Data transfer according to E-Evidence vs Confidential Computing: Are entire professional groups excluded from using the cloud?
With E-Evidence, a new international set of rules is about to make data available to authorities across national borders. If, for example, a judicial authority in Greece requests user data of a German customer, it should in future be possible to force the German cloud provider to surrender this data. This affects all information that the cloud service provider holds about its customers: from the stored content to metadata such as the time of the data transfer and the IP addresses of the sender and the recipient of the data packets.
This draft may be helpful for effective international law enforcement - but the demand raises fundamental questions about the data security of cloud services.
Cloud providers can access customer data
Technically, the provider is generally able to access user data, content data as well as metadata. Many cloud service providers can access their customers' data stored in the cloud. This means that such access can in principle also take place without an official order. This is an unpleasant idea, especially when companies handle sensitive data. If the cloud operator can access its customers' data at any time, who else can?
"For some professional groups (holders of professional secrets according to §203 StGB, such as lawyers and doctors), the possibility of information even represents a disclosure of secrets in the sense of the StGB from the outset from the use of cloud services and exposes them to the economic disadvantages that result from them," argues Ulrich Ganz, Director Software Engineering at the Munich TÜV SÜD subsidiary uniscon.
Confidential Computing: Technology vs. Arrangement
Companies that want to reliably prevent access by third parties - including the service operator - are already relying on services that implement the principle of confidential computing. Sensitive data is not only encrypted during storage and transmission, but also remains protected during processing. In addition to a general improvement in data security, the aim of confidential computing is also to make the advantages of cloud computing accessible to those industries that process sensitive data.
In uniscon's highly secure idgard® business cloud, the confidential computing approach is implemented using sealed cloud technology. Thorough data encryption and a set of interlinked technical measures in specially shielded server cages reliably exclude any unauthorized access. Only the customer is in possession of the corresponding key.
Data encryption prevents access
A request from third parties for access to this data is therefore pointless, as the operator has no access to it either. This technology allows professional groups that would otherwise be excluded, such as doctors and clinics, but also tax consultants, auditors and many more, to use cloud services.
It is important that legislative action does not do more harm than good. The cross-border delivery of data should therefore be viewed with great skepticism and should not be rushed through.
About uniscon - A company of the TÜV SÜD Group
Uniscon GmbH is a Munich-based provider of GDPR-compliant cloud and data room solutions for companies and one of the leading secure cloud providers in Europe. The products from uniscon go hand in hand: uniscon's Sealed Platform® offers a secure execution environment for web applications with high security requirements or high data protection requirements.