Businesses, institutions and public authorities are increasingly outsourcing their data processing tasks to external companies and are thereby using «cloud computing». Applications and data are no longer kept in a private network but in the ‘cloud’. The user then has remote access to data, services and infrastructure which are available in the cloud.
Cloud computing is a term from information technology (IT) and means that software, memory capacity and computer power can be accessed via a network, for instance the Internet or within a Virtual Private Network (VPN), as and when it is needed. In other words, the IT landscape (e.g. data processing centre, data storage facilities, e-mail and collaboration software, development environments and special software such as Customer Relationship Management [CRM]) is no longer owned and run by the company or institution, but is a service which can be rented from one or more cloud service providers.
There are various types of cloud computing, which differ in terms of organisational structure and service model.
A distinction is made between private, public, hybrid and community clouds.
In a public cloud, the infrastructure is organised and managed entirely by the cloud provider. The cloud user cannot interfere in any way and has no influence over, for instance, the location of the server. In the case of a private cloud, the situation is different; this is run by the enterprise or by a third party and is always set up solely for the use of the enterprise itself. Such a system is much more secure, but also more expensive. If public and private clouds are used in parallel and at the same time, this is known as a hybrid cloud. Lastly, a community cloud is one in which several organisations have access to the same infrastructure.
There are three types of service model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
IaaS is a hosting service: the cloud provider makes a server available in the cloud on which the cloud user can save data or applications. The cloud provider alone is responsible for the network, access, hardware, etc. PaaS is a data processing service: the cloud provider develops an application and makes this available to the users in the cloud. Users can then manage their own data using this application. With SaaS, the cloud users are simply consumers. They do not manage anything, whether applications or data. They simply have access to a function within the cloud which enables them to process their data.
The main reasons for using cloud computing systems are lower costs for IT infrastructure and software, software updates on demand, greater computing power, dynamic memory (the memory space rented in the cloud increases or decreases with the volume of data stored), mobility, quick and easy access, scalability and in some cases, greater security.
Risks in using cloud computing
There are always risks involved when data is outsourced. The particular risks associated with cloud computing are:
- Loss of control over data: Because of the global network and its virtual nature, the location of the data is often unknown to the user. This is particularly true in the case of public clouds. The cloud user, as a responsible controller of the data file, does not know exactly where in the cloud her data is stored and processed. Frequently she does not know whether or not subcontractors are involved and if there is sufficient data protection. This means that cloud users cannot guarantee that data protection requirements - data security, right of access, correction and deletion of data - are fully met.
- Missing or insufficient separation/isolation of different data processing processes: A key feature of the concept of cloud computing is that various totally unconnected users can put their data in the same cloud and have it processed in the same system (known as a multi-tenant architecture). This increases the risk of being affected by attacks aimed at one of the other users; a user's own data may thus become unavailable due to hacking or Distributed Denial of Service (DDoS) attacks, or the data itself is hacked along with that of other users. It is therefore of vital importance that the different cloud users' data is processed in strict isolation and data cannot be ????
- Compliance risks: In the cloud, there is a danger that different parts of a set of data end up in different data centres around the world. This can lead to problems not only in terms of data protection and data security, but also in relation to other legal requirements (obligation of safe-keeping, burden of proof, confidentiality, etc.). Companies and public authorities which use cloud computing services are often insufficiently aware of the fact that responsibility for meeting data protection requirements lies with them rather than with the provider who saves the data on a cloud server or processes the data in the cloud.
- Access to data by foreign authorities: The processing of data in the cloud often takes place in other countries. This means that data may be stored or processed in countries which do not have (adequate) data protection laws. In certain circumstances, cloud service providers are also required to allow foreign authorities and courts access to data in the cloud, even if the data is not processed or stored in that particular country.
- Lock-in effect: A further risk is the degree of dependence on the cloud service provider and the lack of portability and interoperability. In other words, because standardised technology and interfaces are not used, data cannot be transferred back into a company's own IT system or migrated to another cloud provider - or at least, this can only be done at great expense.
The following risks always exist, regardless of whether data processing takes place in a cloud or not.
- Loss of data: Data can be lost if it is stolen, deleted, erroneously overwritten or altered in some other way. If adequate back-up systems do not exist, this could have serious legal consequences for a company and may threaten its survival. This may be the case when technical know-how, other confidential information (e.g. customer lists or accounting bases) or financial accounting is affected. To prevent data loss, appropriate security systems have to be put in place; such data should preferably not be outsourced to the cloud.
