How trust in cloud-based data center infrastructures can be strengthened – an interview with Volker Rauscher, Head of Service Management 1&1 Internet SE
According to a recent study by the McKinsey Global Institute, the most advanced sectors, companies, and individuals in the US economy are pushing the boundaries of technology use. But as a whole, only 18 percent are realizing their digital potential. As business activities shift to the internet, the huge amounts of data that are generated and stored must be protected both from unauthorized access and from loss caused by technical malfunction. We asked Volker Rauscher, Head of Service Management at 1&1 Internet SE, how hosting providers can meet customers' growing needs for data protection and what cloud-related challenges and opportunities await them. Rauscher works in the Data Center & Networks department and is responsible for the security of 1&1's data centers.
Q: For those who are new to the topic, why is cloud security so important?
Digitization is significantly changing our society. This affects our private lives as well as the business world. Nowadays, more and more processes take place online. Thus, enormous amounts of data accumulate on the web, among them vital information such as customer data. Consumers and customers have high expectations about the protection of their data, and with good reason. Whether or not they trust a company with their data depends a lot on how the provider manages the data and secures its availability.
Q: Given this status quo, are there any prejudices against hosting providers?
Many users are especially critical of cloud offerings because these kinds of services are viewed as much less secure than on-premise systems. Data loss, security breaches and insufficient data protection are horror scenarios that keep users shying away from the cloud.
Q: How can providers of hosting services address these challenges?
Providers have the option of having their own infrastructure certified by official authorities. Certification according to ISO/IEC 27001:2013 defines requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). This certifies that an organization deals conscientiously with data security. Unfortunately, not all negative consequences are transparent to outsiders. Therefore, to reliably evaluate the extent of an organization's established information security, you must consider additional measures, which can be defined in the course of a risk analysis.
Q: Does this also concern companies using cloud-based solutions?
A certificate comparable to ISO/IEC 27001:2013 specifically for cloud computing services does not exist yet. Currently, only ISO/IEC 27018:2014 is available, which merely encompasses recommendations on how to manage security in the cloud, with a particular focus on the regulation and processing of personal data. Building on ISO/IEC 27001:2013, companies are able to communicate their efforts in cloud security by acquiring a conformity certificate for ISO/IEC 27018:2014. This is not an officially acknowledged certificate, but it attests that a company has taken additional measures to secure the processing of personal data in the cloud. Confidentiality of non-personal data, protection from DDoS attacks and guaranteed availability of services on a cloud platform are not covered by the conformity certificate at all.
Q: What do you recommend to providers of cloud-based infrastructures?
As mentioned above, cloud providers have very limited options for certifying their cloud-based infrastructure at the moment. Nevertheless, I strongly recommend certification to ISO/IEC 27001:2013 as a minimum, to verify basic protection of data security. Apart from that, a conformity certificate for ISO/IEC 27018:2014 is an important argument against the still widespread stigma of insufficient cloud security.