Cloud computing: working in the cloud
In cloud computing, IT resources are provided via the Internet. Secure identities can protect against data misuse.
In a single day, an insurance sales agent conducts three meetings with customers, each of them at different locations. He uses his laptop to record the necessary data, selects suitable options for each customer in the digital form and then puts together an offer tailored to the customer. After each meeting, in addition to storing the data on his computer, he also sends the data to a special server via a secured connection. To access this connection, he needs his company ID card and PIN. Both the agent and his colleagues at head office can access this data at any time and from anywhere as long as they can authenticate themselves with their digital identities. That's because their company relies on cloud computing. According to the definition by the Federal Office for Information Security (BSI), cloud computing refers to "the dynamic provisioning, use and invoicing of IT services, based on demand, via a network."
The range of services provided under cloud computing covers the entire information technology spectrum. Companies currently rely on the cloud to use software (software-as-a-service) that allows employees to work together irrespective of the devices they use or their location. This software includes e-mail, calendar or web conference applications. Companies are also making use of more complex IT resources in order to expand their infrastructure (infrastructure-as-a-service) or development environment (platform-as-a-service).
The advantage of cloud computing lies in the degree of flexibility it offers companies when it comes to requesting and billing services. The IT resources are scalable; in other words, they adapt to meet the needs of the company. If more memory space is needed, for instance, the company can simply buy capacity; if the company's needs decline, it can reduce the volume it uses. And it only ever pays for what it actually uses.
Public, private or both
The cloud is not always the same. Providers essentially offer their services in three different cloud variants: public, private and hybrid cloud. With the public variant (public cloud), services are provided for everyone via the Internet. The private cloud, on the other hand, has an infrastructure that is for one company only, i.e. private, and cannot be accessed by others. Many companies choose this variant for reasons of data protection and data security. A hybrid cloud combines both a private and public cloud. In this case, certain services run via public providers, while critical applications and data are processed in a private cloud.
Cloud computing is often a matter of location
Outsourcing IT resources offers advantages, but there is a downside. Outsourcing means that companies hand control over their data to third parties. Protection against data loss and unauthorised access is essential for the acceptance of cloud computing, especially since data in the cloud is often stored on different servers and in different countries. This in turn has consequences for data protection, a fact that was highlighted by the United States National Security Agency (NSA) spy scandal.
According to the USA Patriot Act, the US government has the right to access any data that is stored on US servers. This procedure is in contradiction with Germany's Federal Data Protection Act (BDSG), which states that cloud providers can only process data on behalf of and as instructed by the company.
Uncertainty regarding where data is located and what happens with it has given many German companies cause for concern and, in 2013, led to a slight decline in investments in cloud computing. Many companies are relying more on providers who have their servers in Europe, especially in Germany.
Keys to security
In addition to aspects related to data protection, data security is also an important issue. When it comes to transmitting and storing data, both users and providers often use encryption technologies. In order to ensure that only authorised users can access the data, BSI also recommends two-factor authentication. However, secure management of cryptographic keys has yet to be fully ensured. BSI demands, among other things, that access to key management be extended to include separate authentication. Especially when it comes to the employees of a cloud computing provider, the ministry demands that strong, hardware-based authentication (for instance, smart cards, USB sticks or generated one-time passwords) be the only method that allows them to access the data they manage. This could be made possible, for instance, by a smart identity management infrastructure that enables secure digital identities to be exchanged.