The European Court of Justice declared the Safe Harbor agreement between the European Union and the United States to be null and void. Following the decision, you probably said, “I knew it all along!” After all, Safe Harbor has roots in the year 2000 – according to Forbes – and it enforced privacy regulations on the transfer of data between the U.S. and the EU, but we’ve figured for a long time now that Safe Harbor wasn’t enough. Now, many around the world question the security of European user data in the U.S., and many more worry that personally identifiable information (PII) and sensitive data are at risk of exposure when sent overseas.
“Cloud service providers should take the Safe Harbor ruling as a wake-up call.”
Cloud service providers – especially those in the U.S. – should take this as a wake-up call and as a signal that they must improve their data security standards if they want to remain a relevant cloud vendor in today’s megabreach market. EU companies and consumers will be paying attention to U.S.-based CSPs in the coming months, and we wouldn’t be surprised if CSPs are increasingly asked to show their adoption of accepted cloud security standards.
The current chatter about Safe Harbor and its weaknesses in regard to actual data security only confirms what the EU has thought for a long time: Data security and privacy are a big deal, and therefore, stricter regulations that ensure the protection of personally identifiable information and other sensitive information are exactly what Europe – and the rest of the world – need. This is particularly important given the megabreaches of the past few years and the abundance of data being sent across global public networks every day. We cannot just ignore mobility and other disruptive technologies, but too often EU businesses choose security over the cloud. This is especially apparent in Germany, where data security is of the highest importance in the digital realm. Therefore, data security standards must improve, and getting rid of Safe Harbor was just the first step in the right direction.
EU Model Clauses as an alternative to Safe Harbor
After all, there have been serious alternatives to Safe Harbor for some time now. Specifically, the EU Model Clauses are better at protecting data than Safe Harbor. Developed by the European Commission in the early 2000s and frequently updated since then, the EU Model Clauses regulate commissioned data processing and the transmission of personal data to non-member countries outside of the EU as well as within the EU. Corporations that want to legally protect their data in accordance with European data protection standards should examine whether the cloud service provider of their choice already offers the EU Model Clauses. If cloud providers adopt and adhere to the EU Model Clauses, they are bound even more closely to EU data security requirements. The important aspect to note about these regulations is that the legal framework enforces both technical and organizational measures.
It’s up to CSPs to protect data, and right now, adherence to the EU Model Clauses is a best bet.
The most important thing for CSPs to understand is that a company may not adapt these regulations themselves but, instead, has to adopt them without modification as a supplement to the service agreement. Despite being pioneers in technological development, CSPs in the U.S. are far behind those in the EU, as evidenced by the dissolution of Safe Harbor. This means that American cloud vendors currently lack a legal framework that is not only relevant in today’s data protection climate but achievable without large investments. In this regard, U.S. CSPs should adhere to the EU Model Clauses. This will help them earn the trust of organizations both stateside and in the EU, and by complying with those standards, the nullified Safe Harbor agreement is no longer an issue for businesses that transmit data overseas.
“The EU Model Clause is only a foundation.”
Encryption and control are required
That said, the EU Model Clause is only a foundation, for both EU organizations and U.S. companies. Agreements alone are insufficient to secure sensitive data, whatever developments follow the elimination of Safe Harbor.
Instead of waiting for politicians, governments or service providers to rectify data protection issues with regulations, companies should take more responsibility for the security of their clouds. Anyone who wants to restrict unauthorized access by third parties to sensitive data in the cloud will not be able to do so without encryption, particularly in public cloud environments. Of course, when it comes to encryption, cloud users need control over the keys and the ability to encrypt information before it reaches the cloud. Users should be able to manage the keys themselves rather than leaving this competency to the cloud provider. CSPs that offer such functions in their standard package are moving ahead of their competition in the key area of cloud security.
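The point above, encrypting before data reaches the cloud with keys the customer holds, as an added example that is not from the original post or any vendor: a customer-side seal/open pair using AES-256-GCM, where the provider only ever stores the sealed blob. The type and function names (Tenant, Seal, Open) are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Tenant is the cloud customer. The AES-256 key is generated and kept on the
// customer side; the provider only ever receives the sealed blobs.
type Tenant struct{ key []byte }
func NewTenant() (*Tenant, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return &Tenant{key: key}, err
}

func (t *Tenant) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an object with AES-GCM before upload. The object name is bound
// as associated data, so a blob moved under another name fails to open.
func (t *Tenant) Seal(name string, plaintext []byte) ([]byte, error) {
	gcm, err := t.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open decrypts a downloaded blob; a wrong key, name or any tampering is rejected.
func (t *Tenant) Open(name string, blob []byte) ([]byte, error) {
	gcm, err := t.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}
```

Whatever the provider stores or a second tenant holds, only the key that sealed the object can open it, and a renamed or modified blob is rejected at decryption.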
Promoting trust through certification
Today’s provider market is characterized by a variety of solutions and standards. Certificates can serve as a guide when deciding on a cloud service and promote the trust of cloud users – above all, the nervousness in Europe surrounding the current legal situation has shown that trust is an important success factor. Among the most comprehensive international standards for quality, security and compliance in the cloud is the “Certified Cloud Service” certificate from TÜV Rheinland. Renowned international cloud service providers have already undergone the demanding audit.
For this certification, our specialists examine every technical detail to establish whether the provider keeps its promises with respect to security. Compliance is one of the most important factors for us: The implementation of data protection requirements is also checked, not least and specifically with respect to the EU Model Clauses. Possible changes in the data protection environment are tracked over the certificate’s validity period, and the requirements for maintaining the certificate are adapted accordingly.
TÜV Rheinland examines cloud services on the basis of different, internationally recognized standards of information security as well as quality and risk management. Among other things, the requirements of the German Federal Data Protection Act, which imposes the most extensive requirements on data protection and data security worldwide, have been incorporated. In addition, all the important standards, such as ISO 27001 for information security, as well as best practices have been taken into account. TÜV Rheinland’s own research results, as well as the experience of its auditors from many international projects, have also been incorporated into the “Certified Cloud Service” certificate.
Among the important inspection areas analyzed are the location and separation of data, network security and access controls. Besides examining concepts and documentation and conducting interviews, our experts also subject the cloud architecture itself to an in-depth examination by scrutinizing the service in a technical analysis. The “Certified Cloud Service” certification offers several advantages. It creates international comparability. At the same time, the company also demonstrates to the outside world that the protection of customer data is of the utmost importance. That creates trust.
The future of enterprise IT, consumer technology, and much more lies in the cloud. However, the implementation and daily use of cloud services will only succeed if contracts are reliable, CSPs have adopted cloud security standards and businesses use encryption.
Source: Sky Chat IT Blog