- System and network failure and non-availability of rented resources and services may lead to loss of data or access by unauthorised persons. As a result, the confidentiality, security and integrity of the data can no longer be guaranteed. Furthermore, when systems and networks fail, this can interfere hugely with the normal running of a company or organisation, resulting in both financial losses and serious damage to its reputation.
- Misuse of data by malicious insiders or employees: In some circumstances, the service provider does not declare how its employees' access rights (physical or virtual) are regulated and correspondingly monitored. A declaration of confidentiality is also often not evident to the user. With regard to cloud computing, more attention must therefore be paid to this issue when using public clouds.
Data protection requirements when using cloud computing services
- If personal data is processed in cloud computing, in data protection terms this is normally considered to be data processing by a third party under Art. 10a of the Data Protection Act (DPA). Under this Act, the processing of personal data may be assigned to third parties (in this case, cloud service providers) by agreement or by law as long as the data is processed as the instructing party (i.e. cloud user) would be permitted to process it, and it is not prohibited by any statutory or contractual duty of confidentiality. The cloud service provider must therefore be required to comply in full with the data protection laws applicable in Switzerland. This also applies to any subcontractors employed by the provider. However, in practice it is difficult to enforce this requirement, as in cloud computing applications the cloud service provider's subcontracting relations are often not transparent to the cloud user. The instructing party must in particular ensure that the third party guarantees data security.
- The cloud user must also ensure that the cloud service provider as a third party protects data in accordance with Art. 7 DPA and Art. 8 ff. and 20 ff. DPO. This means that personal data must be protected by appropriate technical and organisational means against unauthorised interference. The confidentiality, availability and the integrity of the data must be guaranteed. The cloud service provider must protect the data against the following risks: unauthorised or accidental destruction or accidental loss; technical faults; forgery, theft or unlawful use; unauthorised alteration, copying, access or other unauthorised processing. These measures should be checked periodically on site. The manner in which the data protection requirements are applied depends on the company or public body, on the type of data involved, and also on the organisation and cloud layer (i.e. private or public, IaaS, PaaS or SaaS). Basically, the more confidential, secret, important (business-critical) or sensitive (particularly worth protecting) the data is, the less the use of cloud computing is recommended, in particular of a cloud abroad. Furthermore, the security measures and their monitoring should be all the more stringent and comprehensive.
- In many cases, the use of cloud computing involves the disclosure of data abroad, as data is frequently processed on servers spread all over the world. Subcontractors are often involved, as are countries which have less stringent data protection laws than Switzerland. There is therefore a risk that data will be processed in a way that is not permitted in Switzerland. Personal data may not be disclosed abroad if the privacy of the data subjects would be seriously endangered, and in particular if there are no safeguards guaranteeing adequate protection (Art. 6 para. 1 DPA). If this is the case, personal data can only be disclosed abroad if one of the provisions under Art. 6 para. 2 DPA applies. In the main, cloud users will have no choice but to obtain a contractual data protection guarantee from the cloud service provider, including any subcontractors involved. This poses practical problems, as all users of the cloud where the personal data is processed must enter into the contract. However, it is essentially the party transferring personal data abroad who must prove that all requirements to ensure an appropriate level of protection have been met.
- The cloud user is also responsible for guaranteeing at all times the right to information under Art. 8 DPA and the right to have data deleted or corrected under Art. 5 DPA, and for implementing them in accordance with the data protection requirements. It may prove very difficult to meet these requirements, as the use of cloud applications often involves loss of control over data and the cloud user no longer knows which data is processed where. However, it is not possible to avoid these legal obligations.
If a person wishes to use cloud computing to process their data, it is essential to choose the cloud service provider carefully (and carry out a risk assessment), and to instruct and monitor the provider accordingly. As the instructing party, cloud users are ultimately responsible towards the persons affected for respecting data protection laws, and can be held liable if these are infringed. Cloud users should therefore think carefully about which applications and data will remain at their own location and which are to be put into the cloud. A careful check of the cloud service provider must be made and a complete risk assessment of the organisational, legal and technical aspects carried out. A thorough analysis of the data protection requirements should also be conducted early on when choosing the type of cloud (private, public clouds specific to one enterprise or hybrid cloud). This will ensure that the cloud is used in compliance with data protection laws from the very beginning. Particular attention should be paid to the processing of personal data, including all steps from saving to processing and deletion. If after the risk assessment there is any doubt about the processing of data in the cloud, then outsourcing should be avoided.