The decision has been made: your organization is “going to the cloud”. But what aspects does an organization need to think about when using cloud services? We have created a Competence Center that deals with precisely this question!
Shared responsibility: What your company remains responsible for (1)

First of all, it is extremely important to understand what a cloud service, and therefore a cloud service provider (CSP), actually does. What is the product and how can it help me overcome my challenges? Next, it is important to understand that migrating to the cloud does not mean relinquishing responsibility (i.e. obligations) per se.

According to the National Institute of Standards and Technology (NIST), the definition of cloud computing provides for three service models. I can buy the hardware that I would traditionally set up in a data center as a service; in other words, the entire infrastructure “as a service” (IaaS for short). It is also possible to purchase platforms “as a service” (PaaS for short): the CSP not only provides me with hardware, but also takes care of the provision and maintenance of the operating system. At a further level of abstraction, I can obtain software “as a service” (SaaS for short), i.e. a specific application such as MS Excel. Here I don’t have to worry about keeping either the operating system or the actual application up to date. In addition, there are almost endless variants of the three service models, including Function as a Service (FaaS), Backend as a Service and Everything as a Service (XaaS).

Basically, no matter which service model you choose, you remain responsible for your own data and for the data entrusted to you (as part of commissioned data processing). You merely outsource more or less of the work required to fulfill this responsibility. Each CSP has a more or less individual shared responsibility model. Basically, however, the “shared responsibility” is as follows: in all service models, responsibility for the data center, the (physical) network and the hosts (i.e. physical servers) remains with the cloud service provider. If something fails, the CSP takes care of a replacement. But beware: this means replacing the hardware, not restoring the data! In the IaaS model, you are responsible for the security of all components installed on that infrastructure, including the operating system, application, middleware, containers, network, workload, data and code. You are also responsible for protecting the availability of your data by implementing an appropriate backup strategy.

As a rule, every CSP offers countless services for your IT department’s area of responsibility, such as encrypting your data in accordance with your cryptography concept. However, using such services does not transfer the responsibility itself. Secure configuration of all the cloud services you use remains your responsibility at all times. Your information security management system should take this shared responsibility into account.

A helpful starting point is the Cloud Computing Compliance Criteria Catalogue (C5) of the German Federal Office for Information Security (BSI). It provides criteria that can be used to set up or evaluate a trusting and secure collaboration with a cloud service provider. CC Digital Security has also analyzed this catalog as the basis for our cloud service development (especially SaaS) and applied it within the company. In this way, we ensure that applications that we provide as Software as a Service, or prepare for operation as SaaS, meet these criteria. We have adapted our secure software development lifecycle to include the creation of cloud-enabled and cloud-native applications.

IT (security) governance: guidelines are also needed in the cloud (2)

Every organization sets framework conditions (organizational structures, processes, guidelines) for its internal IT in order to enable it to implement requirements as independently as possible. The applicability or viability of these framework conditions may be more or less impaired depending on the CSP and service model selected. IT governance (i.e. the framework conditions) must therefore be adapted to the company’s own cloud strategy (including a hybrid cloud strategy if necessary). Business continuity management (BCM for short) and the emergency manual, for instance, must be adapted to the new circumstances. SLAs with the CSPs must be coordinated with those of your own IT department. Emergency procedures may have to provide for other parties to be involved in an emergency.

The access control policy as part of IT governance also needs to be revised when migrating to the cloud. Identity & access management is one of the most important building blocks for secure applications in cloud infrastructures. This is due to the “nature of things”: cloud operation generally means shared use of resources. I can access these resources from anywhere in the world; I no longer have to be in my own company’s network. In addition, organizations migrating to the cloud are building increasingly complex IT infrastructures, precisely in order to gain maximum efficiency from the use of the cloud infrastructure. It is no longer a single firewall setting that protects my infrastructure; instead, access rules have to be defined for many different identities, users and services.

There is no doubt that the threats posed by a cloud-based infrastructure are not the same as those posed by an on-premise infrastructure. The attack surface, the attack scenarios and the actors change, but so do the defensive options. Accordingly, the organization must also adapt its vulnerability and threat management. For which aspects can cloud service provider services be used? For which aspects are in-house or third-party solutions required? We provide an effective threat identification and analysis service that is tailored to the customers in our business areas. Depending on the degree of integration, the service should not only focus on detection, but also on reaction.

Furthermore, the specifications regarding logging/monitoring/alerting, cryptography and compliance must be adapted in the corresponding guidelines.


Legally compliant in the cloud – what obligations do you have (3)

Moving your own applications to the cloud significantly changes the setup of your company’s IT infrastructure. While an on-premise solution allows you to almost touch the data, with a cloud solution it is difficult to see where the data is at all times (i.e. in the database, during network transfer and during actual processing). Against this backdrop in particular, it is important to be aware of regulatory and legal requirements in order to ensure that they do not prevent your decision to move to the cloud, which is often economically driven. In our Digital Security Competence Center, we have identified more than 30 references for our customer segments alone that are relevant to the transition of an organization to a cloud infrastructure and thus have an impact on a possible deployment. It is also important to note that not only your organization has legal obligations, but also your partners, such as the cloud service provider. It is important to ensure that these obligations do not conflict with each other. You can find a closer look at this challenge in our last Insight article “Public cloud, private cloud, no cloud – where the public sector is heading”. With the new EU adequacy decision, there is now slightly improved legal certainty here.

It is important to me that cloud and security do not work against each other. Information security requirements can be met at least as well in modern cloud infrastructures as in conventional on-premise infrastructures, perhaps even more effectively and efficiently.

Tobias Müller // Competence Center Lead Digital Security // Westernacher Solutions
