Cloud Security and Privacy in the Light
of the 2012 EU Data Protection Regulation
Andreas Kronabeter and Stefan Fenz
Vienna University of Technology,
Institute of Software Technology and Interactive Systems,
Favoritenstraße 9-11, 1040 Wien, Austria
Abstract. The essential characteristics of cloud computing, such as elasticity
and broad network access, provide many economic benefits for their users, but
these benefits also bring many security and privacy risks. These risks can
generally be classified into legal and technical risks. The upcoming general
data protection regulation by the European Commission (COM (2012) 11)
strengthens the consumer's rights with changes like a single set of European
rules and more data protection obligations for organizations. Once the general
data protection regulation becomes effective, organizations will have to fulfill
more requirements to comply with the law, especially in situations of security
breaches or issues about the life cycle and the processing of data. In this
paper we describe a framework for the evaluation of cloud service providers in
regard to the upcoming EU data protection regulation. The framework shall help
service providers to comply with the new regulation, and shall enable consumers
to evaluate the security and privacy competencies of cloud service providers.
Keywords: cloud computing, European Union data protection regulation,
security, data protection, privacy, evaluation framework.
1 Introduction
Security and privacy issues that come along with cloud computing have grown
in significance. Rapid technological progress makes it difficult for legal
regulations, laws and security provisions to stay up to date. Virtualization,
multi-tenancy, and outsourcing raise many questions about how a provider runs
its security policy and handles security issues, as well as about the
responsibilities of the user. Relevant work about cloud security risks and
recommendations was published by Gartner [5], the National Institute of
Technology (NIST) [6], the Cloud Security Alliance (CSA) [7] and the European
Network and Information Security Agency (ENISA) [8]. According to Gartner, the
seven cloud computing security risks users have to face are: (i) privileged
user access, (ii) regulatory compliance, (iii) data location, (iv) data
segregation, (v) recovery, (vi) investigative support, and (vii) long-term
viability. NIST defines trust, multi-tenancy, encryption and compliance as the
key issues of cloud computing [9].