The virtual world of data and services available anywhere and at any time is dependent on an entirely physical one - and this physical world is also quite vulnerable. In March 2021, a fire destroyed a data center belonging to the French cloud hosting provider OVH in Strasbourg with space for up to 12,000 servers. As a result, about 3.6 million websites and more than 450,000 domains were offline. Domains from France were the most affected, with 1.9 percent of them no longer accessible. Companies that had opted out of a fee-based backup of their data suffered immense data losses. Experts criticized the construction of the data center and the lack of fire-fighting equipment.[1]
Physical security of data centers covers protection against natural forces, precautions against power failures, and protection against unauthorized access, possibly with criminal intent. Companies and organizations that are moving their applications and data to the cloud would therefore do well to examine these basic conditions - and should by no means forgo storage in two non-adjacent locations.
But while all of this applies just as much to individually operated and smaller-scale servers or data centers, cloud security is thought of first and foremost in terms of data protection and data security.
In general, clouds can be categorized into three types, with all major hyperscalers offering each of the following services:
- Infrastructure as a Service (IaaS), in which the cloud provider merely provides the infrastructure, i.e., the hardware, for the services. The users of the IaaS cloud determine themselves which operating system, which security features and which software they require for their needs. Examples of IaaS clouds include Amazon Web Services (AWS) and Google Compute Engine.
- Platform as a Service (PaaS) provides not only the infrastructure but also the operating environment and enables users to install their own applications. Examples of PaaS include Google App Engine and Microsoft Azure.
- Software as a Service (SaaS) enables the use of applications provided directly by the external provider. This means minimal administrative effort for users, as the operating environment and applications are supplied in addition to the infrastructure. Typical examples here are Microsoft 365, Google Workspace or iCloud.
Depending on the choice of cloud category, the responsibilities for cloud security differ. Whereas in the case of Software as a Service the provider is responsible for technical and application security, in the case of IaaS clouds it is up to the user to incorporate appropriate security features. But in any case, it remains the user's responsibility to ensure the security of their data or to check the precautions and obligations of the provider. In essence, this involves central control of compliance requirements as well as access and rights.
In addition to the public clouds that can be used by various companies, organizations and individuals, the operation of a private cloud is also an option for organizations. With a private cloud, the customer uses dedicated hardware from the provider under their own governance and does not share the systems with other clients. Thus, unlike with public clouds, users do not have to rely on the data protection measures of the public cloud providers, but retain full control over their security arrangements. The benefits of the easily accessible public cloud and the more secure private cloud can be combined in a hybrid cloud. In this model, non-critical applications and data are often available via a public cloud, while business-critical data is available in a private, exclusively used cloud.
In a multi-cloud solution, several clouds are used in parallel. The aim here is usually higher availability: if one provider should fail unexpectedly, business processes can be continued via the second cloud provider, and the data remains securely available. However, this requires a great deal of planning and configuration effort, since running the same service at several cloud providers in parallel is not something that can be implemented easily.
Cloud security components
Data protection in all the cloud models mentioned comprises several components. Physical protection of the data centers is followed by network and server security. This involves the technical configuration of the servers, i.e., ensuring that data from different customers flows separately and that the servers themselves are secure against external attacks.
Another component is controlling who is granted access to which data. The principle of least privilege (POLP) applies here: users receive only the access rights and authorizations that are strictly necessary for their tasks.
Multi-factor authentication (MFA) should be standard by now. In addition, a Cloud Access Security Broker (CASB) can be set up. The CASB records and controls user access to the cloud services used. Predefined usage guidelines can thus be technically implemented and monitored. Furthermore, a CASB can automatically classify data and identify and report unwanted behavior in the company’s own cloud services (also from third parties). Role-based access control (RBAC) can be used to define different access rights depending on the user’s role.
In addition, the data itself must be protected under applicable law. Depending on industry or company rules, for example, some data may not be stored or processed outside the EU or Germany. Moreover, systems or applications that require a high level of security or process sensitive data in accordance with the GDPR require encryption of data and communication relationships. A Cloud Encryption Gateway (CEG) makes it possible to encrypt sensitive data in the internal environment before it is transferred to the cloud. Key management is of particular importance here and must remain exclusively under the control of the user.
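As an added example, not code from the article or from msg security advisors, here is a minimal Python policy check that puts the guidelines of the previous two paragraphs into code: least-privilege role definitions, a mandatory-MFA rule and an EU-only residency rule for personal data, evaluated CASB-style over a few constructed access events. The role names, regions, event fields and sample events are assumptions made for the illustration.

```python
# Added example (not from the article): a minimal CASB-style check of the
# guidelines in the text: least-privilege RBAC, mandatory MFA, EU-only residency.
# Roles, regions and sample events are constructed for illustration.
from dataclasses import dataclass

# Least privilege: each role lists only the (service, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("storage", "read")},
    "developer": {("storage", "read"), ("compute", "start"), ("compute", "stop")},
    "admin": {("storage", "read"), ("storage", "write"), ("storage", "delete"),
              ("compute", "start"), ("compute", "stop"), ("iam", "grant")},
}

# Residency: listed classifications may only be processed in these regions.
RESIDENCY = {"personal_data": {"eu-central", "eu-west"}}

@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    service: str
    action: str
    region: str
    classification: str
    mfa: bool

def evaluate(event: AccessEvent) -> list:
    """Return the guideline violations for one event (empty list = allowed)."""
    violations = []
    if not event.mfa:
        violations.append("MFA required")
    if (event.service, event.action) not in ROLE_PERMISSIONS.get(event.role, set()):
        violations.append(f"role '{event.role}' may not {event.action} {event.service}")
    regions = RESIDENCY.get(event.classification)
    if regions is not None and event.region not in regions:
        violations.append(f"{event.classification} must stay in {sorted(regions)}")
    return violations

def audit(events: list) -> list:
    """CASB-style monitoring: report every event that breaks a guideline."""
    return [(e.user, v) for e in events if (v := evaluate(e))]

# Constructed sample events: one compliant, three each breaking one guideline.
SAMPLE_EVENTS = [
    AccessEvent("alice", "analyst", "storage", "read", "eu-central", "personal_data", True),
    AccessEvent("bob", "analyst", "storage", "delete", "eu-west", "public", True),
    AccessEvent("carol", "developer", "compute", "start", "us-east", "public", False),
    AccessEvent("dave", "admin", "storage", "write", "us-east", "personal_data", True),
]
```

Running `audit(SAMPLE_EVENTS)` reports bob, carol and dave with their respective violations, while alice's event passes all three checks.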
Confidential Computing (CC) is a further component that starts with the processing of the data itself: data to be processed in the cloud is isolated, and all processing takes place in a separate, isolated environment that is implemented either directly on the processor chip or even distributed across several servers.
With ever-new technical innovations and a constantly changing legal situation, it is clear that cloud security is an ongoing process that not only has a technical side, but must also be embedded and further developed in the organization. It is not enough to set up the measures once. Rather, it must be understood as a continuous process following the PDCA cycle (Plan-Do-Check-Act).
Author
Bastian Grabowski
Lead IT Consultant
msg security advisors