CLOUD COMPUTING
- Dharmalingam S
Note: It's only for studying and knowledge sharing purposes
CLOUD?
Cloud computing is a model for enabling convenient,
on-demand network access to a shared pool of
configurable computing resources that can be rapidly
provisioned and released with minimal management
effort.
TRADITIONAL IT CLOUD
ARCHITECTURAL BLOCK
BASIC SERVICES
BUILDING CLOUD ENVIRONMENT
• Heterogeneous system support.
• Service management
• Dynamic workload and resource management
• Reliability, availability and security
• Integration with existing data center management tools
• Visibility and reporting
• Cloud must be a converged infrastructure – supports DR, elasticity, avoids single point of failure.
• There has to be fully automated orchestration of service management and software distribution across the converged infrastructure
CURRENT CLOUD SETUP:
Cloud security  privacy- org
CLOUD SECURITY
• Data breaches
o Multi-factor authentication and encryption of data.
• Insufficient identity, credential and access management
o Weak passwords
o Identity solution between the customers
o Cryptographic keys
o Any centralized storage mechanism containing data secrets (e.g. passwords, private keys, confidential customer contact database) is an extremely high-value target for attackers
• Insecure interfaces and APIs
• System vulnerabilities
o Kernel, system libraries and application tools: vulnerabilities in these put the security of all services and data at significant risk
o Bugs are everywhere
o Solution: vulnerability scanning, security patches or upgrades. Secure design and architecture can lessen the chances of an attacker taking full control of every part of an information system.
o Heartbleed, Shellshock
• Account hijacking
o Phishing, fraud, reuse of passwords.
o Organizations should look to prohibit the sharing of account credentials among users and services.
o Amazon systems were used to run Zeus Botnodes
• Malicious insiders
• Advanced persistent threats
o Spearphishing, direct hacking of systems, delivering attack code through USB devices, penetration through partner networks and use of unsecured or third-party networks are common points of entry for APTs.
• Data loss
• Insufficient due diligence
o Good roadmap and checklist for due diligence when evaluating technologies
o An organization that rushes to adopt cloud technologies and choose CSPs without performing due diligence exposes itself to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success. Amazon AWS experienced an outage due to accidental deletion of information that controls load balancing.
o Nirvanix, a cloud storage specialist that hosted data for IBM and Dell, went bankrupt for the above reasons.
o Facebook faced issues after buying M&A.
• Denial of service
• Shared technology vulnerabilities
PHYSICAL SECURITY
• The elements of physical security are also a key element in
ensuring that data center operations and delivery teams can
provide continuous and authenticated uptime of greater than
99.9999%
• Physical access control and monitoring, including 24/7/365
onsite security, biometric hand geometry readers inside “man
traps,” bullet-resistant walls, concrete bollards, closed-circuit
TV (CCTV) integrated video, and silent alarms.
• Environmental controls and backup power
• Policies, processes, and procedures
NETWORK SECURITY
• Denial of Service: DNS hacking, routing table “poisoning”, XDoS attacks
o SYN cookies
o Connection limiting
o Internal bandwidth maintained
• Port Scanning
o Port scans are a violation of the Acceptable Use Policy (AUP)
• Man-in-the-Middle Attack: to overcome it, always use SSL
• IP Spoofing: Spoofing is the creation of TCP/IP packets using
somebody else's IP address.
o Host based firewall infrastructure
o Infrastructure will not permit an instance to send traffic with a source IP
or MAC address other than its own.
SECURITY IN THE MIDDLEWARE
It supports security groups: we can define our own security groups and assign ACLs to them.
The firewall can be configured in groups, permitting different classes of instances to have different rules, for example a web server:
• HTTP – port 80
• HTTPS – port 443
• SSH – port 22
IAM and certificate-based communication between cloud components.
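The group-based firewall described above can be modelled as a default-deny evaluator plus an audit for admin ports left open to any source. This is an added example, not code from the original slides; the group names other than the web server, the instance names, the 10.0.0.0/24 admin subnet and every address are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp" or "udp"
    port: int       # single destination port
    source: str     # CIDR block allowed to connect

    def matches(self, protocol, port, src_ip):
        return (protocol == self.protocol and port == self.port
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))


# Constructed rule sets. "webserver" uses the ports from the slide; restricting
# SSH to an admin subnet, and the other two groups, are assumptions.
SECURITY_GROUPS = {
    "webserver": [
        Rule("tcp", 80, "0.0.0.0/0"),
        Rule("tcp", 443, "0.0.0.0/0"),
        Rule("tcp", 22, "10.0.0.0/24"),     # SSH only from the admin subnet
    ],
    "database": [
        Rule("tcp", 5432, "10.0.1.0/24"),   # only the web tier may connect
    ],
    "legacy-web": [
        Rule("tcp", 80, "0.0.0.0/0"),
        Rule("tcp", 22, "0.0.0.0/0"),       # weak: SSH reachable from anywhere
    ],
}

# Which groups each instance belongs to (constructed).
INSTANCES = {"web-1": ["webserver"], "db-1": ["database"]}


def is_allowed(instance, protocol, port, src_ip):
    """Default deny: traffic passes only if a rule in one of the
    instance's groups explicitly matches it."""
    for group in INSTANCES.get(instance, []):
        for rule in SECURITY_GROUPS.get(group, []):
            if rule.matches(protocol, port, src_ip):
                return True, group
    return False, "default deny"


def audit_world_open(groups, admin_ports=(22,)):
    """Return (group, port, source) for admin ports open to every address."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            if ipaddress.ip_network(rule.source).prefixlen == 0 and rule.port in admin_ports:
                findings.append((name, rule.port, rule.source))
    return findings


if __name__ == "__main__":
    print(is_allowed("web-1", "tcp", 443, "203.0.113.7"))
    print(is_allowed("web-1", "tcp", 22, "203.0.113.7"))
    print(audit_world_open(SECURITY_GROUPS))
```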
CREDENTIAL MANAGEMENT
• Access Credentials
o Access Keys
o X.509 certificates
o Key pairs
• Sign-In Credentials
o Email Address (User Name) and Password
o Account Identifiers
• Account Identifiers
o Account ID
o Canonical ID
EC2 SECURITY
• Host OS
o Built on bastion host
o Cryptographically strong SSH keys to access bastion host
o Access is logged and routinely audited
• Guest OS
o Virtual instances are controlled by customer
o Customers have full root access and administrative
controls
o Customers use token or key based authentication
EC2 SECURITY
Firewall:
• Set to deny by default
• Requires the customer's X.509 certificate and keys to authorize changes
API:
• Calls to launch and terminate instances are signed with the X.509 certificate/secret access keys
• API calls are encrypted in transit with SSL
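A simplified sketch of signing launch and terminate calls with a secret access key, and of the checks the receiving side should make. This is an added example, not code from the original slides and not the actual AWS signature format; the key ID, secret, parameter names, path and 300-second window are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

MAX_SKEW = 300  # seconds a signed call stays valid (assumed window)

# Constructed key store: access key ID -> secret access key.
KEYS = {"KEY-CONSTRUCTED-01": b"constructed-secret-for-demo-only"}


def canonical(method, path, params):
    """Sort parameters so client and server hash byte-identical input."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}".encode()


def sign(secret, method, path, params):
    return hmac.new(secret, canonical(method, path, params), hashlib.sha256).hexdigest()


def build_request(key_id, secret, method, path, params, now):
    """Client side: add key ID and timestamp, then sign everything."""
    signed = dict(params, AccessKeyId=key_id, Timestamp=str(int(now)))
    signed["Signature"] = sign(secret, method, path, signed)
    return signed


def verify(method, path, params, now, seen_signatures):
    """Server side: reject unknown keys, stale calls, tampering and replays."""
    params = dict(params)
    signature = str(params.pop("Signature", ""))
    secret = KEYS.get(params.get("AccessKeyId", ""))
    if secret is None:
        return False, "unknown access key"
    try:
        timestamp = int(params.get("Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - timestamp) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret, method, path, params)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    if signature in seen_signatures:
        return False, "replay"
    seen_signatures.add(signature)
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    call = build_request("KEY-CONSTRUCTED-01", KEYS["KEY-CONSTRUCTED-01"], "POST",
                         "/instances",
                         {"Action": "TerminateInstance", "InstanceId": "i-constructed01"},
                         now=1_700_000_000)
    print(verify("POST", "/instances", call, 1_700_000_010, seen))
    print(verify("POST", "/instances", call, 1_700_000_020, seen))
```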
SECURITY SOLUTIONS
-
WHAT WE ACHIEVED
DATA ISOLATION (VM ISOLATION)
• All the VMs on the hypervisor communicate via event channels and shared memory within the host.
• By creating policies at the hypervisor level we can allow/deny the interdomain communication.
• Implemented in the XSM framework, similar to SELinux
Security Label
Object : Role : Type
DIGITAL CERTIFICATE LOGIN
• It prevents account hijacking.
• Every user is issued a digital certificate that is approved by a CA.
• Digital certificates have a private key, public key, name, unique serial number, etc.
• User certificates are verified in LDAP to allow/deny the user.
• Role Based Access Control
• Individual roles will be assigned to the user
• Based on the roles, policies are written
• We can also create groups
Example: Normal users are not allowed to create VMs; they are only allowed to make a request.
RBAC
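The role and group model above, including the rule that normal users may only request a VM, can be expressed as a deny-by-default policy check. This is an added example, not code from the original slides; the role, group, user and action names are assumptions, and the rule that a requester cannot approve their own request is an extra assumption that the slides do not state.

```python
# Constructed policy: role -> actions that role may perform.
ROLE_POLICY = {
    "user": {"vm:request"},
    "admin": {"vm:request", "vm:approve", "vm:create"},
}
GROUP_ROLES = {"cloud-ops": {"admin"}}      # a group grants roles to its members
USERS = {
    "alice": {"roles": {"user"}, "groups": set()},
    "bob": {"roles": {"user"}, "groups": {"cloud-ops"}},
}


class AccessDenied(Exception):
    pass


def effective_roles(user):
    """Directly assigned roles plus roles inherited from groups."""
    entry = USERS.get(user)
    if entry is None:
        return set()                        # unknown users hold no roles
    roles = set(entry["roles"])
    for group in entry["groups"]:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def is_permitted(user, action):
    """Deny by default: some role of the user must list the action."""
    return any(action in ROLE_POLICY.get(role, set()) for role in effective_roles(user))


def require(user, action):
    if not is_permitted(user, action):
        raise AccessDenied(f"{user} may not perform {action}")


class VmService:
    def __init__(self):
        self.pending = {}                   # request id -> (requester, vm name)
        self.vms = []
        self._next_id = 1

    def request_vm(self, user, name):
        require(user, "vm:request")
        request_id = self._next_id
        self._next_id += 1
        self.pending[request_id] = (user, name)
        return request_id

    def approve(self, approver, request_id):
        require(approver, "vm:approve")
        requester, name = self.pending[request_id]
        if requester == approver:           # assumed separation-of-duties rule
            raise AccessDenied("requester cannot approve their own request")
        del self.pending[request_id]
        vm = {"name": name, "owner": requester, "approved_by": approver}
        self.vms.append(vm)
        return vm

    def create_vm(self, user, name):
        require(user, "vm:create")
        vm = {"name": name, "owner": user, "approved_by": user}
        self.vms.append(vm)
        return vm


if __name__ == "__main__":
    service = VmService()
    rid = service.request_vm("alice", "build-01")
    print(service.approve("bob", rid))
```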
LOG MANAGEMENT ENGINE
• Real-time log correlation engine
• Able to find an error within seconds
• Achieved using Logstash + Elasticsearch + Kibana3.
• Web application also available
• We can easily search the logs by time and text
PRIVACY
• It is less a technical issue and more a policy and legal issue. Policies have to empower people to control the collection, use and distribution of their personal information.
THINGS TO CONSIDER:
• Notice
• Choice
• Onward Transfer
• Security
• Data integrity
• Access
• Enforcement
PRIVACY BY DESIGN
• Data minimization
• Controllability
• Transparency
• User-friendly systems
• Data confidentiality
• Data quality
• Use limitation
END USER COMPUTING
REFERENCES:
• For Cloud Standards: http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Version-2_2013_June18_FINAL.pdf
THANK YOU
cooldharma06@gmail.com


Editor's Notes

  • #7: 1. Supports the data center's existing infrastructure. 2. The service offering should include resource guarantees, metering rules, resource management and billing cycles. 3. Must meet consumer workloads and be resource aware. Cloud computing virtualizes all the components of the data center, not just compute and memory. The environment should deliver the maximum performance. SLAs also have to be met.
  • #8: 24/7 workload. Resources are shared, so internal and external security and multitenancy have to be considered and must be integrated. The service needs to be able to provide access to only authorized users, and in the shared pool model the users need to be able to trust that their data and applications are secure. 99.999% availability – 5.26 minutes in a year.
  • #11: Weak passwords. The CSP should understand the security around the cloud identity solution, such as process, infrastructure and segmentation between the customers. Cryptographic keys, including TLS certificates, keys used to protect access to data and keys used to encrypt data at rest, must be rotated periodically. Any centralized storage mechanism containing data secrets (e.g. passwords, private keys, confidential customer contact database) is an extremely high-value target for attackers.
  • #12: The security and availability of general cloud services is dependent on the security of these basic APIs. Organizations and third parties may build on these interfaces to offer VAS to their customers. This introduces the complexity of a new layered API; it also increases risk. APIs and UIs are exposed to the outside world and face heavy attacks.
  • #14: Data stored in the cloud can be lost for reasons other than malicious attacks. An accidental deletion by the cloud service provider, or worse, a physical catastrophe such as a fire or earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer takes adequate measures to back up data, following best practices in business continuity and disaster recovery. Solution: geographic redundancy, data backup within the cloud, and premise-to-cloud backups. Amazon EC2 suffered loss of data and loss of customers; Sony hijack.
    Denial-of-service (DoS) attacks are attacks meant to prevent users of a service from being able to access their data or their applications. By forcing the targeted cloud service to consume inordinate amounts of finite system resources such as processor power, memory, disk space or network bandwidth, the attacker—or attackers, as is the case in distributed denial-of-service (DDoS)
    Cloud service providers deliver their services scalably by sharing infrastructure, platforms or applications. Underlying components (e.g., CPU caches, GPUs, etc.) that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multitenant architecture (IaaS), re-deployable platforms (PaaS) or multicustomer applications (SaaS). Side channel attacks (inter-VM communication). Vulnerability – “The unchecked buffer vulnerability (CVE-2015-3456) occurs in the code for QEMU’s virtual floppy disk controller. A successful buffer overflow attack exploiting this vulnerability can enable an attacker to execute his or her code in the hypervisor’s security context and escape from the guest operating system to gain control over the entire host.”
  • #27: Notice: users have to be informed that their data is collected and how it will be used. Choice: the end user can allow/disallow the collection of data or its transfer to third parties. Onward Transfer: transfer of data to third parties may only occur to other organizations that follow adequate data protection principles. Security: reasonable efforts must be made to prevent loss of collected information. Data integrity: data must be relevant and reliable for the purpose for which it was collected. Access: individuals must be able to access information held about them and correct or delete it if it is inaccurate. Enforcement: there must be effective means of enforcing these rules.
  • #28: Data minimization: data processing systems are to be designed and selected in accordance with the aim of collecting, processing or using no personal data at all or as few personal data as possible. Controllability: an IT system should provide the data subjects with effective means of control concerning their personal data. The possibilities regarding consent and objection should be supported by technological means. Transparency: both developers and operators of IT systems have to ensure that the data subjects are sufficiently informed about the means of operation of the systems. Electronic access / information should be enabled. User-friendly systems: privacy-related functions and facilities should be user friendly, i.e. they should provide sufficient help and simple interfaces to be used also by less experienced users. Data confidentiality: it is necessary to design and secure IT systems in a way that only authorized entities have access to personal data. Data quality: data controllers have to support data quality by technical means. Relevant data should be accessible if needed for lawful purposes. Use limitation: IT systems which can be used for different purposes or are run in a multi-user environment (i.e. virtually connected systems, such as data warehouses, cloud computing, digital identifiers) have to guarantee that data and processes serving different tasks or purposes can be segregated from each other in a secure way.