Data Sovereignty in the Cloud - Wishful Thinking or Reality?

Proceedings of the 2021 on Cloud Computing Security Workshop Pub Date : 2021-11-15 DOI:10.1145/3474123.3486792

Christian Banse

{"title":"Data Sovereignty in the Cloud - Wishful Thinking or Reality?","authors":"Christian Banse","doi":"10.1145/3474123.3486792","DOIUrl":null,"url":null,"abstract":"The idea of data sovereignty has been at the core of various research activities over the last years, especially in Europe. The topic gained additional traction through various regulations and initiatives such as the EU General Data Protection Regulation (GDPR), the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and lastly, Gaia-X. While asserting digital control over your data is relatively easy in a closed ecosystem, such as your own on-premises or a community data space, it is infinitely more challenging in a public open ecosystem, such as the Cloud. On one hand, recent advantages in the field of confidential computing, such as the introduction of secure enclaves and encrypted virtual machine memory are promising new ways to enforce data sovereignty even in Cloud infrastructures. On the other hand, the mere existence of these techniques does not ensure an overall secure system, demonstrated by various flaws found in confidential computing techniques themselves, such as AMD SEV. So, the question remains if data sovereignty in the cloud is already reality or still wishful thinking? Keeping the requirements from initiatives such as Gaia-X and the EUCS in mind, this talk will explore what it means to achieve data sovereignty and security in the Cloud. It is important to understand, that it is not only necessary to implement appropriate security measures, but also (continuously) demonstrate the effectiveness of them. Therefore, this talk will show an overview of different technical means to leverage confidential computing for data sovereignty in the Cloud, especially using remote attestation and integrity verification. Furthermore, it will explore techniques to demonstrate the effectiveness of these measures with regards to regulation compliance. One such example is the MEDINA framework, which aims to continuously verify the requirements of EUCS and Gaia-X, both on the infrastructure as well as the application level in cloud systems.","PeriodicalId":109533,"journal":{"name":"Proceedings of the 2021 on Cloud Computing Security Workshop","volume":"40 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2021 on Cloud Computing Security Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3474123.3486792","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

The idea of data sovereignty has been at the core of various research activities over the last years, especially in Europe. The topic gained additional traction through various regulations and initiatives such as the EU General Data Protection Regulation (GDPR), the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and lastly, Gaia-X. While asserting digital control over your data is relatively easy in a closed ecosystem, such as your own on-premises or a community data space, it is infinitely more challenging in a public open ecosystem, such as the Cloud. On one hand, recent advantages in the field of confidential computing, such as the introduction of secure enclaves and encrypted virtual machine memory are promising new ways to enforce data sovereignty even in Cloud infrastructures. On the other hand, the mere existence of these techniques does not ensure an overall secure system, demonstrated by various flaws found in confidential computing techniques themselves, such as AMD SEV. So, the question remains if data sovereignty in the cloud is already reality or still wishful thinking? Keeping the requirements from initiatives such as Gaia-X and the EUCS in mind, this talk will explore what it means to achieve data sovereignty and security in the Cloud. It is important to understand, that it is not only necessary to implement appropriate security measures, but also (continuously) demonstrate the effectiveness of them. Therefore, this talk will show an overview of different technical means to leverage confidential computing for data sovereignty in the Cloud, especially using remote attestation and integrity verification. Furthermore, it will explore techniques to demonstrate the effectiveness of these measures with regards to regulation compliance. One such example is the MEDINA framework, which aims to continuously verify the requirements of EUCS and Gaia-X, both on the infrastructure as well as the application level in cloud systems.

查看原文本刊更多论文

云中的数据主权——一厢情愿还是现实?

数据主权的概念在过去几年中一直是各种研究活动的核心，特别是在欧洲。通过欧盟通用数据保护条例(GDPR)、欧洲云服务网络安全认证计划(EUCS)以及Gaia-X等各种法规和举措，该主题获得了更多的关注。虽然在封闭的生态系统(例如您自己的内部部署或社区数据空间)中对数据进行数字控制相对容易，但在公共开放的生态系统(例如云)中则更具挑战性。一方面，机密计算领域的最新优势，例如引入安全飞地和加密虚拟机内存，有望在云基础设施中实施数据主权。另一方面，这些技术的存在并不能确保整个系统的安全，在机密计算技术本身(如AMD SEV)中发现的各种缺陷就证明了这一点。因此，问题仍然存在，云中的数据主权是已经成为现实，还是只是一厢情愿的想法?考虑到Gaia-X和EUCS等计划的要求，本演讲将探讨在云中实现数据主权和安全意味着什么。重要的是要明白，不仅有必要实施适当的安全措施，而且还(不断地)证明它们的有效性。因此，本演讲将概述利用机密计算实现云中的数据主权的不同技术手段，特别是使用远程认证和完整性验证。此外，它将探索技术来证明这些措施在遵守法规方面的有效性。MEDINA框架就是这样一个例子，它旨在不断验证EUCS和Gaia-X在基础设施和云系统中的应用级别上的需求。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2021 on Cloud Computing Security Workshop

自引率

0.00%

发文量