Data Storage

The German cloud

The country is getting a lot of attention for its strict privacy laws. But is it the only option for a data-safe harbor in Europe?

The take-away

  • The physical location of data servers is important
  • German companies are taking advantage of doubts created by American overreach

More than $1 trillion is expected to be spent on the shift to cloud computing between 2016 and 2020. But when entrusting your data and that of your clients to a cloud company, the big question is: whom can you trust? Or perhaps where can you trust? The location of the data servers holding your information is important, as they come under the legal jurisdiction of that country, even if you and your virtual castle do not live there. With nationalism on the rise and some governments undermining privacy in the name of security, Germany, the country with Europe’s strictest data-protection regulations, could be the right choice.

It is perhaps no coincidence that American cloud-service giants like Amazon, Salesforce, IBM and Microsoft have all opened German data-storage centres in the past three years. “Due to our history, we have a constitution with very strict privacy laws,” says Ahmad-Reza Sadeghi, head of the System Security Lab at Technische Universität Darmstadt. He says the core of these privacy laws comes down to one basic principle: personal data can be released only with the owner’s permission. Germany has been a major driver of the EU General Data Protection Regulation that comes into effect in 2018.


German Fort Knox

Germany’s cloud-services market jumped from €1.4 billion in 2012 to €9.2 billion in 2015, with 65% of German companies reporting that they used cloud services in 2016. Even so, that is just a fraction of the $209 billion the worldwide market pulled in last year. But Europe is the biggest market after the US, with the UK in the lead and Germany slotting in ahead of France, tipped to show the strongest European growth until 2020.

One flagship of the German Cloud is the offering of Deutsche Telekom’s corporate customer arm, T-Systems, which includes “high-tech Fort Knox” data centres as part of its service. Another is Deutsche Telekom’s partnership with another huge foreign firm, China’s Huawei; together they have rolled out the public Open Telekom Cloud platform. Salesforce and Microsoft also partner with T-Systems, which oversees all data access in covering privacy requirements. Chief architect for cloud operations and analytics at Huawei’s German Research Centre, Jorge Cardoso explains that Huawei does not supply cloud solutions directly to customers in Europe – unlike in China – but offers joint services.

“For example, on the Open Telekom Cloud we’ll be implementing High Performance Computing (HPC) for big customers that need to carry out heavy simulations,” says Cardoso. Cardoso sees Germany attracting more cloud service providers like Huawei thanks to its role as Europe’s leader in data security. “When the big American companies want to offer data storage in Europe, they’ll build more and more data centres here because, for example, no big German company will trust storing financial data in the US, as nobody knows whether the FBI will be able to access the data or not.”

But there is no guarantee that foreign companies with data servers in the EU will be safe. Microsoft won a case against the US Department of Justice, which wanted to access customer data stored on Irish servers, but Google was recently ordered to hand over e-mails stored outside the US. Google is appealing the decision, but the damage may have been done.

Even so, Sadeghi believes Germany has a cloud jump on the rest of Europe. “The only place where the security awareness is as strong from a research and funding point of view is the UK,” he says. “But how trustworthy is the UK, given that it is a close partner of the US? How could a German company trust its data to a UK cloud company?”

Then there’s Switzerland

Another European country with a longstanding reputation for security and discretion has begun to market itself as a safe bet for cloud storage. Among the arguments of the Vigiswiss Swiss Data Centre Association: “Switzerland is a politically neutral, stable and pragmatic democracy with a culture of confidentiality.” Says Sadeghi: “If Switzerland can keep the money of all kinds of people safe, including dictators, maybe they can do it with data as well.” He adds that Liechtenstein or Luxembourg are also plausible candidates.

Judging by EU guidelines on countries where data can be safely stored, however, Switzerland’s laws are merely “adequate”. The data-safe harbour of the future will be defined first by its laws – and then cemented by technological superiority.

“Even within Europe, everyone knows not only the precision of German tech and engineering but also the nature of the law and the precision of its application,” says Cardoso. “For that reason, Germany is the perfect place for cloud computing or data services.”

Public and private keys

 

Many online processes are secured by RSA encryption, a technology developed 40 years ago.

The “https” code that you see in the address line of your internet browser is directly linked to an encryption system called RSA. Created by three American mathematicians in 1977, it ensures that information exchanged on the internet stays private. One important application is online banking.

Like every encryption system, RSA is based on random numbers. In this case, two random prime numbers (each with between 300 and 600 digits) are multiplied to form what is known as the public key. This public key is saved on a website’s server. The internet browser uses this key to encrypt data before sending it to the server. To decipher the information, you need to know the two prime numbers. In our example, they are saved on the server of the website and known only by the people that have access to it. This is called the private key.

How safe is the technology? The RSA system is based on the principle that the prime factorization of a very big number is extremely difficult – a supercomputer might take years for this task. In 2012, however, Arjen Lenstra, professor of cryptologic algorithms at the École Polytechnique Fédérale de Lausanne, found that 0.2% of keys were not safe because they were made of a small group of prime numbers. That does not mean the encryption system itself is weak. “If one wants to attack a system, it is in general not a good idea to focus on the part that is, if properly implemented, the strongest,” explains Lenstra. What’s more problematic is the creation of the random prime numbers. If the mechanism is too simple, it can easily be hacked. But given the small percentage of weak keys, RSA encryption may still have plenty of life left.
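An added example, not part of the original article: one way to audit your own key inventory for the weakness Lenstra describes, where poor random-number generation leads different keys to reuse a prime. It computes, for every modulus, the greatest common divisor with the product of all the others (a batch GCD); the function names, key labels and toy-sized moduli are constructed for illustration.

```python
from math import gcd, prod

def batch_gcd(moduli):
    """For each modulus n_i return gcd(n_i, product of all the other moduli)."""
    # Product tree: leaves are the moduli, the root is their product P.
    tree = [list(moduli)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([prod(level[i:i + 2]) for i in range(0, len(level), 2)])
    # Remainder tree: push P back down, reducing modulo n^2 at every node.
    rems = tree.pop()
    while tree:
        level = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # (P mod n_i^2) / n_i equals (P / n_i) mod n_i, so one gcd per key is enough.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit_key_inventory(keys):
    """keys maps a label to an RSA modulus; returns {label: shared factor}.

    A result equal to the modulus itself means a duplicate modulus, or that
    both of its primes also occur in other keys.
    """
    shared = batch_gcd(list(keys.values()))
    return {label: g for label, g in zip(keys, shared) if g != 1}

# Constructed inventory with toy-sized moduli (real primes have hundreds of digits).
SAMPLE_KEYS = {
    "web-01": 10007 * 10009,
    "web-02": 10037 * 10039,
    "vpn-01": 10007 * 10061,   # reuses the prime 10007 from web-01
    "mail-01": 10067 * 10069,
}

if __name__ == "__main__":
    for label, factor in audit_key_inventory(SAMPLE_KEYS).items():
        print(f"{label}: shares factor {factor} with another key, replace it")
```

Any key the audit flags should be regenerated on a system with a properly seeded random-number generator, since the fault lies in how the primes were created rather than in RSA itself.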

From worms to blackmail: the most harmful cyberattacks

 

November 1988: The Morris Worm

Also known as the Internet Worm, it was launched on the US government’s ARPAnet (a precursor to the internet) and spread to 6,000 networked computers.

Summer 1994: Citibank theft

Russian hackers siphoned $10 million from Citibank and made transfers to bank accounts around the world.

March 1999: Melissa Virus

This mass-mailing macro virus quickly became the costliest malware outbreak of its time, causing $80 million worth of damage.

May 2000: ILOVEYOU Worm

Considered one of the most damaging worms ever, it quickly infected millions of computers worldwide.

February 2001: Anna Kournikova Worm

Designed to trick email users into opening an attached image of the Russian tennis star, it launched a viral script that forwarded the message.

April 2007: Estonian DOS attacks

A series of denial-of-service attacks on Estonian websites, including banks, ministries, and parliament.

January 2010: Stuxnet

Built as an American-Israeli cyber weapon, it is famous for having damaged Iran’s nuclear program.

October 2012: Red October

Prior to its discovery, this malware reportedly operated worldwide for up to five years, targeting diplomatic and scientific organisations in at least 39 countries.

June 2015: Cybertheft at the US government

The records of more than 21 million people were stolen from the US Office of Personnel Management.

May 2017: WannaCry ransomware attack

Described as unprecedented in scale, it is estimated to have infected more than 230,000 computers in over 150 countries, disrupting the operations of railways and airlines.

Ahmad-Reza Sadeghi, Technische Universität Darmstadt, Jorge Cardoso, Huawei