Using the public cloud securely
Cloud usage has become a rule rather than an exception in businesses of all sizes. In 2016, cloud usage in all businesses reached 65 percent in Germany. It doesn't matter how large or small a company is – while 64 percent of organizations with 20 to 99 employees get their IT from the cloud, 69 percent of businesses in the next largest group with 100–1999 employees also use cloud services. However, there are differences between company size and how cloud services are implemented. A 2011 study by the Federal Office for Information Security in Germany identified a need to improve IT security processes and preventative security measures. While large companies are approaching cloud usage with caution – which is in part due to complex internal approval processes – smaller companies see the fast availability of cloud resources and often place critical operations and data in the cloud without too much thought. However, this can pose a serious risk during a security incident, which does not even have to originate in the cloud. During such incidents, businesses need to be able to quickly identify which data and business functions are provided by the cloud, who has access to them and to what extent.
The cloud is just a few clicks away. Simple user interfaces and rapid deployment have led to a significant expansion of shadow IT – where users organize their own without explicit organizational approval. Going behind the backs of the IT department is extremely dangerous as this undocumented IT usage is not included in the organizational IT security strategy. Even if cloud services can be implemented with a minimum of organizational effort, businesses should follow internal procedures – especially as the business is responsible for any security issues. Although cloud service providers often talk about shared security responsibility, they see their share primarily in the availability of the platform and infrastructure. The customer, on the other hand, remains responsible for protecting applications and data in the public cloud.
Businesses must analyze potential attack vectors as part of their IT security strategy and counteract them with appropriate measures – both organizational and technical. Regardless of which security products businesses choose, they must fit into the security strategy and match the expertise available. Comprehensive protection requires proprietary security services from cloud providers such as firewalls, web application firewalls and IPS/IDS (Intrusion Prevention System/Intrusion Detection System) as well as VPN gateways to protect the connection between customer and cloud. These products can often be deployed both as a physical device and as a virtual appliance in the cloud. It is important to determine in advance which data and services can be migrated into the cloud to ascertain the security level required.
In order to gain the maximum benefit from using the cloud, businesses need to understand the advantages of cloud usage. This includes availability, which can be guaranteed by the cloud provider, depending on the contract. If there is always enough and sufficient computing power or services available in the cloud, business can decommission unused hardware or use it in a different way. Businesses also need to understand that resource bottlenecks are not solved in the cloud by purchasing extra hardware. They need to adapt and define process for automating the set up of cloud resources and transferring data – which is all part of a comprehensive cloud security strategy. Most large cloud providers usually have their own tools and processes for this which need to be integrated and adapted by the customer.
As ever, security is a holistic process. Securing part of a system to the point of excess but not addressing other areas sufficiently simply won’t work. A central security strategy with a management interface helps businesses to keep track of business critical information and functions protecting data and infrastructure in the best possible way.