Cloud: risks and security tips

General information on cloud usage

Cloud services can be accessed via an internet-enabled device. For example, this can be a PC, a smartphone or an internet-enabled TV. If a device is infected by malware such as a Trojan, the cloud services accessed from this device are therefore also vulnerable. End devices hold sensitive data and should be set up securely.

Data in the cloud is accessed via the cloud provider's website or by using an app, e.g. on a PC or smartphone. Access to cloud services in particular must be securely protected: missing or weak password protection leaves you vulnerable to data thieves. This is because once they have managed to gain access, all of your data is available unless you have additional encryption measures in place. That's why we recommend you follow our tips for a secure password.

However, many cloud providers also offer two-factor authentication in the same way it is used in online banking. This method requires an object in addition to the username and password to unequivocally authenticate your identity. This can be a one-time transaction authentication number (TAN), a USB stick with a secret key, an ID card or even a fingerprint. The authentication details (username/password) should not be stored on the device, for example as a saved password in the browser, and used automatically when the cloud service is accessed. Two-factor authentication significantly increases security and should therefore be used wherever possible.

Accessing cloud services via insecure networks such as WLAN hotspots at airports also poses a risk. In these networks, attackers are able to intercept and misuse access data. The situation is especially critical if two-factor authentication is not being used. This is why data is ideally only ever transferred to the cloud in encrypted form. For example, if you have drafted a text document on your PC and upload it to your online storage, the transfer that takes place is either encrypted or unencrypted. If the file is not transferred in encrypted form, it can theoretically be viewed by unauthorised persons who latch on to your data transfer. The data transfer can be encrypted by transferring the data via a secure connection with "https". If the provider does not offer this type of transport encryption option, you should question if it is sensible to continue using the service.

In many cases, accessing cloud services via smartphone poses a particular risk. If the access data is stored in the app of the service you use, simply opening the app is enough to access the cloud. While this seems convenient at first, it actually gives any potential malware on the smartphone easy access to the data in the cloud. If the smartphone somehow falls into the wrong hands because it is lost or stolen, the cloud data is only as secure as the access protection on the smartphone. So if, for example, you only protect access to your smartphone with a four-digit PIN, you are setting the security bar quite low. Not to mention there is usually no guarantee that the apps you use transmit the data in encrypted form. While modern internet browsers now make users aware of the risk when a connection is unencrypted, this is not usually the case for apps. As a result, using a smartphone while connected to insecure hotspots can be associated with security risks.

Deleting data and stopping usage

Before you store your data with a cloud provider, you should also check how easy or complicated it is if you want to remove data from the cloud again. This is because deleting data from the cloud is not as easy as doing it at home on your own computer. Cloud providers often store multiple copies of the files in different data centres. It is therefore recommended that you take a look at the terms and conditions of the service provider.

If you want to stop using a cloud service, you can cancel the subscription or simply stop using it if you are using a free service. Unfortunately it can be much more difficult to delete your own data from the cloud provider. Cloud providers often store multiple copies of the files in different data centres to provide high data availability. To add more complexity, some cloud providers keep the data for a period even after cancellation or deletion in case the request to do so is withdrawn (which happens regularly).

Data encryption in the cloud

You can store any type of data you want in the cloud. Sometimes this can be very personal data, such as family photos, digital bank statements or tax documents. Because of the sensitive nature of this type of data, you should pay particular attention to securing your data on the cloud provider's servers. An attack by hackers on a cloud provider's data centre can be lucrative for criminals, as information that belongs to lots of users is stored there. To make matters worse, attackers usually have time to plan how they will gain access and find a backdoor into the data centre.

On top of this, you cannot usually verify if safeguards have been correctly implemented and how secure they actually are. Consequently, the safest option is to encrypt the data and store the key safely outside of the cloud. However, if you choose to protect your data like this, there are disadvantages you will have to accept related to the convenience: the encrypted data shouldn't be decrypted in the cloud. This means that data must be downloaded and decrypted locally in order to continue working on it. A possible option is to sync the encrypted data between several devices, but then the key and possibly also the encryption software must be available on each device. This means that several people cannot simultaneously work on the same document.

Configuration of cloud services

One of the major advantages of using cloud services is that data can usually be easily shared with other people and worked on together. In the following, let's imagine that we are using an online storage provider that allows us to share our own data with other people. There are usually different methods for doing this. If the person you want to share the data with

  • is also registered with the same cloud service, you can often share data by specifically using the other person's username.
  • does not use the same cloud service, you can often share things via a link.

When sharing via a link, it is important to remember: every person who has the link has access to the shared data. When it comes to sharing links, there are many ways in which an unauthorised person could find out what the link is, e.g. if the link is sent in an unencrypted e-mail. Since users do not usually need to identify themselves when accessing the shared data via a link, it is also difficult to identify who actually accessed the data.

Always consider the following things when sharing:

  • If possible, do not share sensitive data via a link. You can increase the security of sharing if the provider allows an additional layer of protection to be added with a password. If you do this, it is recommended that you share the link and password with the other party via different media (e.g. e-mail and telephone call).
  • If possible, add a limit for how long you want to share the data for. If the cloud provider does not let you do this, you should regularly check who has access to your data and whether this access is still required.
  • Sharing should always be specific and restrictions should apply, i.e. if a file is shared, only this file should really be shared and not the folder in which the file is located.
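
The checklist above, applied to a list of existing shares, as an added example that is not part of the original page. The record fields, the 90-day review interval and the sample entries are constructed assumptions; real providers expose share settings in their own formats.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical share record; field names are assumptions, not a provider format.
@dataclass
class Share:
    path: str                # shared item; a trailing "/" marks a folder
    via_link: bool           # True = anyone with the link, False = named user
    password: bool           # link carries an additional password
    expires: Optional[date]  # None = shared with no time limit
    sensitive: bool          # the owner's own classification of the content
    last_reviewed: date      # last time the owner confirmed the share is needed

REVIEW_INTERVAL = timedelta(days=90)  # assumed interval for "regularly check"

def audit(share: Share, today: date) -> list[str]:
    """Return the checklist findings for one share (empty list = nothing to fix)."""
    findings = []
    if share.via_link and share.sensitive:
        findings.append("sensitive data shared via link")
    if share.via_link and not share.password:
        findings.append("link has no password")
    if share.expires is None:
        findings.append("no time limit")
        # Without an expiry, the owner has to re-check the share by hand.
        if today - share.last_reviewed > REVIEW_INTERVAL:
            findings.append("unlimited share not reviewed recently")
    if share.path.endswith("/"):
        findings.append("whole folder shared instead of a single file")
    return findings

# Constructed sample data.
TODAY = date(2024, 6, 1)
SHARES = [
    Share("photos/holiday.jpg", True, True, date(2024, 6, 15), False, date(2024, 5, 20)),
    Share("tax/2023/", True, False, None, True, date(2023, 11, 1)),
    Share("notes/minutes.txt", False, False, None, False, date(2024, 5, 1)),
]

def report(shares=SHARES, today=TODAY) -> dict[str, list[str]]:
    """Map each shared path to its findings."""
    return {s.path: audit(s, today) for s in shares}

if __name__ == "__main__":
    for path, findings in report().items():
        print(path, "->", findings or "ok")
```
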

Checking the default settings of a cloud service before you start using it is recommended. A good strategy is to choose settings that provide as much protection as possible to begin with, i.e. disable the transfer of data to third parties and disable features that you don't need. If you require a certain feature further down the line, it can then be reactivated.

Protection from third-party access, security ID and cloud provider selection

By using a cloud service, we are outsourcing the storage of private and sensitive data to the cloud provider. In doing so, we hand over control and responsibility to the cloud provider and therefore need to trust them to protect the data. In the following, we describe the approaches users can take to select a provider on the basis of rational facts and to protect their data from third-party access.

Security ID (certificates and attestations)

How can users be certain that the data they share with cloud services is handled correctly from an IT security perspective? The maxim: trust is good, control is better. Private users cannot check this themselves by visiting the data centre. However, users can verify if a cloud provider meets defined security standards or complies with the legal regulations in force by checking various security marks (certificates or attestations) awarded by independent institutions.

Cloud providers are not obligated to get these certifications; it is always voluntary. Despite this, many providers display a number of certificates and other security marks. The cloud provider should be able to demonstrate that the certificates are renewed through regular audits. You should also question if only individual parts of the cloud service are certified or if, in an ideal scenario, the entire service offering is certified.

The BSI has developed its audit catalogue (C5) as its own standard for cloud security, which is designed for the auditing of cloud providers by auditors. After an audit is successfully passed, the auditor issues a certificate to the cloud provider and prepares a detailed audit report. This audit report can then usually be requested and analysed by customers. However, this system is mainly geared towards professional users, as analysing this type of report requires considerable expertise.

For private users, the following certificates and standards are currently worth looking out for and provide relevant guidance:

  • The Trusted Cloud Skills Network website has a directory of various cloud providers and the services that they offer. In addition to informative details about the service offerings that have been verified by Trusted Cloud, there are also reliable details available about the security certificates of the cloud services.
  • EuroCloud SaaS certification: the issuer of this is EuroCloud, an association of European cloud service providers. In Germany, EuroCloud Deutschland_eco e.V. represents the association of the German cloud computing industry and thus awards the certification mark. The benchmark for certification in Germany is the applicable German laws on data protection and IT security, as well as international standards.
  • The TÜV test mark: TÜV companies, such as TÜV Rheinland and TÜV Saarland, award special cloud-related test marks that confirm providers are adhering to certain security standards. Cloud-specific security aspects are tested and compliance with relevant standards and laws is verified.
  • Providers often have a certificate issued in accordance with the international standard ISO/IEC 27001, which proves that the cloud provider has structured processes to guarantee information security. However, this unfortunately does not relate to the security safeguards used.

Premises of the cloud provider

Information about the premises of the cloud provider and the servers tells the user which data protection law their data is subject to once it is stored. With many cloud services, it is not immediately clear in which country the provider is based or where its data centres are located.

Essentially, a company based in Germany may actually run servers abroad. The data may then be under the jurisdiction of the foreign country. This is particularly worth noting because each country has different regulations for data access rights to files by companies and public authorities, based on the data protection laws and other regulations that apply in that country. In certain countries, public authorities may analyse the data or seize computers, while this is prohibited by law in others. For users, it is usually impossible to know where their data is stored if the cloud service provider does not explicitly state this.

Beware: each provider can, within the applicable legal framework, create its own terms of use and data protection policies. These terms and policies can be worded in such a way that you may grant the provider access and usage rights for the stored files, even though you do not want this to be the case.

For the cloud providers or cloud services listed on the Trusted Cloud directory, the data location and the applicable law are specified, which have both been verified by the Trusted Cloud Skills Network.

In particular, using cloud computing becomes highly critical if you choose to store the personal data of third parties with a provider. This can quickly result in a violation of the Federal Data Protection Act (BDSG). All it takes is storing appointments with the addresses and data of customers in a cloud calendar. If you want to store third-party data in the cloud of a foreign provider for business purposes, you should seek legal advice before doing so. The Technology and Media Work Groups of the Conference of State and Federal Data Protection Officers have published an Orientation Guide on Cloud Computing.

On May 25, 2018, an EU-wide General Data Protection Regulation for regulating the processing of personal data came into force. Further information and lots of other useful tips on data protection are available on the website of the Federal Commissioner for Data Protection and Freedom of Information.