“AUDITOR” Develops Europe-Wide Certification of Cloud Services
Use of the cloud is booming worldwide, and with it comes an abundance of cloud service providers and certifications. The current market is a jungle of offers and certifications. At the same time, new requirements are arising from the forthcoming EU General Data Protection Regulation. The research project “AUDITOR - European Cloud Service Data Protection Certification” therefore wants to create clarity and greater legal certainty and, building on the preliminary work carried out in the “Trusted Cloud” technology program, develop a unified, Europe-wide certification that integrates the established norms. An interdisciplinary team of researchers and companies is developing a data protection certification for cloud services based on the new EU General Data Protection Regulation, which is intended to become the standard across Europe.
The objective of the research project “AUDITOR” is the conception, exemplary implementation and testing of an enduring EU-wide data protection certification for cloud services. Certification in accordance with the EU General Data Protection Regulation (GDPR) is in the interests of everyone involved: the cloud customers, who are only permitted to work with cloud providers that can guarantee a sufficient level of data protection; the cloud providers, who can demonstrate precisely this assurance with such a certification; the auditing and certification bodies, for whose business area the GDPR sets strict requirements; and the end users potentially affected by the data processing, the protection of whose personal data is the focus of certifications of cloud services.
In order to conceptualize an enduring data protection certification, the first step is to develop a catalog of criteria for the certification of cloud services in accordance with the GDPR and to pursue an appropriate standardization in the form of a DIN (German industry norm) specification. This DIN specification forms the foundation for the European norm and for the development of a data protection certification process that is recognized EU-wide. Against the backdrop of the European single market, it is very important to find a harmonized approach to the usage of cloud services in Europe. A first version of the catalog of criteria will be made public in April 2018, with further adjustments based on the results of the subsequent field test and stakeholder consultations.
Along with this, suitable organizational structures and processes for the intended certification will be conceptualized. This includes, in particular, the specification of modular certification and audit processes that take international standards into account. In order to ensure long-term usage and broad dissemination of AUDITOR, the business models needed for the enduring success of the AUDITOR processes will also be examined. The certification processes developed in the AUDITOR project and the criteria prepared for standardization are then to be tested in practice and validated during the course of the project.
“The goal of the AUDITOR project is to improve the comparability of cloud services which are offered by companies located in different EU member states, and in this way to create transparency. This is above all beneficial for SMEs, but also for large companies, because new market potential can be opened up on the basis of an enduringly applicable EU-wide data protection certification for cloud services in accordance with the GDPR. Our work on further developing and substantially improving the certification of cloud services is in the interests of all players in the market,” says Prof. Dr. Ali Sunyaev.
The research project AUDITOR is the follow-up project to the Trusted Cloud Data Protection Profile for Cloud Services (TCDP). The project with a total budget of 1.7 million euros has a duration of two years and officially started on November 1st, 2017. The official kick-off event was held on March 23rd, 2018 at the KIT campus in Karlsruhe with all project partners, the DLR Project Management Agency (represented by Dr. Regine Gernert), and the Federal Ministry of Economic Affairs and Energy (represented by Dr. Alexander Tettenborn).
The following institutions and organizations are involved in the project:
- Karlsruhe Institute of Technology, Critical Information Infrastructures Lab, Prof. Dr. Ali Sunyaev;
- CLOUD&HEAT Technologies GmbH;
- datenschutz cert GmbH;
- DIN-Normenausschuss Informationstechnik und Anwendungen (NIA), DIN e.V.;
- ecsec GmbH;
- EuroCloud Deutschland_eco e.V., eco – Verband der Internetwirtschaft;
- Universität Kassel, Fachgebiet Öffentliches Recht mit Schwerpunkt Recht der Technik und des Umweltschutzes, Projektgruppe verfassungsverträgliche Technikgestaltung (provet);
- Bundesamt für Sicherheit in der Informationstechnik (BSI);
- Consultix GmbH;
- CRMADDON Factory GmbH;
- Die Landesbeauftragte für den Datenschutz Niedersachsen;
- Fabasoft Austria GmbH;
- Fujitsu Technology Solutions GmbH;
- Hornetsecurity GmbH;
- mediaBEAM GmbH;
- Microsoft Deutschland GmbH;
- Mitteldeutsche Gesellschaft für Informationssicherheit und Datenschutz mbH;
- PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft;
- SAP SE;
- SCOPE Europe b.v.b.a/s.p.r.l.;
- Trusted Cloud e.V.;
- TÜV Informationstechnik GmbH;
- Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein;
- Uniscon GmbH;
- VIVAI Software AG;
- VOICE-Bundesverband der IT-Anwender e. V.
From the research group Critical Information Infrastructures