Scientists from the Technical University of Munich (TUM), led by Professor Helmut Krcmar, chairperson of the Chair for Information Systems, have developed a new dynamic certification system for cloud services as part of the ‘Next Generation Certification’ (NGCert) consortium.
This new cloud certification aims to ensure that users data is protected against unauthorised access or deletion. Researchers from TUM have studied this issue and developed a model which allows service providers to be checked and certified reliably.
As the volume of digital data produced and stored by companies is growing, cloud technology offers a convenient solution: IT service providers offer storage space or software which enables data to be saved remotely. Particularly for SMEs, it is often difficult to find a secure and reliable option among the many smaller cloud service providers on the market. Quality certification already exists in the form of certificates, which are intended to guarantee the security of saved data.
Certificates are issued by TÜV and other authorities and are designed to check specific requirements, such as legal regulations which the provider is required to fulfil for its customers. However, these quality certificates are often provided for one to three years – following just a one-off examination.
‘Certificates lose their relevance to the current situation much quicker than in one to three years and therefore also their security. We need dynamic systems which can constantly check the validity of certification over a period of time. We have now developed a model which makes this possible for the first time from an organisational and technical standpoint’ explained Krcmar.
The discussions that TUM held with companies showed that the introduction of this type of dynamic quality certification could substantially increase companies’ trust in cloud services and allow them to use the technology more easily.
NGCert project partners developed programs as part of the certificates which constantly check the location of the cloud service provider’s computers – something referred to as geolocation. The software tests all the paths taken by data packages sent from a company to the cloud service provider. These paths are as characteristic as fingerprints. If they change, it can indicate that the data processing is taking place in a different region, possibly using foreign computers.
Another criterion is the legal certainty of the cloud services. Laws regarding data protection and data security can frequently change, such as the retention period for access data. A certificate issued as a one-off is unable to react to these changes within the legal framework. ‘Our concept of dynamic certificates can also solve this problem. There are many individual software components which can change independently of one another and after a certificate is initially issued – these are referred to as modules,’ added Krcmar.
The NGCert project is being carried out by consortium partners: Technical University of Munich (Prof. Krcmar), Fraunhofer Institute for Applied and Integrated Security AISEC (Prof. Eckert), University of Kassel (Prof. Sunyaev), University of Kassel (Prof. Roßnagel), University of Passau (Prof. de Meer) and the industry partners EuroCloud Deutschland_eco e.V. and Fujitsu.
The project was supported by the Federal Ministry of Education and Research (BMBF) and was successfully completed on December 31, 2017.