IT risks are becoming increasingly complex and qualified employees are hard to find. As a result, not only small and medium-sized businesses are considering outsourcing their IT security. However, using what is known as Managed Security Services outsources only the tasks, not the overall responsibility. Continue reading to learn what you, as a data protection officer, should look out for when your company plans to outsource its IT security to third parties.
Security as a Service
Managed Security Services (MSS), also known as Security as a Service, are IT security solutions and services that are provided to customers from the cloud.
An increasing number of companies are relying on Managed Security Services. As stated in the Cloud Monitor 2017 report by Bitkom and KPMG, security solutions from the cloud are now the second most used of all cloud services, at 44 percent.
This puts them ahead of groupware (e-mail, calendar etc.) at 35 percent and tools for internal collaboration at 33 percent.
Data processing on behalf of the controller: the question of responsibility
Many companies hope to use Managed Security Services or Security as a Service as a means to rid themselves of responsibility. The security requirements for the processing of personal data are high and their implementation is complex.
Surveys show that it is not uncommon for companies that use cloud services to assume that the responsibility is with the cloud service provider: According to the “Cloud Insights” study by T-Systems, 20.1 percent consider the cloud service provider as solely responsible.
However, since the provider performs technical data processing on the customer's instructions, this is in most cases data processing on behalf of the controller: the responsibility remains with the customer.
Data processing on behalf of the controller must satisfy the requirements of article 28 of the General Data Protection Regulation (GDPR) for a contract with the service provider.
This includes that the processor must provide sufficient guarantees to implement suitable technical and organisational measures, so that the processing complies with the requirements of the GDPR and safeguards the rights of the data subject.
High requirements for Managed Security Services
What is required when inspecting the technical and organisational measures of the provider (the processor)? The checklist below lists the points that data protection officers should look into. This applies at least until the provider can present suitable data protection certifications or approved codes of conduct under the GDPR, which may then be used to demonstrate these guarantees.
Checklist with requirements for Managed Security Services

| Area | Requirement |
|---|---|
| Data centre operations of the provider | Protection against physical damage, e.g. from fire, flooding or storms |
| Data centre operations of the provider | Protection against unauthorised access (access restrictions) |
| Data centre operations of the provider | Automatic update processes for the security solutions |
| Data centre operations of the provider | Documented technical expertise of personnel |
| Data centre operations of the provider | Use of proven security solutions |
| Data centre operations of the provider | Personnel is bound to comply with data protection requirements |
| Data centre operations of the provider | Redundancy of the provided systems (fail-safe operation) |
| Data connection between organisation and provider | Encrypted data transmission |
| Data connection between organisation and provider | Precautions to ensure network security at the provider |
| Data connection between organisation and provider | Controls on the systems used to administer the provided security solutions |
| Data storage and monitoring logs | Protection of the logs and other stored data of the company (e.g. user lists) against unauthorised access, data loss and data theft |
| Data storage and monitoring logs | Deletion of data once the purpose of storage ends, as coordinated with the client |
| Data storage and monitoring logs | Strict separation between different clients |
| Data storage and monitoring logs | Periodic reports to the client and defined alarms (escalation paths with alarm levels) for data protection violations |
Please note: IT security is essential
Furthermore, you should work to clarify another misunderstanding about Managed Security Services: it is not just the responsibility for the protection of personal data that remains with the organisation. (Under the GDPR, a cloud provider acting as processor shares liability for data protection violations, but it is not solely responsible.) It is also not possible to outsource IT security completely.
Even if the security provider inspects the entire incoming and outgoing data traffic for security risks, the company still needs a secure connection to the service provider.
The following security tasks always remain within the company:
- Define, implement and monitor internal security guidelines, which also serve as the benchmark against which external service providers are measured
- Define and monitor the quality of contracted services (SLA, Service Level Agreement)
- Plan, implement and maintain an identity management system to secure access to the applications that are running externally
- Install and update anti-malware solutions, firewalls and other local security components to ensure a secure connection to the provider
- Configure security settings and protect local and mobile end-user devices that communicate with the externally run solutions
- Ensure internal network security (LAN, WLAN) and the security of gateways to the external solution
- Monitor external services through reporting and inspections
Managed Security Services can be the instrument of choice for improving data security. However, they are not a substitute for internal data protection and data security efforts.
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.