ISACA Switzerland Chapter After Hour Seminar

Security versus data leakage risk - How secure is your data in the cloud?

The issue of security and data protection in the cloud is becoming increasingly complex for companies. One crucial aspect that is often underestimated is the risk of data being leaked by third countries– due to their national security laws. Organizations that rely on the services of large cloud providers (hyperscalers) are particularly affected.

Legal bases that you should know:

• U.S. Executive Order 12333 (EO 12333): Mandate for US authorities such as the NSA and CIA to gather foreign intelligence. Decisions are made without judicial review.
• U.S. FISA Sec. 702 Allows targeted monitoring of “non-US persons” and binds cloud providers to cooperate via “compelled assistance” – often secretly and without notifying customers.

Conclusion: safety positioning is crucial

Companies in Switzerland and Europe must develop a comprehensive security strategy in order to minimize the risks posed by third-country interference. This includes

1. Selection of cloud providers that offer the highest encryption standards and ideally are not subject to “compelled assistance” under EO 12333, FISA obligations or similar obligations under administrative law.
2. Exploring potential risk-mitigating technologies, such as Client-Side Agents (CSA) and Hardware Security Module (HSM).
3. Strengthening the internal security system at a logical, technical, physical and personnel level in order to be prepared for possible incidents.

The risk of data leaks in the cloud is not just a data protection problem – it is a security risk management challenge with global implications.

Disclaimer: The legal bases mentioned (EO 12333 & FISA Sec. 702) are anchored in administrative or national security law and are therefore above civil law, on the basis of which most outsourcing contracts with hyperscalers are concluded by Swiss companies. The author and his employer do not offer legal advice, but security risk management advice.