Background to cloud certificates

What a trustworthy cloud provider needs to offer


Cloud certificates are an indication of quality and security. But only regular audits provide reliable information about all relevant aspects, from password management to disaster recovery.


Text: Urs Binder,




Trust, but check all the same. This Russian saying is particularly appropriate when talking about the security and reliability of cloud providers and cloud services. Let us take a commercial enterprise as an example: Master data and customer-specific transactions must be treated confidentially and may not fall into the wrong hands – otherwise customers will go elsewhere. Price calculations and agreements with suppliers are only the business of the parties involved. The same applies to personnel files and salary information. And there is no way that companies can do without IT for days at a time or that data might go missing. IT systems are simply too important to the business.


The same applies, of course, when the systems are held in a company's own data centres. If you hand your IT – in whole or in part – over to the cloud, you need a guarantee that the provider has also drawn up and implemented all necessary measures with regard to IT security, data protection and system availability. 


Certification of data centres and cloud services

Certificates provide proof of the trustworthiness of cloud providers, their data centres and their individual cloud services. Here are four examples:


  • The “Star Audit ECSA” from eurocloud.org, and the “Star Audit Swiss”, which adds Switzerland-specific criteria. However, the ECSA website currently lists only a few certified providers.
  • The “Trusted Cloud” certificate from TÜV Rheinland confirms that a comprehensive range of tests for all relevant aspects has been passed successfully. Familiar SaaS providers such as Salesforce.com or box.com have been certified.
  • The Tier IV Certificate from the Uptime Institute is considered the top quality award worldwide and guarantees the availability, efficiency and security of data centres. The Swisscom data centre in Wankdorf was the first in Switzerland to receive this certificate, in 2014.
  • For PaaS platforms such as the Swisscom Application Cloud, there is a certificate from the Cloud Foundry Foundation.


Certificates such as these take into account standards and provisions for various areas of the design and operation of data centres, complemented with cloud-specific features and controls with regard to confidentiality and functionality.


Certificates, however, are only ever a snapshot and do not provide ongoing monitoring of the systems and services. Nor do they say much about the individual customers who use the services, or about those customers' specific needs.


Transparency and visibility

Regular audits, however, are exactly what cloud customers really need. The aim is to give customers transparency and visibility across all system characteristics. A provider able to offer this benefits the customer in two ways: customers can satisfy themselves of the quality of the services and of the adequate implementation of the security measures, and they can use the certifications and reports to demonstrate that they are fulfilling their own due diligence.


Swisscom as a cloud provider has placed its trust in four pillars:


  • The entire company is ISO 27001-certified: This guarantees that a documented information security management system is in place and is maintained, and it also describes how security risks are evaluated and treated.
  • An externally audited infrastructure report as per SOC 2 / ISAE 3402: A control system regularly checks and documents various control points, such as the execution of backups and the issuing of administrator privileges. At the end of the reporting period, the customer receives a report from one of the “Big 4” auditing firms, which evaluates the control system and the measures taken independently.
  • The Business Continuity Report, which is also audited externally: This certifies the implementation of disaster recovery measures for particularly business-critical applications. This offers the customer accountability regarding the observance of the agreed performance characteristics, such as the time until service is restored in the event of a fault or the maximum duration of a loss of data.
  • Security reporting provides information about the security of managed services: Here, there is a particular focus on patch management, anti-malware measures and the increased robustness of the systems. The customer has a guarantee that the managed services are operated with the highest possible level of security.


