
IaaS and PaaS: Increased data protection requirements

The German Federal Office for Information Security (BSI) has updated its IT baseline protection compendium: the 2019 edition is now available with 14 completely new building blocks. Among other things, a section on "Cloud use" has been added, which explicitly mentions the topic of encryption. A step in the right direction, even if some of the information falls a little short.

The IT baseline protection compendium is tailored to the security requirements of companies and public authorities. The aim is to enable users to select the building blocks relevant to them in order to improve information security. The new edition is relevant for certification and thus replaces the 2018 edition. In addition to technical aspects, infrastructural, organizational and personnel aspects are also taken into account. For example, there are also sections on potential pitfalls and on "Measures for increased protection requirements" (2.3), which go beyond the state of the art. These include the use of encryption (OPS.2.2.M17). The BSI distinguishes between the encryption of data "in motion" (i.e. during transport) and "at rest" (at the storage location). The document advises that all data transferred between an organization and a cloud provider should be secured using transport encryption. However, this is only the minimum requirement that an encryption solution should fulfill. Sensitive data should not only be encrypted "in motion", but also "in use" and "at rest" at all times. The reason is simple: this is the only way a company can ensure that neither attackers nor unauthorized third parties - including, for example, administrators at the cloud provider - have access to the data.

The BSI also points out that data can be encrypted either within the company or, alternatively, in the cloud application. However, there is a crucial problem with the latter: the cryptographic keys and the data encryption process are held by the cloud provider. This gives the provider access to the unencrypted data. "In addition, it should be agreed that the cloud user can initiate the reallocation of keys if necessary and influence the life cycles of the keys. It should be noted that the cloud service provider is also responsible for key management in the case of encryption by the cloud service provider. Employees of the cloud service provider who have knowledge of the corresponding keys can thus access the institution's data." (OPS.2.2.M17 Use of encryption for cloud use [ISB, IT operations] (IA)). Companies should therefore carefully consider whether to give a third-party provider control over their cryptographic keys and data protection processes. Particularly with regard to the European General Data Protection Regulation (EU GDPR), companies must bear in mind that they alone are responsible for protecting their sensitive data. They cannot delegate this to third-party providers - including cloud providers.

In order to keep key management in their own hands, the BSI recommends that companies "use their own encryption mechanisms". HSMs - hardware security modules - are cited as an example. These can handle both key management and encryption. The disadvantage: before the data can be encrypted by an HSM, it is transmitted to it unencrypted. Companies therefore also need a solution that encrypts the data before it leaves the secure company environment and is sent to a third-party provider. So why not kill two birds with one stone? An encryption solution such as the eperi Gateway bundles both the encryption process and the key management and can even be connected to an HSM if the customer so wishes. The gateway is also designed to integrate easily into the existing IT infrastructure. CRM databases can likewise be encrypted via API interfaces.
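To make the two points above concrete (a provider that holds the keys can read the data; a company-side component that encrypts before the data leaves the network keeps that ability in-house), here is an added example that is not part of the original article and is not eperi's code. It assumes a hypothetical `Gateway` type standing in for a company-side encryption component, AES-256-GCM from Go's standard library, and a provider that stores only what `Protect` hands it. The record ID and field name are bound into the ciphertext as additional authenticated data, so a stored value cannot be moved to another record or column on the provider side without decryption failing.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Gateway is an illustrative stand-in for a company-side encryption component
// (not eperi's product). It holds the data key; in production that key would
// sit in a company-controlled key store or HSM that the cloud provider cannot reach.
type Gateway struct {
	aead cipher.AEAD
}

// NewGateway builds an AES-256-GCM cipher from a 32-byte key that stays on the company side.
func NewGateway(key []byte) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead}, nil
}

// aad binds a ciphertext to its record and field, so the provider cannot move a
// value to another record or column without the authentication check failing.
func aad(recordID, field string) []byte {
	return []byte(recordID + "/" + field)
}

// Protect encrypts one field before it leaves the company network.
// Output is base64(nonce || ciphertext || GCM tag) with a fresh random nonce per call.
func (g *Gateway) Protect(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.aead.Seal(nonce, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Reveal decrypts a stored value that comes back from the provider. It fails on a
// wrong key, a value moved to a different record or field, or a tampered ciphertext.
func (g *Gateway) Reveal(recordID, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := g.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value shorter than nonce")
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed demo key generated at runtime; a real key would come from the company's key store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	g, err := NewGateway(key)
	if err != nil {
		panic(err)
	}

	// What the provider stores for the "email" column of a constructed CRM record.
	stored, _ := g.Protect("cust-42", "email", "alice@example.com")
	fmt.Println("provider sees:  ", stored)

	back, _ := g.Reveal("cust-42", "email", stored)
	fmt.Println("company reads:  ", back)

	// A provider-side administrator holding a different key gets an authentication error, not data.
	other, _ := NewGateway(make([]byte, 32))
	_, err = other.Reveal("cust-42", "email", stored)
	fmt.Println("without the company key:", err)
}
```

The design choice worth noting is where the key lives: `NewGateway` is the only place that ever sees it, and nothing in the provider-side record allows recovery of the plaintext. Reconstructing the nonce from the stored value is expected and harmless; what must not be stored with the data is the key.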

Companies should keep one thing in mind: No one can prevent data from being stolen. But the eperi Gateway helps to ensure that attackers cannot do anything with the data.
