Cloud applications are popular and there are many reasons for this. Cloud users can access their own data from anywhere, save local storage space and do not have to worry about updates and maintenance of the software. However, there is one aspect that plays an important role directly related to the use of a cloud: the issue of data protection. Users are advised to consider whether the provider complies with the applicable data protection requirements when selecting a cloud service provider.
Furthermore, users of a cloud solution themselves are required to take additional measures to ensure data protection. This obligation applies in particular to companies that work with personal data and store it in the cloud. Violations of data protection threaten financial damage through penalties, so data protection and cloud computing always go hand in hand.
What is cloud computing?
In cloud computing, users do not operate their own servers on which they host applications locally. Instead, they obtain digital infrastructures or individual applications via specialized cloud providers such as TeamDrive. Cloud solution providers operate large data centers and offer companies the flexibility to rent storage space or use applications via a browser.
Advantages of cloud services for companies
For companies, data protection-compliant cloud services are often the better choice compared to on-premise solutions on the company’s own premises. They offer better efficiency in terms of costs and more flexibility.
There are no costs for users for hardware, administration and maintenance. Cloud providers ensure that the applications run smoothly and also take care of updates. Easy scalability is one of the biggest advantages. If required, companies can add more memory or new functions, or cancel orders for unused capacities and services. Cloud systems also offer the option of accessing content from anywhere, regardless of location. In the mobile office at home, coworking or for users working remotely, secure access to documents in the cloud is possible across locations.
Risk factors for cloud computing
In a traditional IT infrastructure, corporate data is stored on a dedicated server located within the company. As a result, the data is subject at all times to the control and individual security standards to which the organization itself is committed. With cloud computing, data leaves the company premises, creating a potential security risk.
Hackers are open to unauthorized access to data centers of the cloud provider if they are inadequately protected in order to steal or manipulate data. There is also the risk that data transmission can be spied out if encryption is poor. Cloud providers make cloud applications available, so users are dependent on the operation working. Technical problems, power outages or natural disasters can disrupt the provision of services.
But does that mean cloud use should be discouraged in general? No, if companies can rely on service providers to secure the connection between users and the cloud, there is nothing to be said against cloud computing.
Otherwise, there is a risk of high financial damage if data is misused. This is especially true if personal data of third parties is stored in a cloud. Companies are legally liable for data security and must expect claims for damages if data protection is not observed.
Legal requirements for data protection in the cloud
The legislators have passed binding regulations on data protection in the cloud. They thus create a clear basis for action for providers and users of cloud solutions.
Anyone using or offering a cloud solution in Germany must comply with several regulations and laws at once.
Definition: Data security vs. data protection
What is data protection and what does data security mean? Do both terms mean the same thing or is each term stand-alone? Data privacy and data security are usually used interchangeably, but they describe different issues.
Data protection covers the legal requirements for the secure use, processing and storage of personal data such as name, address and date of birth. Data security, on the other hand, refers generally to measures for protecting personal or non-personal data.
General Data Protection Regulation (GDPR)
All companies with a registered office in the European Union (EU) are subject to the General Data Protection Regulation. The GDPR also applies to companies that offer goods or services in the EU as well as process personal data. It came into force in May 2018 and consists of a series of laws that ensure individuals better protection of their personal data.
The main provisions of the GDPR
Every individual has the right to receive information about what data has been processed about him or her by a company and how, and can request rectification or deletion. Data processing organizations are obliged to collect personal data only if it is necessary for the purpose of processing. The use of data must be designed to be comprehensible to data subjects. Controllers are required to provide evidence that the requirements of the GDPR (Article 5, paragraph 1) are met. In the event of data protection mishaps, information must be provided to data subjects and supervisory authorities without delay. Violations of the GDPR are threatened with fines of up to 20 million euros, depending on the individual case.
Federal Data Protection Act (BDSG)
Parallel to the European GDPR, the new Federal Data Protection Act came into force in Germany in 2018. Both laws have joint validity in each case. The national law substantiates and supplements some of the requirements of the GDPR. However, the General Data Protection Regulation sets the respective limits for the BDSG at all times, because European law generally takes precedence over national law.
Order data processing
What does this mean for companies in Germany that store personal data with a cloud provider? You cannot hold the cloud provider responsible for compliance with data protection requirements. The use of a cloud is considered commissioned data processing. The company must ensure that the cloud provider it engages complies with the applicable legal framework.
The end of the Privacy Shield
In July 2020, the European Court of Justice (ECJ) declared the Privacy Shield agreement between the USA and the European Union, which had previously been in force, invalid. Until now, it served as a legal basis for companies to have personal data stored and processed by cloud providers from the USA. Now, in many cases, it is unclear whether US cloud services meet the required GDPR level. Therefore, companies switched to providers with servers located in Germany or the European Union. This way, they reduced the risk of fines due to inadvertent non-compliance with the GDPR.
