by comparing the costs of the potential damage with the costs of the
respective risk control measures.
Risks through the Cloud provider
A risk assessment of the Cloud provider is only possible if the way the
provider delivers its services is sufficiently transparent. Even if you
choose a regional software vendor that previously offered highly functional
software solutions on a license basis for the applications in question and
now offers them on a subscription basis, that vendor might still use
infrastructure services from non-European providers, and legal uncertainty
would thus arise.
The following main risks were identified by ENISA (European Network and
Information Security Agency) in its studies:
Insufficient service level guarantees
Provider dependency
Insufficient data isolation
Problems with compliance requirements
Insufficient safeguarding of administrative functions
Data protection violations
Insufficient data deletion upon request by the customer
Insider attacks by untrustworthy persons
To mitigate these risks, the following points should be clarified with the
provider:
Do interfaces and data export functions exist?
Do contractual provisions for control functions exist?
Are the applicable data protection provisions complied with?
Are the data locations known and assured?
Under which governing law is the service provided?