Cloud security

Cloud security in focus: strategies, architectures and contract models for protecting sensitive company data in a digitalized world

Data is the raw material of the modern digital economy, the “new gold” for companies (the private sector) and for governments (the public sector) alike. New data sets are created at a pace that cannot be stopped, and many of them end up on the Internet. Some of these data sets contain personal information that, taken together, constitutes a digital identity. The real challenge for a company is to filter this data carefully and, above all, to store it securely. This short paper examines the storage and processing of data in the cloud from a corporate perspective. It also highlights the contract types, architectures, and security measures against cyberattacks that the industry uses to build a solid foundation for its own data processing.

Before we delve into cloud security, it is necessary to understand a few key aspects of so-called “cloud computing”: how it works and how a cloud is structured. “Cloud computing is a data processing model that allows users to conveniently access a shared pool of configurable computing resources (e.g., networks, servers, storage systems, applications, and services) via a network, anytime and anywhere, as needed. These resources can be provisioned quickly and with minimal administrative effort or minimal interaction with the service provider. The cloud can be used in three variants: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The type of cloud varies depending on the deployment model (private cloud, community cloud, public cloud, hybrid cloud).” [1]

In the field of cloud computing, there are various deployment models that determine how cloud providers make cloud services available to their users. There are four main models associated with cloud computing:

1. Public Cloud

The public cloud allows any customer to access computing resources, from infrastructure (CPU, memory, storage) to software (operating system, application server, database), on a subscription or pay-as-you-go basis. Common use cases include the development and testing of applications as well as critical and non-critical everyday services such as file sharing and email.

2. Private Cloud

The private cloud is used exclusively by a single organization and can be operated either in-house or by an external IT service provider. Private clouds are usually more expensive than public clouds because of the investment in procurement and maintenance, but they give the organization direct control over its security and data protection measures and therefore address such concerns more effectively.

3. Hybrid Cloud (a combination of an on-premises data center or private cloud with a public cloud)

The hybrid cloud uses both private and public cloud infrastructure. Companies choose this model to scale their IT infrastructure rapidly as demand requires. For example, an online retailer can use public cloud resources during the holiday season to supplement its private cloud or to offload peak load from it.

4. Community Cloud

The community cloud supports multiple organizations that jointly use computing resources. These include, for example, universities collaborating in specific research areas, or government entities such as police departments within a county that share resources. Access to a community cloud is restricted to members of the community.

For end users, public clouds typically involve low costs and no significant up-front investment. Private clouds, on the other hand, do require an initial investment but generally cost less to run than maintaining a comparable infrastructure of one’s own. Private clouds also give the operator more direct control over security and compliance than public clouds. For this reason, some organizations use private clouds for business-critical or more sensitive data and applications, and public clouds for basic tasks such as application development, test environments, and email services. [2]

A hybrid cloud helps to contain and diversify the risk of a cyberattack: sensitive workloads can stay on infrastructure the organization controls, while less sensitive or bursty workloads run in the public cloud, so that a compromise of one environment does not automatically expose the other. It offers greater control over an organization’s own security than relying solely on a public cloud. In addition, a hybrid infrastructure allows organizations to establish their own security standards and to configure the software on private servers to meet their specific needs. Distributing workloads in this way increases system reliability and makes faults easier to isolate and diagnose.

Finally, it is usually more cost-effective than purchasing and maintaining all servers on-premises. [3]

Cloud Service Architecture Models

Given these advantages of a hybrid cloud solution, which range from enhanced security controls to improved reliability, it is important to understand the different cloud service architectures. These architectures, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), offer different levels of service delivery and, above all, draw the line between provider and customer responsibility for security and compliance in different places.

1. Infrastructure as a Service (IaaS)

IaaS providers supply basic computing, storage, and network infrastructure, as well as the hypervisor for virtualization. Users are responsible for creating and managing virtual instances, installing and patching operating systems, deploying applications and data, and handling all configuration tasks. IaaS is attractive for small businesses and SMEs in particular: using a cloud infrastructure without having to operate it is a cost-effective alternative to purchasing one’s own hardware.

Examples: DigitalOcean, AWS, Azure, Google Compute Engine, Hetzner Cloud

2. Platform as a Service (PaaS)

PaaS providers cover more of the application stack than IaaS by also providing the operating system and middleware (e.g., databases and runtimes). Users concentrate on developing their application and remain responsible for its code, data, and configuration, while the platform manages the underlying infrastructure.

