How to use cloud services securely
Data security is an important topic in today’s digital age. Making and keeping cloud services secure for users seems to be one of the biggest challenges.
- Challenges of using the cloud securely
- Using cloud services safely
- Protecting access to your cloud: tips for business
IONOS Cloud Compute Engine
Medium-sized and large companies choose the cloud from Germany. IaaS and PaaS are services for champions.
Challenges of using the cloud securely
As much convenience as the cloud offers, their use is still associated with taking risks. To minimize these, you first need to be familiar with the dangers.
Data security dangers
People keep repeating that there is no such thing as a completely secure cloud – but what exactly are the security dangers? The unfortunate answer: there are a lot. As well as potentially losing data (e.g., due to provider insolvency, technical breakdowns, or unexpected account blocking), risks consist primarily of unauthorized or unwanted access by third parties. But who would be interested in accessing that kind of data? These are the usual suspects:
- Data Thieves: One source of danger is people who want to make money or a career out of stolen data. All personal information is of value to data thieves, not just bank information. Even industrial espionage can be conducted through data theft from cloud storage that is inadequately secured.
- Hackers: Hackers test their skills by trying to penetrate company or public institutions’ security systems. Some then report the vulnerabilities to administrators if the attack is successful, and others collect information with criminal intent.
- Organs of the State: The NSA scandal revealed to the public how much access intelligence services have to citizens’ personal information. Other authorities can gain access to cloud data in suspect cases by court order. Therefore, infiltration by state institutions is also a cloud security risk.
- In-house personnel: Active or departed employees pose a potential security risk to companies because they can abuse their internal knowledge about cloud access or even become susceptible to extortion. To combat this, larger organizations, in particular, should maintain controlled management of their cloud services.
Special challenges facing companies
Individuals and companies who want to effectively protect their cloud access face difficult challenges. Individuals can improve their security through general privacy practices – cleverly chosen password or encrypted data – but businesses face a more complicated issue.
Unlike individuals, businesses do not work with a single cloud service. Instead, they use complex cloud-based IT infrastructures that are accessed by many different people. Cloud-computing is the generic term for these infrastructures and they are rarely hosted over local computers at the company office, but are accessed over the internet by staff members. Security issues pop up here in a variety of forms: Many employees access cloud services from different locations, and on different devices, which obviously leads to security becoming a technical challenge.
Cloud hosting is also becoming increasingly popular with businesses. Cloud hosting can be considered a part of cloud computing, meaning that data is no longer hosted on a physical server, but in a virtual cloud. In most cases, cloud servers can be adapted much more easily to a company’s needs than physical servers.
The challenge lies in identity management, which means keeping track of which employees are accessing data, and regulating what kind of access they have within the cloud. To facilitate a better workflow, companies are required to implement the different cloud accounts of their employees in a central user administration. Challenges like these arise when companies just use file-sharing services like Dropbox, which are then accessed by multiple employees, all of whom have individual access to data. The bigger your enterprise, the harder it is to implement identity management in a multi-cloud environment – and the more important the focus on security should be.
Using cloud services safely
When it comes to private individuals, the quality of cloud security depends on how well general data protection measures are implemented. For example, users should put extra effort into creating secure passwords, and should also pay attention to the server location of the cloud provider, fair use of the cloud provider, and data encryption standards.
Server location and company headquarter location
Users should find out what country the company headquarters and servers are in. The privacy and security situation in that country plays an important role in securing cloud services. Both aspects (headquarter and server location) decide what happens to the data stored in their cloud. Users should be sure to research this before choosing a provider to entrust their data.
If the servers are located in Canada, for example, you are subject to Canadian laws as an American user. The legal situation is very important, because government agencies may be able to access cloud data without the consent of a user. Different countries have different levels of legal data protection and there are ongoing international disputes concerning the issue. Therefore, it is important to do your research on what country your information will be hosted in before choosing.
