Available everywhere, but not for everyone: Security aspects of cloud computing.

Kept under lock and key

Author: Nadine Kampen, Information Security Officer, Fact Informationssysteme & Consulting

By definition, cloud computing means: valuable data stored on remote servers, cloud applications that can be accessed from anywhere via a web browser and massive amounts of data flowing through the public internet – all of this virtually screams for sophisticated data protection mechanisms.

Cloud computing would probably never have become so successful if answers to these challenges had not been developed early on. Some of the leading cloud providers are, in fact, also the largest employers of security experts in the world today. And not without reason.

It is crucial with cloud computing that data protection and IT security are consistently implemented at all levels of access. This begins with the physical protection of the servers, continues with sophisticated rights management and culminates in the complete encryption of all content during transport from the server to the user’s end device and also generally during storage. But people also play an important role.

Server and file storage protection

Data centre operations can be certified to the recognised ISO 27001 standard. The standard stipulates extensive protection of the managed IT resources. This includes both the physical protection of the server rooms against intrusion and access by unauthorised persons, as well as the hardening of the IT systems against hackers and intrusion attempts via the internet. And not as a one-off, but as a continuous, audited measure.

Sophisticated rights management

Cloud solutions are required to tie all the functions they provide to the availability of appropriate access rights. The approach of assigning users to freely definable groups and fine-tuning their usage rights with the help of group policies has proven successful.

A prerequisite for this is the correct identification of each user by logging in with the stored password or security key. For security reasons, the selection of weak passwords should be prevented or two-factor authentication should be used.

With the latter, the user has to confirm each login a second way. For example, the system sends a random security code to the user’s mobile device, which then also has to be entered.

Other options include a dedicated smartphone app for confirming the login or special hardware that has to be plugged into the respective end device, such as a security key in the form of a USB stick. Solutions for this are available.

Transport encryption

To secure the interaction between the user and the cloud application, all content should be encrypted as it is transmitted between the user’s device and the cloud server. Established technology such as SSL/TLS, which is supported by all web browsers and web servers today, can be used for this purpose.

This means that the data can neither be read nor manipulated while in transport. "HTTPS:" in front of the respective Internet address in the web browser’s address line indicates that this transport encryption is being used. With unencrypted connections, you will only see "HTTP:". You should then be cautious.

Human factor

Despite all the technical measures, the human factor must not be ignored. According to figures from the German Insurance Association (Gesamtverband der Deutschen Versicherungswirtschaft e. V.) for 2019, emails are the attack vector in over 70 percent of cyberattacks.

It should set off alarm bells if employees are asked in an email or chat to quickly help out a colleague with their password, to log on to a website with their name and password because of a supposed system change or urgent holiday planning.

Furthermore: Passwords must not be left out in the open in the office, and USB sticks seemingly found by chance at the front door or in the car park must not be inserted anywhere.

The dangers are manifold and, in my experience, can only be addressed by establishing a safety culture across hierarchies. Users need to be sensitised to these dangers and trained regularly. This is perhaps the most effective protection against cybercrime in cloud computing and beyond.

Also read:

  • Not every suit fits – Not all cloud computing is the same. It depends on the right operating model.

  • The A to Z of cloud computing – A concept in 20 terms. For anyone wanting to have a say on the trendy topic.

  • The financial industry is where it’s at – Why institutional investors are now betting on cloud computing

  • When apps learned to walk – A brilliant idea and its implementation: The building blocks of cloud computing.

  • A feast for the eyes – Information, interaction, intuition: With cloud technology to modern user interfaces.

  • The spirit of a new age – Much more than a buzzword: What cloud computing is all about.