23. April 2018 - Data processing on behalf of the controller

Managed Security Services: here’s what you need to consider


IT risks are becoming increasingly complex and qualified staff are hard to find. As a result, not only small and medium-sized businesses are considering outsourcing their IT security. However, using what are known as Managed Security Services outsources only the tasks, not the overall responsibility. Read on to learn what you, as a data protection officer, should look out for when your company plans to outsource its IT security to third parties.

IT security as data processing on behalf of the controller – a data protection issue (Image: LeoWolfert)

Security as a Service

Managed Security Services (MSS), also known as Security as a Service, are IT security solutions and services that are delivered to customers from the cloud rather than operated on the customer's own systems.

Typical examples include the monitoring of security functions, malware detection and countermeasures, encryption, setup of temporary virtual private networks, firewalls and intrusion detection.

An increasing number of companies are relying on Managed Security Services. As stated in the Cloud Monitor 2017 report by Bitkom and KPMG, security solutions from the cloud are now the second most used of all cloud services, at 44 percent.

This puts them ahead of groupware (e-mail, calendar etc.) at 35 percent and tools for internal collaboration at 33 percent.

Data processing on behalf of the controller: the question of responsibility

Many companies hope to use Managed Security Services or Security as a Service as a means of ridding themselves of responsibility. The security requirements for the processing of personal data are high and their implementation is complex.

Surveys show that it is not uncommon for companies using cloud services to assume that the responsibility lies with the cloud service provider: according to the "Cloud Insights" study by T-Systems, 20.1 percent consider the cloud service provider solely responsible.

However, because the provider processes personal data (for example in monitoring logs and user lists) purely as a technical service on the customer's instructions, this is in most cases data processing on behalf of the controller: the provider acts as processor, and the responsibility remains with the customer as controller.

Data processing on behalf of the controller requires a contract with the service provider that satisfies the requirements of Article 28 of the General Data Protection Regulation (GDPR).

Among other things, the controller may use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing complies with the requirements of the GDPR and protects the rights of the data subjects.

High requirements for Managed Security Services

What needs to be examined when inspecting the technical and organisational measures of the provider (the processor)? The checklist below lists the points that data protection officers should look into. It applies at least until suitable data protection certifications and codes of conduct under the GDPR (Articles 40 and 42) are available from the provider.

Checklist with requirements for Managed Security Services (for each requirement, record whether it is fulfilled or not fulfilled)

Data centre operations of the provider
  • Protection against physical damage, e.g. from fire, flooding or storms
  • Protection against unauthorised access (access restrictions)
  • Automatic update processes for the security solutions
  • Documented technical expertise of the personnel
  • Use of proven security solutions
  • Personnel bound to comply with data protection requirements
  • Redundancy of the provided systems (fail-safe operation)
  • Emergency plan

Data connection between organisation and provider
  • Encrypted data transmission
  • Precautions to ensure network security at the provider
  • Checks of the systems used to administer the provided security solutions

Data storage and monitoring logs
  • Protection of the logs and other stored data of the company (e.g. user lists) against unauthorised access, data loss and data theft
  • Deletion of data when the purpose of storage ends, as agreed with the client
  • Strict separation between different clients
  • Periodic reports to the client and defined alarms (escalation paths with alarm levels) for data protection violations

Please note: IT security is essential

Furthermore, you should work to clear up another misunderstanding about Managed Security Services. It is not only the responsibility for the protection of personal data that remains with the organisation (under the GDPR a processor can itself be held liable for a data protection violation, but that does not relieve the controller of its own responsibility). IT security as a whole cannot be outsourced completely either.

Even if the security provider inspects all incoming and outgoing data traffic for security risks, the company still needs a secure connection to the service provider, and that connection and the devices behind it remain the company's job to protect.

Security tasks

The following security tasks always remain within the company:

  • Define, implement and monitor internal security guidelines that may also become a benchmark for external service providers
  • Define and monitor the quality of contracted services (SLA, Service Level Agreement)
  • Plan, implement and maintain an identity management system to secure access to the applications that run at the provider
  • Install and update anti-malware solutions, firewalls and other local security components to ensure a secure connection to the provider
  • Configure security settings and protect local and mobile end-user devices that communicate with the externally run solutions
  • Ensure internal network security (LAN, WLAN) and the security of gateways to the external solution
  • Monitor external services through reporting and inspections

Managed Security Services can be the instrument of choice for improving data security. However, they are not a substitute for the company's own data protection and data security efforts.

Oliver Schonschek
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.