Security in the Cloud – Is that possible at all?

27 June 2018

Lately, discussions on the topic of Clouds in an enterprise environment often occur in an atmosphere of optimism. For example, the IDC study Cloud Computing in Germany 2017 anticipates a tripling of Public Cloud expenditures in Germany over the next five years. Department managers no longer want to deal with the technical, operational and financial disadvantages of on-premise installations. Newly hired young employees are by virtue of their age used to the Cloud. Therefore they want the IT departments to replace existing hardware and software with solutions that are based on SaaS and are usually better suited to solve problems quickly and reliably.

However, the decision makers don’t take the easy way out. On the one hand, they want to benefit from the significant advantages of the Cloud that eventually lead to a generally increased acceptance of Cloud-based solutions. On the other hand, information security is of vital importance, and security concerns still stand in the way of a decision in favour of the Cloud much too often.

Data leaks, availability problems and bankruptcies of service providers frequently make it into the news. Even renowned brands can be seriously damaged by security-related issues. Negative reports of this kind lodge deeply in the minds of those who are responsible and often prevent important digital innovation right from the beginning.

Less resistance, higher security concerns

The auditing company KPMG and bitkom Research have together published the latest results of a study on Clouds and security in the new Cloud Monitor 2018. 66 % of all German businesses are already employing Cloud computing, which is a clear sign that acceptance of Cloud solutions is constantly rising. However, other important indicators show the difficulties with regard to information security:

  • 63 % of non-users fear unauthorized access to sensitive company data
  • 56 % of non-users fear data loss
  • 46 % of users have problems regarding the availability of the solution providers
  • 28 % of users have difficulties implementing the compliance requirements
  • 27 % of users have difficulties implementing the security requirements

Cloud Monitor 2018 - Evaluation of Data Security Incidents in Public Cloud Solutions

Breaking the logjam in innovation

What can solution providers do to help break the logjam in innovation that arises from security concerns? The answer is easy: They have to earn the trust of their customers. Their clients must be able to have full confidence that security is understood and implemented at the highest quality levels in all of its variants and aspects, from data reliability and integrity to system availability.

When this degree of security is achieved, the customers’ security risk is reduced to an acceptable level that will finally allow them to take a decision in favour of the Cloud.

It’s the point of view that matters

Taking an integrated view of information security is of vital importance to the providers of Cloud-based solutions. The marketing slogan “hosted at a security-certified data centre” may be misleading, since it is not nearly enough to give thought to the security of the infrastructure without also considering the provider and organisational security – even though ignoring the latter would be quite convenient and less expensive for the provider. True security can only be achieved in an environment of cooperation between people and technology and in consideration of all parties concerned.


The Fundamental Values of Information Security

Besides taking measures on a technical level, solution providers must also meet organisational framework conditions in order to implement the three fundamental values of information security – confidentiality, integrity and availability. This primarily concerns their own company, but also their suppliers and their Cloud infrastructure.

Finding the right solution provider

Customers are facing the question “How do I find the right provider, and how can I know that I can trust him?”. After all, their insight into a provider’s organisation is at best a very limited one.

There is a reliable answer to this question:

Solution providers can voluntarily submit to strict auditing processes. In the course of these so-called certification procedures, an external and independent auditor checks the company with the necessary holistic approach. If the audit is successful, a certificate or an attestation with a quality seal is awarded, and it is valid until the next audit date. With the help of these quality seals, customers can quickly and easily assess providers and take a decision.


The ISO 9001 PDCA (Plan-Do-Check-Act) Cycle

While these audits are admittedly very demanding for solution providers, they are nevertheless imperative with regard to security and user confidence in the Cloud, particularly in view of the constantly rising threat of cyber attacks.

Our contribution

As the Fabasoft Business Unit Executive responsible for our cloud-based Enterprise Digital Asset Management solution Fabasoft DAM, I am proud that Fabasoft is taking security very seriously. The Fabasoft Cloud and with it Fabasoft DAM is one of the safest Cloud solutions that are currently available, which has been confirmed by many independent certifications. We regularly validate our processes and workflows, stay on top and continually strive to improve.
 

The ISO/IEC 9001, 20000, 27001 & 27018 Seal

For example, we have been holding the ISO/IEC 9001, the ISO/IEC 27001, the ISO/IEC 27018 as well as the ISO/IEC 20000 certificates for years and regularly submit to recertifications. With these ISO certifications our customers have proof that we adhere to clearly defined organisational, technical and security-related standards within our company as well as in our IT service management.
 

The BSI C5 Seal

The general ISO norms tell a lot about an organisation, but they are not explicitly designed for Cloud services. We therefore take our commitment one step further. In order to strengthen trust, technical stability as well as awareness of our security system, we additionally meet the 114 technical and organisational requirements of the C5 catalogue of the German Federal Office for Information Security (BSI). Fabasoft has been the only European business since 2017 that has successfully met the demanding requirements of the BSI C5 attestation. Only six businesses worldwide have been certified according to C5 so far.
 

The EuroCloud Europe Seal

Fabasoft’s continued efforts with regard to data protection and data security have also been confirmed by the independent non-profit organisation EuroCloud Europe. In 2016 we already received the maximum of 5 stars, declaring the Fabasoft Cloud the “safest Cloud in the world”. In recognition of our existing security standards we were recertified with 5 stars in June 2018 and have so far been the only Cloud provider to achieve this rating. For our users, this certificate is an insurance policy against data misuse. What is special about the audit is the fact that it checks the entire value-added chain.

All of these certificates and measures (read more about Fabasoft’s additional certificates and attestations) help our customers build trust in the reliability and security of Cloud solutions. A benefit to both parties!