Data protection and cloud: characteristics of a secure cloud provider
The probability that cloud providers based in the European Union and Germany meet the GDPR criteria is generally high. Nevertheless, it is worth taking a closer look at potential partners. After all, there are black sheep in every industry. Below, some criteria have been compiled to facilitate decision-making for a cloud that complies with data protection:
Certifications and test certificates
The German Federal Office for Information Security certifies cloud service providers that meet certain standards for data protection with a C5 test certificate. International certifications, such as ISO/IEC 27001, also provide reliable guidance on the quality of data protection achieved by a provider.
Server locations
If a cloud service provider names Germany or an EU country as its location, for example, this does not necessarily mean that its servers are also located in the EU. Companies should therefore ask or ask to be shown the relevant documentation.
References and public ratings
Ratings in online portals are not always reliable. However, by comparing different platforms, companies can get an impression of which provider has repeatedly been given good ratings so that they can shortlist it. In addition, a look at references helps to see which companies are working with the favored provider.
Specialized cloud providers
Some providers offer cloud services as one of several IT services. However, legal requirements for data processing and security issues are becoming more complex and demanding. Therefore, a specialized cloud provider for which cloud computing and cloud hosting are part of the core business is recommended.
Existing security concept
Companies that decide to work with a cloud service need a security concept. This defines standards, technologies and processes, and describes how to deal with risks and incidents of damage. Providers of secure cloud systems also have such a concept for data protection and data security.
Google, Microsoft, Dropbox: Data protection in public clouds
Despite the legal uncertainty, the market of cloud providers is still dominated by US companies. Well-known names such as Google with Google Drive, Microsoft with OneDrive or Dropbox are widely used as cloud services. Even after the GDPR came into force, these companies offer their services in the European Union, emphasizing their high security standards and data protection measures.
Physical security
All three providers employ various security measures to ensure the physical security of their data centers. Mirrored data centers ensure that data is not lost even if a data center fails. Dropbox also hires third-party providers to operate its data centers, while Google and Microsoft operate their own data centers.
Encryption
For encryption of data stored on the servers, OneDrive and Dropbox use 256-bit AES encryption. Google uses the AES standard with 128-bit encryption for Google Workspace and Google Drive. All of them thus use the strongest form of encryption method currently available.
SSL/TLS encryption is used by all three providers to transfer data to and from the cloud. This is now standard. Perfect Secrecy Forward provides additional security. This technology prevents SSL keys from being tapped by hackers.
Users have the option of additionally encrypting their data end-to-end, but this does not protect the data from access by US authorities. In case of doubt, the providers grant access to sensitive data on the basis of the US Patriot Act. This also applies to the providers themselves, who could still access the data. None of the three providers mentioned has complete end-to-end encryption and the zero knowledge principle. Users must therefore expect that when they use cloud services such as Google Drive, Dropbox or OneDrive, they will not be using a cloud that automatically meets all the requirements of the GDPR and thus of data protection.
TeamDrive as a GDPR-compliant alternative to US cloud service providers
TeamDrive is one of the cloud service providers in the German-speaking world that scores where the other cloud services reveal their weaknesses. We meet the highest security standards and all requirements of the GDPR.
Data protection in accordance with German legislation is already considered in the development of the software (Privacy by Design). Protective measures against cyber attacks are also standard (Security by Design). Users do not have to retrofit these functions or add them via additional add-ons.
TeamDrive data protection at a glance
– true E2E encryption (zero knowledge without backdoor for authorities)
– GDPR-compliant by default
– GoBD-compliant for audit-proof archiving
– locations of all cloud servers in Germany
– configurations for hybrid IT infrastructures
– modular structure for individual company requirements
– German-speaking customer support available by phone (test winner of the Cloud Provider 2020 service study)
Five tips for secure use of the cloud
One hundred percent security does not exist, regardless of whether companies rely on on-premise solutions or cloud architectures. However, those who choose a trustworthy and secure cloud service provider and also establish internal company protection measures will achieve a high level of security. This makes it possible to implement reliable data protection.
Many effective protective measures are relatively simple, but their consistent implementation is crucial to success.
1. Backup
Use alternative methods of data backup in addition to cloud storage. You are then prepared for the (unlikely with a reputable provider) event that data is lost in the cloud. The same applies if no data is available for a longer period of time due to technical problems.
2. Restrict access rights
Introduce an authorization management system for your cloud and grant access rights only on an as-needed basis and, if possible, in granular increments. The more employees handle data, the greater the risk of misuse and data protection breaches.
3. Use strong passwords
Require all employees to use strong passwords. Systems offer the option to have credentials updated automatically and regularly. This simple measure effectively makes cyberattacks more difficult.
4. Collaborate with the cloud provider
Work closely with the cloud provider and proactively keep abreast of current advancements in security measures. Also, agree on a clear and defined course of action in case of security issues.
5. Smart anti-virus protection
Use anti-malware software that employs machine learning to indicate suspicious and potentially unauthorized data movement or network activity. This way, you can secure not only the corporate network, but also connections to cloud applications.
In addition, it is recommended that every company develops an IT security concept. This regulates all technical and organizational measures for protecting the company’s digital data, systems and processes. For an introduction to the topic, the compendium on basic IT protection from the German Federal Office for Information Security is recommended.