The New Data Security Strongholds: How a German Tier 3 Data Center Works in Response to the EU GDPR and US CLOUD Act
In the digital era, data represent a valuable raw material for any company. For this reason, the new EU GDPR had a considerable impact, including on German companies that often involve external data centers in their processing activities. The following article explains, from an inside perspective, how and where data are processed in a next generation data center and how information is protected from loss or theft. The US CLOUD Act and the new challenges it brings are also examined.
Data centers are modern facilities for data processing and storage, which can be used by companies as an alternative to developing their own IT infrastructure. Planning and constructing a data center is a lengthy and complex process requiring high investments. Thus, it is less expensive for numerous companies to utilize the services of a professional data center operator.
Overview of Tier Levels[*]
Tier I
- Limited protection against physical events
- No redundancy
- 99.671% availability
- Maximum downtime of 1 729 minutes per year
Tier II
- Enhanced protection against physical events
- Redundant capacity components and a single, non-redundant distribution path
- Partial redundancies in power supply and cooling
- 99.741% availability
- Maximum downtime of 1 361 minutes per year
Tier III
- Protection against most physical events
- Redundant capacity components and several independent distribution paths
- N+1 fault tolerance
- 72-hour protection against power outage
- 99.982% availability
- Maximum downtime of 95 minutes per year
Tier IV
- Protection against nearly all physical events
- Redundant capacity components and several independent, active distribution paths
- 2N+1 complete redundancy
- 96-hour protection against power outage
- 99.995% availability
- Maximum downtime of 26 minutes per year
In Germany, data processing follows strict European data protection regulations. In order to prevent any data losses, backups are performed regularly in accordance with applicable legal provisions, best practices, and precise customer requirements. Comarch serves renowned ICT customers such as Idealo, Metro, Acco Brands, E-Plus, Schnellecke, Heathrow, JetBlue and hosts their data.
Since 2013, the newly built Comarch Data Center in Dresden has been used to provide Comarch's cloud products as well as IT services, fulfilling high availability, security, performance, and scalability requirements.
Located on two floors with about 320 m² effective area, Comarch operates two separate data center facilities that can each house about 60 server cabinets or 2 500 rack units for physical server systems. The Comarch Data Center in Dresden complies with the Tier 3 standard and is one of the safest data centers within the Dresden region and central Germany. This new data center is the second one used by Comarch to offer services in Germany (the first one is in Berlin). Around the globe, Comarch has more than 15 data centers at its disposal. The newest of them is located in Lille, France.
In order to ensure a high security level, two transformer stations and distribution units for fail-safe operation were installed in the Dresden data center. If the public power grid were to fail, UPS batteries would provide backup power for about 15 minutes (under full load), which is sufficient time for the power generator to start automatically. Thanks to the nine-ton diesel generator installed on the roof of the new building, the servers can survive even longer power outages unscathed. The diesel tank (with a volume of 20 000 liters) and the external tank connection even meet Tier 4 requirements for backup power supply. To maintain a constantly low temperature in the data centers despite the high heat emission of the server systems, two water chillers with a cooling capacity of 550 kW each were installed, as were four chilled water tanks with a total capacity of 24 000 liters. In the unlikely event of smoke development within the data center, smoke detectors locate the danger zone and flood the server room with a non-toxic extinguishing gas (Inergen) to prevent a potential fire.
Six Levels of Security
The Dresden data center implements a multi-level security concept in accordance with international standards. The first level is about physical security. Fully secured data center facilities such as Comarch's are monitored 24/7/365. They are divided into several zones with a designated security zone and corresponding employee access control for each zone. Furthermore, an ICT security layer and perimeter protection are deployed.
Next, redundant power supply is ensured. For this, the data center is equipped with additional power sources, i.e. N+1 generators and a UPS system.
To implement environmental security, the fully air-conditioned data center is divided into several fire protection areas. Here, comprehensive measures protect the data center from fire and water damage. The fire protection system works with Inergen and FM-200.
Another kind of protection is provided by backup and archiving. In addition to this, Comarch's data centers offer advanced protection against virtual access. That means data are sent through encrypted channels and secured within the data center by a multi-redundant infrastructure such as shared storage or shared backup.
Last but not least, monitoring plays an important role. In the Dresden data center, technical monitoring is performed by Comarch's Global Operations Center. A team of engineers and specialists in different IT fields controls operation of the systems and devices entrusted to them, resolves incidents in accordance with ITIL best practices, and is responsible for service coordination, observance of deadlines, and reporting. In addition to the above, a disaster recovery service may be obtained.
Better Safe than Sorry: Disaster Recovery Service
Using a disaster recovery service provides another option to ensure the highest possible protection from data loss. In a recent project, a large German enterprise opted for the modern enterprise resource planning software Comarch ERP Enterprise, which was subsequently implemented throughout its German operations in 2018. This software is hosted in the Comarch Data Center in Dresden. Comarch's services also include mail server and backup. In addition, a disaster recovery service was set up in Comarch's data center in Berlin. In the unlikely event that connection, infrastructure, or software fails in the Dresden data center because of unforeseeable circumstances, operations will be manually switched to the Berlin data center and the enterprise can continue working without the slightest interruption. This setup prevents the database from experiencing any data loss.