Examples: AWS Elastic Beanstalk, Google App Engine.

3. Software as a Service (SaaS)

SaaS providers offer a complete application stack. Users access the fully hosted application via a web browser. Workloads and IT resources are managed entirely by the SaaS provider, while users remain responsible for the data generated in the application and for who is granted access to it.

Examples: Salesforce, Dropbox, Google Workspace, aBusiness Suite [4]

The Cloud in Contract Law

SaaS contracts have not yet been explicitly regulated by lawmakers. To date, a SaaS contract can only be legally classified as a mixed contract that combines elements of service contracts, contracts for work, and lease agreements. Which area of law applies therefore depends on the specific performance phase of the contract. The core of a SaaS contract lies primarily in lease law, because the provision of software is most comparable to the transfer of possession under a lease. Since software is not considered a “thing” within the meaning of lease law, the prevailing view is currently that SaaS contracts constitute a time-limited transfer of a right of use. This is consistent with the provisions and the purpose of lease law. [5]

PaaS contracts are largely shaped by Service Level Agreements (SLAs), which specify minimum performance standards and define the rights and obligations of both contracting parties.

Data protection and data security play a crucial role, as PaaS services often involve the processing of sensitive data. The contract must contain clear provisions on the protection of personal data. It is also essential to specify in the contract who holds the intellectual property rights to the applications created; typically, the user retains ownership of the applications and the provider retains ownership of the platform. [6]

Conclusion

Regardless of whether it is a startup, a venture capital firm, an SME, or a larger enterprise, cloud security is of critical importance to every company.

It is important to consider not only which cloud providers a company wishes to work with, but also what framework conditions are agreed with them.

Ultimately, security is not solely the responsibility of the cloud service provider: the customer remains responsible for everything above the service boundary, and a company’s own employees play an equally important role in keeping its use of the cloud secure.

It is essential to invest regularly in employee training and awareness so that staff have the expertise needed to follow security policies and procedures. To realize the full potential of the cloud, however, companies should invest not only in maintaining their own systems or those of external partners but also in recruiting qualified IT security staff. This allows a company to ensure the security of its systems and thereby increase customer satisfaction, which in turn strengthens the company’s reputation in the long term.

A major sticking point when selecting an external cloud provider has always been the dependence on foreign providers and their data protection regulations. Companies address this challenge through measures such as thoroughly reviewing data protection policies, adopting hybrid cloud approaches to minimize risk, evaluating providers’ security measures and certifications, conducting data protection impact assessments, performing regular monitoring and audits, and preparing for potential data breaches. These strategies vary depending on company size and industry, but they all serve the goal of ensuring data protection compliance and minimizing potential risks associated with the use of external cloud services.

Bibliography

Cloud Computing
https://www.swissbanking.ch/de/themen/digitalisierung-innovation-cyber-security/cloud-computing

Cloud Deployment Model (2014)
https://www.sciencedirect.com/topics/computer-science/cloud-deployment-model

Understanding the Cloud—Do You Know the Difference Between a Public Cloud and a Hybrid Cloud? (2023)
https://www.speechlive.com/at/blog/die-cloud-verstehen-wissen-sie-was-eine-public-cloud-und-was-eine-hybride-cloud-ist

What is IaaS? Definition and Key Facts
https://bsh-ag.de/it-wissensdatenbank/iaas-infrastructure-as-a-service/

Platform as a Service (PaaS) (2022)
https://www.computerweekly.com/de/definition/Platform-as-a-Service-PaaS

What to Look for When Drafting SaaS Contracts (2022)
https://www.top.legal/wissen/saas-vertraege

Platform-as-a-Service (PaaS) Contracts: A Guide (2023)
https://www.anwalt.de/rechtstipps/platform-as-a-service-vertraege-paas-vertraege-ein-leitfaden-216904.html

[2] See https://www.sciencedirect.com/topics/computer-science/cloud-deployment-model (2014)

[3] See https://www.speechlive.com/at/blog/die-cloud-verstehen-wissen-sie-was-eine-public-cloud-und-was-eine-hybride-cloud-ist (2023)

[6] See https://www.anwalt.de/rechtstipps/platform-as-a-service-vertraege-paas-vertraege-ein-leitfaden-216904.html (2023)
