More than three quarters of German companies store their corporate data in a cloud.[1] And even though more and more companies are turning to cloud services, security concerns - especially when it comes to securing critical data - are among the biggest obstacles when thinking about moving to the cloud. After all, companies entrust an external provider with their sensitive data, which feels like losing control over this data. The European General Data Protection Regulation (GDPR) as well as compliance requirements play a vital role. Companies that want to move to the cloud must entrust cloud providers with their data and must therefore ensure in advance that these cloud providers comply with all technical, legal and contractual requirements. For cloud providers, compliance with the GDPR is an absolute must if they want to stand a chance with companies at all.
What is cloud storage?
Cloud storage is a service that allows data to be stored by transferring the data via the Internet or another network to a remote system managed by a third party. There are many different cloud storage systems.
In practice, three basic application variants for cloud computing can be distinguished. The differences are not so much on the technical as on the organizational level.
- Public Cloud
In this scenario, a publicly available provider operates the cloud and several customers share the infrastructure without even being aware of each other.
- Private Cloud
A private cloud is accessible exclusively for one company and is operated either by the company itself or by the IT service provider.
- Hybrid Cloud
A hybrid cloud combines features of the public and the private cloud. This means that certain services are operated by public providers while others remain with the company.
Would you like to learn more about the right organizational, operational, technical and infrastructural measures you should take when opting for a cloud service provider?
Follow this link to read the blog post “Eleven criteria to consider when selecting a cloud service provider”.
Cloud security and compliance
According to Bitkom's Cloud-Monitor 2019,[2] 90 percent of companies using, planning or discussing a cloud consider compliance with the current GDPR to be indispensable. For 79 percent, transparent security architectures and controls are mandatory. How then can users be sure that cloud computing services handle the data they have been provided with correctly in terms of IT security? The fact is: security measures in the cloud minimize the risks of the cloud.
Cloud security comprises a wide range of individual measures to protect cloud services and environments. Cloud security decreases the risks of failure, loss of data and unauthorized access. It is an increasingly important, if not the most important, component of cloud computing. To guarantee compliance, the protection of the infrastructure, data processing and storage, rules, processes and technical measures must be defined.
Among the five most important aspects of cloud security are:
- Server and network security
It must be ensured that there is an impenetrable barrier between the outside world and the data inside as well as between the different cloud customers.
- Identity and access management
Access to data must be protected and the access authorizations must be clearly defined.
- Information security
Sensitive data must always be correct, confidential, and available for access at any time. Data protection guidelines must be in compliance with legal regulations.
- Security of applications and platforms
Applications must be safe and checked regularly for possible flaws.
- Physical security
It must be ensured that hardware is operated in a secure environment and that appropriate access rights have been defined.
These guidelines are indispensable for a secure cloud. But especially for industries subject to a wide range of legal requirements, such as the health sector or financial institutions and insurance companies, compliance is a huge topic.
Security and compliance by means of standards and certificates
Only if the cloud provider fulfills certain standards can customers be sure that their data is processed and archived correctly and in accordance with the regulations. Basically, standards can be divided into three categories:
- Cross-industry international standards
These standards are derived from the customers' demand for a consistent approach to operation, security, data protection, risk management and control (standards such as SOC 1, SOC 2, SOC 3, ISO/IEC 19086, ISO/IEC 27001, ISO/IEC 27018, CDSA, CSA CCM).
- Standards covering vertical and local areas
The healthcare industry, the manufacturing sector, the education system, financial service providers and public authorities have introduced their own standards. In many cases, a company will not be able to offer its customers online services as long as it does not comply with the regulations stipulated for its industry (local standards such as FISC, PDPA, MLPS; vertical standards such as PCI-DSS (financial industry), FedRAMP (U.S. Federal Government), HIPAA (healthcare industry)).
- Standards based on national requirements or data protection laws
Regulations and directives based on national requirements or data protection laws (standards such as EU GDPR, Privacy Shield).
Besides the standards mentioned, certifications are another standardized method of assessing the compliance of cloud providers with these standards. Even if the data is stored by the cloud provider, it is the cloud service customers who are legally bound to ensure that the data processors they entrust customer data with have defined technical and organizational measures for the protection of personal data. Different security labels issued by independent institutions enable users to check whether cloud providers meet defined security standards or comply with legal regulations.
