With the cloud, they said, everything will be nicer. Better. Simpler. But also more secure?
This was the motto of the expert presentation held by Dr. Kai Schubert, Managing Security Consultant at usd AG, and Phillip Ansorge, Senior Security Consultant at usd AG, at this year's "CloudLand" festival of the German-speaking Cloud Native Community (DCNC). The focus of the community festival was on container & cloud technologies, microservices & domain-driven design, DevOps & methodology and CI/CD & automation.
"After many years of work and experience in the field of cloud computing, and in particular the performance of Cloud Security Audits, we realize again and again: Unfortunately, the cloud is not always as simple and secure as we would like it to be," says Kai Schubert. "That's why we were pretty excited to be able to draw the attention of a large professional audience to a topic that still does not get the recognition it deserves, and to create more awareness for cloud security in general."
But why is the topic of cloud security still neglected in many companies? In their presentation, the two experts shared their experiences from Cloud Security Audits, real-world examples and best practices on cloud service configurations with the audience.
Using a fictitious example, Kai Schubert explains in this article how quickly cloud and organization can grow apart and how they can come together again.
Cloud Security: Everything is connected
One thing has not changed when it comes to security in the cloud compared to traditional IT infrastructures: Only implementing individual protective measures is not enough. The interaction of all measures is necessary to achieve a sufficient level of security - similar to a medieval castle:
Our customers often ask us why they should set up one security measure, since another already exists. Example: "We have a good IAM, why should we encrypt our EC2 volumes?" The answer is: multiple lines of defense! In a castle, no one would think of leaving out the walls just because you already have a moat.
A cloud environment should therefore be secured by multiple defenses, much like a castle. In reality, however, this is often not the case. To understand why that is, let's take a look at how the first steps towards the cloud often work for companies.
How it all started …
Our department in our fictitious company has decided to move to the cloud. We create an AWS account with a few clicks, configure a few basics and voilà - the workload is up and running. It was easier than we thought. Much easier than asking IT for new VMs. And at first glance, cheaper, too.
A colleague from management overhears what we're doing and is ecstatic: "Cloud is the future!" And so he immediately comes up with a dozen new ideas and migration projects. Everything has to go to the cloud, as quickly as possible!
… and how it suddenly has to be secured.
Then, at some point, a compliance audit is suddenly on the doorstep. Our information security officer has questions. And no real idea about cloud yet. "We need a list of assets! Assessments of protection needs! And of course, a penetration test!" Someone still throws terms like VPN or full encryption into the room, because that's what the compliance guidelines say. Now is the time, at the latest, when it somehow stops being fun. The new cloud toy is supposed to be regulated, governed and controlled. By people who have no expertise in this area. But they have to get their lists of requirements through in order to meet the legal specifications.
So we have a problem. We built the castle without a plan, without letting the royal advisors in on it and taking them with us on our journey to the cloud. And that's how it often works in reality: Things start off with lots of drive, but unfortunately, little planning. Not to mention the end - also called exit strategy. Companies and their governance often "lag behind" technical developments. Old processes as well as unrealistic and inappropriate requirements are now supposed to apply to the cloud. "On-premise thinking" is "imposed" on the cloud.
And as if all this were not enough, we overlook or neglect the fact that the Shared Responsibility Model also makes us responsible for the secure configuration of cloud services. The shared responsibility model is thus not understood or lived by many organizations, resulting in partial "blindness" in IT operations.
How do cloud and organization come together?
So how can we achieve better governance? How, on the one hand, to meet the requirements for secure operations, but at the same time continue to reap the benefits of the cloud? Answers to these questions are certainly complex, but the following key points provide a solid foundation:
- Have a plan. Even better: a cloud strategy. Trial and error is okay, but a clear and documented definition of your requirements and goals will help.
- Also have an exit option. Choosing a cloud service provider should not be a one-way street. Clarify at the outset what options you have if the provider of your choice changes terms, becomes unavailable, or even if your own requirements and goals change.
- Take the company with you on your journey. Talk to the ISO, data protection officer, controlling and other stakeholders.
- Provide cloud basics in order to be able to communicate with others in the company on an equal footing about the cloud and its security. And last but not least, to prevent misunderstandings, misconceptions and prejudices.
- Take care of your part of the Shared Responsibility Model. Reminder: You can configure it? Then it is your responsibility! And in case of doubt it is also security relevant!
More about Cloud Security
usd Webinar: Secure Configuration of Cloud Services
26 October, 2023, 4:00 - 5:00 CEST
What are the most common stumbling blocks when configuring cloud services? How can they be avoided? Our cloud security experts Kai Schubert and Phillip Ansorge provide answers to these questions and share their findings from a large number of cloud security audits in the free usd webinar Secure Configuration of Cloud Services.