More flexibility, efficiency and scalability: the cloud is a key technology that future-oriented companies can hardly ignore. Nevertheless, many decision-makers are still hesitant about storing data on the Internet – mostly because of security concerns. Janek Maiwald, Chief Technology Officer (CTO) of DGC, explains in an interview about cloud security how secure or insecure data is in the cloud, what exactly causes this and how decision-makers should counter these risks:
Cloud security is one of the top issues for companies when considering deploying cloud-based solutions. Are these concerns justified? How secure or insecure are data and corporate secrets in the cloud?
In general, it can be stated that offerings from established cloud service providers are more secure than any system operated on-premise in the company’s own local data center. The security risk, therefore, only arises on the part of the cloud administrators in their own company. More precisely, executing a non-professional cloud configuration: In practice, it happens from time to time that project managers – mostly out of ignorance – circumvent the intended security measures of the cloud. Understandably, they want to quickly meet the demands of the business side for more performance or storage space – for example at peak times such as the pre-Christmas period in e-commerce or with increased remote access from the home office.
However, incomplete implementation creates security gaps that put access, data and resources in the cloud at risk. Yet the cloud can also be put into operation quickly and efficiently from the necessary security aspects. You just need to know how – and ideally incorporate security best practices for the cloud model in question.
How can companies minimize security risks from a faulty cloud configuration from the outset?
Cloud configuration is a complex task even for seasoned IT professionals. While most technicians have in-depth knowledge when it comes to locally operated data centers and systems, they only have a manageable amount of cloud know-how. Therefore, user companies should provide training measures for internal knowledge building at an early stage of their cloud transition. Ideally, this should take place immediately after the selection of a suitable cloud model. The major cloud providers Microsoft, Amazon and Google offer a wide range of training courses on the proper implementation and use of their products.
Once they have received the necessary training, those responsible for a company should draw up a scenario of how the systems are to be used in the cloud at an early stage. The selected cloud design must be validated with the cloud provider. It is then advisable to conduct a pentest with a specialized IT security service provider such as DGC. Here, our IT security experts put the new cloud system to the test before go-live and identify vulnerabilities that could be exploited by cybercriminals. After appropriate optimization, cloud operations can be started securely.
With the private, public or hybrid cloud, companies can choose between different types of cloud. Are there any differences in terms of data security?
From the perspective of data security, the private cloud is a particularly secure and easy-to-handle option – especially for new customers. A company’s data is managed exclusively here and is isolated per se. The private cloud is also more likely to mitigate the effects of inadequately trained employees. However, due to increased services of the provider, the use of a private cloud is usually more cost-intensive than other variants.
In comparison, public cloud solutions, which provide resources for many users and are usually less expensive, are more likely to be vulnerable. For example, user companies can be affected by spray attacks with which criminal hackers cause widespread damage. However, those who have the appropriate know-how and ensure strategic protection will also find a high level of security in the public cloud.
Of course, the choice of cloud type should not only be made regarding data security. Companies must strategically consider what individual requirements exist for the new cloud system and what goals are being pursued with the use of the cloud – and select the best solution for them based on this. This could be a hybrid solution, for example. Cloud security should be considered from the outset and appropriate measures taken to minimize risk.
Who is ultimately responsible for cloud security: the cloud provider, the user company or the contracted IT security service provider?
Responsibility for data security in the cloud is the responsibility of the user company itself – or more precisely, of its own security officers. It must, therefore, be ensured internally that the basic level or the security tools provided by the cloud provider are used optimally. However, practice shows that a large number of companies are overburdened with the technical security analysis of all IT components and systems and call in service providers such as DGC. Such outsourcing is advisable because it results in a clear division of tasks. While the internal IT team is responsible for cloud operations, a qualified service provider takes care of the counterpart of IT security, thus ensuring maximum security.
In this respect, we can talk about an interaction between the cloud provider, the user company and the IT security service provider. However, the final responsibility clearly remains with the cloud-using company, which must initiate and drive IT security from within.
How can companies approach the topic of cloud security strategically – and with which concrete solutions and services does DGC support them?
In order to make the cloud move and ongoing operations secure and successful, companies should develop a cloud utilization model. To do this, they should rely on the expertise of various consultants. Together with experienced specialists, the following strategic questions, for example, can be clarified: Which type of cloud offers the greatest potential for the company’s own business model? What should the cloud setting look like and what data should be transferred and by what method? And finally: Which cloud security solutions must be used to ensure maximum data security? A cloud transition is a highly complex undertaking and should therefore not be carried out single-handedly.
At DGC, we cover the security part and support our customers in creating and implementing cloud security concepts. Our consulting services include the development of a network strategy and the integration of IT security tools to increase data security, and culminate in the above-mentioned pentests to test the new cloud system.
When it comes to securing ongoing operations, companies are supported by our IT security team at the Cyber Defense Operation Center (CDOC). They can also use our IT security tool cyberscan.io® for continuous vulnerability analysis. Ideally, the appropriate measures in each case are bundled within the framework of cyber security partnerships with DGC – in this way, companies ensure maximum security in the cloud.
Why is cloud computing the future? Why does it benefit companies to invest in cloud security?
Agile and flexible IT infrastructures are critical to the success of modern companies – only in this way are they able to position themselves as future-oriented and competitive on the world markets. Cloud computing forms an important basis for this and offers various advantages. In addition to the aforementioned flexible scalability, it ensures efficient workflows and processes with partner companies, customers and service providers because, for example, all players in a value chain can be integrated into a cloud architecture. The cloud also brings companies forward in the area of data analytics: Due to its performance, the potential of artificial intelligence and machine learning can be optimally exploited. In addition, the cloud offers geographical advantages. With global providers, companies can decide whether their own application or infrastructure should be hosted in Asia or in a specific country. For example, it allows them to be “close” to the end user and to ensure consistently high performance.
However, successful cloud use requires appropriate security standards. Security should therefore be part of any cloud strategy and necessary measures should be continuously tracked. Those who internalize this can drive digital business transformation in a targeted and risk-minimized manner.
Thank you very much for the interview!