German CEPIS Member Society GI Presents Ten Points on Secure Cloud Computing

Gesellschaft für Informatik e.V. (GI) recently presented ten points on the theme of security and privacy issues of cloud computing. According to GI President Stefan Jähnichen, it is important to know the risks in order to provide responsible and helpful guidance on using “clouds”. The GI points deal with various risks and challenges including Identity Management, Access Control & Integrity Control, Logging & Auditing, Risk Management and Compliance (from both legal and technical perspectives).

The ten points can be found below:

1. Cloud computing may be a security risk because of the lack of possibilities to check and enforce corporate security policies, strategies, procedures, and measures. The overall security level of cloud computing cannot be higher than the level of security within an enterprise, as the enterprise is involved in the pre- and post-processing anyway.

2. Therefore, many organisations already use public clouds only for data considered harmless and process valuable data only in private clouds.

3. Private clouds don’t differ from usual corporate IT systems with regard to their security because they can be entirely controlled according to the corporate security policies and legal prescriptions for internal corporate information processing.

4. Certain organisations and industry sectors may not use clouds because public (and also hybrid) clouds are not exempt from the implementation of national laws and sector-specific self-regulation. Risk management policies and security concepts are to be adjusted when cloud computing is used. Constraints arise especially from privacy regulation that restricts the transfer of personal data into jurisdictions outside of the EU; privacy regulation is also relevant within the EU and defines obligations for subcontracted data-processing that limits the usage of public clouds.

5. Transmitting the data to be processed to public clouds using the extremely insecure Internet can only be secured through expensive means.

6. Data can be encrypted to increase its confidentiality when stored within a cloud, but encrypted data cannot be processed - it has to be decrypted before processing, which enables third parties to read the data (at least in public clouds). No standard or individually programmed program is free from errors. In cloud computing this especially refers to programs for transporting data into clouds, for administering clouds (virtualisation, load balance, geographic distribution, security measures) and for encryption programs and protocols. These programs may well have critical security gaps that can be exploited via the Internet and that allow (unknown) third parties to copy or intercept the data.

7. Any security incident needs to be investigated thoroughly, but due to the large number of IT systems that are widely geographically distributed, this is difficult to impossible. Seizure of localized data (carriers) by investigating authorities does not solve the problem: either the operation of the cloud (that is based on virtualisation and the support of multiple clients) is affected, or a data snapshot from the cloud is taken, which delivers only insufficient evidence before the courts, as it could have been manipulated.

8. Cloud providers may stop their service, e.g. due to economic difficulties. Even in those cases full control by the client needs to be secured not only in the contract but also via technical means; e.g. the so-called vendor lock-in could be avoided by sector-overarching standards. Free cloud-based services often have no warranty, so the data being processed can be exposed to extra high risks. Moreover, contracts currently give the advantage to the cloud providers and don’t appropriately value cloud users’ interests.

9. Discrepancies also arise between contracts and their actual technical enforcement, e.g. it is technically impossible to delete all data from a cloud when a contract ends or if an organisation goes bankrupt.

10. Cloud computing must be protected according to the value of the data processed to cover the risks of the joint use of hardware and software (Internet, infrastructure, processes) together with unknown third parties. Public clouds must be treated like critical infrastructures, if their use is to be generally widespread. This includes the consideration of cartel law and competition regulations such as the Essential Facilities Doctrine.

In conclusion, according to GI, the ten points above show that there are increased requirements for the protection of proprietary and also private data processing within cloud computing regarding the confidentiality, integrity, accountability (e.g. authentication of authorized parties), and availability of processed data and used IT systems. Furthermore the demand for legal protection has greatly increased.

Please click here for the original published article (in German)