Cloud services are incredibly popular, and for good reason. The “Software as a Service” model offers various advantages. However, there’s a flip side. When it comes to security, data protection, and legal compliance, self-hosted solutions are clearly ahead of the game. In this blog post, we’ll explore the benefits of total data sovereignty and shed some light on the risks associated with certain cloud services.
In this day and age, companies heavily rely on cloud-based services for processing and storing data. “Software as a Service” (SaaS) solutions, which run on external servers, are cost-efficient and scalable. Plus, they can usually be set up in record time, and the service provider takes care of updates and maintenance, which takes some of the burden off of internal IT departments and conserves financial and human resources.
SaaS solutions can also come with certain risks, however. While they greatly facilitate access to software, they are not immune to cybercrime: In order to prevent cyberattacks and data theft, end-to-end encryption, rock-solid security protocols, and strict management of user access rights must be part of every SaaS solution’s standard repertoire. At the same time, the importance of choosing a trustworthy service provider cannot be overstated. After all, data protection goes well beyond just the technical aspects: Where exactly are the service provider’s servers located? What about the company’s jurisdiction? Is metadata collected and potentially shared with third parties? Can authorities gain access to sensitive company data?
The Role of Legal Frameworks
In the EU, the processing and storage of personal data in companies is regulated by the General Data Protection Regulation (GDPR). The Swiss equivalent to the GDPR is the Federal Act on Data Protection (FADP). Nevertheless, a SaaS provider’s servers or “backup facilities” could be located in countries where they are subject to other legal frameworks that are not on par with the GDPR or the FADP.
If a server is located in a country without modern data protection laws like the GDPR or the FADP, metadata may be systematically collected and shared with third parties. As far as messaging apps are concerned, metadata can be quite revealing and may include information about the time and duration of the communication, the location, and phone numbers. Regardless of the server location, it is also important to note that around two-thirds of European cloud services are managed by providers that are headquartered in the US. Thanks to the “Trans-Atlantic Data Privacy Framework,” data transfer to the USA is currently permitted under the GDPR and FADP – but it is unclear how long this agreement will remain in place.The “Trans-Atlantic Data Privacy Framework” is based on an executive order from the US President, so it is not backed by an act of the US Congress and could be overturned in the future either by a change in circumstances in the US government or a ruling by the European Court of Justice (ECJ) In addition, laws such as the CLOUD Act and the Foreign Intelligence Surveillance Act (FISA) continue to allow US authorities to access data stored by US cloud services at any time (even if the data is stored outside of the US).
When choosing a SaaS solution, it is thus important to closely review not only the technical security aspects but also the legal criteria in regard to data protection. Otherwise, companies run the risk of violating applicable regulatory requirements such as the GDPR. Organizations looking to eliminate these potential risks can also take a radically different approach: self-hosting.
Data Sovereignty Through Self-Hosting
Handling sensitive and personal data inevitably leads to a need for data sovereignty because this kind of information is linked to the data protection laws and governance structures of a country, an industry, or a company.
For companies in particular, the requirements placed on the storage and processing of data are becoming increasingly complex. With DORA, NIS2 and CER, the management is responsible for data protection. As a result, it is crucial for the executive level to address the topics of cyber resilience and data sovereignty.
Unlike with SaaS solutions, self-hosting allows companies to rely solely on their own servers. This guarantees not only the physical ownership of data, but also the ability to determine where and how data is collected, stored, processed, and used. No longer relying on third parties reduces the amount of data exchanged, which, in turn, lowers the risk of data loss. Self-hosting therefore not only offers maximum security but also data sovereignty, i.e., sole control over the access to, use of, and protection of the data.
Data Sovereignty and Instant Messaging
Modern working life is characterized by a constant flow of information, with messaging apps playing a major role: they enable the straightforward, efficient exchange of information and documents, simplify collaboration between coworkers, and streamline work processes. It is no surprise, then, that despite having a collaboration solution in place, a considerable share of corporate communication takes place using personal chat apps. However, these are some of the riskiest channels: according to Kaspersky, nearly 90% of phishing attempts are sent via WhatsApp. A self-hosted or independent chat environment can therefore significantly increase cybersecurity. This is why Threema has developed a solution for companies with the strictest security requirements: Threema OnPrem.
Companies using business messengers often overlook the fact that central administration and user management can contain a great deal of sensitive information (e.g., names, job titles, etc.). Whereas with a SaaS solution, this data is stored on the operator’s server, self-hosted solutions like Threema OnPrem offer companies total control and sovereignty over their data. This allows companies to ensure that only authorized personnel can access sensitive data. Threema OnPrem’s management cockpit lets companies manage organizations, licenses, and user accounts, enforce security and compliance requirements, view usage statistics, and restrict authorizations. This means, for example, that IDs of employees who have left the company can quickly be revoked or removed from chat groups so that former employees no longer have access to confidential business data.
Threema OnPrem is mainly intended for public administrations, public authorities (such as the military or the police), and organizations in critical sectors where the strictest data security is required according to NIS2 (e.g., in the health-care sector). The Threema OnPrem mobile app can be distributed directly via the management cockpit or using an EMM/MDM system and connected to a directory service such as Active Directory. In case of limited technical resources or time, we offer an extensive network of full-service providers.