Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

12/5/2019
07:00 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Europe Starts to Build Its Own Secure Cloud

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X.

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X. The resulting data infrastructure should strengthen both the digital sovereignty for the demand of cloud services and the scalability and competitive position of European cloud providers. In the meantime, US cloud providers like Microsoft Azure change their contracts to align with the EU privacy regulation, GDPR.

"GAIA-X is one of the most important digital projects to defend the leading position of the German and European economy internationally," said the German Research Minister, Anja Karliczek. "GAIA-X will create a secure European space for data storage and processing. This is urgently needed, because power over data in Europe should no longer be in the hands of a few international corporations. With our project, safe roads are being built in Europe in the digital world. This is of central importance for the further development of the economy in Germany and Europe," said Karliczek.

The project envisages the networking of decentralized infrastructure services, in particular cloud and edge entities, to a homogeneous, user-friendly system. For example, companies in the EU could join forces and offer each other server capacity.

However, the new system should definitely not be set up as a competitor to the major US providers such as Amazon, Google or Microsoft, says the German government. Freedom of choice should be created, especially for European SMEs, on which servers and with which security standards sensitive data is stored.

"Europe will gain sovereignty over the secure economic use of data by building its own structures on cloud servers. This is the prerequisite for companies to be more willing to take full advantage of the opportunities offered by digitization. Only those who are sure that they can fully determine how their data will be used will be willing to save their data in data clouds and share them with others," said Karliczek.

An organization for GAIA-X is to be founded in the first half of 2020, and there will be first applications by the end of 2020.

Privacy could empower the EU Cloud
The EU privacy regulation, GDPR, plays a key role when European companies look for a new cloud service. An EU cloud service based on GAIA-X would have some advantages when it comes to privacy. That is especially true when EU-US Privacy Shield cannot fulfill all the obligations asked of it by the EU privacy authorities.

As things stand, the EDPB (European Data Protection Board) still has a number of significant concerns that need to be addressed by both the EU Commission and the US authorities, as the Third Annual Joint Review report shows. The EDPB says that the same concerns will be addressed by the Court of Justice of the European Union in cases that are still pending before it.

EU Investigations into Microsoft services and the new Services Terms\r\nIn April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between them are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. \r\nIn November 2019, Microsoft announced an update to the privacy provisions in the Microsoft Online Services Terms (OST) in the commercial cloud contracts. Through the OST update Microsoft wants to increase its data protection responsibilities for a subset of processing that Microsoft engages in when it provides enterprise services.

In the OST update, Microsoft clarifies that it assumes the role of data controller when it processes data for specified administrative and operational purposes involved in providing the cloud services covered by the contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyber attacks on any Microsoft product or service; and complying with the legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses should serve the customers by providing further clarity about how Microsoft uses data, and about the commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

EU Cloud together with US cloud providers?
The European data infrastructure project GAIA-X focuses on the requirement of a European solution that is internationally compatible. Non-European partners are also welcome as they share the EU values and goals -- data sovereignty and data availability, says the German government.\r\n"In this context we need to ask ourselves carefully: Where do we have to protect our digital sovereignty, and where do we have to get it back?" said Achim Berg, president of Bitkom, Germany's digital association. GAIA-X should be pursued as a European project from the start. Additionally, its functionality, user experience and costs need to withstand market competition. "If GAIA-X is to be a success, the public sector needs to play a key role," said Berg.

And, for sure, the EU privacy regulation will play a key role, not only for partnering with GAIA-X, but also for offering cloud services in the EU in general. Large cloud providers like Microsoft have already reacted to this requirement of the EU market; others will follow soon.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-20949
PUBLISHED: 2021-01-20
Bleichenbacher's attack on PKCS #1 v1.5 padding for RSA in STM32 cryptographic firmware library software expansion for STM32Cube (UM1924). The vulnerability can allow one to use Bleichenbacher's oracle attack to decrypt an encrypted ciphertext by making successive queries to the server using the vul...
CVE-2020-25683
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. A remote attacker, who can create valid DNS replies, could use this flaw to cause an overflow in a heap-allocated memory. T...
CVE-2020-25684
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in the forward.c:reply_query() if the reply destination address/port is used by the pending forwarded queries. However, it does not use the address/port to retrieve the exact forwarded query,...
CVE-2020-25685
PUBLISHED: 2021-01-20
A flaw was found in dnsmasq before version 2.83. When getting a reply from a forwarded query, dnsmasq checks in forward.c:reply_query(), which is the forwarded query that matches the reply, by only using a weak hash of the query name. Due to the weak hash (CRC32 when dnsmasq is compiled without DNSS...
CVE-2020-35271
PUBLISHED: 2021-01-20
Employee Performance Evaluation System in PHP/MySQLi with Source Code 1.0 is affected by cross-site scripting (XSS) in the Employees, First Name and Last Name fields.