Lots of organizations today rely on cloud services to conduct their business. Due to the increasing complexity of cloud environments, assessing their IT security level is growing more and more demanding for companies. Especially when sensitive customer or company data is processed in the cloud, security issues must be continuously addressed with current and sustainable solutions – a major challenge for many companies. Dr. Kai Schubert has been accompanying organizations on their way to the cloud for many years. We asked him about security issues and concerns.
Kai, you are a cloud security consultant and a critical observer of cloud solutions at the same time. How does that go together?
Kai Schubert: I have been fascinated by the possibilities of cloud computing for a long time. On the other hand, I have been dealing with issues such as privacy and data protection for much longer. Here, the use of cloud computing is still controversial. Unresolved legal issues are one of many reasons. US providers, who strongly dominate the market, are obliged by the CLOUD Act to guarantee US authorities access to stored data even if the storage does not take place in the States. This contradicts European law in parts, such as the General Data Protection Regulation (GDPR). A specific example: for private communication, I use messengers like Signal, which are usually easier and more secure than e-mails in everyday life. However, an app like Signal itself uses the cloud services of Amazon, Microsoft and Google and would hardly be conceivable in its current form without them. So I have a certain ambivalence and critical distance to the whole thing – both of which help me in the productive discussion and further development of the topic of cloud security. And it is part of my self-image as an independent consultant and auditor who wants to accompany our customers on their way to the cloud and make its use more secure.
Why do you think security is so important when it comes to the cloud?
KS: The number of our customers who are establishing cloud computing as a central technology is increasing. However, cloud projects often fail to consider that the outsourcing company is and will always remain responsible for the security of the data and the applications operated there. This misunderstanding leads, for example, to an application operated in the cloud being checked for security while the configuration of the cloud services themselves is not taken into account, so that vulnerabilities remain undetected. Attackers can then exploit these vulnerabilities to gain control of the environment running in the cloud and thus access to sensitive data. This attack vector represents an enormous risk for companies.
How can companies protect themselves against this risk?
KS: As already mentioned, despite outsourcing, a company remains responsible for configuring the cloud services itself, i.e. it must do this itself. In addition, it must adapt existing technical and organizational company processes or, if necessary, even set up new ones. At regular intervals, the cloud configuration and associated processes must also be checked for up-to-dateness, correctness and other security aspects. In all these steps, various aspects of IT security must be taken into account. Appropriate experience and specialist know-how are absolutely essential for this.
How can you support companies here?
KS: On the one hand, we advise companies that are planning a migration to the cloud or have already done so on all IT security issues. On the other hand, we carry out security audits of the cloud environment after the migration has been completed, in the event of changes to the environment, and ideally at regular intervals. Together with our client, we determine the depth and scope of the assessment in each project based on their individual wishes, needs and risks. In recent years, we have developed various test procedures for this purpose, which enable us to identify cloud-specific risks and vulnerabilities in the configuration at an early stage. This enables us to ensure that our clients comply with a wide range of requirements – as well as their partners and service providers. We base all our assessments on internationally recognized security standards and best practices, such as the benchmarks of the Center for Internet Security (CIS). We also take into account recommendations from the cloud service providers themselves and, of course, our clients’ own company specifications.
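As an added, self-contained illustration of the kind of cloud-configuration check the interview refers to (this is not the interviewee's or his firm's own test procedure and is not part of the original interview), the script below runs two checks in the spirit of the CIS AWS Foundations Benchmark over inventory documents: no security group may allow ingress from the whole internet to remote-administration ports, and every storage bucket must have all four "block public access" settings enabled. The documents imitate the JSON shapes returned by the AWS CLI for `ec2 describe-security-groups` and `s3api get-public-access-block`, but the group IDs, bucket names and rules are constructed here so that the script runs offline without credentials. This is exactly the layer that an application-only security test does not look at.

```python
"""Offline, CIS-style configuration checks over constructed cloud inventory data.

Added illustration, not the interviewee's or any vendor's tooling. The input
documents mimic AWS CLI output shapes but are constructed for this example.
"""
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    detail: str


# Constructed sample (ec2 describe-security-groups shape): the first group exposes SSH
# to the internet over IPv4, the second allows everything from the internet over IPv6.
SECURITY_GROUPS_JSON = """
{
  "SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-admin",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-internal",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
       {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
  ]
}
"""

# Constructed sample (s3api get-public-access-block shape), keyed by bucket name.
BUCKET_PAB_JSON = """
{
  "customer-exports": {"PublicAccessBlockConfiguration": {
      "BlockPublicAcls": false, "IgnorePublicAcls": false,
      "BlockPublicPolicy": true, "RestrictPublicBuckets": true}},
  "build-artifacts": {"PublicAccessBlockConfiguration": {
      "BlockPublicAcls": true, "IgnorePublicAcls": true,
      "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}
}
"""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_world_open(cidr: str) -> bool:
    # Any /0 range (IPv4 or IPv6) is world-open, not only the literal "0.0.0.0/0".
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers_port(rule: dict, port: int) -> bool:
    if rule.get("IpProtocol") == "-1":        # "-1" = all protocols, all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def check_security_groups(doc: dict) -> list[Finding]:
    """Flag ingress rules that open a remote-administration port to the whole internet."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not _is_world_open(cidr):
                    continue
                for port, name in ADMIN_PORTS.items():
                    if _rule_covers_port(rule, port):
                        findings.append(Finding(sg["GroupId"], "sg-admin-port-world-open",
                                                f"{name} ({port}/tcp) open from {cidr}"))
    return findings


def check_bucket_public_access(doc: dict) -> list[Finding]:
    """Flag buckets where any of the four public-access-block settings is disabled."""
    findings = []
    for bucket, cfg in doc.items():
        pab = cfg.get("PublicAccessBlockConfiguration", {})
        disabled = [k for k in PAB_SETTINGS if not pab.get(k, False)]
        if disabled:
            findings.append(Finding(bucket, "s3-public-access-block-incomplete",
                                    "disabled: " + ", ".join(disabled)))
    return findings


def audit() -> list[Finding]:
    """Run all checks over the constructed inventory and return the findings."""
    return (check_security_groups(json.loads(SECURITY_GROUPS_JSON))
            + check_bucket_public_access(json.loads(BUCKET_PAB_JSON)))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.resource}: {f.check}: {f.detail}")
```

Against real accounts the two JSON constants would be replaced by the CLI output (or an SDK call) for every region and every bucket; the check logic stays the same. Note that the all-protocols rule (`"IpProtocol": "-1"`) from `::/0` produces a finding per administration port, which is intentional: each open port is a separate exposure to fix.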