100% on the safe side
The most necessary security settings for a messenger for organisations
Why is there so much discussion about alternatives to AWS, Azure and others? And what role does this play when choosing a communication solution for your own organization? This blog post gives the background and explains what to look out for when hosting communication solutions.
The provider market in the Software as a Service (SaaS) sector is growing rapidly, and demand for flexible and scalable infrastructure keeps increasing. So far, so good. At the same time, however, the number of attacks and incidents that endanger the cybersecurity of organizations using SaaS solutions is also rising, and many organizations are not aware that their IT solutions make them a target for cybercriminals, or that they themselves are legally on very thin ice. When deciding on a communication solution, the focus is usually on increasing efficiency, although security and compliance are equally important selection criteria and should in fact be prioritized.
Organizations headquartered in Germany or elsewhere in the European Union look for an Azure and AWS alternative because, since the Privacy Shield was struck down, there is no general legal basis for having personal data processed in the US or by US companies. Under Chapter V of the EU General Data Protection Regulation (GDPR), beginning with Article 44, personal data may only be transferred to a third country if the European Commission has found by an adequacy decision (Article 45) that the country provides an adequate level of data protection, or if one of the safeguards or derogations in Articles 46 to 49 applies. For the US, such an adequacy decision existed in the form of the Safe Harbor agreement until the European Court of Justice (ECJ) invalidated it in October 2015, and in the form of its successor, the Privacy Shield, until July 2020, when the ECJ declared that decision invalid as well (the Schrems II ruling).
Why does the US, as a country outside the EU and the EEA (a so-called third country), not offer an adequate level of data protection from the GDPR's perspective? One reason is legislation such as the U.S. CLOUD Act, which allows U.S. authorities to compel a U.S. company or its subsidiaries to hand over data in its possession, custody or control, even if that data is stored in European data centers. The differing views on either side of the Atlantic stem from the fact that in Germany and the EU data protection is anchored as a fundamental right, the right to informational self-determination, whereas in the U.S. it is largely treated as a matter of commercial and competition law and is often implemented through voluntary commitments by individual industries or companies. A convergence of U.S. and European data protection law is therefore not to be expected in the foreseeable future. More detailed background is available in the free whitepaper (in German) from our cloud partner IONOS Cloud.
Transferring data to the US, or using US cloud services even when they host the data in European data centers, therefore can no longer be based on an international agreement. Any data processing agreement that still invokes the Privacy Shield must be revised. Often, however, the end-user organizations that use a software or communication solution do not even know on which legal basis the provider hosts their data, or has it hosted by a subcontractor.
#1 US-based cloud computing cannot be assumed to be GDPR-compliant, even if the servers are located in Germany.
#2 Organizations should have their contracts with cloud providers and software vendors reviewed to identify and eliminate these risks.
To be clear: an organization that engages a cloud provider or uses a cloud-based communication solution remains responsible, as the controller in GDPR terms, for ensuring that the processing is lawful. According to the European Court of Justice, the following options remain for legitimizing a transfer of personal data to the US even after the Privacy Shield was invalidated:
1. Organizations can use the EU Commission's standard contractual clauses (Article 46 GDPR), provided the clauses are adopted without changes to their content, are concluded separately with each individual processor, and the organization has assessed for each transfer that the data subjects (the individuals whose personal data is at stake) enjoy a level of protection in the third country equivalent to that in the EU, adding supplementary measures, such as encryption with keys held only in the EU, where they do not.
2. Organizations can also adopt binding corporate rules under Article 47 GDPR, which cover transfers within a corporate group.
3. Alternatively, organizations can obtain the explicit consent of every data subject whose data is transferred (Article 49 GDPR), i.e., every user of the communication solution inside and possibly outside the organization. Such consent must inform the user of the specific risks of the transfer and is a derogation that must be interpreted restrictively, so a legally watertight implementation for an everyday messenger is unlikely to be easy.
In practice, it must be assumed that a GDPR-compliant data transfer to the US, or data processing by US companies, on the basis of the standard contractual clauses is hardly achievable.
To avoid this whole issue and stay out of legal gray areas, communication solutions should be built on an infrastructure that is GDPR-compliant end to end. Data protection in the strict sense covers only personal data, whereas data security requirements also extend to business data, research and development information, and telemetry data. Security is additionally about keeping an organization operational, including its communication, in crisis and emergency situations. If certain services of an organization run in the Microsoft or AWS cloud, alternatives are needed as a kind of backup network so that important processes, communication among them, can be maintained if those cloud structures fail. Large cloud providers can go down not only because of natural forces, but also because of disruptions of critical infrastructure (CRITIS), chemical, biological, radiological and nuclear (CBRN) hazards, cyberattacks, or human error. This raises two questions for every organization:
1. Is a complete replacement of all systems based on these or other US-based cloud solutions necessary?
2. Or does the organization need a sovereign parallel solution, especially for communications, that remains available in crisis and emergency situations?
Organizations that handle sensitive and personal data on a daily basis should seriously consider an Azure and AWS alternative for hosting their systems and communication solutions. At a minimum, it is advisable to establish an independent solution for secure emergency communications: if the primary cloud computing or cloud storage solutions become unavailable during a crisis or a cyberattack, internal communication is not interrupted and the organization remains able to act. As a communication solution provider, Teamwire offers a reliable alternative to cloud services such as AWS, Azure & Co. in both cases.
Our business messenger Teamwire is, among other deployment options, hosted in a public cloud provided by IONOS Cloud, the leading European provider of a sovereign cloud platform. Alternatively, Teamwire can be operated in the organization's own private cloud, so that the self-hosting organization keeps full control over its data in-house and can meet the GDPR and its own compliance guidelines. As a provider headquartered in Germany, we are bound by the GDPR ourselves and committed to protecting our users' data at all times. Beyond relying on European cloud computing and a zero-trust model, Teamwire works with the German provider Dracoon at the cloud storage level.
As described at the outset, not all organizations know on which basis they operate their communication solutions. It is not uncommon for solution providers to lack transparency, and privacy and security statements are sometimes hard to find or understand. Organizations that choose Teamwire can rest assured that data security is our top priority, and we are committed to making the use of Teamwire as reliable and worry-free as possible. By building our business messenger on a GDPR-compliant foundation, relying on Azure and AWS alternatives, and adding further security measures, we can address doubts regarding data privacy, security, and sovereignty, which is why sensitive organizations such as public institutions and authorities choose Teamwire.
In our case study "Making communication simply easier" about the City of Zirndorf, we show the requirements the city used to search for a communication solution and how the municipal authorities now benefit from secure and GDPR-compliant communication.
Are you interested in establishing Teamwire (based on an Azure or AWS alternative) as the communication solution in your organization? We are happy to answer all your questions. Simply arrange a non-binding consultation.