The cloud market is teeming with providers. With its product "Azure," Microsoft is among the leading players in the field, butting up against other major corporations such as Amazon with AWS, IBM with its IBM Cloud, and, last but not least, Google itself. They provide Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or even Software as a Service (SaaS). In addition to these corporations, all of which are American-based, there are many other providers of cloud services. Particularly in the SaaS environment, providers from Germany are to be recommended, not least because of their location.
The subject of our first article in the three-part blog series on the topic of "Security in the Cloud" was cloud use by German companies. It described GDPR conformity and other criteria that companies consider essential in the decision-making process. The present article deals with the kinds of certificates, attestations and security measures that distinguish cloud providers.
"Made in Germany" — from warning to seal of quality
We owe the seal of quality "Made in Germany" to the British. In 1887, it served as a warning sign and was initially intended to distinguish German copies of a knife from the high-quality English original. But the repeated attempts to label German products as inferior increasingly backfired. German manufacturers improved the quality of their goods and even achieved a large lead in various markets. Now, in all areas of life, "Made in Germany" stands for quality and high standards.
Where German cars or German electrical appliances once were popular, German software, IT, and especially cloud services are now the products for which the seal "Made in Germany" is coveted. Many German cloud providers attach special importance to certifications, attestations, and security measures. As a result, German applications and services fulfill tougher requirements in the area of security and data protection; and it is precisely this which companies rely on. This offers the user company various advantages. One is the retention of control over informational assets. Another is the fulfillment of GDPR requirements, i.e., assurance of the protection of personal data.
However, there are other aspects that make "Made in Germany" cloud services attractive. Mid-sized companies that are moving into the cloud have a particular need for expert support from the provider. They do not have their own expertise on site, so they need it from their cloud provider. Large corporations that offer their cloud services globally serve a variety of customer segments with a product that fits a general spectrum of needs. As a result, they generally do not offer individual support and assistance. This leaves us with the question of whether such offerings are truly suited to the needs of companies that are dependent on external expertise.
It is often difficult for companies to ascertain the degree to which cloud providers themselves adhere to standards in data protection, compliance, and other aspects of security. That is just where customers benefit from approved certification of cloud providers: a certification provides assurance that the requirements have been met.
Certification procedures and attestations for the cloud
Article 42 of the GDPR sets forth approved certification procedures for regulating data protection. Having the right certificate allows both parties, the cloud provider and the user company, to protect themselves and coordinate legal requirements. A good example of certification that is useful for warranting GDPR compliance and data protection is the Trusted Cloud Data Protection Profile (TCDP) of the Federal Ministry of Economics and Energy (BMWi). The criteria covered by the TCDP include not only data protection and data security but also quality and transparency. In addition, the TCDP also deals with how contracts are drafted. It is basically a test standard developed for data protection certification according to the German Federal Data Protection Act (BDSG).
Another test standard is the requirement catalog C5 of the Federal Office for Information Security. Offering a standard defining a minimum level of security in the cloud, the C5, which stands for Cloud Computing Compliance Controls Catalogue, enables companies to assess the security level of information in cloud services. It is in the C5's almost exclusive attention to measures for the protection of information security and transparency that the C5 differs from the TCDP. In the areas mentioned, it generally protects information security and transparency with much more detailed requirements, extending to the complexity of the tests called for. The reason for this is that the C5's approach is based on the processes of auditors in the financial area, not those of ISO auditors.
The ISO 27001 security certification is the most widespread in the IT sector worldwide in terms of basic IT protection. In its catalog of basic IT protection, the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik) defines how to react to different threats. Rather than certifying individual cloud products, it evaluates procedures, internal processes, and development and operations teams. During the certification procedure, the BSI auditor checks whether the requirements of the BSI are met for each applicable — or assumed — risk. This kind of ISO 27001 certification must be repeated at regular intervals.
Security precautions and defense against attacks
Security certificates, test catalogs and test certificates are not the only way in which cloud providers can demonstrate the security of their cloud solution to the market. Other tests are also available.
A vulnerability scan is the first step in safeguarding a corporate network. The aim is to identify which components and services have gaps in security. Performing a vulnerability scan involves launching a tool that scans a target or targets for vulnerabilities. The scan helps to identify vulnerabilities that could possibly be exploited. A timely scan can identify the vulnerabilities present before someone else does. Afterwards, a comprehensive report is output and the vulnerabilities discovered are eliminated. To retain security on a long-term basis, it is important to perform vulnerability scans regularly.
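The paragraph above describes the scan-report-remediate-rescan cycle without showing what the "comprehensive report" is used for between scans. The following Python example, added here and not code from the original article or from any scanner vendor, takes two constructed scan exports (a list of rows as a JSON export would give, with hypothetical `check_id` names) from the same hosts 30 days apart, reconciles them so that each finding keeps the date it was first seen, and lists the findings that have been open longer than a constructed per-severity remediation deadline. The SLA values, host addresses and check identifiers are all assumptions for illustration.

```python
"""Reconcile recurring vulnerability-scan reports and flag overdue findings.

Added example; the scan rows, SLA values and check identifiers are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date

# Maximum days a finding may stay open before it counts as overdue.
# Constructed values; a real policy supplies its own.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str      # the scanner's check/plugin identifier (constructed here)
    severity: str
    first_seen: date   # date of the first scan that reported this finding

    @property
    def key(self):
        # A finding is "the same" across scans if host, port and check match.
        return (self.host, self.port, self.check_id)


def parse_report(rows, scan_date):
    """Turn raw scanner rows (list of dicts) into Finding objects dated scan_date."""
    findings = []
    for row in rows:
        sev = row["severity"].lower()
        if sev not in REMEDIATION_SLA_DAYS:
            raise ValueError(f"unknown severity {sev!r} in {row}")
        findings.append(Finding(row["host"], int(row["port"]), row["check_id"], sev, scan_date))
    return findings


def reconcile(previous, current):
    """Compare this scan with the previous one.

    Returns (still_open, newly_found, fixed). Findings present in both scans keep
    the first_seen date from the earlier scan so the age of the gap is not reset.
    """
    prev_by_key = {f.key: f for f in previous}
    cur_by_key = {f.key: f for f in current}
    still_open = [replace(cur_by_key[k], first_seen=prev_by_key[k].first_seen)
                  for k in cur_by_key if k in prev_by_key]
    newly_found = [f for k, f in cur_by_key.items() if k not in prev_by_key]
    fixed = [f for k, f in prev_by_key.items() if k not in cur_by_key]
    return still_open, newly_found, fixed


def overdue(findings, today):
    """Findings open longer than their severity's SLA, most urgent first."""
    late = [f for f in findings
            if (today - f.first_seen).days > REMEDIATION_SLA_DAYS[f.severity]]
    order = list(REMEDIATION_SLA_DAYS)   # dict order: critical, high, medium, low
    return sorted(late, key=lambda f: (order.index(f.severity), f.first_seen))


# Constructed sample reports: the same three hosts scanned 30 days apart.
SCAN_1 = [
    {"host": "10.0.0.10", "port": 443, "check_id": "tls-1.0-enabled", "severity": "medium"},
    {"host": "10.0.0.10", "port": 22, "check_id": "ssh-weak-mac", "severity": "low"},
    {"host": "10.0.0.20", "port": 8080, "check_id": "default-admin-creds", "severity": "critical"},
    {"host": "10.0.0.30", "port": 445, "check_id": "smbv1-enabled", "severity": "high"},
]
SCAN_2 = [
    {"host": "10.0.0.10", "port": 443, "check_id": "tls-1.0-enabled", "severity": "medium"},
    {"host": "10.0.0.10", "port": 22, "check_id": "ssh-weak-mac", "severity": "low"},
    {"host": "10.0.0.30", "port": 445, "check_id": "smbv1-enabled", "severity": "high"},
    {"host": "10.0.0.30", "port": 443, "check_id": "expired-certificate", "severity": "medium"},
]


def run_example(today=date(2024, 3, 2)):
    """Run the two constructed scans through reconcile() and overdue()."""
    first = parse_report(SCAN_1, date(2024, 1, 1))
    second = parse_report(SCAN_2, date(2024, 1, 31))
    still_open, newly_found, fixed = reconcile(first, second)
    late = overdue(still_open + newly_found, today)
    return {
        "fixed": [f.check_id for f in fixed],
        "new": [f.check_id for f in newly_found],
        "overdue": [(f.host, f.check_id) for f in late],
    }


if __name__ == "__main__":
    for label, items in run_example().items():
        print(f"{label}: {items}")
```

Run as a script, the example reports that the critical finding from the first scan was fixed, that one new medium finding appeared, and that the high-severity SMBv1 finding, first seen 61 days earlier, is the only one past its deadline. The point of keeping `first_seen` across scans is that a gap which keeps reappearing in every report is measured from the day it was first discovered, which is what makes "regular" scanning useful rather than a series of unrelated snapshots.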
In addition to network-based vulnerability scans, many security service providers perform penetration tests to examine software for weaknesses. Penetration tests by BSI-certified IT security service providers, according to BSI-certified implementation standards, come most highly recommended.
In terms of content, a penetration test likewise centres on a vulnerability assessment: it tests an IT system's susceptibility to hacker attacks. A penetration test uses methods and techniques that are used by real attackers or hackers. The aim is to determine where exactly networks and IT applications are susceptible to attempts to hack and manipulate the system. The results of a penetration test come in the form of a comprehensive report and an assessment. As with the vulnerability scan, regular execution is recommended.
The acceptance of the cloud in Germany has increased — and continues to grow. And when it comes to data protection and data security in the cloud, "Made in Germany" is a number-one selection criterion for many German companies. When choosing a cloud provider, companies from Germany also look for test certificates and attestations to provide an even greater assurance of reliability.
If you would like to find out what other advantages cloud solutions offer, especially for workflow management, I recommend our white paper "Harnessing the Potential of Digitalization", which you can download here.