for HIS CENTUM CS 3000 (includes CENTUM CS 3000 Small) R3.08.10 to R3.09.50, CENTUM VP (includes CENTUM VP Small, Basic) R4.01.00 to R6.07.00, B/M9000CS R5.04.01 to R5.05.01, and B/M9000 VP R6.01.01 to R8.03.01 allows a remote unauthenticated attacker to cre...
CVE-2020-8607
PUBLISHED: 2020-08-05
An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentia...