The protection of data is often business-critical. Expert Markus Nöbauer from insideAx explains which aspects are crucial for security in the cloud and why the zero trust methodology is a good approach for a security concept. […]
Most companies now use cloud services. It is important to understand that operation, and with it security, is a responsibility shared between the cloud provider and the user. How much of that responsibility falls to the user depends on whether infrastructure, platform or software is obtained as a service from the cloud. The cloud operator takes over physical security (for example, securing the building through access controls).
If you use infrastructure-as-a-service, such as hosted virtual servers, you have to take care of the firewall, network security, the operating system and similar issues yourself. With platform-as-a-service, developers must ensure application security themselves. Software-as-a-service restricts the user largely to use and design, but in return the cloud provider takes over most security aspects. In practice, there is often a mix of IaaS, PaaS and SaaS, so your own IT must be fit in all areas.
Zero Trust: Trust nothing and no one
The zero trust methodology forms a good basis for any cloud use. The basic assumption here is that nothing can be classified as safe if it has not been checked. This includes the identity of users, applications, devices, data, infrastructures and networks. What sounds like an unsolvable task is quite feasible thanks to the cloud operators, because they offer a large number of tools and services to implement zero trust. The typical functions are multi-factor authentication of users by means of tokens and biometrics as well as anomaly detection. In addition, there are proactive security tools that respond to threats and can be configured according to your own security requirements.
Use best-practice tools
Many cloud providers offer comprehensive security services. Microsoft’s Security and Compliance Center, for example, is supported by pre-configured best practices and industry standards that can be used as a template. In addition, the Security Center offers various assessment tools that examine a current configuration, identify potential threats, suggest improvements, and evaluate their impact on security and implementation effort. Services such as Azure Sentinel use log analysis to identify threats. If threats are detected, the system can react to them automatically.
Data protection as a top priority
The reliable protection of data and documents is often business-critical. First of all, it is important to find sensitive data (such as personal information or bank details) in the jungle of different applications and storage locations. Tools such as Information Protection can be used to define whether documents can be copied, printed or sent, or whether they should be automatically encrypted. Documents, e-mails and applications can be automatically configured with the desired level of protection. Retention policies ensure that documents (such as invoices) must not be deleted for a certain period of time. This also makes it possible to comply with the deletion obligations under the GDPR.
In the cloud, users and cloud providers share responsibility for the security of data, applications and infrastructures. The zero trust methodology provides a solid and proven basis for a company-wide security concept. With the right tools and professional advice, this approach can be implemented to achieve the desired level of security.
*The author Markus Nöbauer is responsible for R&D for research projects in the context of business software at insideAx.