Business continuity is dependent on infrastructures provided by third parties. If you’re going to manage this well, you need assurance that your service provider can deliver this. Above all, you need trust. What form this will take in practical terms within the Netherlands and Europe is the main focus of the Online Trust Coalition (OTC). Why doesn’t the traditional way of thinking about continuity and assurance work in the new information value chain?
Recent research by the DHPA found that 75% of Dutch SMEs use one or more cloud services. According to the researchers, within two years, there won’t be a single company left that still organises all its IT in house. The Covid crisis, with the mass working-from-home that it entails, is accelerating this development. We’re becoming increasingly dependent on the cloud. The European Commission, too, recognises the growing importance of cloud services for innovation and digitisation. It is firmly committed to the development and use of cloud services from within Europe, partly due to the desire for more autonomy.
In order to use cloud services, all you need is an internet connection and a credit card. But for the average user, it’s a good deal more difficult to obtain assurance that that cloud is reliable and secure. Often, simple questions are asked such as ‘is it secure?’ or ‘where is my data stored?’. But security is about the whole package: reliability, information security, availability and continuity, integrity and, of course, conformity with the GDPR. In addition to this, the user needs to do all kinds of things themselves with regard to the CIA triad (confidentiality, integrity and availability) and to check that everything complies with the law. It’s often unclear what this actually involves. Things get even more complicated when the cloud services purchased are used as part of one’s own online service provision, something that’s happening more and more thanks to digitisation. In such cases, the user becomes part of a chain and has to deal with both the demands of their own customers and with passing on and aggregating assurances ‘up the chain’.
Which cloud service is suitable?
Providers of cloud services assert, without exception, that these matters are properly arranged for their service. Most of the time, this is indeed the case. In practice, however, the users, especially the larger parties, don’t always assume that the claims, statements or certifications of providers offer adequate assurance. This is because management systems and certifications are designed to give assurance to the provider, and not to the user. It’s therefore extremely complex and expensive for users to assess whether a cloud service is suitable for their situation, and whether it fits within their risk profile. This issue has become even more urgent since the European Court’s recent ruling that the Privacy Shield is invalid. Users of cloud services can no longer assume that their data, when processed within chains involving US providers, is protected in line with European privacy legislation. Users therefore realise that the claims of their providers and their auditors are not totally accurate, regardless of whose fault this is. To make matters worse, the European and Dutch privacy authorities just leave users to deal with this problem themselves. Users are simply advised to investigate where and with whom data might end up and what legislation applies to those companies and countries. And in case of doubt, they’re advised to immediately stop using those services.
To investigate, check and arrange all this for the dozens of cloud services that an average company uses is completely unfeasible. Likewise, the advice to stop using a particular cloud service in case of doubt totally ignores the reality. Last year, in an urgent letter to the privacy authorities, the CIO Platform the Netherlands, a collaboration which includes IT managers from 130 organisations, stated that the auditing of cloud services and their supply chains is virtually impossible, especially if it also has to be repeated periodically. What’s more, the idea that companies can simply pull the plug on their cloud services is completely unrealistic.
The cloud as an outsider
The underlying problem is that ‘the cloud’ isn’t taken into account in the GDPR, or in the practice of certification. Both of these are based on the COBIT model, which stems from the period before the cloud. Back then, users had full control over their IT, because computers and software were purchased and managed within one’s own organisation. Although external suppliers might have been contracted in, they were still under the management and responsibility of the organisation itself. Nowadays, the digital economy consists of a reverse chain of control. It’s the provider, not the user, that determines the functionality, the security, the privacy and other features of a cloud service. The user can only make the choice: is a service suitable or not. On top of that, they have to make this decision on the basis of difficult-to-access or incomplete information: information that isn’t, in fact, intended for this purpose. And all this without the help of the privacy authorities. In short, the supposed top-down control over online chains is a myth. What’s more, users aren’t going to get that control back.
Around 20 organisations from government, business and science recognised this problem and decided to set up the Online Trust Coalition (OTC). The OTC wants to develop easy-to-access, standard methods that offer clarity to users about the reliability and security of cloud services, and that are easy to use for providers. The focus, therefore, isn’t on the reliability itself, such as developing the umpteenth framework, but on improving the methods and information about reliability in digital chains. The participants in the OTC are currently involved in European working groups around certification, and contact has been made with the German project Gaia-X. Later this year, the OTC will publish a white paper with recommendations for relevant stakeholders.
Good methods for offering assurance to users about the reliability of cloud services will make these services, and therefore digitisation in general, easier to access. This is crucial if the Netherlands is to achieve its ambition to become a digital frontrunner in Europe.
The Online Trust Coalition calls on organisations to get involved and together to strengthen the digital economy of the Netherlands in the international context. To register, please send an e-mail to: firstname.lastname@example.org.
References
1. www.trustedcloudexperts.nl/driekwart-van-nl-bedrijfsleven-heeft-saasapplicaties/
2. The EU-US Privacy Shield is an agreement between the US Ministry of Economic Affairs and the European Commission on the exchange of personal data between the EU and the US.
3. https://ecp.nl/timeline/lancering-otc/
4. www.dhpa.nl/gaia-x/