The EU has exceptional international data protection laws, Germany especially. German cloud providers are among the most secure in the world. IONOS offers cloud storage, and it is even free for mobile and DSL customers. Another advantage: Useful apps for documents, photos, and music can be stored in the cloud to make access more convenient. You can even request individual folders offline.
As privacy from government agencies becomes more of a concern for users, American companies are increasingly storing European customer data on servers within the EU. However, this is only helpful to an extent – the fact that the company headquarters are located in the USA is a decisive factor in terms of data protection: even if an American company’s servers are located in Germany, they can still be obliged to provide personal user data to American authorities at their behest. As previously mentioned, this topic is still the subject of political and legal dispute.
Cloud providers’ privacy policies
Additionally, large IT companies typically have more resources available to extract cloud patterns from their accumulated data banks, and can create digital footprints for individual users or groups. These “digital footprints” can then be linked to those from their other services (e.g., Google can link to Search, Maps, Mail etc.) and the data then becomes even more valuable. If you want to avoid this, you should choose a smaller provider that charges a small fee for more data security.
Another important aspect of cloud security is data encryption: All data that you store online should be encrypted for your protection. There are many different encryption methods and they are sometimes very technically complex, resulting in users often relying on their cloud provider for encryption services. This means that you do not need the technical knowledge of how to do it yourself, but also that you may not be able to verify whether the measures are sufficient or not. Public cloud providers offer their users very little transparency in terms of what happens to their data.
Additionally, the number of external encryption programs for cloud data is growing. Programs like Cryptomator, CryptSync, or Boxcryptor can provide encryption independent to the cloud operator for an extra layer of data security. The market for encryption software has become somewhat confusing, but external encryption is worth it, because it makes using a cloud service much safer.
You should always create a backup of any particularly sensitive or valuable data. After all, data stored in the cloud can still be lost – whether through a forgotten password, a bankrupt provider or some other unforeseen circumstance. Important data should therefore also be stored offline. To help reduce the workload, we recommend a synchronization software like SyncBack.
Protecting access to your cloud: tips for business
Cloud security is much more complex for businesses than it is for individuals. Although the server location and having strong encryption are important, the biggest challenge for businesses is protecting cloud access among many employees while still managing the data efficiently.
This requires complex access management solutions for employee clouds: the company’s IT infrastructure is used by a diverse workforce, whose identities need to be authenticated and whose accessibility needs to be authorized within the cloud. Authentication and authorization are the key areas where well-protected company clouds excel. Here are some effective options:
Cloud Access Security Broker (CASB)
An on-trend solution for securing cloud usage is a Cloud Access Security Broker (CASB). CASB is a software specifically designed to control and protect cloud access. This relatively new form of cloud security is found between the cloud service and its users, acting as an external security gateway to the cloud. However, CASBs also have many extra features: they serve as monitoring and management tools within the cloud, provide information about irregular operations, and determine what action to take in the event of a security alert. CASB is a new set of software designed specifically for enterprise cloud-based workflows.
To ensure cloud security, CASB offer very different services: they can be used to regulate user authentication, encrypt traffic, block unwanted traffic, identify malware, activate alerts for suspicious actions, or integrate additional access requirements. The latter would mean, for example that a CASB needs to identify and allow the device that an employee wants to access the cloud from. These security measures are defined in advance and then enforced by the CASB. Many CASBs work with other security solutions such as encryption, multi-factor authentication, IAM (Identity and Access Management), or SIEM (Security Information and Event Management).
Thanks to these services, CASB is very much in line with current worldwide security requirements. The market research institute Gartner predicted that as early as 2020, 85% of all companies will use a CASB security service. In light of this, it is not surprising that many early CASB services have already been bought by larger IT companies: the Elastica service, for example, was bought by Blue Coat Systems (owned by Symantec) and Adallom was bought by Microsoft. This clearly shows how much potential there is in the industry sector – and also how current the topic of cloud security is.
