Who is more dangerous? Hostile hackers or the USA

DDoS attacks are extortion Trojans

On September 7, 2022, the Karlsruhe Higher Regional Court overturned decisions by lower courts that cloud providers must be excluded from public tenders. This primarily affects companies from the USA.

The condition that the data must be processed in Germany does sound a healthy note of mistrust toward the U.S. government. Nevertheless, it is clear: It is exaggerated to demonize the cloud on data protection grounds.

In fact, today - and this is what primarily matters - it is factors more secure than having your own data center. In addition, the reasoning of the ruling shows: There is virtually no risk of legal challenge if you trust the contractual data protection promises of a U.S. company. 

Wrong debate focus

The discussion has a slippery slope: While we discuss a lot about the factually very rare permissions of US authorities to access data, we are exposed to the most massive attacks by hostile hackers ever in history. Trend: drastically increasing. Likewise, the variety of attack vectors has increased to an unimaginable degree. The media only report on a fraction of the cases.

We must not minimize the problem of the lower level of data protection in the United States; we must discuss it and work to raise it. But first, we need to focus on the most pressing problems: Hackers who paralyze companies and cause millions or billions of dollars in damage each time. Provocative and pointed: Am I compliant, but dead? Supposed data protection is not more important than data security and business continuity.

Zero Trust

Far more dramatic than the already dreaded DDoS attacks are the blackmail Trojans that love local data centers. Their chances are much worse in the cloud.
The reason: there is always zero trust. I have to make everything that is supposed to work together known to each other. Anomalies, such as frequent access with the same passwords, are detected much more quickly, and even if an admin notebook has caught malware, it cannot spread. Hyperscalers invest billions in their security to keep it that way. At Microsoft alone, there are around 3,000 employees who deal exclusively with cloud security.

In data centers, on the other hand, vulnerability is high. Once a Trojan has infiltrated, it has an easy game. In the case of highly sensitive SAP data, this hits the Achilles' heel of companies. How long can business be sustained if SAP stops working? Stock center by Post-it and invoices by Word? Many companies would simply go broke after just one day of downtime. 

Nevertheless, data protection remains an open question. In general, however, data transfers are rarer than is commonly believed. In online stores, it is actually more common for data to be given to the outside world. Half of the requests come from the police, including the German police, for law enforcement purposes. Requests for information with a special interest in knowledge make up a minimal proportion, and most of the time the focus is on the question of whether a particular customer exists - not what data is available about him. Based purely on Germany, this results in a microscopically small number that has remained relatively constant for many years. Even in the unlikely event that one of the cloud customers is listed as a terrorist by U.S. intelligence, measures are still possible to keep the data accessible but unreadable. No protection is absolutely secure, including this one. But the effort would be very high. 

Anyone who hesitates to operate their SAP system in the cloud of a hyperscaler for data protection reasons today is avoiding a tiny risk and, tragically, is putting themselves in a danger that threatens their very existence. The real adversaries have gone from being the exception to the rule in just a few years. They are well-equipped hackers with enormous criminal energy.