Comments on: Data Security in the Cloud

By: Cloud Computing, Data Protection and the German Mindset « Cloudy Times

Cloud Computing, Data Protection and the German Mindset « Cloudy Times — Tue, 29 Jul 2008 12:06:18 +0000

[...] An article about Cloud Computing in the German weekly ZEIT made me think of a recent blog post on data security in the cloud. Although the article is quite positive and describes Cloud Computing [...]

By: Markus Klems

Markus Klems — Tue, 15 Jul 2008 07:07:10 +0000

Thank you, Craig. I added you to my blogroll, as well. Great articles on security topics!
Btw, I just use powerpoint or open office + gimp to draw the diagrams.

By: Craig Balding

Craig Balding — Mon, 14 Jul 2008 15:04:56 +0000

Hi Markus

Enjoying your blog (and your diagrams – what tool are you using there?).

The security aspects of Cloud Computing are pretty interesting I think. Some feel very similar to traditionally outsourcing (risk management by contract) and others feel ‘new’. From speaking with some of the providers, there is a long way to go before regulated entities can put regulated processes in the Cloud however as John M Willis keeps reminding us, there are lots of companies dipping their toes in the water (finger in the Cloud? ;-).

Anyway, I’m now a subscriber.

Cheers,

Craig

By: Markus Klems

Markus Klems — Fri, 04 Jul 2008 07:10:06 +0000

James,

thank you very much for your kind words.

The idea of “follow the moon” or in this case “follow the law” computing is fascinating! I must admit, I have not followed the discussion you linked above very closely but I will try to catch up.

As I mentioned in my blog post German data protection laws are pretty harsh. This is also a problem for community-based Web sites, because they must fear to be sued if not caring enough about their user data.

I am not a lawyer, but here are some possibly interesting sections from the Federal Data Protection Act (Bundesdatenschutzgesetz):

§4b (2): [...] You are not allowed to transfer personal data to a third party if the person concerned has a legitimate interest in you not doing so. [...]

§4b (3): The adequacy of the level of data protection takes into account all circumstances assessed in the data transmission, like type of data, duration of the proposed processing, destination country, etc. [...]

§4b (4) and §16(1),(2) basically say that you might even have to tell the person concerned that her data is moved to a third party.

As I said, I am not a lawyer, so I am not sure if these sections really are relevant for the case described in “follow the law” (as you do not transfer data to a third party but only geographically from one location to another).

By: James Urquhart

James Urquhart — Thu, 03 Jul 2008 16:13:01 +0000

Markus, I'm a big fan of your blog. Excellent work. One interesting aspect of this has been discussed over the last month or so on the Google Cloud Computing group, as well as on my blog: can you move computing geographically to leverage the best regulatory environment for the immediate task at hand? And if so, when is it better to move the data, versus move the compute job itself? As I note in the groups thread, its about automating loopholes. Nick Carr and Greg Ness picked up on the meme. Another (large) thread on the Google group explored the question of moving data vs. moving compute capacity. What are your thoughts?