In our first interview with Gerald Klump, Trivadis Co-CEO, on the topic of the Cloud, we looked at the aspect of database security. This time, we will focus on the risks associated with using the Cloud.
The seven most devastating security breaches in the history of the Cloud are described in detail in an article by the Washington Post from 2 March of this year. Through these incidents, organisations have realised that the Cloud has both advantages and disadvantages in terms of security.
Prior to the Cloud, sensitive corporate data was stored in secure rooms or local data centres. Only the company's employees could access it. But now, thanks to Microsoft, Amazon, Oracle and many others, there are new external, cheaper, simpler and more secure solutions for storing data and also running a variety of applications – for example, to analyze financial data stored in complicated proprietary formats.
However, the fact that the Cloud opens up so many more opportunities also requires companies to be particularly vigilant. An ever-increasing number of people and programs are being granted access to their networks, which also makes it easier for hostile parties to find potential gaps.
However, Cloud providers have been working hard to ensure that it is not only the lower costs but also the level of security that encourages companies to use their services. And there is evidence for this: Gartner, a market research firm, estimates that the global Cloud market was worth more than 226 billion dollars last year and is expected to reach 263 billion dollars in 2020, equivalent to growth of 16 percent. Amazon Web Services, the first major public Cloud, was launched in mid-2007 and is now a 40-billion-dollar business.
Gerry, first of all, what exactly are the most important tips to avoid security gaps in the Cloud?
You will be surprised how obvious they are, although most of them aren't targeted particularly often. Here are a few tips on how to avoid security gaps:
- Directory integration
There is often a lot of amazement over back-up systems that are silos. In other words, they do not share user and identification data about people, systems and devices. Identity Access Management (IAM) systems share this data via directory services. Most people responsible for security on the Cloud either do not use IAM or do so without allowing information to be shared automatically through a directory system. Without directory integration, when someone retires and is removed from the directory system for the local systems, they will not be automatically removed from the back-up system on the Cloud. You would need to change the information in two different places.
- Integration of administration
Service and resource governance systems must work together, but most do not. For instance, think about the advantage of being able to monitor the potential misuse of a storage system if someone repeatedly violates governance guidelines. This person probably presents an increased security risk and should be locked out depending on the circumstances.
- Automated security tests
If security tests are part of the automated test systems, they can find problems at code and data level before they go into production. Applications moving through the toolchain are probably five times more secure than those passing through passive safety tests or no safety tests at all.
And what exactly does the term "Cloud computing" mean?
First of all, Cloud computing stands for the outsourcing of data and applications to the "Cloud", i.e. in external memory. Here, providers make applications available as Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS). Particular attention is paid to the availability of applications and efficient use of resources.
What are companies' specific concerns about the security of Cloud computing?
There are many reasons why companies feel unsure about database security in the Cloud:
- The multi-tenant and dynamic properties of the Cloud can jeopardize sensitive or regulated data.
- A lack of visibility and accountability of Cloud providers regarding security contributes to customers' anxiety.
- Not all companies are rushing to deploy inexpensive public cloud offerings; many prefer private Cloud options and hybrid Cloud architectures that combine low costs with risk mitigation.
- Third-party audits/evaluations, incident response and operational/change management are particularly sticky issues.
- Customers have less preventive control over the infrastructure when using the Cloud and must instead try to transfer risks (where possible) or improve detection and deterrence through monitoring.
- Activities once carried out at endpoints, data centres and networks owned by organisations are shifted to open, untrustworthy networks.
Network perimeters are becoming less and less effective: More complex mechanisms for separating virtual machines and virtual networks are still in their infancy. Companies expect Cloud providers to take security precautions: Data backup, authentication and encryption during transfer and storage.
So, to what extent does Cloud computing change the way that IT works?
Cloud computing is changing the perception and usage models of IT. Driven by market forces, i.e. the business environment, and advances in the capabilities of Cloud providers, companies are shifting the alignment of their IT strategies. Cloud computing can improve availability. Private Clouds can support secure collaboration with external partners. Platform-as-a-Service (PaaS) offerings can integrate proactive security into the software.
What can you recommend to our readers when it comes to using Cloud computing securely?
Cloud computing of course also involves risks and requires a new way of thinking – but it does not call for a reinvention of security programs and architectures. When companies use public Cloud services in a structured manner in line with their own internal requirements and have a concept for identity and access management, auditing and reporting, network infrastructure and security management, the Cloud presents a lot of opportunities. And just to be on the safe side, it can be worthwhile to involve an intelligent partner who will guide you safely through the Cloud jungle. At Trivadis, we have the expertise, best practices and frameworks you need!
An alternative (albeit slower) approach may be to first take small steps towards the public Cloud with low risk or lower (variable) volume applications and use this as a basis for developing service-oriented hybrid Cloud architectures.
When it comes to cloud security vendors, one must demand better assessment criteria and ecosystems for third-party review and industry standards to improve interoperability and security.
The biggest risk we face today in the area of data security is the assumption of an identity and misuse of it. To protect you from this is our task.
Thank you Gerry.
https://blog.storagecraft.com/7-infamous-cloud-security-breaches/ – 7 Most Infamous Cloud Security Breaches
https://www.gartner.com/document/1405593?ref=solrAll&refval=261304823 – Cloud Computing Security in the Enterprise
https://www.gartner.com/document/3987212?ref=solrAll&refval=261304771 – IaaS and PaaS Cloud Security: FAQs From Gartner Clients
https://www.infoworld.com/article/3488500/3-cloud-security-hacks-to-consider-today.html – 3 cloud security 'hacks' to consider today