Rethinking cloud computing

Why a legal expert sees R&S®Trusted Gate as a solution

Prof. Dr. Dirk Heckman, renowned data protection and IT security law expert, sees the dilemma as characterized by the fact that it is possible neither to regionalize the internet nor to Europeanize the laws of other countries that are obliged, for example, to hand over their data to their own authorities. Heckmann, however, believes that the dilemma can be solved. He is not speculating on Europe’s emerging GAIA-X platform, nor does he think a switch to legally compliant but less capable providers is appropriate.

Instead, in his May 2021 report on the data protection compliant use of cloud solutions, Prof. Dr. Heckmann concludes that "cutting the Gordian knot" tied by the European Court of Justice in its Schrems II data security ruling could be achieved by a technical solution: R&S®Trusted Gate from Rohde & Schwarz Cybersecurity. He concludes his report by stating his conviction that this solution also represents "a major step toward digital sovereignty".

With his verdict, Prof. Dr. Heckmann refers to the independent KuppingerCole Analyst AG and their report from March 2019, in which they explain how it is possible for the solution – which has been patent pending for just under three years – to provide one hundred percent protection for data in the cloud. Robert Rudolph, Product Marketing Manager R&S®Trusted Gate, expects patent protection to be granted this year, describing the solution as an "absolutely new process". This process makes it possible to use all forms of public cloud services, regardless of the provider, with full security – and at the same time to meet the demands of data protection and compliance. The trick: while the cloud providers' services can still be used via servers all over the world, the users' own data is completely decoupled from these services and thus unable to be accessed by the public cloud providers.

How data centric security works

We are witnessing a paradigm shift: away from protecting one's own IT infrastructure and toward data centric security. To take this fundamental step, the solution's inventor, Dr. Bruno Quint, and his team at Rohde & Schwarz Cybersecurity have developed a combination of virtualization, encryption and file fragmentation. And it works like this: when a document is uploaded to the cloud, a virtualized version of the original document is created. This virtual document contains only the metadata of the original, such as keywords, but actually has no content of its own. An unauthorized reader sees that a blank document is being transmitted, but not what the original actually contains. The document as such remains in the workflow, but is worthless to hackers or intelligence agencies.

The original document, meanwhile, is encrypted and fragmented; figuratively speaking, it is transformed into digital dust. These dust particles are then stored on different, freely selectable storage systems. This means that the original document can never be viewed in its entirety. Even quantum computers with their enormous computing power are helpless. The distributed chunks cannot be cracked because they are only fragments of the encrypted data. The shredded document only becomes visible when all the chunks are reassembled and decrypted.

Dr. Bruno Quint explains: "The data protection authorities, after all, have not banned users from using the cloud, and they have not banned cooperation with the major providers. What matters is regaining sovereignty over the data. And in a cloud environment, the data is the only thing we own." Cloud providers based outside of Europe are sometimes forced by law to hand over data to their respective government agencies. "They see R&S®Trusted Gate as an effective customer tool for preventing this," says Daniel Heck, Vice President Marketing Rohde & Schwarz Cybersecurity, "and they maintain a good working relationship with us as a result."

The fundamentally new software solution is very easy to use. Public authorities and companies can install R&S®Trusted Gate and have it up and running within 24 hours. Case in point: a German non-profit organization wanted to handle its internal communications using a standard collaboration tool, and at the same time to ensure that personal and health-related data remained protected in the public cloud. R&S®Trusted Gate was deployed on the desired platform, and the installation was fully configured within a day by professional remote support. Employees were able to continue working together the next day as they always had, with no additional training. Chat is also encrypted. Other typical cases in which R&S®Trusted Gate represented a quick solution include a biotechnology company that uses R&S®Trusted Gate to protect itself against industrial espionage and an aviation company that can process its satellite data in encrypted form – and thus securely.

Protection for the network and equipment, too

The data centric approach does not make traditional security measures obsolete, but rather complements them. Government agencies and public authorities in particular rely on sharing confidential documents and classified information not only in a cloud, but also within their network. In this respect, the sudden switch to home offices is also a challenge, because data transfer via standard VPN (virtual private network) tunnels leaves the data vulnerable to attack. Germany’s Federal Office for Information Security (BSI) recommended solutions that are independent of the operating system. Until recently, however, this would have meant obtaining hardware and providing each employee in the home office with a VPN box in addition to their end user equipment. Here, too, the simpler approach is a software solution that implements VPN dial-in independently of and isolated from the operating system, without requiring additional hardware connected to the terminal device: the R&S®Trusted VPN Client has been approved by the BSI for classified information up to RESTRICTED (VS-NfD) level.

It is still important to maintain control over the browser, as this is the main gateway for malware. Opening an email attachment, using an app, downloading a document – all of these can introduce malicious code that infects not only the computer but the entire network. Rohde & Schwarz Cybersecurity has developed R&S®Browser in the Box, a software response to this problem as well. Users notice nothing to tell them that they are working in a secure environment when they go online – the operating system runs in a virtual environment, and the file system and interfaces are not accessible to the browser. Downloaded documents enter an isolated environment ("docs in the box"), and even crucial interfaces such as the microphone and computer camera are incorporated into the virtual environment and thus kept secure.

In this way, one seemingly insoluble problem after another turns out to be quite solvable after all – provided you have the know-how. In the case of the supposedly unsolvable cloud computing dilemma, Prof. Dr. Heckmann felt prompted by the elegant solution presented by R&S®Trusted Gate to use two tongue-in-cheek subheadings when structuring his report. The first was for the section on legal assessments: "I have no solution, but I admire the problem." The second was for the section on the technical solution presented by R&S®Trusted Gate: "I admire the solution. What was the problem again?"