IT services in the cloud are becoming more and more popular these days. Many companies have already made their way to the cloud or are in the process of migrating their infrastructure to the cloud. Obviously, this offers a number of advantages: fast service delivery, high scalability, seemingly unlimited resources, and very high availability at a reasonable price. In addition, you do not have to purchase your own server hardware and do not have to maintain it. Despite all these advantages, the security of the company’s applications and data in the cloud should not be overlooked. Even if conventional security technologies cannot be integrated into the cloud solution so easily, the security objectives remain the same: preventing unauthorized access, preventing data loss and maintaining availability.
So, what needs to be considered when it comes to cloud security?
Choosing the right Cloud Provider
When selecting a cloud provider, it is of course not advisable to simply choose the cheapest one. Currently the two largest cloud providers are Amazon with AWS and Microsoft with Azure. This does not mean, however, that they are automatically the best choice for every company. A company must be aware that it will store its data and work on its provider’s infrastructure. Therefore, in addition to meeting technical and legal requirements for the cloud infrastructure, a certain amount of trust in the provider is also necessary. Once the cloud environment has been set up and configured at one of the cloud providers, it is quite complicated to transfer it to another one, which results in a certain “vendor lock-in”. It is advisable to conduct a structured evaluation of the potential providers based on the requirements in order to examine the technical, organizational and legal aspects and provide a solid basis for a decision.
Who is responsible for what?
The distribution of responsibility depends on the cloud solution used. With “Infrastructure as a Service” (IaaS), the cloud provider provides the network functionality, the physical servers and the virtualization environment and is also responsible for them. The company itself is responsible for the virtual operating system used, the software running on it and the processed and stored data. In the case of a “Platform as a Service” (PaaS) solution, the cloud provider’s responsibility also extends to the operating system and its functionality. In this case, a company only has to take care of the application used and the data belonging to it. “Software as a Service” (SaaS) solutions are also offered, in which the cloud provider is responsible for everything, including the operation of the application. A company is then only responsible for the data generated. In any case, the responsibility for development, operation and maintenance of all components should be clearly defined before “moving to the cloud” and also checked against the requirements. This also refers to the subsequent interaction of the security mechanisms, whether they are of a technical (such as central monitoring and logging) or organizational (such as the handling of information security incidents) nature.
IAM -> Who is allowed to do what?
IAM stands for “Identity and Access Management”, which manages the access rights of employees in the cloud interface. In general, you should never work with the root account, and you should always take great care to ensure that root access keys are never exposed under any circumstances, as they grant full access to the cloud environment. Of course, the use of multi-factor authentication is also mandatory for additional security in the cloud. An authorization concept should be implemented in the respective solution right from the start in order to comply with principles such as “segregation of duties” or “least privilege”.
Maintain an overview
In order not to overlook any vulnerability in the cloud environment, an overview of the resources in use should be available at all times. If a cloud environment spans several providers, it is even more important to introduce central monitoring that constantly tracks the applications in use and their configurations and keeps them up to date. That way, the security risks stemming from outdated software can be limited. Effective processes for asset and configuration management as well as patch and vulnerability management are essential for secure operation.
Modern cloud providers offer a wide range of “serverless applications”, which allow certain services to be used without the need for a dedicated virtual machine. This saves resources and avoids configuration errors, which represent an enormous security risk. Examples are API gateways, databases, online storage and e-mail dispatch. To meet compliance requirements, it is recommended to check the lists provided by cloud vendors to find out which services are compliant with certain standards.
Failover in the Cloud
In order to ensure reliability in the cloud, most cloud providers offer the possibility of deploying services in several regions or different “availability zones”. If one fails, traffic switches to another region, which in the worst case results in higher latency for users. In addition, “load balancers” can be used to distribute the load evenly over several machines. Major cloud providers also offer services for DDoS protection. The only problem that remains is that if the Internet connection in your office fails, you will of course not be able to reach the cloud and the services running on it.
Backup and Recovery
Most cloud providers offer a backup service. From single instances to complete databases, encrypted backups can be created. These backups can be automated and centrally managed. As a result, backup policies can be implemented in the cloud to comply with internal and legal requirements. Additional services offer the option of replicating entire regions and, if required, restarting them in another region. A backup plan and related recovery plans should include all stored data and should also be tested regularly.
Web Application Firewall
To secure web applications and APIs, “Web Application Firewalls” (WAF) are offered in the cloud, which contain pre-defined rule sets against common attacks such as SQL injection or cross-site scripting. These rule sets should be individually adapted and extended for the technologies and applications in use.
Regular vulnerability and penetration testing of your own cloud environment helps to identify and address existing security issues. However, it is important to know what may be tested. For example, virtual machines created in the cloud can be tested without any problems, but “shared” services provided by the provider are usually not allowed to be tested. For extensive testing, coordination with the cloud provider is required; often, the tests can simply be registered using online forms. For vulnerability scans in the cloud, special scanning technologies can also be used; this applies in particular to container virtualization.
With our expertise in cloud security, we will be happy to assist you with your migration to the cloud, e.g. to conduct evaluations, architecture reviews and penetration tests in the cloud.