From a privacy perspective, using cloud services always involves certain risks. If companies save data on Internet-based storage systems operated by an external service provider, they must comply with a number of requirements stipulated by applicable privacy law. Cloud computing means that companies no longer save their applications and files at their own data center, but instead with a service provider engaged for this purpose whose services can be accessed via the public Internet. This saves companies from having to purchase and manage their own hardware and software, and they no longer need to operate their own IT infrastructures. This, in turn, allows them to cut costs, but also creates privacy and data security risks. These result from the fact that the shared IT components in the cloud can, in principle, be accessed by everyone over the Internet and are only protected by an access control system (such as a user name, password, and encryption techniques).
Furthermore, security breaches can allow unauthorized individuals to access the company’s data. All of these vulnerabilities can cause the following issues:
When using cloud services, several parties are contractually bound to each other, each of which has an impact on privacy aspects. This creates relationships not only between the cloud provider and the cloud user, but also between the cloud user and its business partners and customers, whose rights pursuant to privacy law are also affected.
Generally speaking, privacy requirements can only be met if the cloud provider can offer a specified level of technical data security. This is determined by the hardware and software used by the service provider. This includes the use of encryption technologies for data and access credentials, authentication methods, as well as firewall components. In addition, organizational security policies are used to restrict physical access to the cloud provider’s IT components.
In addition to providing the technical resources needed for data security, cloud providers must also comply with the legal privacy requirements. These are laid out for the entire EU in the GDPR. An important point to note here is the legal fact that in cloud computing, the company that uses a cloud service is responsible for data security vis-à-vis its customers.
The details of the agreement between the cloud provider and the cloud user are defined in a data processing agreement between the two parties. The cloud user should have the service provider guarantee compliance with contractually stipulated requirements, for example through privacy certification. The cloud customer remains the owner of its data, which is not always the case with some cloud services.
If a company saves its customers’ data with a cloud provider, e.g. one in the United States, applicable privacy law could end up being violated. US cloud providers are legally obligated to hand over customer data to US authorities upon request. In these cases, the GDPR no longer applies and supplementary agreements must be reached with the provider. For example, cloud providers in the United States must ensure that they meet the requirements of the EU-US Privacy Shield. In this framework designed to ensure compliance with European privacy requirements, the US government guarantees to meet EU privacy standards when data is transferred to and from Europe. Whether this will prevent the transfer of data to US authorities is doubtful, however. This is why using European cloud providers who operate their data centers within the EU is highly recommended.
As a German solution, DRACOON offers maximum flexibility – and a system that fully complies with the GDPR at the same time. As a result, users regain control over their data. Our product DRACOON was developed in accordance with the principle of “privacy by design.” This means that data security and privacy were already taken into account during the development of the software. Various certifications and seals such as ISO27001, EuroPriSe, and BSI C5 certification are also proof that our system is extremely secure.
To ensure that data is sufficiently protected, the following aspects should also be taken into account.
The primary goal of IT security is to protect against risks that could result in financial damage.
But nowadays, a company’s IT department can hardly be expected to guarantee the security of all of its IT systems by itself. This is why more and more services are being outsourced to the cloud. The advantage of this is that cloud service providers specialize in IT security. DRACOON is an expert in the field of cloud security and works day in and day out on further improving IT security in the cloud and helping users regain control over their data.
Virtual data rooms offer the ability to share company data within the scope of due diligence, a process subject to more stringent privacy requirements. In this context, a company that is up for sale provides access to a comprehensive document management system, enabling prospective buyers and potential investors to gain a clear overview of all of the company’s relevant data and, if necessary, to collaborate on joint documents.
These mostly cloud-based data rooms must be secured by special measures, such as multi-factor user authentication, to prevent unauthorized access to the company’s files.
IT security concepts have been shaping our digital work environment long before the EU’s General Data Protection Regulation came into force. They have a significant impact on the IT infrastructure and privacy.
End-to-end encryption plays just as important a role as modern access control mechanisms which ensure that internal and external employees only “see” the files they are allowed to see and require for their work.
“I’ll e-mail you the contract as soon as we get off the phone” – everyone has heard this at least once. After all, e-mail is still the most popular way to send information and files.
But hardly anyone is aware that all of the information is sent in plain text.
This is particularly risky in a business context, as e-mails and e-mail attachments can be intercepted with relatively little effort. As a result, many companies are looking for a solution that allows them to send sensitive files via e-mail securely and in compliance with the GDPR.
Ransomware refers to malicious software that encrypts data and systems, making them unusable. Ransomware blocks the infected systems and computers until the owner pays the ransom demanded. This means that an entire company can be crippled as a result of a single user’s mistake. With DRACOON, you won’t ever lose a single file.
When using client-side encryption, a user encrypts their data with their own key and then transfers the data to the server. In this process, the key that encrypts the data never leaves the user’s computer. As a result, it is impossible to decrypt the files on the server itself, as the key needed for this purpose is only saved on the client. In other words, the data and the key used to encrypt and decrypt it are saved in to two physically separate locations. This means that no third party, not even the platform operator, can access the saved data.