top of page

US Cloud Act and ISO 27001 Certification - Considerations for R&D Data Security

At a glance:

This post discusses the importance of securing R&D data in the manufacturing sector and the challenges faced by maintaining data security while collaborating in a globalized world. We highlight the security problem imposed by the US Cloud Act and explain why ISO 27001 certification is essential. We conclude by delving into the collaboration between Espeem and LuxProvide, a company that manages the Meluxina supercomputer located in Luxembourg, to handle sensitive data securely.


An illustration of two experimental R&D engineers working in the lab.


Introduction

Research and development (R&D) data in the manufacturing sector is valuable because it can lead to innovative products that companies will rely on for future success. However, it is also vulnerable because the hard-won insights may be readily apparent should the data be intercepted. 


Disclosure of trade secrets is no idle concern. The R&D heavy manufacturer Dupont, for instance, has litigated no fewer than three major cases of trade secret theft in the last two decades—one related to Kevlar, one related to titanium dioxide technology, and one related to ethanol fuel. While not all related to cybersecurity, they demonstrate the market for illicitly obtained trade secrets. 


Maintaining data security while collaborating in a globalized world requires work. Finding a way to achieve a good level of security requires examining the US Cloud Act and ISO 27001 certification.


What is the Data Security Problem imposed by the US Cloud Act? 

To answer this, let us take a look at an excerpt of the text itself:


"A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."


The act effectively kills one of the best measures to increase security—ensuring that no one except the client can see the unencrypted data. Since providers are required to comply with data requests, they have to build their systems to access the unencrypted data. 


Another concern is that if the US government uses the act legitimately to obtain information, the disclosure may accidentally contain trade secrets. Individuals in the US government may then inadvertently spread it or even be tempted to pass it on to competitors of the data's owner.


Achieving the high data standards required for handling sensitive manufacturing data means avoiding US-based providers and even providers with a significant presence in the US. This situation is unfortunate since the most advanced and convenient computing providers are from the US.


Why is ISO 27001 Security Certification Important? 

27001 security certification, also known as ISO/IEC 27001 certification, refers to a designation a company can achieve by implementing an  Information Security Management System (ISMS) that meets the requirements outlined in the ISO/IEC 27001 standard.


Here's a breakdown of the key points:

  • Focus:  The certification emphasizes protecting an organization's information assets from various threats, such as data breaches, cyberattacks, and unauthorized access.

  • ISMS:  The core of the certification is the ISMS, a framework that includes policies, processes, and procedures designed to manage information security risks effectively.

  • Certification process:  To be certified, an organization undergoes an audit by an accredited certification body to verify its ISMS meets the ISO 27001 standard.

In essence, the 27001 certification signifies that a company takes information security seriously and systematically manages information assets and associated risks. The certification does not mandate specific technologies, which may become outdated, but mandates that the provider continually assesses the risks it faces.


While a computing center may implement robust security features without certification, and certification can never guarantee that everything will go right, we still consider the ISO 27001 certification a must when data is highly confidential.


Collaboration with LuxProvide

At Espeem, we have taken the consequence of these considerations. To handle sensitive data, we have started a collaboration with LuxProvide, a company created to manage the Meluxina supercomputer located in Luxembourg. LuxProvide is not subject to the US Cloud Act as a local Luxembourgish company, has undergone the ISO 27001 certification, and is trusted to handle personal medical data. 


When handling sensitive data, we will use the Meluxina cluster for calculations. As a small company, Espeem can rely on LuxProvide's security practices to protect our clients. We can confidently handle sensitive client data when we ensure that the most sensitive data is only available on the Meluxina cluster and that Espeem accesses the data only through LuxProvide protocols.


The added security extends to our STM simulation consultancy and the atomistic simulation apps we will create in the future. Our first product, the STM App, did not need the stringent security considerations in this article since its intended audience is academic researchers. However, in April 2024, the Luxembourgish state awarded us a grant to develop secure apps on the Meluxina cluster. Our future apps will, therefore, benefit from the highest security scrutiny.


Conclusion

Securing R&D data in the manufacturing sector is crucial to ensuring innovation and future success. The US Cloud Act poses a significant data security problem, making it necessary to work with computing centers that are not subject to this act and are ISO-27001 certified.


If you wish to learn what kind of services we can securely perform on the Meluxina cluster, check out our simulation consultancy and our STM app, which are examples of the types of apps we can deploy there. Or connect with us directly—we are always ready to assist you with any queries you may have.

7 views0 comments

Recent Posts

See All

Comments


bottom of page