In cloud computing, data doesn’t swirl around in a hazy cloud; it is transferred specifically to the cloud provider’s data center and stored there. How does this work, and how secure is it? We follow the data on its journey and show what happens behind the scenes.

Applications used in cloud computing run on the servers of the cloud provider. All data is stored in their data centers and retrieved from there, too. Simply put, users can run the programs and store and load data from any location. The benefit of this arrangement is that, apart from Internet access, the PCs, laptops, tablets, smartphones, and thin clients in use do not need any major programs installed. The end devices simply run a Web browser that gives users access to the cloud providers’ applications and services.

One of the advantages of cloud computing is that employees, wherever they may be, can access their work data.

For example, the cloud-based SAP Business ByDesign solution comprises CRM and ERP functionality that provides worldwide access to financial bookkeeping, customer account management, order processing, and claims management. The data is stored in the cloud and retrieved from there.

So how does that work? Essentially, the data transfer to the provider, as well as access to the data stored at the provider’s location, takes place via an Internet connection. Connections via a secure tunnel like a virtual private network (VPN) are more the exception than the rule. Consequently, public cloud systems have open interfaces to the Internet.

That is why security is a top priority and why cloud providers and customers have to protect these interfaces from unauthorized use.

Medium-sized companies with few employees and limited financial resources can often sign up for security features in the form of cloud services that can be called up flexibly as needed.

Encrypted data transmission

To use a cloud application such as SAP Business ByDesign, employees simply log in to the server in the cloud provider’s data center from their workstations, from their home offices, or while traveling. In the most straightforward situation, authentication is performed by entering a user name and password; however, more complex and secure procedures can also be instituted.

One very secure process makes use of public key infrastructures (PKI). It grants access only after first successfully confirming a user’s identity via smart cards with a signature function, biometric procedures, or multi-use passwords. Cloud providers can also issue certificates via their own trust center.

If the credentials are correct and the system “finds” the user, that person is granted authorization. The data and programs to which the user has valid access are then unlocked. After the user has successfully signed in, a connection is automatically set up to the destination device in the data center.

Since data is not meant to be read or changed along the way, it arrives encrypted at the provider’s location. The data is also encrypted on its path from the provider to the user; Secure Sockets Layer (SSL) encryption is used for this.

TCP/IP disassembles the data

Once users enter new customer data or modify existing master data in SAP Business ByDesign, it is sent to SAP via the Internet. The encrypted data is transmitted according to the rules of the Transmission Control Protocol (TCP)/Internet Protocol (IP). TCP breaks the information down into small data packets and sends each one to the same target IP address via potentially different routes.

Each packet contains the address to which it is being sent and a sequence number that indicates its position within the transmission. IP takes care of the addressing, ensuring that the packets really do arrive at the cloud provider’s location, and the sequence numbers allow them to be put back in the right order. Once the packets are at the provider’s data center, TCP reassembles them and forwards the result as a file to the server.
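The splitting and reassembly described above, as an added example that is not part of the original article. It is a simplified model: sequence numbers start at 0 and count bytes, the segment size is tiny, and the sample record and destination address are constructed; real TCP adds acknowledgments, retransmission and a random initial sequence number.

```python
import random
from dataclasses import dataclass

MSS = 8  # constructed, unrealistically small segment size so the sample splits up

@dataclass(frozen=True)
class Segment:
    dst: str        # destination IP address (the addressing handled by IP)
    seq: int        # byte offset of this payload within the transmission
    payload: bytes

def segment(data: bytes, dst: str, mss: int = MSS) -> list:
    """Sender side: cut the byte stream into numbered segments."""
    return [Segment(dst, off, data[off:off + mss])
            for off in range(0, len(data), mss)]

def reassemble(received) -> tuple:
    """Receiver side: return (in-order bytes, next expected sequence number).

    Segments may arrive in any order or more than once. Only the contiguous
    prefix is handed to the application; data behind a gap stays buffered.
    """
    buffered = {}
    for seg in received:
        buffered.setdefault(seg.seq, seg.payload)   # ignore duplicates
    stream = bytearray()
    while len(stream) in buffered:                  # stop at the first gap
        stream += buffered[len(stream)]
    return bytes(stream), len(stream)

SAMPLE = b"customer=ACME;city=Walldorf"   # constructed sample record
DST = "203.0.113.10"                      # documentation address (RFC 5737)

if __name__ == "__main__":
    segs = segment(SAMPLE, DST)
    random.Random(7).shuffle(segs)        # packets take different routes
    print(reassemble(segs))               # complete stream
    print(reassemble(segs + segs[:1]))    # a duplicate changes nothing
    print(reassemble([s for s in segs if s.seq != 8]))  # loss: stops at byte 8
```

The third call shows why a lost packet stalls delivery: everything after the gap is held back until the missing segment arrives.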

Generally, providers operate entire server farms, consisting of dozens (sometimes even hundreds) of interconnected computers that may often be set up in a decentralized manner in a cluster. Virtualization software known as a hypervisor can subdivide each server into multiple virtual machines that are typically used by various customers. The software can also combine individual servers to form a large-scale system.

Multi-tenant capability keeps customer data separate

When storing data, providers ensure that their customers’ data is kept strictly separate. All data packets must be assigned to the right customers, each of which uses its own tenant of an application. As a result, each customer has its own completely isolated environment on a logical level.

Data is usually stored in relational database systems. The software can assign individual users certain roles and rights that determine who can access what data. Relational database systems offer features such as authentication mechanisms and encrypted storage.

This makes it impossible to view someone else’s data or user management processes.
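One way logical tenant separation and role-based rights can be enforced in a relational database, as an added example that is not from the original article and does not describe any provider's implementation. The table layout, tenant names, logins and roles are all hypothetical, and an in-memory SQLite database stands in for the provider's database system.

```python
import sqlite3

ROLE_RIGHTS = {"clerk": {"read", "write"}, "viewer": {"read"}}  # hypothetical roles

def open_db():
    """Build a constructed two-tenant database in memory."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (login TEXT PRIMARY KEY, tenant_id TEXT NOT NULL,
                            role TEXT NOT NULL);
        CREATE TABLE customers (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,
                                name TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("anna", "tenant-a", "clerk"), ("bob", "tenant-b", "viewer")])
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                   [(1, "tenant-a", "Alpha GmbH"), (2, "tenant-b", "Beta Ltd")])
    return db

class TenantSession:
    """Data access bound to the tenant and role of an authenticated user."""

    def __init__(self, db, login):
        row = db.execute("SELECT tenant_id, role FROM users WHERE login = ?",
                         (login,)).fetchone()
        if row is None:
            raise PermissionError("unknown user")
        self.db = db
        self.tenant_id, self.role = row   # taken from the server side, never from the request

    def _require(self, right):
        if right not in ROLE_RIGHTS.get(self.role, set()):
            raise PermissionError(f"role {self.role!r} lacks {right!r}")

    def get_customer(self, customer_id):
        self._require("read")
        # The tenant filter is part of every statement, so guessing another
        # tenant's record id returns nothing instead of foreign data.
        row = self.db.execute(
            "SELECT name FROM customers WHERE id = ? AND tenant_id = ?",
            (customer_id, self.tenant_id)).fetchone()
        return row[0] if row else None

    def rename_customer(self, customer_id, name):
        self._require("write")
        cur = self.db.execute(
            "UPDATE customers SET name = ? WHERE id = ? AND tenant_id = ?",
            (name, customer_id, self.tenant_id))
        return cur.rowcount               # 0 means no row in this tenant matched
```

The isolation holds only as long as no query path omits the tenant filter, which is why the sketch keeps all SQL inside the session class.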

To protect the data, the provider also ensures that customer data is regularly backed up. If data is lost, it can easily be recovered.