Data centers are designed to meet high requirements of information access and security, which is verified accordingly. Regular reviews by independent auditors and data center customers repeatedly confirm compliance with legal and industry-specific standards for data centers, such as Tier 3 of TIA-942, ISO 27000, ISAE 3402, or ITIL v3. They cover, for instance, physical security (perimeter protection and ICT security layer) and guaranteed service quality (SLA).
GDPR and Similar: Physical Security must go Hand in Hand with the Protection of Intellectual Values
The physical security of data is one side of the coin; the other is compliance with all essential regulations – concerning data protection amongst others. The changes set in the EU General Data Protection Regulation (GDPR) primarily pertain to the scope of obligations and responsibilities in terms of personal data protection. The new regulation is binding upon companies and data controllers, as well as on entities subject to their instructions, e.g. suppliers of cloud computing services.
In this regard, it is essential for data center users to ensure full transparency within their companies and to sign contracts with their cloud service providers. Related questions are: which data are stored where, how can this be proven, and how can data be deleted upon request?
In detail, the following requirements have to be fulfilled under the GDPR:
- Processing personal data exclusively as required for a specific purpose, and only granting access to this data to such persons as are charged with performing this purpose
- Logging any changes to personal data
- Restricting the circulation of personal data
- Logging any transfer (exports from the ERP system) of personal data
- Limiting access to personal data
- Furnishing proof with regard to the stored data pertaining to a specific person
- Enabling the deletion of personal data
The term "personal data" means any information referring to an identified or identifiable natural person. The requirements listed are applicable to all companies within EU jurisdiction, even if they have fewer than 250 employees.
So Many Countries, so Many Regulations?
Being located in Germany, the Comarch Data Center is subject to the strict legal requirements set by German and EU law. European data protection regulations and related national legislation make for one of the highest levels of personal data protection worldwide. With good reason, the end users expect this level to be met. However, storage locations operated by non-EU contracting parties, e.g. service providers in the United States, may be in violation of these laws and regulations. Admittedly, according to GDPR, all service providers are subject to this EU regulation, but ensuring compliance on the other side of the Atlantic is no easy matter. For this reason, it is highly recommended to choose a European cloud service provider, preferably one with a storage location within the European Union. In addition, the provider should be obliged by contract to adhere to the EU regulations, in particular if the storage location is outside the territory of the EU. Customers of US providers in particular need to take heed of a critical fact: The US CLOUD Act is in stark contrast to the EU GDPR. The "CLOUD" part in the name of this law stands for "Clarifying Lawful Overseas Use of Data". Since it came into effect in March 2018, the act has obligated US businesses operating data centers in Germany or anywhere else within EU jurisdiction to cooperate with US investigative authorities. As a consequence, German companies need to choose a German or European data center provider in order to be on the safe side.
What about a GDPR Certificate?
Although the Comarch Data Center meets all legal requirements, it cannot boast a GDPR certificate. But this is true for all data centers. Therefore, customers should be wary of data centers promoted as "GDPR-certified". When the GDPR came into effect, such certification was not available, since the responsible certification or supervisory authorities did not have any criteria to apply. Such criteria are only now being prepared by the European Data Protection Board and the national supervisory authorities.
About Comarch Data Centers
Worldwide, Comarch has 15 data centers at its disposal, six of them within the European Union. In Germany, Comarch operates its own modern data center in Dresden and rents another from a partner in Berlin, which is subject to the strictest quality criteria. For more than 10 years, customers from industries such as logistics, retail, consumer goods, automotive, and production have been using the professional services of Comarch Data Centers.
Comarch's data center in Dresden complies with the Tier 3 standard and is one of the safest data centers in central Germany. It is used to provide Comarch's cloud products as well as IT services.
Overall, the Comarch Group operates its own data centers in Dresden, Lille, Warsaw, and Kraków. In addition, the group cooperates with first-rate data center partners. As a result, it has access to advanced data centers in another 12 cities worldwide, including Berlin, Luxembourg City, Singapore, Chicago, and Shanghai.
Each data center complies with the strictest security and technical requirements in order to ensure failure-free operation of customers' business-critical applications. Comarch Data Centers offer maximum availability, comprehensive redundant connectivity levels, and 24/7 customer support while being protected by uninterrupted power supply and the highest security standards.
Comarch's data center services are the perfect alternative to maintaining one's own resources. Providing powerful and reliable solutions, Comarch aims to ensure uninterrupted operations so that the customers can focus on their core business.
Author: Klaus Lechner
[*] Source: http://www.tia-942.org/content/162/289/About_Data_Centers