Data protection, integrity, availability: the core values of cloud-based data security

At the dawn of cloud computing, both companies and computer users were apprehensive about entrusting their data to the cloud. Today, using a cloud is as natural as getting electricity from a wall socket. Like any technical system on which value-creating business processes are executed, however, the cloud is vulnerable. As the cloud comes into greater and more widespread use, cloud security is attracting ever more scrutiny.


The cloud has dramatically changed the way we communicate and work, placing new demands on security. The shift from the traditional client-server model to virtually delivered services is changing the way IT departments plan and design technology and applications, as well as keep them running.

Cloud computing’s centralized systems as well as automated, standardized and virtualized services pose new challenges for service providers and their customers alike. Continuous accessibility via the Internet and the provision of functions such as authentication, access control and monitoring also offer vulnerable points of attack.

Despite sensational headlines about Trojans, DDoS attacks or stolen credit card data, statistics and surveys show that cloud services have increased data processing security by 30 to 50 percent compared to internal IT systems. And the public cloud impresses with its core advantages of flexibility, scalability and reliability.

The example of backups clearly illustrates the systemic advantages of a cloud solution. Data is stored outside the company IT at a reliable and specialized provider whose protective shields against ransomware are doubtlessly more up-to-date than internally deployed standard solutions. As the cloud also enables considerably shorter backup cycles and even real-time backup, up-to-date data is always available for recovery.

Cloud services consist of numerous system components, all of which must be perfectly coordinated in order to quickly provide users with the promised functions. Cloud providers are faced with the formidable challenge of offering their customers state-of-the-art technology along with maximum ease-of-use, while guaranteeing a high level of information security.

Statistics and surveys show that cloud services have increased data processing security by 30 to 50 percent compared to internal IT systems.

When it comes to operational security, cloud providers always keep a watchful eye out for faulty configuration, programming vulnerabilities, cyberattacks or technically-related operational failures. A high level of cloud security is based on the optimal interaction of rules of conduct, processes and technical specifications. However, the latter must not only comply with technical security aspects, but also industry-specific expectations and, of course, legal and regulatory requirements. Only the optimal interaction of all system components involved in cloud security can guarantee that the cloud provides users with the level of security they expect.

The three fields of cloud security

The issue of security concerns both the cloud services and their customers. It applies to all phases of a cloud strategy, from starting the planning process to selecting the cloud provider to terminating the use of the cloud service.

In each case it is always necessary to clarify what information and processes need to be shielded and what external – and, of course, internal – threats are lurking. It is a matter of protecting the confidentiality, integrity and availability of information – also referred to as the “core values of information security.”

These core values must be kept in mind in three areas: on the part of the cloud services (1),  on the part of the users (2), during operation, and before operation (i.e., during implementation), as well as when terminating a cloud service (3).

1. Threats to the cloud service

A cloud provider’s infrastructure and services typically need to be protected against both external and internal threats. The highest priority is protecting against data loss or information leakage. The continuous availability of the Internet and all network connections must also be guaranteed to ensure that customers can access data and applications at all times. Lastly, it is necessary to ward off all sorts of attacks, such as DoS attacks or the infiltration of ransomware, which have already crippled popular web servers such as Amazon, Yahoo and eBay and prevented the processing of requests for long periods of time.

Protection against external threats starts internally, for example with reliable, error-free cloud administration that is familiar with the high complexity of its services and is thus capable of preventing service interruptions and data loss. The IT department of a company using cloud services should also be aware that small internal errors or glitches can have a major impact on cloud-based processes, both in terms of data security and operational security.

2. Threats to the cloud users

The non-profit organization Cloud Security Alliance (CSA) publishes an annually updated list of the most important threats. According to CSA research, identity theft and misuse of user accounts top the list, followed by poor security of endpoints used to access cloud services.

This highlights the benefit of short, understandable instructions for consumers to help them make safe use of the cloud service, including newsletters with up-to-date information on how to recognize phishing emails, which PINs and passwords the cloud service would never ask for, or how to prevent data tapping by encrypting your home WLAN.

One issue that can cause problems for both providers and users is the failure to comply with European data protection requirements (GDPR). The latter are intended to protect the fundamental rights and freedoms of natural persons, in particular the protection of personal data and the free movement of data within the European Single Market. The major U.S. cloud providers have now made their peace with the strict data regulations in Europe, thanks not only to politicians but also to data protectionists and critical consumers.

A high level of cloud security is based on the optimal interaction of rules of conduct, processes and technical specifications.

3. Threats regarding cloud introduction and use

Alongside the threats involved with offering and using cloud services, there are also dangers that await companies and users moving to the cloud. The biggest pitfall is the lack of a well thought-out cloud strategy, meaning that the objectives to be attained through the use of cloud computing are neither clearly defined nor verifiable. Or critical moments in the introduction process are overlooked due to poor planning, which eventually results in project failure.

