Cloud computing

Is a Swiss cloud more secure than any other cloud?


Cloud Computing is on everyone’s lips, even surpassing the number of Google searches about Artificial Intelligence and Blockchain in most countries. This trend has now arrived in Switzerland. However, people are still reluctant to use the services of foreign companies. The concerns about losing sovereignty over their own data are simply too strong. Sensitive data must not fall into foreign hands, must be available at all times and must remain in the country. And this is an opinion shared by many decision makers. So, is it true that data is more secure in a Swiss cloud?

The marketing departments of products and services often take advantage of the excellent reputation of Swiss labels. What worked with Swiss watches, Swiss chocolates and Swiss pocket knives should also attract customers in a digital world. And so the Swiss Cloud is born! But when is a cloud “Swiss”? Does only the data center have to be located in Switzerland? Or does the company headquarters have to be located in Switzerland and subject to Swiss law in order to comply with this label?

Also, the banking and insurance industries have been accustomed, historically, to keeping their files and gold in their own basements. This way of thinking has become ingrained in their minds and has been transferred to data storage. Consequently, data is only safe if it is stored in the company’s own basement. The German-language IT news portal Netzwoche writes how the trend towards the cloud can be tackled with increasing data protection requirements and how modern data is comparable to the gold at banks in the past.

Data is the gold of the cyber age

For companies with their own software development department, public clouds such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) bring a wide range of benefits. But, at the same time, the migration path of the company’s own applications to the cloud is hard and long. However, many companies already use software as a service (SaaS) for their email, CRM, ticketing system, accounting and many other processes. SaaS is often introduced in smaller companies without first thinking about where the data is stored or implementing security protocols beyond the usual authentication.

But what aspects should now be considered when moving sensitive data to the cloud? It’s crucial that data:

  • Must not be lost
  • Must be available at all times
  • Must not fall into foreign hands
  • Must meet regulatory requirements.

In the case of customer data, regulatory requirements also play a decisive role, which can vary greatly from country to country. For each process, it is vital to precisely analyse which aspects of security are crucial and how they need to be addressed.

Let’s take a closer look at some security aspects in detail and compare Swiss clouds with other clouds.

Durability

No one wants to lose their data due to hardware failure, a software error or, in the worst case scenario, a natural disaster. This can be avoided either with a backup strategy or by relying on the durability of the cloud provider’s service. Large foreign cloud providers such as Amazon, Microsoft or Google offer automatic backups, or backups that are very easy to set up, and achieve a durability of up to 99.999999999% with their service. That means if you were to store 10 million objects, then you would expect to lose part of your data every 10,000 years. This value is better than what most Swiss cloud providers, or even the on-premise systems of Swiss IT companies, banks and insurance companies, can achieve. Therefore, the data is no less likely to be lost if the service carries a Swiss label.

Availability

In order to achieve a high availability of the application and its data, these are often distributed over at least two data centers that are sufficiently far apart. If one data center fails completely, the other can immediately step in and maintain availability. An example could be a data center near Zurich and a second one in Ticino.

For Swiss clouds, mirroring the application and its data to two data centers results in high costs, and distribution to three data centers is rarely realised. Meanwhile, setting up one’s own data center is associated with immense costs, and leasing space in a third-party data center and setting up one’s own servers there requires a lot of effort. In practice, it’s more efficient to stick with either one or no more than two locations.

Regions and Availability Zones

Large public clouds, on the other hand, offer dozens of data centers with just a few mouse clicks or by writing a configuration file. Using AWS as an example, there are at least three so-called Availability Zones in each region, which consist of one or more data centers. Today, 25 of these regions are available and more are added every year. Microsoft also recently announced that it will introduce availability zones in every country by the end of 2021. Due to the often lower costs and simpler configuration, high availability can be implemented much more easily with a public cloud than with a local provider.

The ship has sailed for local Swiss cloud providers

It’s no surprise that Martin Andenmatten, president of Swiss Euro Cloud, told Netzwoche in an interview that the ship has already sailed for Swiss cloud providers. They can only position themselves as cloud brokers or service integrators.

Data Access

This is a very broad topic which includes, among other things, the security of the infrastructure, protection of the application through firewalls, identity and access control and also encryption of the data. The security of the data depends, to a large extent, on the architecture and implementation of one’s own solution; a comparison of the infrastructure providers is only possible to a limited extent with regard to this aspect.

First of all, a distinction must be made as to who is responsible for which area. The cloud operator cannot assume responsibility for the security of the data if the customer’s own application allows unprotected access to the data by design or due to an error. Conversely, it is the responsibility of the cloud provider to ensure the security of the cloud, i.e. the hardware and the managed resources. Smaller providers are often more flexible in structuring the agreement here. The larger providers can make up for this with a wide range of services for different processes, which are also extensively documented and meet a large number of industry standards. An excellent example is the Shared Responsibility Model of AWS.

A comprehensive discussion and a final assessment would go beyond the scope of this article. However, all cloud providers are excellently positioned in this respect and the weakest point is often your own application.

Monitoring and Logging

What do monitoring and logging have to do with security? Well, firstly, it’s important that they are in use both before and after any data is compromised. Well-applied monitoring can provide early indications of a compromise. And, after an incident, the logged events are of central importance for a reappraisal of the security practices in place.

Again, the work of the solution or infrastructure architect of the application is critical to its success or failure. However, the wide range of integrated services available through the large cloud providers can make a significant contribution to a simple and cost-effective solution. Most services already include basic monitoring and logging without any additional configuration. This, of course, can be achieved in any cloud or data center. However, I myself have experienced that monitoring and logging is not always implemented, even after an application has been operating for several years. For smaller clouds, and here we are talking primarily about Swiss clouds, this can be associated with greater effort.

Regulations

Now we come to the less technical requirements. In many cases, the law, a regulatory entity such as Finma, or an internal company guideline dictates in which country the data must be held. Whether this guideline is comprehensible or simply outdated is irrelevant. The data must remain in its own country. In this case, Swiss cloud providers have, at first glance, an advantage. However, with some quick research you will soon discover that Microsoft and Google already have data centers in Switzerland. And AWS will soon follow suit.

The public cloud providers offer assistance with these topics as a matter of their own interest, such as the AWS Compliance Center for Switzerland.

Summary

Cloud computing is one of the biggest trends of our time, and not without reason. But our culture is often averse to new things, and labels such as “Swiss” or “from Switzerland” evoke a sense of familiar security. However, it is worth asking exactly what your own needs are.

The three largest cloud providers have an advantage over every smaller provider, including Swiss providers, simply because of their size and workforce of thousands of security engineers. In terms of security, but also availability and resilience, all the arguments speak for one of the three large foreign cloud providers: Amazon, Microsoft and Google.

However, if data storage in Switzerland is required for legal or regulatory reasons, other aspects must be evaluated. Two of the three largest public cloud providers already have data centers in operation in Switzerland, the other will follow in a year.

When it comes to data security, the country in which the data center is located hardly plays a role. In the case of regulatory requirements or close integration in a hybrid or multi-cloud, a data center location in one’s own country can be an advantage. With their wide range of services, almost unlimited scalability, resources at the push of a button and the many standards already audited, the large public cloud providers are ideally equipped for almost all scenarios.

For the small Swiss providers, however, the ship has already sailed.