The catastrophic fire at the web host OVH in Strasbourg in March 2021 shows how important geo-redundancy is for data centers. Among the safety deficiencies identified by the French fire service were the physical proximity of the two data centers that burned down and inadequate fire protection. This is where the term geo-redundancy comes into play.
Plain redundancy means the logical duplication of systems, which can be done at a single site. Geo-redundancy adds spatial separation. Redundancy without geographical separation only protects against technical failure: in a local (natural) disaster, both systems would be affected equally.
The German Federal Office for Information Security (BSI) defines geo-redundancy as follows: “[…] A characteristic of geo-redundancy is that the data centers (DC) that provide geo-redundancy for each other, in addition to the individual consideration of the requirements from Chapter 2, are also so far apart that even a major disaster cannot affect multiple data centers of one geo-redundancy group at the same time or in close succession.”
To meet this requirement, the BSI recommends a minimum distance of 200 kilometers between sites; in no case should the distance be less than 100 kilometers. These are recommendations rather than binding specifications. Ultimately, the choice of location always depends on individual factors such as local geography.
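The BSI distance guidance is easy to check mechanically once the site coordinates are known. The following is an added example, not part of the original article or of any BSI tool: it computes great-circle distances (haversine formula) between candidate sites, classifies each pair against the 200 km recommendation and the 100 km floor, and lists, for every site, which other sites could serve as a geo-redundancy partner. The site list is constructed sample input with approximate city coordinates; the two "Campus hall" entries model the adjacent-buildings situation described above and are hypothetical.

```python
"""Check candidate data-center site pairs against the BSI distance guidance.

Added example: not the article's or BSI's own code. Thresholds follow the
text (200 km recommended, 100 km minimum); site coordinates are constructed
sample input (approximate, decimal degrees).
"""
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0        # mean Earth radius, sufficient for a site check
BSI_RECOMMENDED_KM = 200.0      # BSI recommendation for geo-redundant sites
BSI_MINIMUM_KM = 100.0          # BSI: distance should never be below this

# Constructed sample sites: (latitude, longitude). "Campus hall A/B" are two
# hypothetical buildings on one campus, i.e. redundancy without separation.
SITES = {
    "Frankfurt": (50.1109, 8.6821),
    "Strasbourg": (48.5734, 7.7521),
    "Berlin": (52.5200, 13.4050),
    "Paris": (48.8566, 2.3522),
    "Campus hall A": (48.5734, 7.7521),
    "Campus hall B": (48.5745, 7.7535),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat = lat2 - lat1
    dlon = lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def classify_distance(distance_km):
    """Map a distance to the BSI verdict for the pair."""
    if distance_km >= BSI_RECOMMENDED_KM:
        return "meets recommendation"
    if distance_km >= BSI_MINIMUM_KM:
        return "above minimum, below recommendation"
    return "below minimum"


def evaluate_pairs(sites):
    """Return (site_a, site_b, distance_km, verdict) for every site pair."""
    results = []
    for (name_a, pos_a), (name_b, pos_b) in combinations(sites.items(), 2):
        d = haversine_km(pos_a, pos_b)
        results.append((name_a, name_b, round(d, 1), classify_distance(d)))
    return results


def redundancy_partners(sites):
    """For each site, the sorted names of sites that meet the 200 km recommendation."""
    partners = {name: [] for name in sites}
    for name_a, name_b, d, verdict in evaluate_pairs(sites):
        if verdict == "meets recommendation":
            partners[name_a].append(name_b)
            partners[name_b].append(name_a)
    return {name: sorted(p) for name, p in partners.items()}


if __name__ == "__main__":
    for name_a, name_b, d, verdict in evaluate_pairs(SITES):
        print(f"{name_a:14s} - {name_b:14s} {d:8.1f} km  {verdict}")
    print()
    for name, partners in redundancy_partners(SITES).items():
        print(f"{name:14s} geo-redundancy partners: {partners or 'none'}")
```

The check is deliberately conservative: it uses straight-line distance only, so a pair that passes here still has to be assessed against shared risks the distance does not capture, such as a common flood plain, power grid or fiber route.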
When you talk about data loss prevention and data backup, you quickly come across the term backup. But a backup should not be equated with redundant data management. A backup is just a snapshot at a point in time X; anything that happens after that point would be lost in an emergency.
In addition, backups follow a hierarchical principle: all contents of a primary system or primary storage are replicated from time to time and stored in a second, subordinate storage location. Redundancy, on the other hand, leaves this hierarchy behind: the systems are mirrored one-to-one and run simultaneously. Simply put, imagine a PC user with two computers that always perform the same operations, rather than an external hard drive onto which data is occasionally backed up. Of course, such an effort is only worthwhile for really sensitive data.
With critical systems, this continuous duplication ensures that if one data center fails, another can immediately take over the workload by automatic failover. Here is another advantage of redundancy over backups: a backup only ever captures historical state. In theory, the gap could be made almost negligible by increasing the backup frequency, but even then the hierarchy remains a problem.
If the primary system goes down, all services and applications hosted on it go down with it, and they cannot be used until they are restored. Redundancy should therefore also be seen from the point of view of service availability: after an incident, it can take hours, or in the worst case days, before a data center is operational again.
Continuity and security also deserve attention when working with a trust service provider. Certified and accredited trust service providers ensure that digital services such as electronic signatures meet high security standards, for example by issuing qualified certificates. A central aspect of this work is the traceability of transactions. Data loss at a trust service provider can have unpleasant consequences for its customers: if there is a legal proceeding involving digitally signed documents, the trust service provider may also be drawn in.
These companies must therefore be able to demonstrate the technical process behind a signature for the entire legal retention period. These retention periods can be very long: eleven years in Switzerland and sometimes more than 30 years in the EU. If the trust service provider cannot produce the necessary supporting documents for identification or registration and the so-called activity log, which records the time of signing, the company can in principle be held liable.
Geo-redundancy is not yet a legal requirement for trust service providers. The planned revision of the eIDAS regulation could change this. Until then, it remains the responsibility of providers to offer the most resilient environment possible for their customers. (adv)