If the strategy is appropriate, but the cloud service to be booked is vaguely defined, there may be disagreements about the provider’s service quality after going live. The result can be time-consuming disputes between the parties as well as expensive rework.

As cloud providers themselves often procure services from partners (e.g., administration or backup of data), personal data may, for example, end up in unauthorized hands or security certification may be put at risk because an auditor cannot track the subcontractor’s services.

Since the path to the cloud is often rocky and time-consuming, a company’s IT or legal department can easily overlook the importance of giving thought to a path out of the cloud. Companies without an exit strategy run the risk of dependency on a cloud provider, which, in combination with vendor lock-in, can turn into a bottomless financial pit.

What is a secure cloud?

The German Federal Office for Information Security (BSI) answers this question with an example from the automotive sector. When experts classify a mid-range car as safe, customers have every right to ask: Why are more assistance systems installed in the luxury class? The senior executive of a DAX company might ask: Are the windshields bulletproof? A family would not want to do without roof racks and bike racks to safely transport recreational equipment.

When it comes to buying a car, categories (small cars, mid-size cars, SUVs) and certain makes are assumed to provide a certain level of safety. There are also legal regulations (airbags, seasonal tires...) that set minimum safety standards. And in the end, the pinch to the pocketbook plays an important role, since security needs to be financed.

Conclusion 
Just as there is no one safe car for every situation, there is also no one secure cloud for all cases. As with the car, personalized questions must also be asked and answered for the cloud. Only then can a security concept be put in place. Once this is implemented, operators and users only have to comply with the security requirements. The real cloud security objective is therefore “secure cloud computing” rather than “the secure cloud.

The most important cloud computing security aspects

The primary goal of cloud security is to protect data and systems against unwanted access, whether by internal users or from outside the company. The security system also ensures trouble-free operation and prevents system failures. It is (almost) irrelevant whether a potential incident is triggered by criminal intent or by an unintentional employee action. All data must be protected against unauthorized deletion, modification, copying and reading at all times.

The security requirements for IaaS, PaaS and SaaS cloud services generally differ regarding responsibilities and access options:

    • Iaas (Infrastructure-as-a-Service), .i.e. the provision of a cloud structure for the installation and use of software such as operating systems and applications. Although users have no control over the underlying cloud infrastructure, they do have a say when it comes to operating systems, storage, installed applications and possibly network components such as a firewall.

    • PaaS (Platform-as-a-Service) allows users to install applications themselves. Although users have no control over the underlying cloud infrastructure (network, server, operating system, storage), they do have a say when it comes to applications, associated settings and the data to be processed.

    • SaaS (Software-as-a-Service), i.e. applications provided as cloud services. The user has no access to the underlying infrastructure and only limited access to the user-specific configurations of the applications.

It is a matter of protecting the confidentiality, integrity and availability of information – also referred to as the “core values of information security.”

Depending on the type of cloud service you are looking at and the type of data being processed, the different components are either the user’s or the cloud provider’s responsibility. The storage of personal data is thus handled as follows:

    • IaaS: Users install their applications on their own. The cloud provider, therefore, has no knowledge about whether the data loaded and processed in the cloud service is personal data. The responsibility for processing said data in a GDPR-compliant manner therefore lies entirely with the user.

    • SaaS: If the scope of services of the software provided includes processing personal data, the provider must install appropriate security functionalities, such as encryption and access controls.

 

HIGHLIGHTS

Looking for secure cloud computing? Five points to consider:

1. Security standards and compliance

As the owner of the data, the company is responsible for meeting security and compliance requirements, which must be clearly defined so that the provider can implement them before processing said data in the cloud

2. Access protection and data separation

Sensitive data to be stored and processed in the cloud must be protected against access by the provider’s administrative personnel, while ensuring separation of personnel roles, encryption and verification of personnel

3. Identity and access management

Managing accounts, permissions and access in the cloud services is essential to prevent unauthorized access and enable auditing; the provider should furnish the relevant auditing information at the service level

4. Availability and network connectivity

When a company outsources its IT components and data stocks to the cloud its business processes become dependent on the availability of the cloud, making it essential to agree binding service level agreements with the cloud provider

5. Switching providers and migration

If a provider can no longer offer the cloud service and a partner takes it over, contractual regulations must be agreed to ensure that the data distributed in the cloud can be exported, securely deleted and imported into the new provider’s cloud.

YOU MIGHT ALSO BE INTERESTED IN:

Managed Cloud
Managed cloud service providers relieve companies of routine tasks and enable optimal cloud utilization right from the start.
Cloud Migration
Cloud computing is one of the biggest drivers of digital transformation. If you want to be agile and efficient, you no longer ask yourself whether you want to go to the cloud - but which cloud.
symbol-prod-plussecurity
Cloud Security
We offer comprehensive cloud security and cybersecurity services. Our security concept takes into account our internal controls and procedures as well as all security services for our customers.