Which certificates really guarantee safety in the Cloud?

According to the IDC study “Cloud Computing in Germany 2017” (in German), an increasing number of department managers are evaluating and budgeting Public Cloud services for their areas of responsibility. When it comes to implementation, they often have to deal with Cloud sceptics who can only be won over with considerable persuasion. It usually takes little time to explain the benefits of a Cloud. The question of whom to entrust with the company’s data is ultimately more difficult to answer. Independent certificates or attestations may help with this decision, since they certify transparency and build trust. After all, more than 57 percent of all businesses say that their main criterion for selecting a particular Cloud provider is trustworthiness (IDG “Cloud Security Study”, in German). Spectacular cyber attacks on services such as Twitter, Yahoo, SoundCloud and others have done their part in heightening the desire for security. This development is reinforced by a growing number of legal regulations and rising security requirements within the EU (blog article “5 Cloud megatrends 2018”). The question to be answered is therefore: how can you find out whether a certificate is trustworthy?

Certified providers guarantee security

For a first evaluation, potential customers can check how the individual issuers of certificates present themselves on the Internet, look into the number of certificates that have been awarded and are in use, and examine the list of supporters and partners. Cloud experts know that the main difference is whether a label has been awarded on the basis of self-assessment or in connection with an external audit. In the case of self-assessment, quality marks are handed out based on self-reporting only; customers therefore have to trust that the providers really comply with the criteria and continue to adhere to them. In an external audit, a representative of an independent certification organisation checks whether the requirements for the quality and security of the Cloud services are met. Audits that require the Cloud provider to contractually guarantee 24/7 compliance with all criteria go a step further than those where the criteria only have to be met on the day of the audit itself. In order to achieve such a high level of quality, issues like security, privacy by design and transparency must be firmly established throughout the company, in all of its services and products, including senior management and the executive board.

Who to trust?

With its C5 attestation (short for Cloud Computing Compliance Controls Catalogue), the German Federal Office for Information Security (BSI) has established a new standard in terms of security and transparency. The auditors, who come from organisations such as KPMG or PwC, are engaged by the Cloud providers themselves; in this way, BSI wants to ensure the attestation’s independence. Only five companies worldwide have received this attestation. The Austrian Cloud provider Fabasoft is the first European provider to fully comply with all 114 technical and organisational requirements of BSI and to contractually guarantee compliance to its customers.

A number of ISO certifications equally ensure a high quality of Cloud services. ISO/IEC 27001 is a highly recognised ISO certification which is also taken into account in the IT baseline protection (IT-Grundschutz) certificate of BSI. In 2014, the International Organization for Standardization (ISO) introduced the extension ISO/IEC 27018:2014, which is tailored to Cloud services and covers data protection in the Cloud. The ISO 20000-1 certificate is of particular value to customers, since it primarily addresses their needs and requirements; its objective is the highest possible level of quality for IT services. And last but not least, the “Certified Cloud Services” certificate awarded by TÜV Rheinland qualifies Cloud providers by means of internal and external analyses of their technical, physical and organisational security measures.

The “stars” among the Cloud services

In 2016, the independent non-profit organisation EuroCloud awarded a five-star certificate under its EuroCloud Star Audit (ECSA) for the first time worldwide. To date, Fabasoft is the only Cloud service that has reached the highest possible level of five stars, making it the safest Cloud in the world. For Cloud users, this certificate is an insurance policy against data misuse. What is special about the audit is that it checks the entire value chain.

What’s important with regard to certificates?

  • Independence of the certifying organisation
  • Difference between self-assessment and external audit
  • Contractually guaranteed catalogue of criteria such as the C5 attestation of BSI
  • ISO standards

The Fabasoft Cloud holds the following certificates and attestations:

  • C5 (Cloud Computing Compliance Controls Catalogue) (since 2017)
  • EuroCloud Star Audit (since 2016)
  • ISO 27018 (since 2015)
  • TÜV Rheinland (since 2014)
  • ISO 20000-1 (since 2011)
  • ISAE 3402 Type 2 (since 2011)
  • ISO 27001 (since 2008)