The Beginner's Guide to Cloud Security (2024)

Cloud security includes various measures to secure cloud services and cloud environments. Consistent use of cloud security can minimize the risk of failure, data loss, hacker attacks or unauthorized access to data. Since cloud security is of great importance to users and operators of cloud services, it represents a central aspect of cloud computing. Cloud security is a set of rules, processes and technical specifications that ensure that legal requirements are complied with, the infrastructure of the cloud and its applications are protected and data is securely processed and stored.

What is the Necessity of Cloud Security?

The security of our data is an important issue in the digital age. The secure use of cloud services appears to be one of the greatest challenges: there is an opinion that data can never be secure within a cloud, which is why private users often shy away from using such services. But cloud security is not only important in private use. Entrepreneurs in particular have to deal with this issue; after all, many companies store both sensitive personal data and their company secrets in the digital cloud in large quantities.

The volume of data stored in clouds is continuously increasing, because despite all the rumored security risks, clouds are extremely popular: private individuals take advantage of the convenience of having their own data available everywhere and in full and prefer to upload backups of their hard drives to online storage. Companies, on the other hand, can use the cloud to better connect their employees with one another and thus make their work processes more efficient. They also save costs, because with cloud hosting, resources are scaled and less infrastructure is required.

The most common variant of cloud use is the so-called public cloud: cloud providers such as Google Drive or Box offer their customers a fully configured online storage space – including their own security solutions. However, if you want more control over your data, you can create a private cloud or a hybrid cloud. These online storage facilities are set up completely or partially independently of public providers. They thus offer more control over the security measures, but also require more technical effort. Companies in particular rely on private or hybrid clouds for reasons of data protection and IT security. With software like ownCloud, however, private individuals can easily set up a self-managed cloud. As more and more areas of digital life run via cloud services, the question of their security is all the more urgent.
We’ll explain which problems can arise and which security aspects are particularly important.

What are the Challenges of Secure Cloud Use?

People keep saying that there is no such thing as a completely secure cloud - but what exactly are the dangers? The unsatisfactory answer is that there are many problems with using cloud services securely. In addition to data loss (e.g. due to the insolvency of a provider, technical breakdowns or unexpected blocking of the account), the risks relate primarily to unauthorized or undesired access by third parties. Which groups of people could be interested in the data? These are the key players in this context:

Data thieves

A source of danger lies with people who want to make money or a career with stolen data. Not only bank details, but all personal data are interesting for data thieves. Industrial espionage is also carried out by stealing data from inadequately secured clouds.

Hackers

Hackers test their skills by trying to penetrate the security gates of public institutions or companies. In the event of a successful hack, some report the security gap to the administrators, but some also pursue criminal intent.

State organs

The NSA affair made a broader public aware of the extent to which secret services can access personal data of citizens. In suspected cases, other authorities can also use a court order to gain access to the data in the cloud. State actors are therefore also a risk factor with regard to data security.

Cloud providers

Many large IT companies such as Google or Apple derive their market power from the processing of user data. With vaguely formulated terms of use, they sometimes give themselves a lot of leeway to use the data for their own purposes. One problem is the providers' lack of transparency: users have little control over what happens to the data in a public cloud.

Internal actors

Current or former employees of a company also represent a potential security risk, because they can misuse their internal knowledge via cloud access or can even be blackmailed as a result. Larger companies in particular should therefore maintain careful identity and authorization management for their cloud services.

What are the Challenges of Secure Cloud Use for Companies?

If private individuals and companies want to effectively protect their cloud access, they each face different challenges. While private individuals use cloud services securely, primarily through general data protection measures – cleverly chosen passwords or encrypted data – the situation is somewhat more complicated for companies.

In contrast to private individuals, companies do not work with a single cloud service, but with complex cloud-based IT infrastructures that are used by many different employees. So-called cloud computing is the generic term for such infrastructures that do not primarily run on the company's local computers, but are mainly provided via the Internet. The question of security arises here in multiple forms: many employees access the cloud services with different devices from different locations – accordingly, security becomes a technical challenge.

Cloud hosting is also becoming increasingly popular with companies. Cloud hosting can be understood as part of cloud computing and means that the data is no longer hosted on a physical server but in a virtual cloud. Usually cloud servers can be adapted to the needs of the company much more flexibly than physical servers.

The particular challenge lies in identity management, which manages the access data of employees and thus regulates which resources they are allowed to access within the cloud. For a better workflow, companies are encouraged to implement the different cloud accesses of their employees in a central user administration. These challenges already arise when companies only use a file-sharing service such as Dropbox that several employees access with individual access data. But in a multi-cloud environment, the bigger the company, the more difficult the identity management and, consequently, the more important it is to pay attention to cloud security.

Using Cloud Services Safely – Tips for Private Individuals

For private individuals, the quality of cloud security is measured by how well general data protection measures are implemented. In addition to using secure passwords, you should pay attention to the server location of the cloud provider, fair terms of use of the cloud provider and the encryption of the data.

Server location and location of the company headquarters

In order to use cloud services securely, the data protection situation of the countries in which they have their servers and their company headquarters is relevant. Both factors determine what happens to the data in the cloud. Therefore, private users should carefully consider which cloud provider they entrust their data to.

If the servers are in the USA, you are also subject to US law. The legal situation is crucial, because in addition to hackers, state authorities can also access cloud data against the will of the users. American laws provide less protection of privacy than EU law and so there are ongoing legal disputes over how American companies handle the data of EU citizens.

Data protection regulations of the cloud provider

The data protection regulations of the respective cloud provider explain what happens to the stored data. In this context, it is worth considering: in particular, the large providers such as Google or Apple achieve the majority of their commercial profit not by charging usage fees, but by exploiting user data. Loose data protection guidelines, which data protection officials repeatedly criticize, create leeway that corporations know how to use for their own purposes.
In addition, large IT companies usually have more resources available to extract patterns from the mountains of data collected in the cloud and to create so-called digital footprints of individual users or user groups. These “digital footprints”, in turn, can be linked to those from your other services (in the case of Google with Search, Maps, Mail etc.) and thus become even more meaningful. If you want to avoid this, you should choose a smaller provider, where you pay a few euros a month for more data security.

Encryption of the data

Another important point when it comes to cloud security: if you save your data online, you should always encrypt it. There are many encryption methods, and since they are sometimes very complex technically, most users fall back on the encryption of the respective cloud provider. Less technical knowledge is required for this, but users cannot check whether these measures are sufficient. Public clouds therefore offer their users little transparency as to what is actually happening with the data.

In addition, the number of external encryption programs for cloud data is growing. Programs such as Cryptomator, CryptSync or Boxcryptor should ensure more data security independent of the cloud operator. The market for encryption software has become confusing, but external encryption makes it much safer to use a cloud service.

You should always make a backup of particularly sensitive or valuable data. After all, data in a cloud can be lost – be it due to a forgotten password, an insolvent provider or some other unforeseen circumstance. Therefore, important data should always also be saved offline.

Protecting Cloud Access – Tips for companies

The topic of cloud security is far more complex for companies than for private individuals. The server location and an effective encryption concept are also important, but companies are also faced with the challenge of protecting the cloud access of many employees and still managing this data centrally and efficiently.

This requires complex solutions for the rights management of employee clouds: the company's IT infrastructure is used by different employees, whose identity must be authenticated and whose access options within the clouds must be authorized. Authentication and authorization are therefore the key terms that are involved in well-protected cloud access for companies. We’ll present some effective solutions.

Cloud Access Security Broker (CASB)

A popular solution for using cloud services securely is the so-called Cloud Access Security Broker (CASB). CASB is software that has been specially developed to control and protect cloud access. This relatively new form of cloud security solution is placed between the cloud service and the cloud user, controls their communication and is therefore an external security gate to the cloud. CASB also has many other functions: it serves as a monitoring and management instrument within the cloud, provides information about irregular processes and determines which action should be taken in the event of a security message. CASB thus forms a new type of software that was specially developed for cloud-based workflows in companies.

In order to guarantee cloud security, CASBs offer a wide range of services: they can be used to regulate user authentication, encrypt data traffic, block unwanted data traffic, identify malware, activate alarms in the event of suspicious actions or integrate additional access requirements. An example of the latter is the condition that the CASB must identify and authorize the device via which an employee wants to access the cloud. These security measures are defined in advance and then implemented by the CASB. Many CASBs work together with other security solutions, such as those for encryption, multi-factor authentication, IAM (Identity and Access Management) or SIEM (Security Information and Event Management).

Thanks to these services, CASB meets the current security requirements of companies very well. Currently, 85% of all companies secure their cloud access using a CASB service. In view of this, it is not surprising that some of the new CASB services have already been bought by larger IT companies: The Elastica service, for example, was taken over by Blue Coat Systems (part of Symantec), and Adallom in turn by Microsoft. This shows how much potential there is in this branch of industry – and also how important the topic of cloud security is.

In order for CASB services such as CensorNet, Bitglass, Netskope or CipherCloud to function smoothly, they must be well integrated into the company's existing infrastructure. This means that on the one hand they need a connection to the company's user management and at the same time they have to be deeply integrated into the clouds that they are supposed to protect. Many CASBs already support the cloud-based services that are common in day-to-day business such as Microsoft 365, OneDrive, Box, Google Apps or Salesforce. But they are also able to implement services that are unknown to them.

There are different ways of integrating CASB into a company network. CASB software either works cloud-based itself or is operated locally. It is integrated into the company's IT infrastructure either as a central gateway or as an API application. Both of these variants have advantages and disadvantages: If the CASB is implemented as a gateway, it is located directly between the user and the cloud service. It is thus switched into the data stream and can block undesired actions directly. A disadvantage of this variant, however, is that the performance of the cloud can be impaired as the workload increases. If a company has many employees, API-based solutions are therefore suitable. In this case, the CASB is outside the direct user-cloud communication. The CASB cannot intervene directly in these actions, but it does not have a negative effect on the performance of the cloud service.

Two- or multi-factor authentication (2FA/MFA)

CASBs are complex meta-solutions for cloud security, while different authentication methods are their most important subcomponents. Companies now often outsource authentication to their own authentication services (identity providers). These act as the third parties between the cloud provider and the user: if an employee wants to use an IT service, they are first redirected to an identity provider, where they identify themselves, usually with a password. The identity provider or the selected authentication method is decisive for the secure use of a cloud service.

An authentication method is particularly secure if it not only works with a single password, but also uses at least one additional parameter for authentication. Two-factor authentication or multi-factor authentication are considered to be the most important measures to protect cloud access. Strong authentication methods should be used, especially for security-critical areas of application. It is therefore advisable for a company to have administrative tasks authenticated multiple times within the cloud services. In addition to the combination of several keys (passwords), there is the option of using one-time passwords or integrating objects into the authentication process (e.g. a USB stick).

Dynamic authorization

The rights management of clouds does not only refer to the authentication of employees, but also to the authorization of rights. The word “authorization” describes the granting of usage rights within a cloud. These usage rights are assigned individually to each individual employee in a company's multi-user environment, usually by one or more administrators. Authorizations regulate, for example, who can make changes to settings, who has access to subdirectories, who is subject to restricted access times or who has viewing rights without changing the rights of documents.

In order to use cloud services securely, companies should have dynamic authorization procedures: authorizations should be so individual and up-to-date that each employee can only view and edit the data that is absolutely relevant for his or her role in the company (least privilege principle). Authorizations should therefore be role-based and checked regularly. If an employee leaves the company, all authorizations must be withdrawn.
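The sketch below is an added example, not code from the original article or from any product. It models the points made above: role-based grants with default deny, restricted access times, a regular review that flags unreviewed grants and grants of departed employees, and withdrawal of all rights on offboarding. The role names, paths, users and the 90-day review interval are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta
# Hypothetical roles: permitted actions per resource prefix (constructed data).
ROLES = {
    "finance-viewer": {"/finance/": {"read"}},
    "cloud-admin": {"/": {"read", "write", "change_settings"}},
}

@dataclass
class Grant:
    user: str
    role: str
    last_reviewed: date
    hours: tuple = (time(0, 0), time(23, 59, 59))  # permitted access window

@dataclass
class Directory:
    active_users: set
    grants: list = field(default_factory=list)

    def is_allowed(self, user, action, resource, when):
        """Default deny: only an active user with a matching grant gets in."""
        if user not in self.active_users:
            return False
        for g in self.grants:
            if g.user != user or not g.hours[0] <= when.time() <= g.hours[1]:
                continue
            for prefix, actions in ROLES.get(g.role, {}).items():
                if resource.startswith(prefix) and action in actions:
                    return True
        return False

    def offboard(self, user):
        """Withdraw all authorizations when an employee leaves."""
        self.active_users.discard(user)
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.user != user]
        return before - len(self.grants)

    def review(self, today, max_age_days=90):
        """Regular check: flag grants of departed users and unreviewed grants."""
        findings = []
        for g in self.grants:
            if g.user not in self.active_users:
                findings.append((g.user, g.role, "orphaned"))
            elif today - g.last_reviewed > timedelta(days=max_age_days):
                findings.append((g.user, g.role, "stale"))
        return findings

def demo():
    d = Directory({"alice", "bob"}, [  # carol has left but still holds a grant
        Grant("alice", "finance-viewer", date(2024, 5, 1), (time(8), time(18))),
        Grant("bob", "cloud-admin", date(2023, 12, 1)),
        Grant("carol", "finance-viewer", date(2024, 5, 1)),
    ])
    noon, night = datetime(2024, 6, 3, 12, 0), datetime(2024, 6, 3, 22, 0)
    return {
        "alice_read": d.is_allowed("alice", "read", "/finance/q2.xlsx", noon),
        "alice_write": d.is_allowed("alice", "write", "/finance/q2.xlsx", noon),
        "alice_night": d.is_allowed("alice", "read", "/finance/q2.xlsx", night),
        "findings": d.review(date(2024, 6, 3)),
        "withdrawn": d.offboard("bob"),
        "bob_after": d.is_allowed("bob", "change_settings", "/settings", noon),
    }
```

The review output is what an administrator would act on: the orphaned grant should be deleted and the stale admin grant re-confirmed or removed.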

Authentication establishes who a user is; authorizations, on the other hand, define which resources people are allowed to use within a cloud. For both areas of cloud security there are open protocols with which this can be implemented: OpenID is suitable for decentralized user authentication, while OAuth in turn guarantees secure authorization of desktop or web applications.

Protect company network

In order to ensure the necessary IT security, companies not only have to adequately protect individual services, but also the surrounding structure, i.e. the company network. This is particularly important as soon as a company is working with cloud services, because employee passwords can also be skimmed off via an inadequately secured company network, and stolen passwords are still the most common method of gaining unauthorized access to clouds.

Larger companies that work with more complex networks should protect their internal network, e.g. by outsourcing individual functions such as the firewall or virus protection to dedicated security devices (security appliances). An external firewall (also called hardware firewall) has the advantage that it was specifically developed to control the connection between two networks and to prevent unauthorized network access.

Establish central identity management securely

IT and cloud security is a challenge, especially for large companies that have employees in many different cities and countries. If these companies want to convert their workflow to cloud-based work processes, they have to standardize and centralize the heterogeneous identities of their employees. While smaller companies often use external security services for central identity management, larger companies usually build their own infrastructure; and while younger companies have relied on cloud computing right from the start, traditional companies have to spend a lot of time "rebuilding". Establishing a secure central identity management is therefore another important task to ensure well-protected cloud access.

In order for the conversion to be successful and the employee identities to be brought together securely in a central structure, an additional "integration layer" is required, which is incorporated into the system architecture of the network. It bundles the identity information of the employees and enables the central administration of this data. By implementing such a merging integration layer, even large companies can safely switch to the use of cloud services.

Article information

Author: Melvina Ondricka
