Security and privacy issues in the cloud

Hybrid Cloud, IT & Management Consulting, Security & Compliance

Cloudy outlook?

In recent weeks and months, publications on the subject of security and data protection in the cloud have sprung up like mushrooms in late summer. Almost all well-known institutions and companies have thrown their opinions into the ring and outlined the necessary steps for secure operation or use of cloud services. Nevertheless, it is worth taking a look at the similarities and differences between the positions and what conclusions a company can draw from what has been said when considering the options for moving parts of its IT to the cloud.

Worry written across the face

According to a study by, security concerns topped the ranking of the biggest concerns when dealing with the topic of cloud computing as early as 2008. If you consider the stricter legal requirements in Germany and Europe, especially in comparison with the legal situation in the United States, you can certainly understand the recent intensification of the focus on this topic. This is also confirmed by an IDC survey of IT decision-makers conducted in March of this year. The study shows that security concerns are still seen as the biggest barrier to the use of IT services from the cloud.

At the latest since the German Federal Ministry for Information Security (BSI) published its key issues paper with security recommendations for cloud computing providers, the question of information security in cloud computing has finally landed on the agenda of all those who have already outsourced their IT or parts of it to the IT cloud or are considering doing so. The aim of the BSI's comments is to summarize the state of the discussion and define a basic framework of security requirements that are also flexible enough to adapt to the frequently changing circumstances in the cloud computing environment. The potential of the cloud is seen by the authors as a matter of course, but in the view of the BSI, the necessary security considerations are what make it possible to actually exploit the advantages such as flexibility and efficiency.

BITKOM, as the IT industry association, also sees the issue of security as the most important success factor of cloud computing. According to the authors, "cloud computing as a basic innovation" stands or falls with the achievement of the security specifications necessary for the service user. A similar position is also taken by itSMF Deutschland e.V. in its position paper on cloud computing.

Even in the industry media, such as Computerwoche or CIO Magazin, hardly a week goes by without new articles or commentaries appearing on the subject of cloud and security. There are two main areas that are addressed time and again.

Firstly, there is the area of using cloud services bypassing the IT department. Particularly when it is becoming easier and easier to use and no further technical requirements need to be met apart from a browser with Internet access, it is a simple matter for the specialist departments to also use such offerings. Circumventing the security requirements present in the company is thus an easy task, whereby it is added that not only the tools are used online, but then often the data is also stored 'somewhere' with the provider. .

The second major task area is that of compliance issues. And there the focus is primarily on the data protection issues that arise from the distributed architectures in the cloud environment.

Data protection in the cloud: the new confusion

The fact that data protection requires a great deal of attention after the recent scandals is not a new insight. Depending on how the cloud is used, whether private, hybrid or public cloud, the requirements can vary. A thorough analysis of the situation is therefore generally recommended in order to be on the safe side legally.

In the case of a private cloud, the issue can still be considered relatively simple. The usual laws and requirements for the company's industry apply, including the German Federal Data Protection Act (BDSG). With the other forms, the situation becomes much more difficult.

For companies that intend to obtain IT services from the cloud, it is important to know that the BDSG defines the holder of personal data as the 'responsible party'. The consequence is in fact that the company holding the right to the data always remains responsible for compliance with data protection. This also applies if the actual collection, processing or utilization of the data is outsourced to the cloud. Responsibility cannot therefore be delegated. Since every use of personal data is purpose-bound under the BDSG, the company must ensure that the data is also only used for the purpose previously consented to by the data subject (i.e., the individual described by the data). This can be very difficult with data that is not located in the company's own IT systems, especially since it is not necessarily possible to know where the data is located.

The question of the data storage location immediately gives rise to the next sore point. The BDSG stipulates that personal data may only be used and stored in the EU and some countries. This in particular can be difficult to understand for service providers with global operations. One option then is for the cloud provider to submit to safe harbor regulations, i.e., to commit to increased security measures even if data protection laws in the country where the data storage is located are rather lax. However, this does not absolve the outsourcing company from ensuring that this is the case and actively informing those affected in the event of violations.

Conclusion: It's possible, but watch out!

Even if it seems at first glance that German data protection law puts a stop to the use of cloud services, there are enough scenarios in which recourse is possible. There are just a few points to keep in mind. First, the question should be asked as to which data is suitable at all or whether there are other alternatives. Distributed solutions with an application hosted in the cloud and an in-house database holding the data are also conceivable. And if you still want (or even have to) obtain certain services from the cloud as commissioned data processing, you should clarify how the supplier guarantees an appropriate level of data protection and how you can check this. Separate agreements on the subject should also be considered in individual cases.

Torsten Kanngiesser

Go back