Although cloud service providers are not obligated to obtain such certifications, many provide a range of certificates and security labels on a voluntary basis (e.g. from the competence network "Trusted Cloud" or from the German TÜV). Cloud providers should be able to furnish proof that recertification takes place at regular intervals. You should also ask whether only individual components of the cloud service are certified or - as would be ideal - the entire offering.
Criteria Catalog Cloud Computing C5
The Criteria Catalog C5 (Cloud Computing Compliance Criteria Catalogue) stipulates the minimum requirements for secure cloud computing and first and foremost addresses professional cloud providers, their auditors, and customers. With C5, the German BSI (Federal Office for Information Security) has developed its own standard for cloud security which allows auditors to assess the compliance of cloud providers with these stipulations. After a successful audit, the auditor issues a certificate to the cloud provider and creates a detailed audit report. Customers can then usually request insight into this report. This system is primarily aimed at professional users, as assessing such reports requires expert knowledge.
Location of cloud provider
Another criterion which is of great interest to many companies is where the cloud provider is located. Where the cloud provider and its servers are located indicates which data protection laws will govern the storage and handling of user data. It is not always obvious at first sight where the cloud provider or its datacenters are located. If the cloud provider has its business location and data storage servers in the European Economic Area, this creates trust even beyond the European borders. Using cloud computing becomes particularly complicated when the personal data of third parties is stored by a provider. In this situation, non-compliance with the Federal Data Protection Act is all too easy.
Advantages of cloud services for companies
Data can be retrieved with any device from anywhere. This guarantees easy and flexible access to data - on business trips as well as when working from home. And when storing data in a public cloud, companies do not have to bring their own infrastructure. But there are more pronounced advantages of cloud services for companies:
High scalability and demand-oriented usage
Flexible scalability of virtual resources is one of the most apparent advantages. Storage space, working memory, CPU performance or software licenses can be added or reduced as required. The resources are always available, and to any extent the customer may choose.
In one’s own data center, provisioning resources can easily take a few hours of work. Services from the cloud are available within minutes.
Pay-per-use models guarantee customers that they only pay for what they really need. No resources are wasted, and fixed costs become variable costs.
Reduced administration efforts
Companies that entrust a service provider with implementing and operating their cloud significantly reduce their administrative effort. And that reduces costs.
Booming technologies in growth markets
Markets are in permanent flux and product cycles in the software sector are becoming ever shorter. Only a few companies can keep pace. When services from the cloud are used, the obligation to innovate falls to the IT service provider. Updates of existing software, acquisition of new hardware and development of existing resources in terms of quality and quantity are all now the responsibility of the cloud service provider.
And last but not least:
Clouds can increase data security and data protection
Compliance with legal regulations is daily business for established cloud providers. As they have a lot of experience with taking care of the data of a large number of customers from practically every industry and every country, you can rest assured that their expertise in legal standards and regulatory requirements surpasses that of any individual company. The advantage is that customers can transfer many legal and data protection obligations to the cloud provider, or at least share them with the provider. But improving data security and data protection will only succeed if you work with a suitably qualified IT service provider. A corresponding service agreement will bring the required legal certainty. To ensure that you do not lose sight of the information security of your data, it is well worth considering some factors in advance. A first indicator of a certain level of security is compliance with the defined technical and organizational measures as well as with certifications such as ISO 27001 or BSI baseline security.
Even though many companies continue to eye cloud computing suspiciously in connection with data security, 54 percent of entrepreneurs say that public cloud computing has increased data security in their operations.[3]
The most widely used cloud infrastructures
We also use the cloud infrastructure of Microsoft Azure. For more than 100 of its datacenters worldwide, Microsoft complies with the standard certifications as well as with the requirements of BSI's Cloud Computing (C5) Catalog. The C5 Catalog consists of a total of 114 requirements in 17 areas including the organization of information security and physical security, as well as additional requirements for processing highly confidential data and for situations requiring high availability.
[1] Source: Bitkom Research GmbH – Cloud-Monitor 2019
[2] Source: Bitkom Research GmbH – Cloud-Monitor 2019
[3] Source: Bitkom Research GmbH – Cloud-Monitor 2019
[4] Source: IDG Research Services – Study Cloud Security 2019