Secure and dynamic cloud solutions.

The secure cloud is defined by

"The protection of your personal data in the cloud requires appropriate technical and organisational IT security measures" (§ 9 Bundesdatenschutzgesetz, the German Federal Data Protection Act).

Your compliance requirements and the legal rules that apply to specific categories of data add further IT security criteria. Meeting them requires not only analysing and assessing the security measures of your cloud provider or of your own private cloud environment; the necessary measures must also be agreed and put in place before you start using the (hybrid) cloud solution.

We support you in managing and orchestrating secure hybrid cloud solutions and protect your confidential data with new security technologies.

To help you find the right Cloud Service Provider (CSP) for your secure cloud solution, we have compiled a set of questions you should put to your CSP:

(The content of this section is currently available only in English; we ask for your understanding.)

Questions you should ask your Cloud Service Provider

Application Security (SaaS)

• Where can we find details of how shared systems and applications are isolated from each other? For secure cloud solutions you need meaningful, detailed documentation of the measures used for encapsulation and clean separation.
• How can you guarantee that access to our data and applications is restricted to our company's users?
• How do you ensure that your platform is monitored for new software bugs and vulnerabilities?
• Does your security concept cover user authentication, single sign-on (SSO), authorization (privilege management) and SSL/TLS (accessible via API)?
• What administration options or tools does your solution offer, and can they be used to grant other users read and write permissions?
• Is access to SaaS (Software as a Service) fine-grained, and can it be adapted to our company's policies and processes?

Identity and Access Management Systems offered for our use and control

• Is an Identity Management System in place?
• Does the system allow for a federated IDM (identity management) infrastructure that is interoperable both for high assurance (one-time password systems, where required) and low assurance (e.g. username and password)?
• Are you interoperable with third-party IDM identity providers?
• Is there the ability to incorporate single sign-on?
• Does our credential system allow separation of roles and responsibilities and for multiple domains (or a single key for multiple domains, roles and responsibilities)?
• How do you manage access to our system images, and how do you ensure that authentication and cryptographic keys are not contained within them?
• How do you authenticate yourself towards our company (i.e. mutual authentication when we send API commands and when we log into the management interface)?
• Do you support a federated mechanism for authentication?

Network Architecture Controls & Security

• Define the controls used to mitigate DDoS attacks.
• Describe the concepts you have implemented for defence in depth (deep packet analysis, traffic throttling, packet black-holing, etc.).
• Do you have defences against "internal" attacks (originating from your own network) as well as external attacks (originating from the Internet or customer networks)?
• What levels of isolation are used (for virtual machines, physical machines, network, storage, management networks and management support systems, etc.)?
• Is your virtual network infrastructure (PVLANs and 802.1q VLAN tagging architecture) secured to vendor and/or best-practice standards (e.g. are MAC spoofing, ARP poisoning attacks, etc. prevented by a specific security configuration)?
• What guarantees do you offer for full isolation of resources (e.g. separate virtual instances, separate VPNs, separate physical machines, etc.)?

Patch Management

• Provide details of the patch management procedure followed.
• Can you ensure that the patch management process covers all layers of the cloud delivery technologies, i.e. network (infrastructure components, routers, switches, etc.), server operating systems, virtualization software, applications and security subsystems (firewalls, antivirus gateways, intrusion detection systems, etc.)?

Resource Provisioning

• In the event of resource overload (processing, memory, storage, network), what information is given about the relative priority assigned to our request if provisioning fails?
• Is there a lead time on service levels and on changes in requirements?
• How much can you scale up? Do you offer guarantees on the availability of supplementary resources within a minimum period?
• What processes are in place for handling large-scale trends in resource usage (e.g. seasonal effects)?
• Will the location of the data be switched or changed depending on the capacity of free storage space?

Legal Requirements

• In what country are you located?
• Is your infrastructure located in the same country or in different countries?
• Do you use other companies whose infrastructure is located elsewhere?
• Where will the data be physically located?
• Are you compliant with data protection/privacy requirements under European Union regulations?
• Is your company Safe Harbor certified?
• Will jurisdiction over the contract terms and over the data be divided? Please describe how.
• Will any of your services be subcontracted out?
• Will any of your services be outsourced?
• How will the data owned by us or our customers be collected, processed and transferred?
• What happens to the data sent to you upon termination of the contract?
• Is it possible to audit your company on-site?
• Who holds the rights to content stored on your cloud infrastructure with regard to intellectual property?
• Who is liable for data loss and integrity?
• Are any of our direct competitors also your customers?
• Have you obtained all applicable registrations/permits/licenses for providing this Internet-based service according to local laws and regulations, especially for data storage and data handling in Germany, e.g.:

  • No storage of data of official institutions outside Germany
  • Local data protection requirements
  • Special data handling requirements

• Please list all registrations/permits/licenses obtained for e.g. Germany.
• Please explain how you can manage these special requirements and confirm that you can do so.


Contact us

We are always here for you; just give us a call:
Tel.: +49 221 960 28 202