For CASB services like CensorNet, Bitglass, Netskope, or CipherCloud to function smoothly, they need to be well integrated into the company’s existing infrastructure. This means that on the one hand, they need to be connected to the business’ user management, and at the same time, be deeply integrated in the clouds they need to protect. Many CASBs already support cloud-based services that are commonplace in everyday business life, like Microsoft 365, OneDrive, Box, Google Apps or Salesforce. However, they can also work with programs unknown to them.
To integrate CASB into a company network, there are different variants. CASB software is either cloud-based, or is operated locally. It integrates with the company’s IT infrastructure either as a central gateway or as an API application. Both variants have advantages and disadvantages: if the CASB is implemented as a gateway, it is located directly between the user and the cloud service. It is then switched on in the data stream and can directly block unwanted actions. A disadvantage of this variant, however, is that the cloud performance can be affected by the increasing workload. If a company has a large number of employees, API based solutions are an option. In this instance, the CASB is out of direct user cloud communication. Although the CASB cannot intervene directly in these actions, in does not have any impact on the cloud service performance.
Two or more factor authentication (2FA/MFA)
CASB are complex meta-solutions for cloud security, whereas different authentication methods are an important subcomponent. Authentication solutions handle the access control of a cloud service and control who is allowed to use it. In the meantime, companies often outsource authentication of their own services (identity providers). These are a third step between the cloud-provider and user: if an employee wants to use an IT service, he is first redirected to an identity provider, where he identifies himself, usually with a password. The identity provider or authentication method is critical to using cloud services securely.
An authentication method is especially secure if it works not just with a single password, but includes at least one extra parameter for authentication. This is referred to as multi-factor authentication. These are considered the most important measure to protect cloud access. It is recommended that companies have multi-step authentication processes. In addition to the combination of multiple keys (passwords), it is possible to use one-time passwords or to integrate objects into the authentication process (like a USB stick).
Managing cloud access does not just refer to authenticating employees, but also to different authorization rights. The word “authorization” describes the approval of usage rights within a cloud. These usage rights are assigned individually to each employee in the multi-user environment of a company, usually by one or more administrators. For example, authorizations regulate who can make changes to settings, who has access to subdirectories, who is subject to limited access times, or who has viewing rights without document change rights.
To use cloud services securely, organizations should have dynamic authorization procedures: Authorization should be personalized and up-to-date so that each employee can only view and work on data that is strictly relevant to their role in the organization (least privilege principal). Authorizations should therefore be role-based and regularly reviewed. If an employee leaves the company, all authorizations must be revoked.
Authentication controls which people have access to a cloud. Authorizations, on the other hand, define what resources people in a cloud can use. Open security protocols exist for both areas of cloud security: OpenID is for remote user authentication, OAuth ensures secure desktop or web application authorization.
Protecting the company network
To be able to provide the necessary IT security, companies must not just protect individual services, but also the surrounding structure (the company network). This is especially important as soon as a company starts working with cloud services. After all, employee passwords can also be skimmed off using an inadequately secured company network – and stolen passwords are still the most common way of gaining unauthorized access to the cloud.
Larger companies that work with more complex networks should be protected by their internal network by outsourcing security devices such as the firewall, or virus protection. An external firewall (also called a hardware firewall) has the advantage that it was specifically designed to control the connection between two networks and prevent unauthorized network access.
Ensure central identity management
IT and cloud security is a real challenge, especially for large companies that employ people in many different cities and countries. If these companies want to make their workflow cloud-based, they need to unify and centralize their employees’ identities. While smaller organizations often rely on external security services for centralized identity management, larger organizations tend to build their own infrastructure. And, while younger companies have relied on cloud services right from the start, traditional companies need to rebuild. Creating secure central identity management is another important task in providing well protected cloud storage.
To create a successful conversion, and for the employee identities to be securely merged into one central structure, an additional “integration layer” is required, which is then fed into the networks’ system architecture. It bundles employee identity information and allows the data to be centrally administrated. By implementing a merging integration layer, it is also possible for large companies to safely switch to the use of cloud services.