Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

// // //
07:00 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek

Europe Starts to Build Its Own Secure Cloud

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X.

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X. The resulting data infrastructure should strengthen both the digital sovereignty for the demand of cloud services and the scalability and competitive position of European cloud providers. In the meantime, US cloud providers like Microsoft Azure change their contracts to align with the EU privacy regulation, GDPR.

"GAIA-X is one of the most important digital projects to defend the leading position of the German and European economy internationally," said the German Research Minister, Anja Karliczek. "GAIA-X will create a secure European space for data storage and processing. This is urgently needed, because power over data in Europe should no longer be in the hands of a few international corporations. With our project, safe roads are being built in Europe in the digital world. This is of central importance for the further development of the economy in Germany and Europe," said Karliczek.

The project envisages the networking of decentralized infrastructure services, in particular cloud and edge entities, to a homogeneous, user-friendly system. For example, companies in the EU could join forces and offer each other server capacity.

However, the new system should definitely not be set up as a competitor to the major US providers such as Amazon, Google or Microsoft, says the German government. Freedom of choice should be created, especially for European SMEs, on which servers and with which security standards sensitive data is stored.

"Europe will gain sovereignty over the secure economic use of data by building its own structures on cloud servers. This is the prerequisite for companies to be more willing to take full advantage of the opportunities offered by digitization. Only those who are sure that they can fully determine how their data will be used will be willing to save their data in data clouds and share them with others," said Karliczek.

An organization for GAIA-X is to be founded in the first half of 2020, and there will be first applications by the end of 2020.

Privacy could empower the EU Cloud
The EU privacy regulation, GDPR, plays a key role when European companies look for a new cloud service. An EU cloud service based on GAIA-X would have some advantages when it comes to privacy. That is especially true when EU-US Privacy Shield cannot fulfill all the obligations asked of it by the EU privacy authorities.

As things stand, the EDPB (European Data Protection Board) still has a number of significant concerns that need to be addressed by both the EU Commission and the US authorities, as the Third Annual Joint Review report shows. The EDPB says that the same concerns will be addressed by the Court of Justice of the European Union in cases that are still pending before it.

EU Investigations into Microsoft services and the new Services Terms\r\nIn April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between them are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. \r\nIn November 2019, Microsoft announced an update to the privacy provisions in the Microsoft Online Services Terms (OST) in the commercial cloud contracts. Through the OST update Microsoft wants to increase its data protection responsibilities for a subset of processing that Microsoft engages in when it provides enterprise services.

In the OST update, Microsoft clarifies that it assumes the role of data controller when it processes data for specified administrative and operational purposes involved in providing the cloud services covered by the contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyber attacks on any Microsoft product or service; and complying with the legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses should serve the customers by providing further clarity about how Microsoft uses data, and about the commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

EU Cloud together with US cloud providers?
The European data infrastructure project GAIA-X focuses on the requirement of a European solution that is internationally compatible. Non-European partners are also welcome as they share the EU values and goals -- data sovereignty and data availability, says the German government.\r\n"In this context we need to ask ourselves carefully: Where do we have to protect our digital sovereignty, and where do we have to get it back?" said Achim Berg, president of Bitkom, Germany's digital association. GAIA-X should be pursued as a European project from the start. Additionally, its functionality, user experience and costs need to withstand market competition. "If GAIA-X is to be a success, the public sector needs to play a key role," said Berg.

And, for sure, the EU privacy regulation will play a key role, not only for partnering with GAIA-X, but also for offering cloud services in the EU in general. Large cloud providers like Microsoft have already reacted to this requirement of the EU market; others will follow soon.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-10-02
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
PUBLISHED: 2022-10-02
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
PUBLISHED: 2022-10-01
SonicJS through 0.6.0 allows file overwrite. It has the following mutations that are used for updating files: fileCreate and fileUpdate. Both of these mutations can be called without any authentication to overwrite any files on a SonicJS application, leading to Arbitrary File Write and Delete.
PUBLISHED: 2022-09-30
### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end use...
PUBLISHED: 2022-09-30
Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.