
05 July 2017

Software-as-a-Service; cloud security a risk? Not at all!

Carerix is also active in the German market and works closely with commercial journalists to highlight trends within the market. This article is a translation of:
Software-as-a Service: Sicherheitsrisiko Cloud? Im Gegenteil! (German)

Cloud applications are springing up like mushrooms. Users of HR software are left wondering: how much caution do we really need to exercise here? After all, this is an area in which personal data that enjoys special legal protection is stored. What should we be looking out for?

The Data God has Placed IT Security in front of the Cloud

Lots of users are rather hazy when it comes to cloud computing, also known as the Software as a Service (SaaS) model, and this can open the door to data espionage and theft. This is especially true in cases where the wrong HR solution provider is chosen and the data it hosts is not sufficiently secured. In the field of HR, this can be fatal, because particularly sensitive personal information can be exposed here. As a result, when choosing suitable HR software, it’s not just the range of functions of a tool that needs to be taken into consideration, but also its security standards. For this purpose, the user first of all needs to understand the principle behind the cloud or SaaS model. With cloud computing, the entire IT infrastructure is hosted by an external IT service provider and accessed by the customer via the web browser. All that the user needs is a good internet connection and end devices. More and more cloud solutions are becoming available, including in the field of HR.

Advantages of a Cloud Application

Small and medium-sized enterprises are particularly attracted to the cloud. For them, it eliminates the need to develop and maintain a cost-intensive IT landscape. Furthermore, they don’t need to acquire expensive programs that soon become obsolete and that continually need updating. Instead, the cloud provider makes the particular software available via a more cost-efficient licence model and ensures that it is always kept updated. It’s therefore hardly surprising that software from the data cloud is becoming more and more popular. According to estimates, revenue from cloud solutions in Germany will amount to 19.8 billion euros in 2018, thereby increasing by an impressive 28 percent within a year.

The Cloud and its Risks: Where Should the Server be?

But not all clouds are equal. If the server is not sufficiently secured, data espionage is possible. And depending on the location, this could even be legal. In America, for example, the state is able to access the servers of US companies without a court order on the basis of the Patriot Act, which has been applicable since 2001. This right also extends to the European subsidiaries of US companies. Due to this legal issue, companies are increasingly requesting the cloud services of non-American IT service providers whose servers are located on European soil, where considerably stricter data protection applies. This is especially relevant to customers from sensitive sectors such as legal firms, trust companies, engineering firms, research institutes and insurance companies, as well as recruitment agencies and HR departments. Between the EU and the US, the so-called EU-US Privacy Shield is designed to ensure that the data of EU citizens is handled with a level of protection similar to that in the European Union. However, various exposure scandals have already shaken consumers’ confidence in the global network on a number of occasions.

The USA and Data Protection: A Never-Ending Story?

Since President Donald Trump came into office, this confidence has suffered once more. The 45th President of the United States has already brought forward legislation that allows US internet providers to monitor, store, evaluate and sell off the online activities and movement patterns of their users. Furthermore, it is also problematic that, despite great efforts on the part of previous US governments, there is still no data protection law at US federal level that is comparable with the level of data protection in the European Economic Area. A variety of rules at state and federal level, as well as differing jurisdictions and internal company data protection regulations, make it virtually impossible for the parties involved to determine how their personal data is protected.

European Data Protection Guidelines

The data protection regulations in Europe are quite different: the European Data Protection Directive lays down considerably stricter data protection regulations for all member states within the European Economic Area. In May 2018, a new version shall enter into force, which shall again ensure greater uniformity. Anyone on the lookout for a Software as a Service provider should therefore make sure that the provider’s servers are located in Europe and that it’s a European company. In this case, any processing of personal data would only be possible from the outset with the explicit approval of the party involved. Admittedly, this legal provision does not protect against illegal access by hackers, and that threat should not be underestimated either. A representative study carried out by the digital association Bitkom proves that cybercrime has long since been a real threat for companies.

Data Theft: A Threat to Cloud Systems?

According to that study, half of all companies in Germany fell victim to digital economic espionage at least once between the years of 2013 and 2015. In industry, the figures are even higher. However, that’s more of an argument for the cloud than against it: although the threat from the web is increasing virtually every second, only very few companies are equipped with their own IT infrastructure for the worst-case scenario. Protection is decreasing, rather than increasing. According to the Cisco Annual Security Report from 2016, the number of companies with their own optimal security infrastructure, kept up to date in its current version, fell by as much as ten percent between 2014 and 2015. We’ve said this already: keeping your own infrastructure updated in accordance with the most recent security standards costs time and money, both of which are often in short supply, especially for small players.

Take Note of the Certificates of Cloud Providers

On the considerably safer side are the users of cloud systems. This is because, on the whole, the operators’ data centres are kept up to date in terms of data protection, meaning that it is considerably more difficult for them to be compromised. This is not only because the most recent firewalls and security software are doing their jobs, but also because the processes within the data centres of reputable cloud companies are monitored and certified by external parties. When choosing a provider, potential software users should take note of certificates such as the ISAE 3000 report, which HR solution provider Carerix possesses.

Regular and Independent Checks

ISAE stands for ‘International Standard On Assurance Engagements’. The certificate requires regular monitoring by an independent IT (EDP) auditor and attests that the holder’s internal processes for quality assurance are standardised in accordance with strictly defined norms. Information security is also a fixed component of ISAE 3000. Customers can therefore count on their data being handled securely and confidentially. Well then: off to the cloud we go!