Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

12/5/2019
07:00 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Europe Starts to Build Its Own Secure Cloud

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X.

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X. The resulting data infrastructure should strengthen both the digital sovereignty for the demand of cloud services and the scalability and competitive position of European cloud providers. In the meantime, US cloud providers like Microsoft Azure change their contracts to align with the EU privacy regulation, GDPR.

"GAIA-X is one of the most important digital projects to defend the leading position of the German and European economy internationally," said the German Research Minister, Anja Karliczek. "GAIA-X will create a secure European space for data storage and processing. This is urgently needed, because power over data in Europe should no longer be in the hands of a few international corporations. With our project, safe roads are being built in Europe in the digital world. This is of central importance for the further development of the economy in Germany and Europe," said Karliczek.

The project envisages the networking of decentralized infrastructure services, in particular cloud and edge entities, to a homogeneous, user-friendly system. For example, companies in the EU could join forces and offer each other server capacity.

However, the new system should definitely not be set up as a competitor to the major US providers such as Amazon, Google or Microsoft, says the German government. Freedom of choice should be created, especially for European SMEs, on which servers and with which security standards sensitive data is stored.

"Europe will gain sovereignty over the secure economic use of data by building its own structures on cloud servers. This is the prerequisite for companies to be more willing to take full advantage of the opportunities offered by digitization. Only those who are sure that they can fully determine how their data will be used will be willing to save their data in data clouds and share them with others," said Karliczek.

An organization for GAIA-X is to be founded in the first half of 2020, and there will be first applications by the end of 2020.

Privacy could empower the EU Cloud
The EU privacy regulation, GDPR, plays a key role when European companies look for a new cloud service. An EU cloud service based on GAIA-X would have some advantages when it comes to privacy. That is especially true when EU-US Privacy Shield cannot fulfill all the obligations asked of it by the EU privacy authorities.

As things stand, the EDPB (European Data Protection Board) still has a number of significant concerns that need to be addressed by both the EU Commission and the US authorities, as the Third Annual Joint Review report shows. The EDPB says that the same concerns will be addressed by the Court of Justice of the European Union in cases that are still pending before it.

EU Investigations into Microsoft services and the new Services Terms\r\nIn April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between them are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. \r\nIn November 2019, Microsoft announced an update to the privacy provisions in the Microsoft Online Services Terms (OST) in the commercial cloud contracts. Through the OST update Microsoft wants to increase its data protection responsibilities for a subset of processing that Microsoft engages in when it provides enterprise services.

In the OST update, Microsoft clarifies that it assumes the role of data controller when it processes data for specified administrative and operational purposes involved in providing the cloud services covered by the contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyber attacks on any Microsoft product or service; and complying with the legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses should serve the customers by providing further clarity about how Microsoft uses data, and about the commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

EU Cloud together with US cloud providers?
The European data infrastructure project GAIA-X focuses on the requirement of a European solution that is internationally compatible. Non-European partners are also welcome as they share the EU values and goals -- data sovereignty and data availability, says the German government.\r\n"In this context we need to ask ourselves carefully: Where do we have to protect our digital sovereignty, and where do we have to get it back?" said Achim Berg, president of Bitkom, Germany's digital association. GAIA-X should be pursued as a European project from the start. Additionally, its functionality, user experience and costs need to withstand market competition. "If GAIA-X is to be a success, the public sector needs to play a key role," said Berg.

And, for sure, the EU privacy regulation will play a key role, not only for partnering with GAIA-X, but also for offering cloud services in the EU in general. Large cloud providers like Microsoft have already reacted to this requirement of the EU market; others will follow soon.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: They said you could use Zoom anywhere.......
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13285
PUBLISHED: 2020-08-13
For GitLab before 13.0.12, 13.1.6, 13.2.3 a cross-site scripting vulnerability exists in the issue reference number tooltip.
CVE-2020-16087
PUBLISHED: 2020-08-13
An issue was discovered in Zalo.exe in VNG Zalo Desktop 19.8.1.0. An attacker can run arbitrary commands on a remote Windows machine running the Zalo client by sending the user of the device a crafted file.
CVE-2020-17463
PUBLISHED: 2020-08-13
FUEL CMS 1.4.7 allows SQL Injection via the col parameter to /pages/items, /permissions/items, or /navigation/items.
CVE-2019-16374
PUBLISHED: 2020-08-13
Pega Platform 8.2.1 allows LDAP injection because a username can contain a * character and can be of unlimited length. An attacker can specify four characters of a username, followed by the * character, to bypass access control.
CVE-2020-13280
PUBLISHED: 2020-08-13
For GitLab before 13.0.12, 13.1.6, 13.2.3 a memory exhaustion flaw exists due to excessive logging of an invite email error message.