Background to cloud certificates
Cloud certificates are an indication of quality and security. But only regular audits provide reliable information about all relevant aspects, from password management to disaster recovery.
Text: Urs Binder
Trust, but check all the same. This Russian saying is particularly appropriate when talking about the security and reliability of cloud providers and cloud services. Let us take a commercial enterprise as an example: Master data and customer-specific transactions must be treated confidentially and may not fall into the wrong hands – otherwise customers will go elsewhere. Price calculations and agreements with suppliers are only the business of the parties involved. The same applies to personnel files and salary information. And there is no way that companies can do without IT for days at a time or that data might go missing. IT systems are simply too important to the business.
The same applies, of course, when the systems are held in a company's own data centres. If you hand your IT – in whole or in part – over to the cloud, you need a guarantee that the provider has also drawn up and implemented all necessary measures with regard to IT security, data protection and system availability.
Certificates provide proof of the trustworthiness of cloud providers, their data centres and their individual cloud services. Here are four examples:
Certificates such as these take into account standards and provisions for various areas of the design and operation of data centres, complemented with cloud-specific features and controls with regard to confidentiality and functionality.
Certificates, however, are only ever a snapshot and do not provide ongoing monitoring of the systems and services. They also do not tell us much about individual customers who took advantage of the services, or their needs.
Regular audits are, however, just what cloud customers really need, according to Tobias Langbein, Security Architect at Swisscom: “The aim is to give customers transparency and visibility across all system characteristics.” If a provider were able to offer this, he says, the customer would benefit in two ways: “Customers can satisfy themselves of the quality and adequate implementation of the services and security measures. They can also use the certifications and reports to demonstrate that they are fulfilling their own due diligence.”
Swisscom as a cloud provider has placed its trust in four pillars: