Risks

A central problem is the emerging dependency of the cloud user on the provider. The more data and services are transferred to a cloud provider, the greater the dependency on this, since a later change is usually complex and difficult (vendor-lock-in). Accordingly, the relationship between user and provider of cloud services needs to be accurately analyzed and evaluated. When using cloud services, in particular aspects of operational security and availability of data must be considered.

The following questions provide clues:

• What safeguards against data loss does the provider undertake?
• What does an emergency concept look like in the event of a cloud service outage?
• How is data and services protected against access by third parties?
• Which responsibilities for data protection (password strategies, data transfer between user and providers, encryption of data) remain with the user?
• What availability is guaranteed?
• How can data and services be migrated from a provider back to their own institution or to another provider (insourcing and provider change)?
• What is the legal framework for the provision of the service (for example, which legal status applies:
German, European, third country)?
• What are the ways to intervene in case of infringement or insolvency of a provider?

5 data in the cloud

The privacy objectives of data generally relate to confidentiality, integrity, availability, authenticity, authorization (role models), accountability, liability and auditability. Regardless of the operating model, the use of cloud offerings and the relocation of data to a cloud provider must determine which protection requirements exist and whether the data must be protected under national law. This applies in particular to personal data to be protected under data protection law. In the medical environment,
these requirements are typically particularly high, such. Genetic information, patient studies, disease registers, biomaterial databases, and in particular, are also subject to country-specific data protection
legislation. The use of a cloud service always corresponds to a processing of orders by third parties, which is permitted under data protection law only in very special justified exceptional situations.

Depending on whether written consent has been given or not for the use of certain services by affected patients, the data must at least be pseudonymised or completely anonymised. In each case, current de-
identification methods are to be used. Finally, in terms of outsourcing medical data to a cloud outside of medical facilities, there still needs to be the aspect of Seizure protection, which is waived if medical data is no longer in the custody of a medical facility.

In the case of confidential technical data (patents), it should also be ensured that no third party obtains access to this data. It must be clarified who has the responsibility for the data control including the individual steps of the data transfer, the Data storage and data deletion has.

Typically, the assurance and monitoring of these aspects is a problem with the use of cloud services. For larger commercial cloud providers, colleges and clinics often find themselves in an unfavorable asymmetric power relationship that makes it difficult to enforce individual requirements and legal claims. Here, therefore, a differentiated individual case analysis is necessary, which data Are subject to security and privacy requirements and are therefore suitable for use in cloud offerings. In a private cloud solution in their own data centers or in community solutions, where the data lie with partners who belong to the same jurisdiction and do not pursue commercial interests, the requirements for data security and data protection are often easier to fulfill. Cooperative solutions within the public
science system are therefore preferable to offers from commercial, external service providers.

Funded by the DFG

When requesting resources for cloud services via the DFG, some boundary conditions must be taken into account. For example, the DFG can recommend or co-finance investments in infrastructures as part of its large-scale equipment programs. Operating costs are excluded. Since cloud services are services in the legal sense, the previous separation into investments and operating costs is not or only partially possible.

It can be seen that this restriction will not be appropriate in the long term to the scientific requirements and requires a new consideration.
However, the DFG can recommend or co-finance investments in the cloud infrastructure for private and community cloud solutions and thus support best practice models.

The use of cloud services, for example in DFG projects, will normally have to be financed from the basic equipment and can not be financed as supplementary equipment in analogy to the use of a service from a data center. Exceptions require special justification, which must make it clear that project-related additional needs are needed that go beyond the basic provision.

In the future, the total cost of ownership (TCO) of services or experiments will have to be considered more closely in order to make services such as cloud services comparable to pure HW / SW procurements and, where necessary, eligible for support. The sustainability and cost-effectiveness of
solutions needs to be portrayed, as the metrics of public data centers show that commercial cloud solutions are typically not more cost effective than their own operating models. However, this requires high automation and a critical size for the economy of scale. Accordingly, community cloud solutions delivered within the science system are preferable to private and public cloud offerings.

For community cloud solutions, a suitable legal framework for the exchange of services must be established. Here must u.a. Answers to questions of tax issues, public procurement law and the settlement of benefits can be found.