Regarding data protection in the cloud computing environment, there are additional risks due to external service providers and data centers. The data is stored on systems external to the company and, since it is accessible via the Internet, there are additional data protection requirements.
The advantages of cloud services, such as savings on hardware and software, flexible tariff models, …, are tempting. The provider’s IT components are used by different companies and you can access them via the Internet from anywhere as soon as you have the access ID. Security holes and vulnerabilities can allow unauthorized access to data.
These risks can lead to the following problems:
- Unauthorized access to data by the cloud provider, by state institutions or by unauthorized third parties
- Data loss
- Data manipulation
- Theft of access IDs and misuse of the account
When using cloud services, several parties are involved who have an influence on the data protection-compliant execution. A relationship arises between the cloud provider, the cloud user and the clients of the cloud user, whose data protection rights are affected as third parties. The data protection requirements can only be met if the technical data security (hardware and software) is provided by the cloud provider. Encryption techniques for data and access (VPN), special authentication methods such as two-factor authentication, continuous monitoring, intrusion detection (IDS) and intrusion prevention (IPS) systems, sandboxing technologies and firewall components are used. Organizational security regulates physical access to data in the data center.
In addition to technical data security, the legal component of data protection must also be observed. The legal requirements vary greatly from country to country in some cases. Many cloud providers have their data centers outside the EU, e.g. in America. The original data protection agreement (Safe Harbor) was declared invalid by the European Court of Justice back in 2015. The fact that data from a European company is stored in the U.S. can already lead to a data breach if American authorities request data. According to the Patriot Act, cloud providers are required to provide data to the U.S. authorities.
Our data protection expert advises you to find out from the cloud provider exactly where your data will be stored and to make the appropriate agreements in good time.
“The cloud user bears primary responsibility for data security to third parties.”