Security in the Cloud involves more than just data protection
The growing use of Cloud services is one of the hottest IT topics for organisations in Germany, Austria and Switzerland, and the reasons for implementing a Cloud solution are manifold. In February 2016, market researcher IDC carried out a study on “Mobile Content Management” which showed that the main motivations in this area were the reduction of shadow IT, a lower volume of email messages, higher employee productivity and reduced IT costs. The benefits of the Cloud seem obvious. Nevertheless, the study also showed that so far only 15 percent of German medium-sized businesses have implemented an Enterprise File Sync & Share solution for synchronising and sharing documents with external partners. One of the main obstacles is their considerable uncertainty about the security of company data stored in the Cloud. According to a survey conducted by a major IT company in the United States at the beginning of 2016, more than 50 percent of respondents have concerns about putting their data in the Cloud – but nevertheless want to invest in a Cloud solution. This highlights that Cloud solutions are crucial if an organisation wants to remain competitive in the medium and long term. It also shows, however, how much uncertainty there is about the security of Cloud services.
In Europe, the General Data Protection Regulation (EU-GDPR) as well as a number of certifications and labels are laying the foundations on which certified Cloud solutions “Made in Europe” can offer demonstrably higher security standards. Far too often, the selection of a Cloud service is focused entirely on data protection and fail-safe performance. A Cloud solution that is really secure must, however, offer much more in order to prevent data theft, corporate espionage and sabotage as effectively as possible. After all, a survey published by BITKOM in April 2016 showed that 69 percent of German industrial companies had been affected by these problems in the course of the two previous years.
EU Cloud providers that are certified according to the most important standards offer a high level of security. These standards include ISO 20000 for IT service management, ISO 27001 for information security, ISO 27018 for the protection of personal data, “Certified Cloud Service” by TÜV Rheinland or five stars in the EuroCloud Star Audit. In addition, EU member states have their own data protection guidelines. It is therefore important to work with a local contractual partner who is operating in the Cloud customer’s country, and to conclude a contract under local law. Major US Cloud providers have recognised this development and are about to establish their own data centres in Germany. It remains to be seen whether these services will in fact offer the same standards of security as German Cloud solutions do.
Data can only be fully protected if encryption already takes place on the end device – not only on desktop PCs but also on laptops, tablet computers and smartphones. This is the only way to ensure that information cannot be read at any point during the transfer of data. A dedicated certificate is installed on the end device and used to encrypt the information, so that the data stays protected. In addition, some Cloud providers offer separate appliances in which the keys are administered in such a way that the provider itself cannot access them. A preconfigured hardware unit with an HSM (hardware security module) and the respective software, installed at the organisation’s own data centre, ensures full control over the keys.
Security of access
A room may be locked with two or more keys – but regardless of their number, sensitive data can only be safe if it is clear who has access to these keys. This issue is often neglected when a Cloud provider is selected. Full transparency about who can access data stored in a Cloud solution therefore requires simple, central administration of users. This is particularly important for collaboration with external partners. When a large project with several hundred external users is completed, it is important that all access authorisations can be revoked in a secure manner.
Full control of data
An EFSS solution (Enterprise File Sync & Share) is used to share, concurrently edit and synchronise documents in real time between internal users and external partners. This usually requires copies of these documents on the respective end devices. In this scenario, an organisation only has full control over its data if these copies can be deleted remotely in situations such as lost devices, employees leaving the company or the end of a collaboration. Some Cloud providers already offer integration of Microsoft Office 365 for concurrent online editing of documents in real time. In this case, no local copies are made. It is however important to consider that data stored in Europe and protected according to the EU’s General Data Protection Regulation may be sent to a server in the United States, where it can be accessed by US intelligence services and US intelligence surveillance courts. Microsoft is currently working on a German Cloud for its Microsoft Office 365 service which is due to be completed in 2016. Documents processed by this server will only be protected according to EU standards once this Cloud is ready.
According to IDC, more than 50 percent of German businesses want to invest in a Mobile Content Management system within the next two years. Whenever business-critical processes are to be outsourced to a Cloud, the provider’s profile should be carefully considered: How long has the provider been in business? How long has the Cloud solution been in use? Is the Cloud provider financially stable? One of the most important questions, however, is whether the provider has its own Cloud infrastructure comprising hardware, software, SLAs (Service Level Agreements), development and support.
Protection of know-how
In more than 69 percent of medium-sized businesses, users have already used their private file sharing account for work, as the February 2016 IDC study has shown. One of the reasons certainly lies in the fact that German businesses are very reluctant to implement Cloud services, “forcing” their employees to help themselves. For small and medium-sized businesses, the answer can be a Public Cloud solution where files, documents and processes are administered at the data centre of the Cloud provider. These data centres usually offer the same – or even higher – security standards for the protection of company know-how as those small and medium-sized businesses have themselves. Large corporations mostly operate their own data centres. The most suitable option for them is a Private Cloud solution in which business processes are modelled digitally and the organisation’s IT environment can be integrated via standards such as SOAP, CMIS, WebDAV or CalDAV. Both a Private and a Public Cloud usually bring significant savings of time and cost in installation, implementation, operation and support as compared to a “conventional software solution”. The hardware unit with its preconfigured, hardware-tailored software is installed at the organisation’s own data centre and can be connected to the existing IT services.
The issue of “security” for Cloud solutions needs to be discussed on a much broader level than just data protection and fail-safe server performance. A one-sided view of Cloud services may even be one of the reasons why organisations are so reluctant to implement a Cloud solution. All of the aspects considered above are essential to the security of company data – and only a few Cloud providers offer such a broad range of security features. In the past, prominent examples have shown that security vulnerabilities may inflict great damage on organisations. Implementing a Cloud solution that covers all of these aspects achieves several aims: it is the only way to ensure that files, documents and processes are really safe, it allows organisations to make full use of the Cloud’s possibilities, and it supports businesses in becoming or remaining competitive in the medium and long term.