Volume 1 [3] deals with the basics of cloud technology as well as the necessary, mainly organizational adjustments in the areas of governance, compliance, risk and the information security management system (ISMS).
Volume 2 takes an in-depth look at cloud technology and shows best practice for measures to be able to use cloud technology securely.
In the first step, the available cloud architectures are described and measures are discussed as to how security can be guaranteed for the respective type of architecture.
The following section deals with frameworks that deal with the topic of cloud security. It also answers the question of which frameworks can be used for one's own security considerations and how.
The focus of this book is the description of technical and organizational measures to achieve security when using cloud technology. This is done in relation to the respective cloud architecture. In addition, recommendations regarding cloud deployment models and cloud architectures are discussed from the perspective of information security.
To start with the topic of cloud security best practice, first consider how cloud technology should be introduced into the company. As already described in Volume 1 Cloud Security Basics [3], the decision to use cloud technology is a management task. With the decision, a multitude of tasks have to be solved. These stem from the area of compliance, and are also of a technical and organisational nature.
Compliance
The considerations on governance, risk and compliance are discussed in detail in Volume 1 Cloud Security Fundamentals [3]. Therefore, the topics to be clarified and ensured are only summarised here:
Governance
With the use of cloud technology, governance must be adapted. New guidelines are needed to be able to use the technology sensibly. A changed corporate culture towards a fault-tolerant culture is required. The manifold changes in the company processes, the organisation and the technology can only be implemented meaningfully in a fault-tolerant and agile environment.
Risk
With the use of cloud technology, risk must be expanded to include the area of cloud risk. The main issues to be considered are
In its current "Explanations on Cloud Computing" (FDPIC 2019) [15], the Federal Data Protection and Information Commissioner (FDPIC) describes its position on compliance.
For example, it must be taken into account that data is stored outside of Switzerland and that data comes into the sphere of influence of foreign states and foreign authorities. This requires an examination of how consumer data protection and data security are guaranteed and how other legal provisions are complied with.
Examples of this are the obligation to retain or provide evidence or compliance with confidentiality obligations [15].
If personal data are stored and processed, then the consumer must ensure compliance with existing data protection laws. For example, data security must be guaranteed, and confidentiality, availability and integrity as defined in the Data Protection Act [15] must be ensured. In addition, the consumer must ensure that the right of access and the right to delete and correct the data are guaranteed at all times [15]. Finally, the consumer should not only consider the situation with the cloud provider, but also include all possible sub-providers.
One particular consideration relates to the US government's CLOUD Act of 2018 [3].
On 23 March 2018, the US government signed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). According to this act, all US companies are obliged to give US authorities access to stored data, even if the storage location is not the USA. US companies are prohibited from informing their customers if their data has been accessed. The CLOUD Act also allows US foreign companies to access data stored by US companies abroad. [3]
Technical measures
As part of the technical measures, it must be clarified which systems and services of the existing IT can be migrated to the cloud and how. From a technical point of view, it is also important to consider whether services are to be newly created on the basis of the new technology or transferred to the cloud technology in an intermediate step.
As already mentioned, with the increasing use of public cloud technology, the internet becomes a mission-critical component. Consequently, the company needs technical solutions to provide redundant and independent access to the cloud, with the required quality features such as availability and available bandwidth.
As described later in this book, new technologies are needed for the processes of development and provision of services, for monitoring, etc. Depending on the chosen cloud model and also on security-relevant considerations, it is necessary to technologically solve how and in which architecture these technologies are provided.
Organisational measures
The company is facing a variety of changes. (From [3])
First of all, it must be clear that a new technology is being introduced with the cloud. It is important to get to grips with this new technology. Learn to understand the philosophy of the cloud providers on the market, understand how the respective cloud provider makes its services available and which roadmap the cloud providers see for their services. In addition, the company has to get to grips with the respective cloud objects of the providers. What structures are offered and how can the company best use them for itself? Is it IaaS, PaaS or SaaS, or a combination of all of them? The new technology also requires the development of new skills for the employees in the company. In IT operations, new skills and methods must be developed in dealing with IaaS, PaaS, SaaS and possibly with container technology. The tools of the respective cloud providers must be known in order to be able to configure and possibly administer the cloud services. The development team also has to get to grips with the new technologies. Container technology in particular means new challenges for software development.
Overall, the path to the cloud presents the company with new challenges. It is necessary to deal with the new technology, to develop the readiness, to develop new methods, to adapt to the philosophy of the cloud providers. However, it must be ensured that the previous services are available to the business in the usual quality and the existing processes must be adhered to despite the transfer of services to the cloud technology. Finally, the management must find ways and methods to use the cloud technology securely in terms of compliance and information security.
The company must be ready to adopt a new dynamic. The processes must be able to follow the dynamics of the changes of the cloud providers. The employees, and this is not only true for IT operations and software development, must also be ready to follow the new dynamics.
Overall, this leads to the company adapting its governance and establishing new rules of conduct. In addition, new processes are defined.
Finally, there must be clarity that the transition to cloud technology requires a transformation phase. The path away from the existing processes and infrastructures to the new services and structures must be planned and implemented. This means changes and uncertainties, not only in the processes, but also among the employees. Many of the employees...