With no end of readily available services to choose from, the pull of the cloud is hard to escape. Doing business up in the air is now as easy as flipping through an online photo album. Software is deployed as a service in close to no time and fed with company data just as fast. And then you have to make sure it doesn’t start hailing trouble.
It usually starts out with a test account. It’s free. You get to trial a service with no strings attached. How does it work? What can it do? Is it for us? And then, of course, you want to know how it stacks up against other offers. More often than not, the testing ends with a bunch of dead accounts, and the live company data that was uploaded to them is still sitting on the provider’s servers, governed by terms nobody read. It may come back to haunt you.
Five Cs for cloud security.
Germany’s Federal Office for Information Security (BSI) maintains the Cloud Computing Compliance Criteria Catalogue (C5 for short): a set of minimum requirements for cloud providers that independent auditors can attest to and that customers can use when selecting and reviewing a provider. In early 2020, the BSI published a revised version (C5:2020) to account for the growing complexity and variety of cloud applications.
Or, you may pick a service and keep using it. It’s super easy after all. But with all the excitement, security often slips the mind. One thing leads to another, and you’ll quickly end up with a wild selection of square, triangle and hexagon apps that just don’t fit into your circle IT infrastructure. They may all be nice and shiny on the surface, but they can leave the door wide open to your digital assets.
Users want services to be easily accessible, and so do cloud providers. There’s no warning sign that says STOP, CHECK YOUR SECURITY! So you go in.
How far this goes often depends on the maturity of your organisation. Start-ups typically just want to get going. Young entrepreneurs habitually use the cloud in their private lives and often carry the same laissez-faire attitude towards data protection and security into their business. But with fast growth comes the risk of a cloud formation that nobody in the company can fully map any more. It’s not unthinkable that this could at some point affect how the business is valued.
On the other hand, big established companies don’t necessarily follow their own policies either. Individual departments may simply bypass IT when they tap into the cloud, the classic shadow IT problem. IT staff who don’t know a service is in use can’t secure it. Plus, users often have no idea what happens with their data in the cloud.
That’s a far cry from how IT was managed way back when. IT admins used to hold the keys to everything, and the best thing you could do to get a software update was twiddle your thumbs and wait. Thankfully, this is the past. The cloud delivers updates all by itself. And that’s not all it does; it’s also taking different shapes all the time—and that includes the fine print that nobody likes to read. So what may look like a no-brainer really demands constant attention.
You must never forget that public cloud providers run their data centres according to their own rules. Unless you pin a service to a region, company assets can be scattered all over the world. They can be on any server, in any country, and moved somewhere else, e.g. when there’s a technical issue on the current host system. This means your data can end up in a jurisdiction or network you did not expect, or an application may be temporarily inaccessible. Inside the provider’s platform, this is not something you control. What you can control is your own security architecture: which services are allowed, how identities and access are managed, where data may be stored, and how these rules are enforced across your organisation so that users stay safe in the cloud.
The first thing to do is get an understanding of just how much security you need. Without it, you can’t plan a sound foundation, and yet this crucial step is often skipped. That’s how e-mail ends up without mail protection, virtual servers without a firewall, or databases without a regular backup routine. All the things you’d think go without saying really have to be said, such as two-factor authentication, password policies, personal (not shared) admin accounts and granular admin roles. Something that’s often overlooked is that many cloud providers offer automated security checks that evaluate your configuration against a baseline. That can be a good starting point, as long as you remember that such checks only cover the controls the provider knows about, not the accounts and services that were never registered with IT in the first place.
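The baseline controls listed above and the dormant trial accounts mentioned earlier can be checked automatically. The following script is an added example written for this article; it is not code from Bechtle or from any cloud provider. The inventory it audits is a constructed, hypothetical snapshot of a tenant, and its field names (such as `mfa`, `backup_schedule` and `last_login_days_ago`) are assumptions chosen for the example; a real provider exposes equivalent data through its own API or built-in posture checks.

```python
"""Minimal configuration audit for the baseline controls discussed in the text.

SAMPLE_INVENTORY is a constructed, hypothetical tenant snapshot; the field
names are assumptions for this example, not any provider's real schema.
"""

# Constructed sample inventory (hypothetical tenant, not real data).
SAMPLE_INVENTORY = {
    "users": [
        {"name": "alice", "roles": ["Reader"], "mfa": True, "last_login_days_ago": 3},
        {"name": "bob", "roles": ["Owner"], "mfa": False, "last_login_days_ago": 2},
        {"name": "admin", "roles": ["Owner"], "mfa": True, "last_login_days_ago": 200},
        {"name": "carol", "roles": ["Owner"], "mfa": True, "last_login_days_ago": 10},
    ],
    "password_policy": {"min_length": 8, "lockout_threshold": None},
    "mail": {"spam_and_malware_filter": False},
    "servers": [
        {"name": "web-01", "firewall": {"ingress": ["0.0.0.0/0:443"]}},
        {"name": "db-01", "firewall": None},
    ],
    "databases": [
        {"name": "crm", "backup_schedule": "daily", "backup_retention_days": 30},
        {"name": "hr", "backup_schedule": None, "backup_retention_days": 0},
    ],
}

# Account names that signal a shared rather than personal account.
SHARED_ACCOUNT_NAMES = {"admin", "administrator", "root", "service"}
# Roles that grant blanket control; these should be held by few, named people.
PRIVILEGED_ROLES = {"Owner", "GlobalAdmin"}
MAX_PRIVILEGED_ACCOUNTS = 2
MIN_PASSWORD_LENGTH = 12
DORMANT_AFTER_DAYS = 90  # a left-over trial account usually looks like this


def audit(inventory):
    """Return a list of (severity, finding) tuples for the inventory."""
    findings = []
    users = inventory.get("users", [])

    for user in users:
        if not user.get("mfa"):
            findings.append(("high", f"user {user['name']} has no second factor"))
        if user["name"].lower() in SHARED_ACCOUNT_NAMES:
            findings.append(("high", f"shared account {user['name']} in use; admins need personal accounts"))
        if user.get("last_login_days_ago", 0) > DORMANT_AFTER_DAYS:
            findings.append(("medium", f"dormant account {user['name']}: no login for {user['last_login_days_ago']} days"))

    # Too many blanket-admin accounts defeats the point of granular roles.
    privileged = [u["name"] for u in users if set(u.get("roles", [])) & PRIVILEGED_ROLES]
    if len(privileged) > MAX_PRIVILEGED_ACCOUNTS:
        findings.append(("medium", f"{len(privileged)} accounts hold blanket admin roles: {', '.join(privileged)}"))

    policy = inventory.get("password_policy", {})
    if policy.get("min_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append(("medium", f"password policy allows passwords shorter than {MIN_PASSWORD_LENGTH} characters"))
    if policy.get("lockout_threshold") is None:
        findings.append(("medium", "no account lockout after failed logins"))

    if not inventory.get("mail", {}).get("spam_and_malware_filter"):
        findings.append(("high", "mail service has no spam/malware filtering"))

    for server in inventory.get("servers", []):
        if not server.get("firewall"):
            findings.append(("high", f"server {server['name']} has no firewall"))

    for db in inventory.get("databases", []):
        if not db.get("backup_schedule") or db.get("backup_retention_days", 0) <= 0:
            findings.append(("high", f"database {db['name']} has no usable backup routine"))

    return findings


def summarise(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 4}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for severity, text in results:
        print(f"[{severity}] {text}")
    print(summarise(results))
```

Run against the sample tenant, the audit flags the missing second factor, the shared and dormant `admin` account, three accounts with blanket admin rights, the weak password policy, the unfiltered mail service, the firewall-less server and the database without backups. The thresholds are deliberately simple; the point is that each control the text lists becomes a rule that runs on every change, rather than a checklist consulted once at onboarding.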
All in all, there’s still a bit of a learning curve ahead of all of us. The cloud is everywhere, but its proliferation has outpaced our instinct to use and integrate it in corporate settings in a way that keeps our data protected. The good news is that organisations can get professional support, and not just advice. “We help our customers identify the cloud services that align to their security needs and configure a setup that gives them peace of mind,” says Christian Dittrich, head of Bechtle’s Security Competence Centre in Cologne. “This is complemented with security software that detects data leaks and malicious download links. Customers may also choose a monthly security audit.” Bechtle can also operate cloud environments and keep them patched and up to date on behalf of customers. If you choose to go it alone, you’ll have to keep an eye on changes, updates and security issues yourself. It’s a full-time job.
Bechtle update editorial team
Published on Apr 7, 2020.