Why encryption technologies alone don’t guarantee data protection and what all this has to do with the commercial duty of care.
Even the most modern encryption technology cannot, on its own, guarantee comprehensive protection of sensitive data in the cloud. Encryption protects data in transit and at rest, but it does not answer who operates the infrastructure, under which jurisdiction the keys and ciphertext sit, and who can compel access to them. The cloud location, meaning the physical place where the data is stored, is therefore becoming ever more important. The point is not to partition data within national borders, but to give companies the assurance of knowing where their "gold" is kept.
Imagine the following scene: automobile manufacturer BMW develops a new vehicle concept and invests millions of euros in this future-proof innovation. If, during research and development, BMW simply saved its strictly confidential design data in the cloud without knowing where the cloud provider keeps its "treasures", the security and integrity of this data would be at enormous risk. If the data happened to have been stored in a data centre on the Crimean peninsula, for example, it would now be in Russian hands.
Customers gain this assurance primarily when the service provider lets them choose the cloud location for their data according to their security requirements, with contract terms that fit their use case and that name the location explicitly.
Naturally, the cloud location must be accompanied by the appropriate technical protection mechanisms to prevent unauthorised access to confidential company data across the entire infrastructure of the cloud ecosystem: in the cloud itself (the provider's servers), during transmission, and at the gateways of the client's own IT such as routers, switches and modems. This requires strong encryption, firewalls and intrusion detection systems; location and technical controls complement each other, and neither substitutes for the other.
But the most important issue in cloud security remains that the owner of critical company data should always have full and exclusive control over those assets. Estonian president Toomas Hendrik Ilves, as Chairman of the Steering Board of the "European Cloud Partnership", expressed his views in January 2014 as follows: "The outsourcing of services and citizen data, for which our country has assumed a responsibility of trust, to providers outside our country's borders is not entirely impossible. The decisive factor is that this data should be stored in the most secure host possible, which cannot be accessed by anyone without the data owner's authorisation. The cloud provider should have the relevant technical and legal measures in place for this."
Estonia, the Baltic country leading in e-identity concepts, has, together with Finland, established a cross-border cloud project for VAT databases. Toomas Hendrik Ilves believes that every EU member state should follow this path and keep a backup of important citizen data beyond its own borders, so that a national disruption does not make the data unavailable. Important services and data can only be fully safeguarded through such collaborations.
If a pan-European cloud strategy with harmonised technical standards, uniform contract terms and pre-commercial procurement in the public sector, in other words a single digital market for cloud computing, becomes reality, the protectionism that currently obstructs cross-border cloud use would disappear with it.
One aspect that is often entirely disregarded is that the commercial duty of care itself requires a secure cloud location as part of acceptable risk management.
The provisions of the Austrian Stock Corporation Act in §§ 81 ff, as well as Rule No. 9 of the Austrian Corporate Governance Code, define the management board's duty to inform the supervisory board. This includes risk assessment and the establishment of efficient and effective risk management. Under these provisions, when business-critical data is outsourced, choosing the right cloud location calls for a comprehensive risk assessment by a diligent business person, one that evaluates all security requirements for handling confidential data, including where the data and its keys reside and who can access them.
The European market for independent cloud solutions will therefore orient itself around overall security concepts. For this purpose, clear ownership rules for stored data should apply, provider-neutral technologies should be used, transmission infrastructure and data centres must be further upgraded, and contract terms should be harmonised. Realising the vision of a single digital market will improve Europe's chances of regaining its position on the global stage in hardware and software production and of strengthening Europe as an ICT location as a whole.