Over the years I've had the opportunity to deal with the German Data Protection and Privacy Laws (Bundesdatenschutzgesetz, or BDSG) many times, including recently in a cloud computing context. I thought it would be helpful to share some of the key things that are required, and how you can address these in the context of cloud.
The basic premise of the German Data Protection laws is to protect privacy. The rules go something like this:
Don't collect any data that can identify an individual without express permission (this includes obvious things like name and date of birth, as well as less obvious things like phone numbers, address, etc.)
The permission that an individual grants must specify how, where, how long, and for what purposes that data may be used
The individual can revoke that permission at any time
Where personal data is processed or used, the organization needs policies, procedures and controls in place that protect this data and meet the BDSG data protection requirements
These policies, procedures and controls need to take into account the different types and categories of personal data being stored, and how they are protected
There are real penalties for breaking the law
The key areas of control that relate to Cloud Computing are:
Ensure only authorized access to the systems where personal data is stored, processed or used (access control)
Ensure that proper access control to personal data is enforced during storage, processing, access or use (create, read, update, delete)
Ensure that data is protected while "in motion" and being transmitted, and cannot be viewed, changed or deleted without proper authorization
Ensure that you have the ability to establish and verify when and by whom personal data was entered into a computer system, as well as when and by whom this data was updated or removed
Ensure that you have audit trails to verify that personal data is stored, processed and transmitted in accordance with the instructions and approval of the principal (individual or entity referenced in the data)
Ensure that personal data is protected against accidental destruction or loss (availability control)
Ensure that data collected for different purposes is stored, processed, used and transmitted separately
If you went down the list of the 10 well-established domains of security, you would see that these control areas fit in nicely. It seems like Security 101. But what makes the BDSG such a serious concern is the penalties for non-compliance (50,000-300,000 EUR and potential for seizure of profits) and the fact that real enforcement efforts take place (unlike most of the US privacy regulations to date).
Why are the issues for BDSG any different in a cloud computing environment? People see risks in the cloud, some of which I believe are real and others which I believe are just perception.
Perceived BDSG Risks of cloud computing:
"Cloud computing is unproven" - Cloud computing is new to most people. Even though the concept of shared computing resources accessed over the Internet is long established, a new name, lots of hype and some high-profile and not very true headlines about bad things that have happened (e.g. "China Hacks Google - Beware of the Cloud") have given cloud computing a risky name.
"Cloud computing is less secure than my own data center" - If you really look at a cloud computing environment, you will likely find that it actually has higher levels of security than what you have in-house. Built with the latest technologies to be a multi-layered, multi-tenant environment, it isn't constrained by the legacy conditions and outdated technologies that bind your hands internally.
"When I move to the cloud, I give up control" - This one could be real or perceived. It's real in that, compared to an internal data center where you own 100% of what happens, you are giving up a decent level of control. But it's perceived in that, although you are giving up some control, you aren't helpless. You still have control over what data you store, what controls you put around it, when it is deleted, and much more.
Real BDSG risks of cloud computing:
"My compliance is at the mercy of my cloud provider" - This one is true and is the other side of "I give up control". Selecting the wrong cloud computing provider could mean the difference between a happy, safe cloud BDSG experience and one filled with fines and angry customers. You need to find a provider that has invested in creating an environment where the data protection issues you face have been addressed. Many companies offering cloud computing services today have been in the outsourcing and Internet business for many years and have already proven that they can handle private data. If they aren't willing to show you what steps they've taken in their cloud environment or how their system meets the requirements of Bundesdatenschutzgesetz, move on.
"My applications/systems aren't ready for the cloud" - Likely very true. Most applications in use today were designed for single-tenant environments, in the "hard outer shell, warm squishy center" model that your internal data centers or private rented/co-located servers provide. In cloud computing, most resources are shared - from the network, systems and storage to, often, even platforms like databases or application servers. As I wrote in my post about re-investing your cloud savings in security, you need to take a true layered approach to security if you want to feel safe (or compliant) in the cloud.
"Cloud computing is new, the auditors don't know what to think" - Unfortunately, true. The auditors we all hire or employ to look at our systems are catching up rapidly, but are still on average 24 months behind technology. In the cloud world, that's a lifetime. Even worse, the federal auditors could be 3-5 years behind the times in technology. You'll be lucky if they even fully grasp how virtualization works, never mind how a fully multi-tenant, highly automated, scalable, elastic, zero-touch, on-demand cloud environment works. This is a real risk because the controls and processes the auditors have come to know and trust won't necessarily exist or look the same in a cloud. At best you'll have to spend a lot of time explaining; at worst, they'll cite you for non-compliance.
Bottom line:
You can use cloud computing and be BDSG compliant, but don't expect to just drag and drop your already compliant applications and data on the cloud and continue to be compliant. Use this opportunity to take a fresh, top to bottom look at your compliance efforts, identify the gaps, and plan for remediation. Make sure you do your research and select a cloud computing provider that understands the issues you face with BDSG and has invested in their cloud organization to help your business be compliant. In my experience, compliance is easiest when you select a provider inside the borders of Germany, even though technically if your auditors are friendly enough, they might let you put the data anywhere in the EU.
Notice: This article was originally posted at http://www.CloudNod.com by Scott Sanchez and is his personal opinion.
Copyright 2010 Scott Sanchez, All Rights Reserved.
About Scott Sanchez: A recognized thought leader on cloud computing, enterprise architecture and security, Scott Sanchez is a jack of all trades who has held strategy and leadership roles at Goldman Sachs, Bristol-Myers Squibb, Unisys and a number of technology startups along the way.