FAQ: Security

idgard® is based on unique sealed cloud technology. This technology, which has already been patented internationally, is operator-safe. This means that the system operator has absolutely no access to the data stored on idgard® by the users. This is unique worldwide, because in all conventional data centers admin staff can usually access user data, since today’s server systems can only process data in unencrypted form. With the sealed cloud, on the other hand, organizational measures are replaced by technical ones, making it absolutely impossible for a provider to access data. Further unique features include:

  • Only existing service to protect both content and metadata end-to-end
  • Alarm in case of SSL man-in-the-middle attack attempt
  • Convenient 2-factor authentication against ID theft with LoginCard (TAN generator)
  • Prevention of synchronization with foreign servers during mobile access

For more information on our technology, see: www.sealedcloud.de

On idgard®, your data is also protected against access by the service provider (uniscon). In contrast, other privacy services entail the risk of the provider being able to access and, hence, abuse data. As already reported by the media, users hardly ever find out what happens to the confidential data they’ve exchanged (or sometimes only when it’s too late). idgard® eliminates this risk completely, not only thanks to its encryption technology but also through intelligent physical access systems.

The service has been certified according to the requirements of the Trusted Cloud Data Protection Profile (TCDP) version 0.9 of the German Federal Ministry for Economic Affairs and Energy, which is based on the standards ISO/IEC 27018, ISO/IEC 27017 and ISO/IEC 27002/1, in the highest protection class 3. The “Cloud Computing Compliance Controls Catalogue” (“C5”) of the German Federal Office for Information Security (BSI) for secure cloud computing is also taken into consideration. The new standard “Trusted Cloud Data Protection Profile” is the first cloud compliance standard with binding legal consequences. If a cloud user has determined their need for protection (here you can find the protection needs calculator) and then selects a cloud service that has been certified in the protection class that corresponds to their need for protection, then the cloud user may consider their control obligation according to section 11 of the German Federal Data Protection Act to be fulfilled. The persons responsible on the user side can thus effectively avoid the liability risk for the first time.

The following were involved in preparing these standards:

  • the data protection supervisory authorities and DIN e.V.,
  • the German federal ministries for Economic Affairs and Energy (BMWi), of the Interior, Building and Community (BMI) and of Justice and Consumer Protection (BMJ),
  • the companies Deutsche Telekom, SAP, regio-iT and uniscon,
  • law professors,
  • auditors such as TÜV, KPMG, PwC, etc.,
  • as well as different associations (Bitkom, VOICE, etc.)

 

At the public hearing to finalize the new standards, the industry (Microsoft, Cisco, Box, Salesforce, DATEV, 1&1 etc.) unanimously welcomed the standards as a breakthrough in data protection certification. The standards and the procedural rules associated with certification are already addressed in the EU General Data Protection Regulation (GDPR), which explicitly provides for such relief for cloud users, and will be the German contribution to the European Criteria under Article 42 of the Regulation. With idgard®, you can already use this new certification for the entire cloud industry to ease your workload.

The security of the idgard® service also meets the requirements of section 203 of the German Criminal Code, so the service can be used in professions bound by professional secrecy and in the public sector.

The term “cloud computing” encompasses two aspects:

  1. Data storage in a cloud for one’s self, excluding multiple or third-party access.
  2. Data processing or storage of information in a cloud, intended for multiple or third-party access.

In the first case, encrypting data on a device and then transferring it in encrypted form to the cloud is sufficient. However, if information is to be shared with third parties, as in the second case, the secret key has to be distributed through a safe channel or by centralized key administration. Transferring the key through unsafe channels (e.g., a password by e-mail) can lead to undesired eavesdropping by robots and third parties.

If the data is not only stored but also processed in the cloud, it must be decrypted once it has been transferred to the cloud. This is because data processing requires, with the exception of so-called homomorphic encryption, that the data be available in plain text. Usually at this point, the administrators of the cloud, as well as the cloud application, have direct access to the confidential data. Consequently, that kind of data processing requires trustworthy providers and administrators. The special feature of the sealed cloud is that it logically, electronically and mechanically prevents the operators or administrators from accessing the data during processing. Thus, the sealed cloud makes it possible to process confidential data in the cloud. idgard® applies this new basic technology to enable secure communication via sealed privacy boxes without complicated key management.

State-of-the-art technologies and procedures protect the idgard® system against external attacks. If hackers were able to break through this protection and gain access to the database, this would be totally useless, since the database is encrypted in such a manner that every user profile is encrypted with its own key. This makes the time and effort needed for such an attempt extremely high, completely unremunerative and fully preposterous. With very time-consuming algorithms, one would have to try to find unknown keys by chance. It’s easier to get rich winning the monthly lotteries.

idgard® customers are responsible for backing up their own data, since idgard® is primarily a communication system and not a data backup system.

However, one can assume continuous data availability, since the sealed cloud, idgard®’s basic technology, provides for six-fold redundancy: one major two-fold redundancy and one three-fold redundancy on a file system level.

Nonetheless, the sealed cloud does not create backup copies on a separate system, so uniscon—the idgard® service provider—can properly guarantee the deletion of data which is often necessary for data protection reasons.

When setting up a user, you may send the recipient a second factor for authentication: a pass code by SMS. You may also create your own pass code by overwriting the password field. NOTE: not all characters are allowed.

Allowed:

Upper and lower case letters, numbers, spaces, and ^ ! ” § $ % & / ( ) = ? { } [ ] + * ~ # ‘ < > | ; , . : @

Not allowed:

The characters ° ² ³ ß ´ ` € Ä Ö Ü µ and other characters that are not displayed directly on the main keyboard.
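A pass code can be checked against the two lists above before it is entered. The following is an added example, not idgard® code: it assumes that "upper and lower case" means ASCII letters only (since Ä Ö Ü ß are rejected), that the ASCII forms of the two quotation marks are accepted alongside the typographic ones printed above, and that an empty pass code is invalid. The function names are hypothetical.

```python
import string
import unicodedata

# Symbols copied from the "Allowed" list above. The page prints typographic
# quotes (” and ‘); also accepting their ASCII forms (" and ') is an
# assumption of this example.
ALLOWED_SYMBOLS = "^!”§$%&/()=?{}[]+*~#‘<>|;,.:@" + "\"'"

# "Upper and lower case" is read as ASCII letters only (assumption), because
# the page explicitly rejects Ä Ö Ü and ß.
ALLOWED = set(string.ascii_letters + string.digits + " " + ALLOWED_SYMBOLS)


def rejected_characters(pass_code):
    """Return (position, character, Unicode name) for each disallowed character."""
    problems = []
    for pos, ch in enumerate(pass_code):
        if ch not in ALLOWED:
            problems.append((pos, ch, unicodedata.name(ch, "UNNAMED")))
    return problems


def is_valid_pass_code(pass_code):
    """True if the pass code uses only allowed characters.

    Rejecting the empty string is an assumption; the page does not state a
    minimum length.
    """
    return bool(pass_code) and not rejected_characters(pass_code)


if __name__ == "__main__":
    # Constructed sample pass codes, not real credentials.
    for sample in ["Blue Door #42!", "Straße€2020", "caf´e"]:
        print(repr(sample), is_valid_pass_code(sample), rejected_characters(sample))
```

Reporting the position and Unicode name of each rejected character makes look-alike characters such as ´ (acute accent) and ` (backtick) easy to spot and replace.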

No. idgard® can only send SMS to mobile phones.

The SMS is used for authentication when employees or guests register. It is sent to the personal mobile number they enter during setup and is necessary to finalize the registration.

For security reasons and to prevent abuse, the SMS may only be sent to a mobile number. This is because mobile phones, as opposed to landlines, are normally used only by the person in question and not third parties, thus being the best means for direct communication.

© Uniscon GmbH 2020