Tele­Trust: “Sta­te of the art” handout

The Ger­man Tele­TrusT – Bun­des­ver­band IT-Sicher­heit e.V. has published a “Hand­out” on the so-cal­led sta­te of the art published. The sta­te of the art is men­tio­ned in Art. 32 (1) GDPR as one of seve­ral cri­te­ria to be con­side­red when deter­mi­ning the ade­qua­cy of tech­ni­cal and orga­nizatio­nal mea­su­res. In this con­text, the sta­te of the art lies between

  • the “Sta­te of sci­ence and rese­arch”, which offers hig­her secu­ri­ty but enjoys even lower reco­gni­ti­on and has pro­ven even less in prac­ti­ce, and
  • the “Gene­ral­ly reco­gnized rules of tech­no­lo­gy”, which offer lower security.

In this con­text, the sta­te of the art is descri­bed as

The pro­ce­du­res, faci­li­ties or modes of ope­ra­ti­on available in the move­ment of goods and ser­vices, the appli­ca­ti­on of which can most effec­tively ensu­re the achie­ve­ment of the respec­ti­ve legal pro­tec­tion objectives

The hand­out descri­bes tech­ni­cal mea­su­res orga­ni­zed by topic and places them in each case on the con­ti­nu­um bet­ween the gene­ral­ly accept­ed rules of tech­no­lo­gy and the sta­te of the art in sci­ence and rese­arch. Example:

What action (pro­ce­du­res, faci­li­ties, or methods of ope­ra­ti­on) is descri­bed in this section?
The fol­lo­wing mea­su­res are useful for pro­tec­ting the stored data:

  1. Encrypt­ed trans­fer of files to and from the file sha­ring service
  2. Cli­ent-side end-to-end encryp­ti­on of data for the reci­pi­ent befo­re trans­fer to cloud storage 
    • Through encryp­ti­on inte­gra­ted into the data exch­an­ge ser­vice in the cli­ent soft­ware belon­ging to the cloud storage.
    • Using sepa­ra­te end-to-end encryp­ti­on soft­ware on the client

In par­ti­cu­lar, the fol­lo­wing que­sti­ons should be considered:

  1. Who ope­ra­tes the ser­vice and does the ope­ra­tor have access to the data, if applicable?
  2. How is the data pro­tec­ted during trans­port to and from the operator?

If the ser­vice is ope­ra­ted by a tru­sted enti­ty, then end-to-end encryp­ti­on of the data its­elf may not be neces­sa­ry under cer­tain cir­cum­stances, but it is gene­ral­ly sen­si­ble even for tru­sted operators.

File exch­an­ge ser­vices are available whe­re data is encrypt­ed trans­par­ent­ly befo­re upload, i.e. wit­hout any spe­cial action by the user, and decrypt­ed again after down­load. The ope­ra­tor then sees only encrypt­ed data. Alter­na­tively, cli­ent-side encryp­ti­on soft­ware can be used to pro­vi­de end-to-end encryp­ti­on of data befo­re upload or after down­load. Howe­ver, the­se solu­ti­ons usual­ly requi­re addi­tio­nal effort on the part of the user. When it comes to encryp­ti­on, care should be taken to use secu­re pro­ce­du­res for encryp­ti­on and for key gene­ra­ti­on and key management.

Under no cir­cum­stances should the encryp­ti­on of data during trans­port to and from the ope­ra­tor be dis­pen­sed with (trans­port encryp­ti­on, usual­ly TLS).

The­se mea­su­res are clas­si­fi­ed as follows:

It is important to note that the sta­te of the art only one of seve­ral cri­te­ria in the assess­ment of appro­pria­ten­ess. The mea­su­res descri­bed in the hand­out are the­r­e­fo­re not man­da­to­ry. A com­pa­ny may – and must – e.g. also take the Eco­no­mic effi­ci­en­cy pos­si­ble mea­su­res into account.




Rela­ted articles