Put in simple terms, the Cloud Act allows the US government unrestricted access to all global cloud data stored by US providers. As a result, the legal dispute that e.g. Microsoft sought to resolve in the United States is no longer relevant: For data stored outside the U.S., Microsoft saw no legal obligation to transfer data to U.S. government agencies. With the Cloud Act, this circumstance changes fundamentally. U.S. companies are now required to hand over all data from the cloud to the relevant authorities regardless of the physical location of the data.
Data protection experts have long been expecting a regulation like this, but always in accordance with their European partners and GDPR in particular. What complicates the situation for cloud users and thus also for existing SAP customers now is the fact that the US government has passed the Cloud Act without consulting the EU. This unilateral regulation has not only caught EU officials in Brussels off guard, but is now also presenting cloud computing with completely new challenges. The US Cloud Act in combination with GDPR could force existing SAP customers to avoid or perhaps even leave US cloud providers such as AWS, Microsoft and Google – and there are indeed European alternatives available.
“The position of US authorities with the US Cloud Act is not unexpected,” confirms Jean-Claude Flury, DSAG Board Member for Business Networks Integration, in an interview with E-3 magazine. And Bertram Dorn, AWS Specialist Solutions Architect EMEA for Security, adds in the E-3 exclusive discussion, “Our task is now to help support the risk analysis process with information and data. But you can’t simply do away with risk completely, you have to come to a realistic assessment. GDPR and the US Cloud Act are another challenge to risk analysis. And, of course, discussions are now developing on this side of the pond that existing SAP customers – especially from the midmarket sector – are not yet used to.”
The new risk assessment for the Chief Information Security Officer is therefore not a technical but a legal one. The positive aspect is (at least for now) legal certainty because with the Cloud Act and GDPR, there are tangible regulations in place. “Even Microsoft, which has a pending case in the US Supreme Court, welcomes this situation,” says Jean-Claude Flury, CEO of DSAG, adding, “In today’s world of leaks and hacking, every company must carefully consider what data is stored in – more or less – private clouds. This is especially true for data centers outside Europe and even more so if the operator is not an EU-based or Swiss operator.”
SAP itself has not yet responded and has not commented on the implications for its cooperation with AWS, Microsoft and Google as well as its own global data centers. Jean-Claude Flury emphasizes, “What is new is that third countries could gain easier access to data from companies in their own country through a bilateral agreement with the USA. European companies are well advised to further tighten their hopefully already strict guidelines for data storage outside the company’s own data center.” AWS expert Bertram Dorn also sees the development in a similar way: “The customer must be aware of the risks arising from GDPR and the US regulation and also evaluate and adequately assess them individually.”
With the US Cloud Act and GDPR, the Chief Information Security Officer has his work cut out for him. Drawing on his daily work experience with AWS customers, Bertram Dorn says, “Even after discussion and evaluation with our lawyers, risk assessment naturally remains the responsibility of the client.” There are thus several solutions to this challenge – one of them may be moving back to your own data center.
Most existing SAP customers have a lot of experience in setting up and operating their own data centers. In the pre-cloud age, the SAP community has consolidated, automated, and virtualized a lot. The results were streamlined and high-performance data centers, which are available as on-premise SAP installations that could keep pace with outsourcing and hosting trends in business terms.
So how great is the risk? How relevant is a cloud exit strategy? Meik Brand, SAP Business Development Manager at SAP partner QSC, comments, “First of all: If you are not yet using cloud solutions from US companies and do not keep data on US servers, you can sit back and relax and wait for the next regulatory steps from the EU. This is currently a purely unilateral initiative by US officials.”
The US Cloud Act directly affects existing SAP customers using AWS, Microsoft Azure and Google Cloud Platform solutions. As a result, the reaction and response of AWS specialist Bertram Dorn is logical, “We help our customers with reviews of their security architecture, because all our precautions and security services only help if the customer correctly implements and configures these AWS offers.” Meik Brand of QSC recommends, “If you are currently in the selection process for a cloud service, you should stop it for now. Companies already using cloud products affected by the Cloud Act should wait and see. The next two to three months will show what the US Cloud Act means in concrete terms – and how the EU will position itself accordingly. SAP customers should also hold their US cloud providers accountable and clarify how they can guarantee data protection in accordance with the GDPR – despite the Cloud Act.”
While Microsoft and Google have failed to respond to the E-3 magazine inquiries about their responsibility and security reviews regarding data protection, Bertram Dorn of AWS takes a clear position, “We consider these reviews to be very important, so we offer this service to our customers free of charge. The background is easy to explain: We want our customers to be successful, and that includes data security. Ultimately, it’s about the correct configuration of AWS services according to customer requirements.”
In other words: as an existing SAP customer, you can keep your data safe with AWS and make a risk assessment, but it is difficult to assess how the US Cloud Act complies with GDPR in practice and how both regulations are enforced by the respective EU and US authorities.
Meik Brand, SAP Business Development Manager at QSC, has a final recommendation, “Anyone who keeps his data with an EU cloud provider in an EU data center relies on a provider that is subject to GDPR and is therefore on the safe side in terms of data protection. SAP customers in Europe should therefore critically examine their use of US cloud solutions and limit it to absolutely necessary cases for now. With GDPR now firmly in place, there is a risk of high penalties for data protection violations.” The US Cloud Act and GDPR are thus damaging cloud computing. The SAP community will have to find answers or go back to on-premise in the coming months.