"There is no cloud. It's just someone else's computer."
(Unknown)

"Cloud applications" are now part of everyday life in many areas, e.g. as useful
apps in the personal environment, as collaborative project platforms across company boundaries
or as scalable infrastructures available at short notice in everyday life in education, business and administration.

They enable simple, effective and efficient collaboration, create fast and
flexible solutions and support mobile working.

Countless cloud services are available today both as so-called "public cloud" solutions and as so-called "private clouds" in a wide variety of business models.

However, it should not be forgotten that "the cloud" is an abstract term, but ultimately only means that the data and information it contains is processed in a Data Centre somewhere in the world in the hands of an operator. The question of access and ownership is therefore very important when it comes to cloud applications.

We distinguish between different types of cloud services:

• SaaS
  • Software-as-a-Service
  • Externally operated software, e.g. MS Office 365
  • Licensing often "on-demand"
• PaaS
  • Platform-as-a-Service
  • Z. E.g. Google App Engine
  • Provides development environments for developers
• IaaS
  • Infrastructure-as-a-Service
  • Z. E.g. hosting providers such as AWS, Ionos, Hetzner, MS Azure

There are a few more ("FaaS"). These are considered too specialised to be listed here. The different categories (SaaS, PaaS, IaaS, ...) are not decisive for the assessment of whether external cloud storage or processing is permitted. The data categories determine the assessment, see below.

The risks for ICBM can be roughly divided into three overlapping categories:

• Legal
  • Disclosure of data
  • Intellectual property rights
  • Licences and governance
  • GDPR
  • Export control
  • Storage and erasure under federal law
• Financial
  • Licences and governance
  • Can lead to fines due to violations
• Organisational & technical
  • Accessibility
  • Tracking of usage
  • Infiltration of malicious code
  • Compatibility of data (migration)
  • Provider dependency

Before using external cloud services, the respective applicant must carry out a preliminary review in consultation with the responsible data controllers, which includes a cost-benefit analysis and a risk assessment. This review includes a comparison with internal cloud services.

Users are recommended to carry out tests of external cloud services with test data.

External cloud services should only be considered if a preliminary review initiated by the respective applicant shows that no suitable solution is available within ICBM/UOL or that no such solution can be implemented that meets the respective functional and non-functional requirements or the respective contractual, legal, financial or time constraints.

The use of external cloud services must not violate legal and contractual requirements, the IT Framework Policy of ICBM/UOL or the IT security regulations of ICBM/UOL as amended from time to time.

IMPORTANT: The decision to use cloud services must be made by the data controller. This means that the data controller also bears the corresponding responsibility for their use. ICBM IT will be happy to advise you.