ISO 27001 Certification: security as a standard for our cloud products

Digitalization is shaping our lives and workplaces like never before. With this evolution comes an increased responsibility to protect data effectively and ensure stable service delivery. Information security is no longer a “should” but an absolute “must.”

As a provider of industrial software solutions delivered from the cloud, we make quality, security, and reliability our top priorities. We are delighted to announce that we have successfully obtained ISO 27001 certification from Datenschutz Cert. The certificate confirms that our information security management system meets the requirements of the standard and underlines our commitment to products that protect customer data effectively.

More security, efficiency, and sustainability with automation

Our goal was clear from the beginning: to meet security and stability requirements with innovative technologies. We rely heavily on automation and Infrastructure as Code (IaC) to achieve this. These measures enable us to implement security mechanisms effectively and integrate them seamlessly into our development and operating processes.

One crucial aspect of our preparations was to take climate risks into account. Events like extreme weather pose potential threats to IT infrastructures. In response, we developed solutions that minimize risks while enhancing efficiency – such as monitoring tools and automated scaling. These technologies reduce our carbon footprint and help to ensure a high level of security and sustainability.

Security culture as a success factor

Information security is more than just meeting standards—it is an integral part of our corporate culture. Principles such as high availability, automation, and the use of a single source of truth define how we work and foster a structured approach to tackling complex challenges. A standout aspect is the contribution of our team. Regular training and a high level of security awareness ensure that information security is not just seen as a task for IT, but is practiced throughout the entire company. This holistic mindset was a cornerstone of our journey to achieving ISO 27001 certification.

Our automation strategies further illustrate how we combine efficiency with security. By standardizing processes, we reduce human error while laying the foundation for continuous improvement.

Added value for customers and partners

For our customers, certification means one thing above all: trust. ISO 27001 is an internationally recognized standard, and an accredited audit against it confirms that our security management is structured, documented, and regularly reviewed rather than merely asserted. This strengthens the reliability of our cloud products and assures our customers that their data is in safe hands.

Our partners also benefit significantly from this certification. Standardized processes and clearly defined security requirements make collaboration more seamless, boost efficiency, and establish a foundation of trust for future projects. It is a crucial competitive advantage, especially in a dynamic environment like the cloud industry.

Our vision for the future

ISO 27001 certification is not an endpoint for us but a milestone in our ongoing journey to continuously enhance our security measures. For instance, we plan to make our monitoring systems even more robust, enabling us to detect potential risks more quickly and address them more effectively. The digital landscape is constantly changing – we are ready to face these challenges and ensure the security of our customers, partners, and their data.

How will the Data Act affect the industry?

Successful digital transformation requires access to data and its intelligent use. The EU has therefore defined a regulation that is intended to strengthen the European data market: the Data Act. Companies from traditional industries must adapt to it as soon as possible.

What is the Data Act?

The “Regulation on harmonised rules on fair access to and use of data” (Data Act) is a regulation of the European Union that sets rules on data access and use. Unlike a directive, a regulation applies directly in every member state without national transposition. It aims to create a fair, transparent framework for the exchange and use of data within the EU, thereby promoting innovation and increasing the competitiveness of European companies on the global data market.

The Data Act is a key component of the EU’s digital strategy. It was adopted by the Council of the European Union on November 27, 2023 and entered into force on January 11, 2024. After a transition period of 20 months, most of its provisions apply directly across the EU from September 12, 2025.

What is the motivation?

Data is a key resource in the digital economy. However, due to a lack of guidelines, legal requirements, and standards, a large part of the data generated remains unused, especially in industry.

Furthermore, we are currently observing a strong imbalance on the market: data is mostly owned by a small group of large companies. Compared to SMEs and start-ups, this gives them a considerable competitive advantage, which is reflected, for example, in one-sided contracts regarding data access and use.

To counteract this, the EU has developed the Data Act. It aims to democratize the market and create a balanced, fair data ecosystem. To this end, the EU has defined a legal framework ensuring that users of connected products or related services can promptly access the data those products generate.

The objectives of the Data Act in a nutshell:

  • Clear rules for the use and exchange of data
  • Transparency and fairness within the data market
  • Protection of personal data
  • Secure data processing
  • Promotion of data-driven innovations
  • Increased competitiveness of EU companies

Who is affected by the Data Act?

The Data Act addresses companies, organizations, and individuals who

  • bring connected products to the market,
  • offer connected services,
  • as a data owner, share generated data with third parties,
  • receive data from data owners,
  • as a public institution, request data owners to share data, or
  • offer data processing services.

Participants in data spaces and providers of applications that use smart contracts are also affected. Persons whose trade, business, or profession involves deploying smart contracts for others in connection with the execution of a data-sharing agreement must also comply with the Data Act.

Which tasks result from the Data Act?

The Data Act imposes numerous new obligations on the industry. These include:

Making data accessible: Providers must ensure that users of connected devices or connected services have access to the data they generate.

Ensuring portability: The Data Act demands mechanisms that enable users to easily and securely transfer their data to third parties. This includes the development of standards and interfaces for data exchange.

Ensuring transparency and fairness: Companies must be transparent about what data they collect, how they use it, and who has access to it.

Ensuring data protection: The processing and disclosure of data must comply with applicable data protection laws (e.g., the GDPR).

Enabling cooperation with authorities: In many cases, it is necessary to pass on data to public institutions. This requires clear processes and responsibilities.

Data Act vs. Data Governance Act

The Data Act is not the only pillar of the European data strategy. It also includes the Data Governance Act (DGA), an existing regulation that defines processes and structures for the exchange of data between individuals, companies, and public institutions. In contrast, the Data Act focuses more on promoting the digital economy. It regulates which players are allowed to use the generated data under which conditions.

What are the consequences of violating the Data Act?

Unfortunately, it is not yet possible to predict how these aspects will be structured in detail. Although the regulation applies directly, each member state must designate the competent supervisory authorities and set the framework for penalties. Germany has not yet done so, so it remains to be seen which authorities will oversee implementation and how violations will be sanctioned in practice.

However, one thing is clear: violations of the Data Act will result in fines, similar to the GDPR. There is also a risk that companies will be sued for damages by other market players if they fail to meet the requirements. Furthermore, it is possible that products and services that do not comply with the Data Act may no longer be sold in the EU.

Does the Data Act only create new duties?

The EU regulation does not only entail obligations. It opens up many new opportunities for SMEs in particular. If data is available to all market players in interoperable formats, this facilitates the implementation of innovative, data-based services, such as predictive maintenance.

This is precisely what the democratization of the data market aims to achieve. It gives companies more control over the way they handle their data and creates rules that facilitate data transfer. Both data owners and users will benefit from this.

Processes that are complex and time-consuming today will be accelerated. For example, the regulation provides clear rules for contract management. Cloud or edge providers, for instance, must contractually and technologically ensure that customers can transfer their data as easily as possible when they switch systems.

The industry will also benefit from increasing competition. For example, machine manufacturers who want to enable their products for the Internet of Things can currently only turn to a few providers for this purpose. The Data Act opens up this restricted circle. This not only increases the quality of products and services but also leads to lower prices.

According to a representative survey by the digital association Bitkom, Germany’s economy is currently divided on the Data Act. 49 percent of the 603 companies surveyed across all economic sectors see the new EU regulation as an opportunity for their business. On the other hand, 40 percent of respondents consider the Data Act to be a risk.

What is the best approach for companies?

Companies dealing with the Data Act quickly come up against complex issues: How do they ensure that the data interfaces of their machines, systems, and products are accessible to third parties? What impact does the sharing of data have on their business model? What opportunities does this present (e.g., new services and offers)?

Many of these questions are currently still unclear, making it difficult to prepare for the EU regulation. However, it is advisable to put the topic on the strategic agenda and seek an exchange with associations and other companies. This dialog helps assess the impact of the Data Act on your business.

Summary

With the Data Act, the EU wants to equip the European data market for international competition. The regulation promotes a secure, efficient flow of data and creates a framework that facilitates data exchange and use. This results in new business obligations, but also fairer market conditions.

How the Data Act will be implemented in Germany remains to be seen. Manufacturing companies should nevertheless get to grips with the contents as soon as possible. It is a complex set of rules that influences topics ranging from technological infrastructure to processes and contract design. Companies affected must adequately prepare themselves.

Further information

Handling data is becoming increasingly important for a company’s success. A reliable security architecture is essential, especially for cloud users. In our guide “IT security for companies”, you can read about the requirements for this and the factors you should consider when selecting software providers.

More cybersecurity with passwords

Today is “Change Your Password Day” again, a well-intentioned initiative for more IT security. The recommendation to change your password regularly, which originated in the military context of the 1960s, can still be found in many corporate policies today. Modern guidelines such as the current BSI IT-Grundschutz Compendium and the NIST Digital Identity Guidelines (SP 800-63B) no longer require periodic changes, because there are more effective strategies to increase password security:

Password length over complexity

First of all, a strong password needs to be changed only if there is reason to suspect that it has been compromised.

Today, attackers can try out billions of passwords within a very short time using automated systems. This is especially true when the login system is reachable over the network, or when the attacker has obtained the password hashes and can run the guessing offline, with no rate limit at all. Against such guessing, a short password falls no matter how many character classes it mixes: the size of the search space, not the presence of special characters, is what counts. Recommendations for length vary from 8 to at least 14 characters. Advances in cracking tools such as Hashcat, and faster, specialized password-guessing hardware, keep pushing these requirements upward.

Compliance policies today require individual login credentials. This eliminates the risk that a password is known to many people, and with it the need to change it regularly. One long password for exactly one person for exactly one service is pretty secure.

Passwords are not for reuse

To be honest, haven’t you ever used the same or a very similar password for multiple services? You should get rid of this habit quickly, because credentials stolen from one service are replayed against others (credential stuffing), so a successful attack on one service quickly becomes a successful attack on the rest. Using passwords from private accounts in a corporate environment is particularly critical.

Modern password policies reject passwords that appear in lists of captured passwords. The website Have I Been Pwned, for example, indicates whether a password has appeared in a known breach, and its range API lets a system check this without ever sending the password itself: only the first five characters of the password’s SHA-1 hash are transmitted, and the match is made locally. Modern systems offer interfaces to check passwords in this way. In CONTACT Elements you can easily activate them:

from cdb.sig import connect
from cdb.authentication import check_pwned_password

# Register the pwned-password check as a hook that runs whenever a new password is set.
connect('password_acceptable_hook')(check_pwned_password)
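The following is an added example, not code from CONTACT Elements or the original post, showing what such an acceptance check does under the hood: it combines the length rule from the section above with a Have I Been Pwned style k-anonymity lookup. The minimum length of 14 and the function names are assumptions for the example, and the range response is constructed inline instead of being fetched, so the block runs offline.

```python
import hashlib
import math

# Assumption for this example: the upper end of the "8 to at least 14" range above.
MIN_LENGTH = 14

# Constructed stand-in for the body that the Have I Been Pwned range API returns
# for the SHA-1 prefix "5BAA6" (the prefix of SHA-1("password")). A real response
# lists hundreds of "SUFFIX:COUNT" lines. The first line is the genuine suffix of
# SHA-1("password"); the other two suffixes and all counts are made up.
CONSTRUCTED_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
0D8BA7FDE5D6A8D9F5E1B6D3A64B0E3A0E1:2
ABCDEF0123456789ABCDEF0123456789ABC:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character prefix
    that would be sent to the range API and the 35-character suffix that never
    leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """k-anonymity lookup: scan the range the service returned for our own suffix.
    The service only ever learned the prefix, so it cannot tell which password
    (if any) in the range we were checking."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of this length over this alphabet; the
    quantity an offline attacker actually has to exhaust."""
    return length * math.log2(alphabet_size)


def password_problems(password: str, range_response: str) -> list[str]:
    """Return the reasons a password is unacceptable (empty list means accepted).
    Both checks run so the user sees every problem at once."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = pwned_count(password, range_response)
    if seen > 0:
        problems.append(f"appears in known breaches ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate, CONSTRUCTED_RANGE_RESPONSE) or "accepted")
    # Length beats complexity: 14 lowercase letters span a larger space than
    # 8 characters drawn from all 95 printable ASCII symbols.
    print(round(guess_space_bits(8, 95), 1), "bits vs", round(guess_space_bits(14, 26), 1), "bits")
```

In production the range response comes from `GET https://api.pwnedpasswords.com/range/<prefix>`; everything else, including the suffix comparison, stays exactly as shown, which is the point of the k-anonymity design.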

Password manager instead of one-size-fits-all

Reusing passwords is bad, and so are short passwords. Users therefore face the challenge of remembering a large number of long passwords. Writing them on a piece of paper and hiding it under the keyboard or pinning it to the bulletin board is not a solution, because anyone passing the desk, or a camera, can capture it.

It is better to use a password manager. It can generate and store long passwords and makes them easy to enter via copy and paste. Unfortunately, some companies, concerned that a Trojan might read the passwords from the clipboard, block copy and paste in their applications and thereby prevent the use of a password manager. This measure is usually ineffective: malware that can read the clipboard can just as easily log keystrokes, so typing the password by hand protects nothing while making long, unique passwords impractical. Companies should instead instruct their users to use a password manager to increase IT security.

Beware of highwaymen and tricksters

Even the strongest password does not protect against attacks if it is intercepted, and that is often surprisingly easy. Connections without a minimum level of transport protection such as Transport Layer Security (TLS) are an open book for any attacker on the path. Legacy configurations of network authentication protocols, such as Kerberos service tickets issued with the old RC4 encryption type, also offer numerous footholds, and ransomware exploits them to spread across the corporate network. As soon as an administrator logs on to a compromised computer, the attacker has the administrator’s credentials; with domain administrator rights the attacker can extract the krbtgt key, forge golden and silver tickets, and hold the Windows domain firmly in hand.

Here, too, security stands or falls with the password. The key that encrypts a Kerberos service ticket is derived from the service account’s password, and because the encryption is symmetric, anyone who has obtained a ticket can guess passwords offline, deriving a key from each guess until one decrypts the ticket correctly (the attack known as Kerberoasting). The password is not calculated back from the ticket; it is guessed, which is exactly why its length decides whether the attack succeeds in hours or never.

Increase security through multiple factors

One recommendation to get around the weaknesses of passwords is to include additional factors. This works very well from a security perspective: a second factor significantly increases security in almost every case. In most cases it is of secondary importance whether these are one-time codes sent by SMS (TANs), time-based one-time passwords (TOTP), or even simple confirmation emails with links, although SMS is the weakest of these, since codes can be diverted by SIM swapping.
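TOTP is small enough to show in full. The following is an added example, not code from the original post, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and checking it against the test vectors published in RFC 6238. The verifier accepts one step of clock drift in either direction and refuses to accept a counter that has already been used, which is the replay check a real server needs; the tolerance of one step and the replay bookkeeping are design choices for the example.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second periods
    since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, digits: int = 6,
                tolerance: int = 1, last_used_counter: int = -1):
    """Return the counter the code matched, or None.

    Accepts codes from `tolerance` steps before or after the current one (clock
    drift), compares in constant time, and rejects any counter that is not newer
    than `last_used_counter`, so a captured code cannot be replayed."""
    current = int(at_time) // step
    for delta in range(-tolerance, tolerance + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits): 59 -> 94287082, 1234567890 -> 89005924
    print(totp(RFC_SECRET, 59, digits=8), totp(RFC_SECRET, 1234567890, digits=8))
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code", code, "verifies as counter", verify_totp(RFC_SECRET, code, now))
```

A production verifier stores the returned counter per user and passes it back as `last_used_counter` on the next login; without that, a TOTP code phished a few seconds ago is still valid.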

The downside of second factors is the additional effort and the impact on usability. Helpdesk processes become more complicated, users need to be trained, and login processes often happen more slowly.

Single sign-on – both a curse and a blessing

Users love single sign-on (SSO), where you only have to enter a password and a second factor once to use numerous services. This minimizes the effort enormously – but also for the attacker. Particularly if access depends on a weak password only. A central login system also solves many problems for compliance when users are blocked or reports are generated. The costs for user administration are also reduced.

Single sign-on turns the “one password per service” argument above on its head. Once again, only one password stands between the attacker and your systems: if the attacker knows it, they have access, and the single sign-on system then opens every door for them.

Detect phishing

Even stronger mechanisms such as TOTP or hardware OTP tokens do not protect if the password and one-time code are entered on a fake website; this practice is known as phishing. The solution is to bind the credential to the origin through which access is requested. With FIDO2 / WebAuthn, the authenticator holds a key pair per relying party and its signature covers the origin the browser actually connected to, so a response produced on the attacker’s page is worthless on the genuine one, and the browser will not even offer a credential to a site whose domain does not match the relying party it was registered for. Unlike a typed code, there is nothing for the user to hand over. This form of multi-factor authentication is very secure and easy to use with modern hardware or cell phones. For enterprise IT, integration with common platforms is what matters here: Windows Hello, Apple and Android support FIDO2, specified by the FIDO Alliance, and the W3C WebAuthn standard it builds on, making authentication phishing-resistant and single sign-on secure.
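What the relying party must check to get that phishing resistance is the part most often left implicit. The following added example (not code from the original post or from any WebAuthn library) builds the two structures a browser hands back during authentication, `clientDataJSON` and `authenticatorData`, for a genuine login and for a phished one, and runs the relying-party checks that make the phished response fail: the origin recorded by the browser, the challenge, and the hash of the relying party ID. Signature verification over `authenticatorData || SHA-256(clientDataJSON)` is the step that makes these fields tamper-proof; it is omitted here to keep the example dependency-free. The relying party ID, origins and challenge are assumptions for the example.

```python
import base64
import hashlib
import json
import struct

# Assumptions for the example: the relying party and the origin users should see.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

# authenticatorData flag bits (WebAuthn Level 2, section 6.1).
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON the browser produces. The browser,
    not the page, fills in `origin`, which is why a phishing page cannot lie about it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8"))


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_b64: str, authenticator_data: bytes, expected_challenge: bytes) -> list[str]:
    """Relying-party checks from the WebAuthn authentication ceremony, returning every
    failure found (empty list means the assertion may proceed to signature verification)."""
    errors = []
    client_data = json.loads(b64url_decode(client_data_b64))

    if client_data.get("type") != "webauthn.get":
        errors.append("type is not webauthn.get")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        errors.append("challenge does not match the one issued for this session")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        # This is the phishing check: the signature covers this value, and the
        # browser wrote it from the page it really loaded.
        errors.append(f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}")

    if len(authenticator_data) < 37:
        errors.append("authenticatorData too short")
        return errors
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode("utf-8")).digest():
        errors.append("rpIdHash does not match the relying party")
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        errors.append("user presence flag not set")
    return errors


if __name__ == "__main__":
    challenge = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"  # constructed
    auth_data = make_authenticator_data(RP_ID, FLAG_USER_PRESENT | FLAG_USER_VERIFIED, 7)
    print("genuine:", check_assertion(make_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge) or "ok")
    # Attacker relays the real challenge to a victim on a look-alike domain; the browser records that origin.
    print("phished:", check_assertion(make_client_data("https://login.example-com.evil", challenge), auth_data, challenge))
```

In a real deployment the browser performs the same origin and RP ID checks before the authenticator ever signs, and the server additionally verifies the signature with the public key stored at registration and checks that the sign count increased.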

Passwords are obsolete!?

Building on the WebAuthn standard, a new initiative driven by Apple, Microsoft and Google has been underway since 2022 with passkeys, whose aim is to banish passwords from applications and single sign-on altogether. If your device supports it, you can replace your password with a passkey today, and use 2024’s “Change Your Password Day” to delete your password and never have to use it again.


More Information on Cybersecurity

Learn everything you need to know about building a reliable IT security architecture for protection against cyberattacks in our free white paper “IT Security for Enterprises”.