Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

07:00 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek

Europe Starts to Build Its Own Secure Cloud

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X.

The German Federal Government wants to join forces with other European partners to create a secure cloud for Europe called GAIA-X. The resulting data infrastructure should strengthen both the digital sovereignty for the demand of cloud services and the scalability and competitive position of European cloud providers. In the meantime, US cloud providers like Microsoft Azure change their contracts to align with the EU privacy regulation, GDPR.

"GAIA-X is one of the most important digital projects to defend the leading position of the German and European economy internationally," said the German Research Minister, Anja Karliczek. "GAIA-X will create a secure European space for data storage and processing. This is urgently needed, because power over data in Europe should no longer be in the hands of a few international corporations. With our project, safe roads are being built in Europe in the digital world. This is of central importance for the further development of the economy in Germany and Europe," said Karliczek.

The project envisages the networking of decentralized infrastructure services, in particular cloud and edge entities, to a homogeneous, user-friendly system. For example, companies in the EU could join forces and offer each other server capacity.

However, the new system should definitely not be set up as a competitor to the major US providers such as Amazon, Google or Microsoft, says the German government. Freedom of choice should be created, especially for European SMEs, on which servers and with which security standards sensitive data is stored.

"Europe will gain sovereignty over the secure economic use of data by building its own structures on cloud servers. This is the prerequisite for companies to be more willing to take full advantage of the opportunities offered by digitization. Only those who are sure that they can fully determine how their data will be used will be willing to save their data in data clouds and share them with others," said Karliczek.

An organization for GAIA-X is to be founded in the first half of 2020, and there will be first applications by the end of 2020.

Privacy could empower the EU Cloud
The EU privacy regulation, GDPR, plays a key role when European companies look for a new cloud service. An EU cloud service based on GAIA-X would have some advantages when it comes to privacy. That is especially true when EU-US Privacy Shield cannot fulfill all the obligations asked of it by the EU privacy authorities.

As things stand, the EDPB (European Data Protection Board) still has a number of significant concerns that need to be addressed by both the EU Commission and the US authorities, as the Third Annual Joint Review report shows. The EDPB says that the same concerns will be addressed by the Court of Justice of the European Union in cases that are still pending before it.

EU Investigations into Microsoft services and the new Services Terms\r\nIn April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between them are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. \r\nIn November 2019, Microsoft announced an update to the privacy provisions in the Microsoft Online Services Terms (OST) in the commercial cloud contracts. Through the OST update Microsoft wants to increase its data protection responsibilities for a subset of processing that Microsoft engages in when it provides enterprise services.

In the OST update, Microsoft clarifies that it assumes the role of data controller when it processes data for specified administrative and operational purposes involved in providing the cloud services covered by the contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyber attacks on any Microsoft product or service; and complying with the legal obligations.

The change to assert Microsoft as the controller for this specific set of data uses should serve the customers by providing further clarity about how Microsoft uses data, and about the commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.

EU Cloud together with US cloud providers?
The European data infrastructure project GAIA-X focuses on the requirement of a European solution that is internationally compatible. Non-European partners are also welcome as they share the EU values and goals -- data sovereignty and data availability, says the German government.\r\n"In this context we need to ask ourselves carefully: Where do we have to protect our digital sovereignty, and where do we have to get it back?" said Achim Berg, president of Bitkom, Germany's digital association. GAIA-X should be pursued as a European project from the start. Additionally, its functionality, user experience and costs need to withstand market competition. "If GAIA-X is to be a success, the public sector needs to play a key role," said Berg.

And, for sure, the EU privacy regulation will play a key role, not only for partnering with GAIA-X, but also for offering cloud services in the EU in general. Large cloud providers like Microsoft have already reacted to this requirement of the EU market; others will follow soon.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW07 allows an attacker to change some special parameters without authentication. This issue affects: WAGO 750-852 version FW07 and prior versions. WAGO 750-880/xxx-xxx version FW07 and prior versions. WAGO 750-881 ve...
PUBLISHED: 2020-09-30
Improper Authentication vulnerability in WAGO 750-8XX series with FW version <= FW03 allows an attacker to change the settings of the devices by sending specifically constructed requests without authentication This issue affects: WAGO 750-362 version FW03 and prior versions. WAGO 750-363 version ...
PUBLISHED: 2020-09-30
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.