Unexplained risks with cloud computing

US access to data stored outside the United States is a problem for companies that use cloud computing solutions from major US vendors. Potentially, they come into conflict with the EU's new data protection legislation. Experts recommend a segmented approach and a risk assessment.

Giorgio V. Müller, 5 April 2019, 07:00

In cloud computing, the IT infrastructure of third-party vendors is used over the Internet; the user's own computer serves only as an access device. (Photo: Karin Hofer / NZZ)

Among companies, cloud computing, the renting of IT infrastructure and software, enjoys unstoppable demand. This is because companies want to tie up less capital and prefer variable costs to the previously fixed IT costs. Depending on their needs, they pay only for the IT resources they actually use.

Cédric Moret, Head of Elca Informatik (Image: Jean-Bernard Sieber / ELCA Informatik AG)

In addition, there are many new offerings that, as part of the ongoing digitalization of business processes, exist only in the form of software as a service, says Cédric Moret, CEO of the French-Swiss company Elca Informatik. As an example, he cites organizers such as football clubs that wanted to regain control of their core business from major wholesalers such as Ticketmaster or Starticket. For ticket sales, they would no longer have to worry about infrastructure and maintenance, but would have direct access to the fans again. Such cloud solutions have become standard in many business processes and indispensable in everyday operations.

It is therefore not surprising that business is flourishing for the corresponding vendors (cloud service providers), which provide their corporate customers with infrastructure for a fee. The largest among them, also called hyperscalers, are major US companies (Amazon Web Services, Microsoft Azure, Cloud Platform, IBM SoftLayer, Oracle Cloud, Salesforce, VMware).

Worldwide there are as many as 3000 to 4000 cloud providers. Their services are particularly popular with technology and telecommunications companies as well as financial institutions. But industrial companies are also increasingly moving to cloud services, especially the large ones, and increasingly the remaining companies as well.

The longer arm of US justice

Contrary to what the name suggests, data in cloud computing is not stored in any cloud but on servers in a data center made of concrete and steel. The legal treatment of this data depends on where the data center is physically located. Consequently, the jurisdiction of the country in question is relevant. However, that jurisdiction does not always stop at the country's borders. For more than a year, the US authorities have, under certain conditions, had access to data at locations outside the United States, thanks to the Clarifying Lawful Overseas Use of Data Act (US Cloud Act).

The trigger for this delicate change, which has troubled companies ever since, was the frustration of US law enforcement agencies. In one case, they could not get access to the email traffic of two US drug dealers because it was stored on a Microsoft server in Ireland. The Cloud Act has created the legal basis for extraterritorial access. A gain for US law enforcement agencies, a potentially explosive issue for companies that deal with cloud vendors.

Even in cloud computing, data is stored in buildings of concrete and steel (pictured: Google's Southlands data center in Council Bluffs, Iowa). (Image: Brian Snyder / Reuters)

The Cloud Act, which is meant to serve the fight against crime, requires only a vague connection to the United States in order to be applied, for example when an American cloud provider is involved. The provider can defend itself only if the specific case does not concern US citizens or people in the United States and the disclosure would violate national law. This can force an American cloud provider to decide whether it would rather violate US law or the EU General Data Protection Regulation (GDPR).

And the customer who uses such a cloud service and whose data is concerned? He has no means of defense, because he is not a party to the proceedings. How the law will be interpreted in practice remains open, as there are still no court decisions based on the US Cloud Act. Last month, the US Department of Justice wrote a letter aimed at addressing the most pressing questions about the law and promoting understanding. However, the uncertainty has not been resolved.

The American hyperscalers, too, are trying to calm the waters. A spokesman for AWS stressed that the law is applied only to a very narrow category of crime, for example terrorism or organized crime. A formal authorization from an independent court is also needed before data is handed over. And before this happens in a given case, customers would be notified.

Weigh the risks

What options are there? Simply storing data in a data center in Switzerland is not enough. US companies that store data in Switzerland would also be covered by the US Cloud Act, confirms Moret of Elca Informatik. For this reason, Swiss executives are calling on Swiss managers to segment their data, that is, to divide it into sensitive and less sensitive data.

Secret data and information about individuals should not only be stored in encrypted form, but preferably on site at the company or in its own data center. There are also national solutions from third parties, i.e. Swiss providers that store data in Swiss data centers. And if the data has no connection to the United States, this should prevent all access by the US government.

Financially, national solutions are not more expensive, according to Moret. For information that is harmless in terms of privacy, on the other hand, offers from a large US cloud provider may also be considered. The downside of this hybrid approach, however, is that different contacts would be involved and monitoring the data storage would be more demanding. Yet most companies choose this route.

According to the US market research institute IDC, more than 70% of companies worldwide already use several cloud environments. To keep the administration of the various cloud services manageable, there is an extensive set of solutions that enable centralized management of such fragmented cloud environments. Moret is convinced that a multi-cloud approach makes things more complex, but also gives a company the flexibility it needs today.

In addition to the usual cyber risks and compliance with stricter data protection rules, cloud computing also has potential legal pitfalls. Companies would have to live with this residual risk, however, says Moret. This also applies to the choice of hardware and software, as the risk of espionage is real. The only option would be close control over the entire value chain, which is extremely difficult.

This requires transparency in the hardware plans and in open source software, where the source code, written in the programming language used, is visible to third parties and can be changed by them. "We spend a lot of time deciding what kind of hardware we use to prove to the customer that we are protecting their data," says Moret, explaining the importance of the subject.
