Cloud security - protection for outsourced data
Jan 18, 2022
Cloud security is increasingly becoming an elementary component of IT security in companies. Are you also thinking about outsourcing data or services to the cloud?
You're right on trend. According to the German Federal Statistical Office, one in three companies was already using the cloud in 2020 to access storage space flexibly or to use cloud services. The advantages are obvious: resources can be scaled precisely in this way and the effort required to maintain a local IT infrastructure is eliminated. The disadvantage, however, is that you place at least partial control of your data in external hands. In addition, access via the Internet opens up new attack vectors for cyber criminals. The topic of cloud security should therefore play a central role in your considerations right from the start.
Cloud security is important, but what actually is "the cloud"?
Every user of a smartphone almost inevitably comes into contact with the cloud. The accounts of market leaders Apple and Google, for example, each include a free quota of cloud storage space. Applications from the cloud are cleverly integrated, for example to store pictures or a calendar. In some cases, it is no longer clear to the user whether his data is stored locally or in the cloud.
For companies, cloud services are of course not limited to providing storage space. Hosting providers can set up entire cloud servers, including the operating system, within a few minutes. These are basically in no way inferior to physical servers. On the contrary, resources can usually be added or increased with just a few clicks. A mixture of both models is the outsourcing of software to the cloud by means of Software-as-a-Service (SaaS). Here, users access a server operated by the provider with a client application or an app. In some cases, access is also possible via a web browser, so that the user does not have to install any software and even lower-performance hardware is sufficient for use. This offers flexible access, but increases dependence on external resources.
What is cloud security?
Cloud security deals with the protection of outsourced data. A basic distinction must be made between three areas, each of which should be considered separately:
- Secure authentication: The type of access management is fundamental. In the early days of cloud services it was still possible to reset passwords by answering simple security questions, but fortunately a lot has changed here. In addition to secure passwords, two-factor authentication deserves particular mention. It requires a second, independent factor for logging in, such as a PIN sent to a smartphone.
- Secure data transmission: Data sent unencrypted over the Internet is known to be viewable by third parties without much effort. Therefore, encryption is a must in this day and age. However, there are also differences in the procedures and protocols used. For example, security gaps become known on a regular basis. One example is the "Heartbleed" vulnerability in the widely used open source library OpenSSL, which has since been fixed. Accordingly, attention should be paid to secure and up-to-date encryption methods.
- Secure data storage: Secure storage begins with the location of the servers used. Thus, the applicable national law may be decisive for access possibilities by local authorities. This may conflict with data protection regulations to which you are obligated as a business owner. In addition, security standards should be adhered to by the provider, which are ideally verifiable through certifications such as the ISO 27001 standard. Encrypted storage also prevents unwanted physical access by intruders or employees of the provider.
Why do I need cloud security?
One of the main reasons is certainly the dependency on the accessibility and functionality of cloud resources, as already described. From a distance, you and your administrator have hardly any possibility to influence if problems occur. In addition, the secure storage of company and customer data is one of the most important challenges for companies. Problems in this area can lead to irreparable reputational damage for the affected company.
Irrespective of this, the General Data Protection Regulation (GDPR) obliges companies to process personal data in a secure manner. The current state of the art is to be used as a benchmark. Traceability is explicitly required. In principle, you can only comply with this if the cloud provider gives you corresponding guarantees, e.g. in the form of certifications.
Important measures for cloud security
A decision as to whether a company's data or services can be outsourced to the cloud should be made on a case-by-case basis after careful consideration. Basically, it is certainly difficult for responsible parties to close their minds to sensible and effective innovations in the long run. If a few security precautions are observed, the advantages may well outweigh the disadvantages. We have summarized the six most important basic rules for you once again:
1. Provider selection: A thorough examination of the cloud provider in advance is mandatory. The locations of the data centers should at least be in the European Union. If you need redundant storage, the servers must be located in physically separate places. Certifications and documentation of security measures taken on the part of the provider are important.
2. Secure authentication procedures: You should look for a two-factor authentication option for logins. A cost-effective option, for example, is an authenticator app that generates PINs that are valid only briefly and must be entered in addition to the password. Automated logins via client applications can be secured with certificates or hardware tokens, for example.
3. Pay attention to a sensible authorization concept: Users should only be able to access absolutely necessary data. This form of data economy is also required by the GDPR.
4. Encryption: Data must be encrypted both during transmission and in storage. For example, the TLS protocol, which is secured with certificates, can be used for the connection. A connection via VPN provides even more security.
5. Think about the necessary interfaces for backups and a possible migration: It should be possible to store the important data in a local backup. In addition, provisions must be made for the event that there is a change of provider. In that case, it should be possible to transfer your data without any complications. Secure deletion must also be provided for.
6. Support: Support adapted to your business hours is absolutely necessary in a professional environment. In the worst case, a failure or security incident will paralyze the entire operation of a company.
By the way, it is also part of the portfolio of a penetration testing provider to put cloud applications through their paces. In this way, you can also prove that you have actively taken care of responsible cloud security.