Central government can use Google cloud services without GDPR risks from June


Am I being too negative if I think the risks can never be eliminated? Regardless of what is stated in the terms and conditions and the contract, the risks (e.g. in case of war, to name something extreme) will always exist.

I think so too. Good agreements are good, but especially from a business perspective, in that world everything is a deal with a price. You don't agree that X will never happen, you agree that a fine will be paid if X happens. From a business perspective, it is then only a consideration whether the fine outweighs the benefits of breaking the agreement.
To a certain extent, of course, this cannot be otherwise; mistakes are made everywhere and you therefore have to deal with them.

The mistake we make too often is thinking that good agreements are enough. I find that very naive. That is like saying you do not need seatbelts and airbags in your car because there are traffic rules. In a government (as in many other organizations) there is more than just money. It is almost impossible to secure state secrets with agreements alone.

So you also need technical security such as encryption (also, not only; you need both). Unfortunately, it is very difficult to monitor this. Not only because most suppliers do not want you to look into their code/systems/… to see whether it is properly organized. Understandable from their perspective, but as a customer it is of no use to me.
In practice, it is often solved by having an audit done. Then you get a piece of paper from the auditor that everything is okay. But really you are dependent on agreements. Usually, that auditor is also chosen by the supplier itself and the quality guarantee consists of even more agreements.
My experience is that 90% of the audits primarily look at organizational aspects and very little at the actual implementation of the technology.

Unfortunately, even a direct inspection of the technology does not give hard guarantees, even if you were sure that there are no bugs, because software can change very quickly. One moment you are running program X and one moment later it may have been replaced by program Y and you cannot tell the difference from the outside. Technically, it is hard to think how this could or should be done differently. I do not see a solution yet and anything that even looks like a solution quickly becomes very draconian. Think, for example, of chips in your computer that you do not control yourself, but that someone else controls, whether or not via the internet. To be clear, that is not an exciting fantasy; such chips are already in your computer, phone and TV (see e.g. https://en.wikipedia.org/wiki/Intel_Management_Engine and https://en.wikipedia.org/wiki/Digital_rights_management).

All in all, I come to the conclusion that it is almost impossible to really rely on computers (systems) that you do not manage yourself. In addition, you must at least have full control over all crypto. There are suppliers that support so-called bring-your-own-key systems. That is a big step in the right direction, but you keep coming back to the point that you simply cannot really control such a system.

A good step to make would be polymorphic encryption. This means you can edit data without decrypting it first. You can also give the (mathematical) guarantee that the operator cannot learn anything about the encrypted data. The technology exists in itself, but does not seem far enough along for widespread application.

Even then, you never have absolute certainty.

[Comment edited by CAPSLOCK2000 on 21 April 2023 12:14]