Data security from the cloud
"We store all our data locally, that's the only thing that's really secure."
We often hear sentences like this. As plausible as it sounds, it is often wrong: companies operate a large number of IT systems. To ensure optimum security, all systems must be kept up to date at all times. In addition, social engineering attacks and ransomware (encryption Trojans) must be reliably prevented.
The fact that security gaps are repeatedly exposed and data is lost to ransomware shows that medium-sized companies are often unable to provide the necessary resources. This is understandable, because their core business lies elsewhere.
Azure Cloud from Microsoft
We are convinced that entrusting your own data to a service provider is a good alternative. The business model of this service provider is based on guaranteeing security. We therefore currently operate humbee in Microsoft's Azure Cloud. There, the world's best experts take care of the secure operation of the data centers.
FAQ – Frequently asked questions about data security in the cloud
Where is my data stored?
We use Microsoft's Azure platform with data centers in the Netherlands and, as a backup, in Ireland. Your data remains in the EU and is subject to the GDPR.
Details on Microsoft's security guidelines can be found in the Microsoft Online Service Terms in various languages. The services used by humbee are subsumed under the generic term "Microsoft Azure Core Services" in this document. You can find a summarized overview in the document "Windows Azure Privacy Overview".
What standards are the data centers subject to?
The data centers mentioned are continuously checked and certified by internal and external audits. Azure holds the following certifications. Below is an excerpt:
- ISO 27001 https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-eu-model-clauses
- ISO 27018 https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-iso-27018
- FedRAMP https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-fedramp
- FERPA https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-ferpa
- FDA CFR Title 21 https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-fda-cfr-title-21-part-11
- HIPAA / HITECH https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-hipaa-hitech
- PCI-DSS https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-pci-dss
- SOC 1 and SOC 2 Type 2 reports https://docs.microsoft.com/de-de/microsoft-365/compliance/offering-soc
The PCI-DSS certificate for the secure storage of credit card data and HITRUST for the storage of health data, for example, deserve special mention. The Microsoft Azure platform is a pioneer in terms of the number and scope of certifications.
How is the data transmitted?
All network connections inside and outside the data centers are always encrypted. In your browser, you can recognize access via HTTPS (i.e. SSL/TLS encryption protocol) by the green certificate symbol.
The quality of SSL encryption is regularly checked for compliance with the latest security recommendations.
How is my user account protected?
Logging into the humbee system is only possible with the knowledge of an e-mail address in conjunction with a password. Your password is not stored in plain text, but in the form of a so-called hash value. The hash value can only be used to check whether the password provided at login matches it.
The hash value calculation method used relies on established cryptographic procedures and software components (HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 repetitions).
If someone tries to log in to an account with an invalid password, the failed attempts are recorded, and after the tenth failed attempt further logins are blocked for 30 minutes. This prevents so-called brute force attacks on your account.
Password rules mean that the simplest, easy-to-guess passwords may not be used (such as “secret”). Both upper and lower case letters, at least one special character and a minimum length of six characters are mandatory.
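The account protections described above, as an added sketch that is not humbee's own code: it assumes the stated parameters refer to PBKDF2 (the page names only HMAC-SHA1, salt, subkey and repetition count), and the names `LoginGuard`, `hash_password`, `verify_password` and `meets_policy` are hypothetical.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 1000            # "1000 repetitions" (from the page)
SALT_BYTES = 16              # 128-bit salt
SUBKEY_BYTES = 32            # 256-bit subkey
MAX_FAILURES = 10            # lockout after the tenth failed attempt
LOCKOUT_SECONDS = 30 * 60    # blocked for 30 minutes

def hash_password(password, salt=None):
    """Return salt || subkey; PBKDF2-HMAC-SHA1 is an assumption, see lead-in."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                 salt, ITERATIONS, SUBKEY_BYTES)
    return salt + subkey

def verify_password(password, stored):
    """Recompute the subkey from the stored salt and compare in constant time."""
    salt, expected = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                    salt, ITERATIONS, len(expected))
    return hmac.compare_digest(candidate, expected)

def meets_policy(password):
    """Upper and lower case, one special character, at least six characters."""
    return (len(password) >= 6
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(not c.isalnum() for c in password))

class LoginGuard:
    def __init__(self, accounts):
        self.accounts = accounts      # e-mail -> salt || subkey
        self.failures = {}            # e-mail -> consecutive failed attempts
        self.locked_until = {}        # e-mail -> UNIX time the block ends

    def login(self, email, password, now=None):
        now = time.time() if now is None else now
        if now < self.locked_until.get(email, 0):
            return "locked"           # refused even if the password is correct
        stored = self.accounts.get(email)
        if stored is not None and verify_password(password, stored):
            self.failures.pop(email, None)
            return "ok"
        self.failures[email] = self.failures.get(email, 0) + 1
        if self.failures[email] >= MAX_FAILURES:
            self.locked_until[email] = now + LOCKOUT_SECONDS
            self.failures[email] = 0
        return "denied"
```

The constants mirror the figures stated on the page and are not a tuning recommendation; the `now` parameter exists so the lockout window can be exercised without waiting.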
How is the data backed up?
The transaction data (such as processes, information, tasks, metadata for documents) is stored in an instance of Microsoft Cosmos DB. This database is designed for high availability and stores the data in multiple copies on different hard disks (replica sets). Full backups of the current database are created approximately every four hours. The last two are retained in each case, so that, in the event of unintentional deletion, data can be restored from a time window of the last 8 hours. If the entire database or a so-called collection is deleted, backups are retained for 30 days.
The complete backups are not only stored in the data center in the Netherlands, but also in the data center in Ireland. In the event of a catastrophic failure of one data center, the system automatically switches to the other.
This document provides a technical background.
How are my documents backed up?
Files that you have uploaded to the humbee platform are stored with a total of six copies. Three copies are stored in the Dutch data center and three more in the Irish data center. In the event of a disaster, primary access is switched from the Netherlands to Ireland.
Files are stored using AES-256 encryption, one of the strongest available block ciphers compliant with the FIPS 140-2 standard and similar to BitLocker encryption under Windows.
Who has access to this data?
To operate the platform, two employees of humbee solutions GmbH have access to the Azure Service Portal and can administratively access the individual services used. This access is protected by multi-factor authentication.
All data access by a user or other employees of humbee solutions GmbH takes place via the software components of humbee solutions GmbH, which only allow access on the basis of the authorization rules.
When is the data deleted?
For transaction data, the deletion request is forwarded directly to Microsoft Services. Direct retrieval ends immediately. The data is permanently deleted when all backups have also been destroyed. This is usually the case after 12 hours.
Documents are also deleted directly and permanently. The various replicas cease to exist within minutes and cannot be restored.
Data security
- Encrypted storage of your documents
- ISO certified high-security data centers in Europe
- Use compliant with the EU GDPR
- Retention periods according to §147 AO and §§ 238 and 257 HGB
- GoBD-compliant storage