The volume of digital data produced and stored by companies is growing. Cloud technology offers a convenient solution: IT service providers offer storage space or software which enables data to be saved remotely. But how can companies be sure that their data is protected against unauthorised access or deletion? Researchers from the Technical University of Munich (TUM) have studied this issue and developed a model which allows service providers to be checked and certified reliably.
Particularly for SMEs, it is often difficult to find a secure and reliable option among the many smaller cloud service providers on the market. On the back of discussions with around 100 IT specialists from these types of companies, TUM scientists led by Prof. Helmut Krcmar, Chair Person of the Chair for Information Systems, have developed a solution for this problem.
Together with six additional partners, they have developed a new dynamic certification system for cloud services as part of the “Next Generation Certification” (NGCert) consortium.
Quality certification already exists in the form of so-called certificates, which are intended to guarantee the security of saved data. These are issued by TÜV and other authorities, and are designed to check specific requirements, such as legal regulations which the provider is required to fulfill for its customers. However, these quality certificates are often provided for one to three years – following just a one-off examination.
These types of static certificates are the main problem according to Helmut Krcmar. “Certificates lose their relevance to the current situation much quicker than in one to three years and therefore also their security. We need dynamic systems which can constantly check the validity of certification over a period of time.
We have now developed a model which makes this possible for the first time from an organisational and technical standpoint.” The discussions held with companies showed that the introduction of this type of dynamic quality certification could substantially increase companies’ trust in cloud services and allow them to use the technology more easily.
In collaboration with companies and cloud service providers, the scientists developed important criteria which new dynamic certificates have to fulfill. For three fourths of the consulted companies involved in the project, data security and data protection were most important. Confidential personal data is often saved in the cloud.
From a legal standpoint, the responsibility for this data remains with the companies and not the cloud service provider. It is therefore vital that the data is reliably saved within Germany, where strict data protection laws apply.
That is why NGCert project partners developed programs as part of the certificates which constantly check the location of the cloud service provider’s computers – something referred to as geolocation. The software tests all the paths taken by data packages sent from a company to the cloud service provider.
These paths are as characteristic as fingerprints. If they change, it can indicate that the data processing is taking place in a different region, possibly using foreign computers.