Markus Schaffrin is a member of the management team of eco – Association of the Internet Industry – where he is responsible for IT security. Having led many successful projects on IT security, he has established himself as an authority on this subject. His expertise is also highly appreciated in government ministries: Schaffrin is a member of the Steering Committee of the German Federal Economics Ministry initiative “IT Security in the Business World” and serves on various other boards. In the interview, he explains those security aspects that are especially relevant when using the cloud.
- Because cloud offerings often scale better than a company’s own IT infrastructure, more attention must be paid to data protection, availability and data integrity.
- If you place data in the cloud, the division of responsibilities must be clarified: What does the service provider take care of, what do you handle yourself?
- Before entering into a contract, you should think about how it will end: How will you move your data from one cloud provider to another.
Mr. Schaffrin, how did you come to eco and what are your responsibilities there?
For my master’s degree thesis, I studied electronic payment systems for e-commerce, a classic topic for the association (eco originally stood for “electronic commerce”). I then conducted some joint projects with Harald Summa, the General Manager of eco, which ultimately led to my joining the association. That was almost 20 years ago; today I am a member of the management team, where I am responsible for the Member Services division, so I am always listening to our members. I have also overseen various security projects, including botfrei.de, an anti-botnet advisory centre, and the S initiative. Security is a cross-sectional technology for us.
IT directors are often asked: “Is our customer data truly secure?” Especially when a company has put data in the cloud. What do you say to them?
It depends on where the data is located and what the company’s core business is. A server under the desk is just as much a security problem as an unsecure cloud provider. And so the question cannot be answered in general terms.
Are cloud solutions meaningful alternatives to a company’s own infrastructure when it comes to security?
From a technical standpoint, you have the advantage that cloud infrastructures scale better, meaning they can more easily grow along with your business. For this reason, professional cloud providers can do a good job of satisfying the individual needs of their customers. What really matters, however, is the content of contracts and agreements. That includes provisions for availability, among other things. They must be appropriate for the application and so the clauses need to be detailed. Data integrity is another point. Can I see if data has been altered, meaning that someone has accessed it? That is important because attackers often keep very quiet after an intrusion, but remain active on the server for months. You need ways of detecting such intrusions. Your control must be assured because you never want to lose control of your IT. And so a company must always be concerned about security when it puts data in the cloud. Also in this case, the security precautions must be constantly adapted to the threat situation.
What security aspects should companies consider when they compare cloud offerings?
A first big distinction is the provider’s country of origin. For example, US providers differ from German and European providers with respect to data protection and applicable law. Other important factors are the location of the data centre and whether it has been audited and certified. Interested parties should ask to see what on-site security precautions have been taken. You can’t just look at the price, you must also pay attention to the fine print. In case of damage, many will say: I thought my provider took care of that. They did not pay enough attention to the differences between the different offerings and possibly did not know that they are themselves responsible for malware protection.
What other selection criteria should be considered?
The encryption of the stored data is one such criterion. Also, if the data is transmitted in encrypted form. You should also consider how the cloud provider deals with security problems and what response times or notification times can be agreed. The provider must be right for the project and the company because such agreements are usually made for a longer term. This way, the security can keep up with growing applications. Another important question to consider is, how you will exit an agreement if you want to replace your provider. If you wait to ask until the time when the data is supposed to be transferred, it could turn out to be arduous and costly.
When you’re talking about a longer-term project, who already thinks about the end of an agreement at the start?
Exactly! But it is certainly not improbable that you will want to change your provider at a later time. For example, when you need to call for new bids every few years, which is the case for many large companies and public-sector institutions. Suddenly you find that another provider is less expensive and so you want to switch to that provider, even though you had not contemplated this before. Or a technically much better offering becomes available in the market. Providers are replaced more often than people think.
Small and medium-sized enterprises usually do not have these kinds of problems that large companies do; but what problems are SMEs confronted with?
An SME usually does not have much IT staff and expertise. They need to keep costs under control and usually choose the cloud for cost reasons. Let us say, for example, that an SME does not operate its own mail server and its website too is hosted by an outside provider. And so, SMEs need to address basic topics first and they need simple solutions. But they too should clarify the issues I mentioned before. Like, what services are we supposed to provide ourselves, and what will our cloud provider take care of? Who makes backups? Where is that done? How can we get hold of backups? Hybrid solutions are often possible. Many enterprises prefer to make their own backups so that the data is available on their own NAS, but there too the data must be protected. Or a two-stage method is used, under which data is additionally mirrored to the cloud. However, most SMEs don’t have this kind of expertise.
And we shouldn’t forget craftsmen, they need a lot of support. They too have their own websites, but often don’t have much knowledge of security. For such people, eco offers SIWECOS so they can review the security of their own website online and get a report with many explanations so they know how to solve any problems that might arise. And then the craftsman can go to his service provider with this knowledge.
The botfrei.de project that the eco Association initiated and is now being handled by our member eyeo, offers many security tips and tools that can be very useful precisely for small and medium-sized enterprises. For example, you can use the service to conduct a router check or see whether your own password has been stolen. Once a system has been infected, you can find out how to remove the virus. Such checks should be performed regularly because cybersecurity is a cat and mouse game: The arms race never ends.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.