How to use cloud services securely

Data security is an important topic in today’s digital age. Making and keeping cloud services secure for users seems to be one of the biggest challenges.

As much convenience as the cloud offers, their use is still associated with taking risks. To minimize these, you first need to be familiar with the dangers.

People keep repeating that there is no such thing as a completely secure cloud – but what exactly are the security dangers? The unfortunate answer: there are a lot. As well as potentially losing data (e.g., due to provider insolvency, technical breakdowns, or unexpected account blocking), risks consist primarily of unauthorized or unwanted access by third parties. But who would be interested in accessing that kind of data? These are the usual suspects:

1. Data Thieves: One source of danger is people who want to make money or a career out of stolen data. All personal information is of value to data thieves, not just bank information. Even industrial espionage can be conducted through data theft from cloud storage that is inadequately secured.
   
   
2. Hackers: Hackers test their skills by trying to penetrate company or public institutions’ security systems. Some then report the vulnerabilities to administrators if the attack is successful, and others collect information with criminal intent.
   
   
3. Organs of the State: The NSA scandal revealed to the public how much access intelligence services have to citizens’ personal information. Other authorities can gain access to cloud data in suspect cases by court order. Therefore, infiltration by state institutions is also a cloud security risk.
   
   
4. Cloud providers: Many large IT companies like Google or Apple get their market power from further processing user data. By having deliberately-vague terms of use, they give themselves leeway to use the data for their own purposes. A major problem is the providers’ lack of transparency – users have little idea or control over what happens to their data in the public cloud.
   
   
5. In-house personnel: Active or departed employees pose a potential security risk to companies because they can abuse their internal knowledge about cloud access or even become susceptible to extortion. To combat this, larger organizations, in particular, should maintain controlled management of their cloud services.

Individuals and companies who want to effectively protect their cloud access face difficult challenges. Individuals can improve their security through general privacy practices – cleverly chosen password or encrypted data – but businesses face a more complicated issue. 

Unlike individuals, businesses do not work with a single cloud service. Instead, they use complex cloud-based IT infrastructures that are accessed by many different people. Cloud-computing is the generic term for these infrastructures and they are rarely hosted over local computers at the company office, but are accessed over the internet by staff members. Security issues pop up here in a variety of forms: Many employees access cloud services from different locations, and on different devices, which obviously leads to security becoming a technical challenge.

The challenge lies in identity management, which means keeping track of which employees are accessing data, and regulating what kind of access they have within the cloud. To facilitate a better workflow, companies are required to implement the different cloud accounts of their employees in a central user administration. Challenges like these arise when companies just use file-sharing services like Dropbox, which are then accessed by multiple employees, all of whom have individual access to data. The bigger your enterprise, the harder it is to implement identity management in a multi-cloud environment – and the more important the focus on security should be.

When it comes to private individuals, the quality of cloud security depends on how well general data protection measures are implemented. For example, users should put extra effort into creating secure passwords, and should also pay attention to the server location of the cloud provider, fair use of the cloud provider, and data encryption standards.

Users should find out what country the company headquarters and servers are in. The privacy and security situation in that country plays an important role in securing cloud services. Both aspects (headquarter and server location) decide what happens to the data stored in their cloud. Users should be sure to research this before choosing a provider to entrust their data.

If the servers are located in Canada, for example, you are subject to Canadian laws as an American user. The legal situation is very important, because government agencies may be able to access cloud data without the consent of a user. Different countries have different levels of legal data protection and there are ongoing international disputes concerning the issue. Therefore, it is important to do your research on what country your information will be hosted in before choosing.

As privacy from government agencies becomes more of a concern for users, American companies are increasingly storing European customer data on servers within the EU. However, this is only helpful to an extent – the fact that the company headquarters are located in the USA is a decisive factor in terms of data protection: even if an American company’s servers are located in Germany, they can still be obliged to provide personal user data to American authorities at their behest. As previously mentioned, this topic is still the subject of political and legal dispute.

Each cloud provider has its own privacy policy, which reveals what happens to their stored data. It is worth noting that large providers like Google or Apple, in particular, do not obtain the bulk of their commercial profits by charging user fees, but rather by exploiting user data. Through loose data protection guidelines, which are often criticized by data protection activists, companies are able to take advantage of other peoples’ information for their own purposes.

Additionally, large IT companies typically have more resources available to extract cloud patterns from their accumulated data banks, and can create digital footprints for individual users or groups. These “digital footprints” can then be linked to those from their other services (e.g., Google can link to Search, Maps, Mail etc.) and the data then becomes even more valuable. If you want to avoid this, you should choose a smaller provider that charges a small fee for more data security.

CASB are complex meta-solutions for cloud security, whereas different authentication methods are an important subcomponent. Authentication solutions handle the access control of a cloud service and control who is allowed to use it. In the meantime, companies often outsource authentication of their own services (identity providers). These are a third step between the cloud-provider and user: if an employee wants to use an IT service, he is first redirected to an identity provider, where he identifies himself, usually with a password. The identity provider or authentication method is critical to using cloud services securely.

An authentication method is especially secure if it works not just with a single password, but includes at least one extra parameter for authentication. This is referred to as multi-factor authentication. These are considered the most important measure to protect cloud access. It is recommended that companies have multi-step authentication processes. In addition to the combination of multiple keys (passwords), it is possible to use one-time passwords or to integrate objects into the authentication process (like a USB stick).

Managing cloud access does not just refer to authenticating employees, but also to different authorization rights. The word “authorization” describes the approval of usage rights within a cloud. These usage rights are assigned individually to each employee in the multi-user environment of a company, usually by one or more administrators. For example, authorizations regulate who can make changes to settings, who has access to subdirectories, who is subject to limited access times, or who has viewing rights without document change rights.

To use cloud services securely, organizations should have dynamic authorization procedures: Authorization should be personalized and up-to-date so that each employee can only view and work on data that is strictly relevant to their role in the organization (least privilege principal). Authorizations should therefore be role-based and regularly reviewed. If an employee leaves the company, all authorizations must be revoked.

To be able to provide the necessary IT security, companies must not just protect individual services, but also the surrounding structure (the company network). This is especially important as soon as a company starts working with cloud services. After all, employee passwords can also be skimmed off using an inadequately secured company network – and stolen passwords are still the most common way of gaining unauthorized access to the cloud.

Larger companies that work with more complex networks should be protected by their internal network by outsourcing security devices such as the firewall, or virus protection. An external firewall (also called a hardware firewall) has the advantage that it was specifically designed to control the connection between two networks and prevent unauthorized network access.

IT and cloud security is a real challenge, especially for large companies that employ people in many different cities and countries. If these companies want to make their workflow cloud-based, they need to unify and centralize their employees’ identities. While smaller organizations often rely on external security services for centralized identity management, larger organizations tend to build their own infrastructure. And, while younger companies have relied on cloud services right from the start, traditional companies need to rebuild. Creating secure central identity management is another important task in providing well protected cloud storage.  

To create a successful conversion, and for the employee identities to be securely merged into one central structure, an additional “integration layer” is required, which is then fed into the networks’ system architecture. It bundles employee identity information and allows the data to be centrally administrated. By implementing a merging integration layer, it is also possible for large companies to safely switch to the use of cloud services.