Cloud usage is booming worldwide, and with it the abundance of cloud providers and certification authorities. The current market is like a jungle of offers and quality seals – transparency of quality standards is in short supply. The research project “AUDITOR” wants to counteract this: an interdisciplinary team of scientists and companies is working on a data protection certification for cloud services, intended to serve as a standard in practice across Europe on the basis of the new EU General Data Protection Regulation.
Sharing photos, making project work available anywhere and creating hourly distributed backup copies of data – cloud computing is taking on more and more central tasks in private and professional life today. Small to medium-sized companies in particular often forego the acquisition and operation of their own high-performance data centers for cost reasons. Instead, they book virtual computing power from cloud providers. In so-called private clouds, they can often provide the bulk of everyday work resources – from their data to specialized software. Once outsourced to the network, these are then available at the company location as well as on business trips worldwide via remote access.
However, despite the many benefits, there are still concerns about booking cloud services as a substitute for one's own IT infrastructure. Growing numbers of reports of cyber-attacks on e-mail or Internet providers increase people's reluctance to store their private photos in the cloud and thus on the Internet. The outsourcing of processes and data that are sensitive for business success – especially in the case of holders of professional secrets – is viewed critically due to the loss of control over the processing server. Which offers are safe? How reliable are the different providers?
Research project against lack of transparency in cloud offers
“Anyone who wants to shed some light on the matter and would like to create an appropriate evaluation and classification of the cloud providers acting on the market cannot avoid a uniform, legally certified certification of cloud offerings. However, the diversity of the quality labels and certification authorities currently seems like a jungle, which only promotes the lack of transparency on the market and thus the user’s concerns,” says Dr. Marius Feldmann from Cloud&Heat Technologies in Dresden, describing the current market situation. According to him, it is of primary importance for the future viability and trustworthiness of cloud services, and thus of the entire industry, that a uniform system develops from the mass of offers and classifications: a system that provides users and operators with a clear, all-encompassing tool for rating offers according to the latest legal regulations for data protection in Europe and Germany.
Under the direction of Prof. Roßnagel and Prof. Sunyaev of the University of Kassel, more than ten German companies and research institutes have set themselves the goal of developing and practically testing an EU-wide standardized data protection certification for cloud services. The two-year AUDITOR (European Cloud Service Data Protection Certification) project aims to examine all relevant aspects, such as responsibilities, transparency requirements, liability and control mechanisms, in the light of the new EU General Data Protection Regulation.
“The AUDITOR project aims to improve the comparability of cloud services offered by companies from different EU member states, thereby creating transparency. This is made possible by a sustainably applicable EU-wide data protection certification of cloud services in accordance with the EU General Data Protection Regulation (DSGVO). In the interests of all players involved in the market, we are working on a market development in the cloud area,” reports Prof. Dr. med. Ali Sunyaev (Director at the Scientific Center for Information Technology Design (ITeG) of the University of Kassel). In addition to his Chair of Business Informatics and Systems Development, the Chair of Public Law with a focus on Law of Technology and Environmental Protection of the University of Kassel is also involved in the project. There are also project partners from the field: German cloud providers such as ecsec or Cloud&Heat Technologies, the association EuroCloud Deutschland_eco e.V., as well as TÜV Informationstechnik GmbH, TÜV NORD GROUP (TÜViT) and Datenschutz cert GmbH will be involved in shaping the pilot project.
Comprehensive benefits for all stakeholders through EU-wide certification
The certification, which has been designed in accordance with the EU General Data Protection Regulation (DSGVO), offers advantages for all groups involved. On the one hand, it guarantees private cloud users better protection of personal data in accordance with legal regulations. Companies, in turn, are advised, on legal grounds, to entrust their data and processes to those cloud providers that can give reasonable assurance that technical and organizational measures will ensure privacy. At the same time, the certificate offers users better comparability of the individual cloud offers. On the other hand, the providers themselves benefit by being able to demonstrably provide this security with a meaningful certification. And for the group of certifiers and auditors as well as supervisory authorities, a uniform standard simplifies the evaluation and auditing processes. “Data protection certification will help SMEs in particular to gain transparency and provide legal certainty in data processing in the European internal market,” says Andreas Weiss, Director EuroCloud Deutschland_eco e.V.
The role of Cloud&Heat in the funded project
The cloud provider Cloud&Heat Technologies GmbH, founded in 2011, has been operating an Infrastructure-as-a-Service (IaaS) solution since 2012 based on the open source product OpenStack. From the beginning, the company has placed a special focus on data security and data protection, in particular in order to provide prospective cloud customers with a secure alternative to well-known American cloud providers in accordance with German data protection law. Above all, the Dresden-based company contributes its years of accumulated experience and know-how in the operation of secure cloud solutions. Based on the existing IaaS solution from Cloud&Heat Technologies, the elaborated certificate will be thoroughly tested for its suitability for use throughout the life of the project before it can be brought to market maturity.
The aim of the research project “AUDITOR” is the conceptual design, exemplary implementation and testing of a sustainably applicable EU-wide data protection certification of cloud services. In the context of the cloud industry, the EU General Data Protection Regulation (DSGVO), which came into force on 25 May 2016, plays a significant role. The new regulation requires major changes in the processing of personal data. In addition, however, individual cloud providers must observe further EU-wide and national regulations, such as Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS-RL, adopted in Germany on 27.04.2017) or the Cloud Computing Compliance Controls Catalogue (C5) of the German Federal Office for Information Security (BSI). Internationally agreed technical standards (e.g. ISO/IEC 27018) are also relevant. The joint project runs from 01.11.2017 to 31.10.2019 and is supported by funds from the Federal Ministry for Economic Affairs and Energy (BMWi).
About Cloud&Heat Technologies
Cloud&Heat is a provider of OpenStack-based public and private cloud solutions. With secure, easy-to-use, sustainable and scalable solutions, the company offers IT infrastructures that meet the key requirements of the cloud future. Since 2012, the company has been running its own distributed cloud infrastructure, on which classic cloud computing (IaaS) is offered. With the conception, commissioning and maintenance of tailor-made cloud solutions for companies, Cloud&Heat completes its portfolio with the Datacenter in a Box, responding to the rapidly growing demand for in-house cloud infrastructures. The company passes on its many years of extensive know-how in working with OpenStack in the form of classical consulting, tailor-made courses or the implementation of individual OpenStack projects. The trick: the server waste heat is taken up directly from the thermal hotspots, such as CPU or RAM, discharged and can be used for heating real estate and for hot water treatment. The energy- and cost-efficient concept has won multiple awards, e.g. the German Datacenter Prize in 2015 & 2016.