Green Light

On May 20th, 2021 it was announced that the EU Cloud Code of Conduct had received official approval from the Belgian Data Protection Authority, following the positive opinion issued by the European Data Protection Board. At the same time, the European Data Protection Board (EDPB), which comprises all the European Data Protection Authorities (DPAs), provided a favourable opinion that the CISPE Data Protection Code of Conduct complies with the General Data Protection Regulation (GDPR).

This has been a long journey – in 2017 we published a Leadership Brief, Cloud Provider Codes of Conduct and GDPR. This compared how the two codes of conduct at that time would match the obligations from GDPR, which had yet to come into force. Four years on, what is the significance of this announcement to organizations using cloud services?

When using a cloud service, the tenant does not have control over how the service is designed, secured, and run.  Therefore, the tenant needs to trust that the cloud service meets their security needs and compliance obligations.  These Cloud Codes of Conduct provide transparent frameworks that define the technical and organisational measures that a cloud service must implement to ensure that its processing of tenants’ data will meet the requirements of GDPR.

Good News but with a Caveat

The good news is:

“The EDPB is of the opinion that both draft codes comply with the GDPR and fulfil the requirements set forth in Art. 40 and 41 GDPR. According to the GDPR, adherence to approved codes of conduct may be used as an element to demonstrate legal compliance.”

However, there is still more work to do. The key caveat in the EDPB announcement is:

“They [the codes of conduct] are not to be used in the context of international transfers of personal data”.

When looking at the two codes there are many similarities but some differences. The CISPE Code only covers Infrastructure as a Service while the EU Code of Conduct is more general. To some extent this explains the difference between the CSPs that support the different codes. Unsurprisingly, the CSPs supporting the EU Code of Conduct include those providing several different kinds of service (SaaS and PaaS as well as IaaS), which are all covered by this code. Nevertheless, the existence of two codes increases the burden on the end user organizations.

The major remaining challenge is for organizations using cloud services to hold and process the personal data of EU residents in compliance with GDPR when this involves international transfer of data to Third Countries. This challenge stems from the so-called Schrems II judgment and the subsequent EDPB recommendations 01/2020 relating to this.

Independent Verification

Much has been written on the subject of Zero Trust in the context of cyber security. Zero Trust is often defined to mean "never trust, always verify".

When highly regulated industries use cloud services, and for certain kinds of data processed in them, it is essential for the tenant to be able to verify the existence and effectiveness of service controls to demonstrate compliance. However, it is not practical for large CSPs (Cloud Service Providers) to allow tenants to individually audit the services they use, and so tenants must rely on independent third-party attestations that the services comply with standards and regulations.

The Cloud Codes of Conduct described above provide frameworks that have been validated by the EDPB and accepted by EU Data Protection Authorities. This is an important step towards what is needed, but validation of the framework is not the same as verification of service compliance.

Currently the CSPs that are members of the framework bodies agree to provide self-certification of compliance.  What is needed is independent verification.  Setting up the processes for independent verification of compliance with the Codes of Conduct will be the next key step along the journey.

GDPR and Zero Trust Data Processing

The EDPB has not approved the Codes of Conduct in the context of international transfers of personal data.   Under these circumstances what is needed is Zero Trust Data Processing – Never Trust the Cloud Service where this involves international data transfers.

During processing of the data there are three points at which the confidentiality, integrity or availability of the personal data can be compromised by public authorities in Third Countries:

  • During its transfer across networks, it may be accessed by third parties including governments. This access may be passive where the contents of the communication are simply copied. However, public authorities may also interpose themselves into the communication process and not only read the content, but also manipulate or suppress parts of it.
  • During its storage, by either accessing the processing facilities themselves, or by requiring the recipient of the data to locate, and extract data of interest and turn it over.
  • During processing, the data could be accessed while it is being used or analysed. For example, when a service is being provided remotely.

Cloud services currently provide controls for the first two of these areas of risk through strong encryption where the tenant has full control over the keys. However, protection during processing depends upon what is being termed “Confidential Computing”. Confidential Computing is an essential element of Zero Trust Data Processing and there are several basic approaches to Confidential Computing:

  • Trusted environments – such as Intel SGX enclaves and AMD EPYC 3rd Generation CPUs where the data is only decrypted in a protected environment.
  • Pseudonymization – as opposed to anonymization – provided that the additional data needed to reconstitute the relevant (usually personal) data is adequately protected. But note the ENISA recommendations for data pseudonymization advanced techniques and use-cases.
  • Homomorphic encryption – where the encrypted data can be processed without decryption but with additional computing overheads and usually the need to change the application.
  • Multi party computing – protocols that split the data into parts that can be processed independently without any of the processors being able to reconstitute any personal data.
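
To make the multi party computing approach concrete, here is an added example (not from the original article or from any CSP's product) that uses additive secret sharing to total a column of values across three processors. The modulus, the function names and the salary figures are assumptions constructed for illustration.

```python
import secrets

# Public modulus (assumption): must exceed any total we expect to compute.
MODULUS = 2**61 - 1


def split(value, n_parties):
    """Split value into n additive shares; any n-1 of them are uniformly random."""
    if n_parties < 2:
        raise ValueError("need at least two processors")
    if not 0 <= value < MODULUS:
        raise ValueError("value out of range for modulus")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def distribute(values, n_parties):
    """Tenant side: processor i receives the i-th share of every record."""
    per_party = [[] for _ in range(n_parties)]
    for value in values:
        for i, share in enumerate(split(value, n_parties)):
            per_party[i].append(share)
    return per_party


def local_sum(party_shares):
    """Processor side: operates only on shares, never on a real value."""
    return sum(party_shares) % MODULUS


def reconstruct(partials):
    """Tenant side: combining every processor's partial result yields the answer."""
    return sum(partials) % MODULUS


# Constructed sample data: salaries of five data subjects.
SALARIES = [41_000, 52_500, 38_200, 67_000, 45_300]


def secure_total(values, n_parties=3):
    per_party = distribute(values, n_parties)
    partials = [local_sum(shares) for shares in per_party]
    return reconstruct(partials)


if __name__ == "__main__":
    print("total via shares:", secure_total(SALARIES))
```

The guarantee holds only while at least one processor refuses to pool its shares with the others, so the processors should sit under separate legal and administrative control. Sums and other linear operations come this cheaply; comparisons and multiplications need interactive protocols between the processors.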

To overcome the concerns about processing personal data in third countries under GDPR, as well as those of regulated industries, CSPs will need to provide industrialised and easy to use approaches based on one or more of the above approaches.

Opinion

It is good news that both of these cloud codes of conduct have received approval from European Data Protection Authorities.  However, the boards behind these codes of conduct cannot afford to rest on their laurels - they must now work to define and set up independent verification processes to enable cloud tenants to have greater confidence than that provided by self-certification.  It is also essential that cloud services provide greater levels of controls – especially for confidential computing - for tenants to implement Zero Trust Data Processing.

For more information see KuppingerCole Buyer’s Compass IaaS Tenant Security Controls and register for the KCLive Event Cloud Strategy Optimization – Ensuring Efficient and Secure Collaboration on Cloud on July 7th.
