Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

7/16/2019
10:30 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Data Protection in the Cloud Is Still a Big Issue in the EU

Building trust is key to the success of the European cloud market.

Offering cloud services to European companies and users means obeying European Union (EU) legisation like GDPR (General Data Protection Regulation) and proving that data and access in the cloud is protected. If there is any doubt about this, success inside the European cloud market will prove elusive.

Only 26% of the EU enterprises use cloud computing, mostly for hosting their email systems and storing files, more than half of them use advanced cloud services relating to financial and accounting software applications, customer relationship management or computing power to run business applications.

Most of these cloud services handle personal data, so the European privacy regulation GDPR applies. This regulation is not only relevant to EU enterprises but for any company processing personal data of "data subjects" who are in the EU, if the company offers goods or services to a person in the EU, irrespective of whether a payment is required, or the company monitors the behavior of persons in the EU.

The main obstacle for cloud services in the EU is data security: Four out of ten enterprises in the European Union already using the cloud reported the risk of a security breach as the main limiting factor in the use of more cloud computing services, says a study carried out for the European Commission.

Cloud computing raises a number of issues related to the protection of privacy and personal data that need to be properly addressed in service development and rollout, explains the European Data Protection Supervisor (EDPS):

  • First, in cloud environments the specific physical location of the data is usually not known by the client. However, the hosting location of data remains relevant with respect to the applicability of national law.
  • Second, the contractual asymmetry between service providers and clients may make it very difficult or even impossible for cloud clients acting as data controllers to comply with the requirements for personal data processing in a cloud computing environment.
  • Third, in cloud computing different players usually cooperate along the end-to-end value chain in order to deliver the service to the client. This leads to complex questions concerning the allocation of responsibilities.
  • Fourth, cloud computing also leads to a considerable increase of transfers of personal data over networks, involving many different parties and crossing borders between countries, including outside the EU. Depending on the type of service offered, data can be replicated in multiple locations, in order to make it better accessible from anywhere in the world. Where personal data is processed in these services, data controllers and processors must ensure compliance of these transfers with data protection rules.

Data protection in the EU is no longer just an issue for data protection authorities, but also for other regulators, such as those working in consumer protection or competition law. Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), said: “Massive scale data processing has serious consequences not only for individuals, but also for society, democracy and the environment. Data has become a geostrategic arena in which disparities in the digital dividend shared between those with power over their digital lives, freedoms and privacy, and those without, only continue to grow.”

European banks, for example, have been slower in their uptake of cloud services when compared to other industries due to the strict regulatory environment where banks operate in, says the European Banking Federation (EBF). Moreover, using, managing and storing customer information faces higher compliance risks, especially in the light of data and security guidelines like GDPR. The European Banking Authority (EBA) also published recommendations for cloud computing which credit institutions must observe.

Many banks in the EU are eager to adopt cloud services. However, the migration from on-premises solutions to a multicloud environment is a meticulous effort for banks that requires thorough assessment of risk and control levels. Only with all the risk, reporting and compliance expectations aligned can banks adopt public and hybrid cloud solutions within a competitive timeframe.

It has never been more true than today to say that without user trust, technology will not be able to advance to reach its full potential, said SCOPE Europe (Self and Co-Regulation for an Optimized Policy Environment in Europe), an association supporting the co-regulation of the information economy. The so-called "EU Cloud Code of Conduct General Assembly" published a revised Code version which has been submitted to the supervisory authorities in the EU for approval. "This Code release is a big achievement for the EU Cloud Code of Conduct, bringing the Code fully up to date with GDPR -- it is an important milestone for achieving high levels of data protection in the Cloud," said Jonathan Sage, chairman of the EU Cloud CoC General Assembly.

There is a huge demand in cloud certification for building the required trust on the customer side in the EU. But this market for cloud computing certification schemes is highly fragmented. Different initiatives have arisen at different levels, international standardization organisations and European member states have launched their own public and public-private initiatives, with varying levels of success. There is still no GDPR certification scheme at hand for cloud providers to proof the protection of cloud data and access.

Having these GDPR certification schemes, data protection will remain a big issue in the EU, but it will be an issue that can be fulfilled. Trust building among the cloud users in the EU by approved certifications and codes of conduct will definitely help to develop the European cloud market in a fast pace.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...