Cloud services open up new possibilities for innovative business models and efficient processes. The competitiveness of companies and financial service providers improves with lasting effect when functionality is systematically migrated from on-premise systems to a cloud or multi-cloud environment. A multi-cloud strategy can thus make a significant contribution to innovation and added value. At the same time, however, companies must ensure that the right measures are taken and that they keep control of their cloud use. The use of cloud services currently goes hand in hand with legal and regulatory uncertainties that can stand in the way of a migration to the cloud. In this blog post, we show you how to overcome these challenges.
We all use cloud services every day, although we may not always be aware of it: sending emails, using software packages from the cloud, streaming music or films, or storing and sharing data via the cloud. Naturally, businesses also want to benefit from what works so well in private life. Today, however, that comes with challenges: legal and regulatory uncertainties, and sometimes doubts as well.
Cloud for all? Yes!
With the cloud, the time to market for innovative products and services can be shortened and competitiveness increased. New technologies such as artificial intelligence can be consumed as a service on the provider's infrastructure, without any major investment in hardware of your own. Access to huge data pools and the corresponding processing power makes it possible to analyse large volumes of data in real time. In the development and testing of new applications and systems, the cloud brings efficiency gains and creates cost transparency. Building up or procuring the relevant skills and resources is often no longer necessary. Migration to a cloud is therefore also appealing to smaller companies, since previously inaccessible technologies become available to everyone. It is precisely these companies that increasingly struggle to keep up with the growing demands of IT operations (IT security, patching, lifecycle management of the IT infrastructure). That is why infrastructure and services are being moved to the cloud more and more frequently, in spite of some concerns and regulatory uncertainties.
The world does not use just one cloud, it uses many!
Strictly speaking, in most cases it is not actually one cloud but increasingly multi-cloud and hybrid-cloud environments. According to the 2019 State of the Cloud survey by RightScale, 84% of companies have already defined a multi-cloud strategy. The important thing to note: No matter how many clouds, security should never be neglected!
This is the case in the banking sector in particular. That is why, in March 2019, a legal and regulatory guide for the use of cloud services by banks and securities dealers was drawn up under the guidance of the Swiss Bankers Association (SBA). The good news for you: this guide is also useful for non-financial service providers. It provides recommendations for the entire cloud lifecycle, from evaluation, procurement and operation through to exit. We have briefly summarised its four areas for action here:
4 key factors for a secure cloud
- Selecting and changing cloud providers and suppliers
When selecting a cloud provider and its sub-suppliers, data confidentiality and security must be an integral part of the underlying due diligence. Economic stability should not be forgotten either. Beyond performance criteria, it must also be clarified whether the cloud provider is willing to contractually accept the substantial obligations arising from the applicable data protection legislation or industry regulations.
- Protecting confidential data in the cloud
Where confidential information or personal data is processed within the framework of the cloud services, the applicable security guidelines and data protection laws must be observed. This means taking into consideration technical, organisational and contractual aspects.
- Auditing the cloud service and the resources used
Compliance with the statutory, regulatory and contractual requirements applicable to the cloud provider must be checked regularly; this includes, in particular, requirements regarding outsourcing, data protection and information security. Bear in mind that an audit is only a snapshot of the security situation at one point in time, which is why it has to be repeated. Audits may be performed by the company itself or by independent third parties. In most cases a logical review of the infrastructure (documentation, configuration and evidence) is sufficient, but an on-site physical inspection may be added. Key sub-suppliers may be audited indirectly via the cloud provider's own audit. We described one way of managing supply chain risk, and thus your suppliers and sub-suppliers, in detail in a previous blog post.
- Transparency and collaboration with cloud providers in the area of official and judicial measures
In the financial environment in particular, there is the added issue that requests from authorities or legal proceedings may require the disclosure or transfer of protected information that is processed in the cloud. Foreign legislation may also oblige the cloud provider to disclose data. Where legally permissible, protected information should therefore only be handed over to foreign authorities on the basis of a written decision by a Swiss court with the appropriate jurisdiction, or with the consent of a Swiss authority.
Cyber security in the (multi or hybrid) cloud
You see: when it comes to cloud cyber security, the priority is risk management. Cloud computing, and hybrid cloud in particular, relies on application programming interfaces (APIs), new data flows, complex network configurations and the like, and these create new types of threat. Hybrid and cloud computing is not in itself any more or less secure than on-premise infrastructure, however. A complex system such as a hybrid cloud still has to be managed, and that requires new tools and procedures: the conventional safeguards of a network perimeter are no longer sufficient on their own. Hybrid cloud infrastructures therefore place additional security demands on businesses. The major ones are:
- Maintaining an overview of the entire environment, incl. all workloads with the cloud providers.
- The cyber resilience against attacks must be extended to all cloud components.
- With regard to risk management, the added complexity and the dependency on cloud service providers must be taken into account.
- Vulnerability management of the cloud components: workload, container, services, interfaces, data transfer, authentication, etc.
- Incident detection and management must be extended to the cloud components.
- Good governance and compliance with standards and regulations must remain ensured and must be traceable.
- Secure access to and in the cloud environment by the various parties involved (user, supplier, provider, etc.) must be ensured and monitored.
- Protection of the data within the cloud and in transit to and from the cloud must be ensured (in accordance with data protection legislation, regulations and industry guidelines). The key measures here are anonymisation, pseudonymisation and encryption. A cloud access security broker (CASB) can play an important role in enforcing them.
- The cyber security of cloud providers, services and containers must be audited regularly.
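Pseudonymisation is the item in the list above that is most often done wrong, so here is an added example (our own illustration for this post, not code from the SBA guide or from any product mentioned on this page) of the difference between an unkeyed hash and a keyed pseudonym computed on-premise before data is sent to a cloud service. The customer identifiers, the key and the helper names are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample identifiers: the kind of personal data that must not
// leave the on-premise perimeter in clear text. Real identifiers would be
// read from the source system.
var sampleCustomers = []string{
	"anna.muster@example.ch",
	"beat.beispiel@example.ch",
	"carla.test@example.ch",
}

// weakPseudonym replaces the identifier with an unkeyed SHA-256 hash. It
// looks opaque, but e-mail addresses, IBANs and phone numbers have little
// entropy: whoever obtains the hashes can re-hash guessed identifiers and
// compare, so this is not effective pseudonymisation.
func weakPseudonym(id string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(id))))
	return hex.EncodeToString(sum[:])
}

// keyedPseudonym uses HMAC-SHA256 under a secret that stays on-premise (or
// in a customer-controlled HSM/KMS). The pseudonym is still deterministic,
// so the cloud side can join and aggregate on it, but without the key a
// guessed identifier cannot be confirmed.
func keyedPseudonym(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(id))))
	return hex.EncodeToString(mac.Sum(nil))
}

// dictionaryAttack models an attacker who has obtained a pseudonym from the
// cloud side and tries candidate identifiers against it, the way unkeyed
// hashes are routinely reversed.
func dictionaryAttack(pseudonym string, guesses []string) (string, bool) {
	for _, g := range guesses {
		if weakPseudonym(g) == pseudonym {
			return g, true
		}
	}
	return "", false
}

// reidentificationTable is kept on-premise only: it is the sole way back
// from a keyed pseudonym to the original identifier.
func reidentificationTable(key []byte, ids []string) map[string]string {
	table := make(map[string]string, len(ids))
	for _, id := range ids {
		table[keyedPseudonym(key, id)] = id
	}
	return table
}

func main() {
	// Constructed demo key; in production it comes from a KMS/HSM.
	key := []byte("constructed-demo-key-keep-on-premise")

	leaked := weakPseudonym(sampleCustomers[0])
	id, ok := dictionaryAttack(leaked, sampleCustomers)
	fmt.Printf("unkeyed hash re-identified: %v (%s)\n", ok, id)

	p := keyedPseudonym(key, sampleCustomers[0])
	_, ok = dictionaryAttack(p, sampleCustomers)
	fmt.Printf("keyed pseudonym re-identified without key: %v\n", ok)

	table := reidentificationTable(key, sampleCustomers)
	fmt.Printf("on-premise re-identification: %s\n", table[p])
}
```

Two caveats: a keyed pseudonym remains personal data as long as the key and the re-identification table exist, so this is pseudonymisation, not anonymisation, in the sense of data protection law; and the key must stay outside the cloud provider's reach (on-premise or in a customer-controlled HSM), otherwise the provider could re-identify every record.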
Cloud security is only possible with collaboration
For you, this means new challenges, in particular because compliance requirements are becoming increasingly stringent. Yet it is precisely maintaining compliance, and producing evidence of it, that can be difficult with a hybrid cloud. It is not enough to show that on-premise, public cloud and private cloud each meet the standard on their own; you also have to show that the interfaces and data flows between the clouds are controlled and secure.
Multi-cloud environments require a platform-independent and standardised approach to security. A key principle here is shared responsibility. The shared responsibility model, under which the cloud service provider is responsible for the "security of the cloud" and the client for "security in the cloud", has proven its worth. The provider is responsible for the operation and security of the physical environment and of the platform it offers; the client is responsible for what it puts on that platform. Where exactly the line falls depends on the service model: with IaaS the client still hardens and patches the operating systems and configures the network, while with SaaS the client is mainly left with identities, access rights, data classification and the configuration of the service. Identity and access management, the protection of its own data and the secure configuration of the services it uses always remain with the client, and the contract should spell out the split for each service used.
Workload portability challenge
In the cloud, it is not only the traditional attack scenarios that matter; workload portability and multi-tenancy pose challenges of their own. Workloads in particular require security strategies that keep pace with constantly evolving and ever-increasing threats. Starting new workloads easily is a key advantage of the hybrid cloud, but it also brings security risks: workloads can be moved and run on different platforms and environments, from local to private and public infrastructure, with very little effort. Traditional approaches to security quickly reach their limits here, not least because of containers and microservices. To ensure container security, the following points must be taken into account at a minimum:
- Defence in depth as the guiding paradigm, covering the entire lifecycle of the application, workload or software
- Ongoing vulnerability management and compliance across the entire application lifecycle
- Integration in the development cycle to prevent weaknesses from development getting into production
- The security of the registry and container runtime environments must be continually monitored
- Support for the organisation (clear roles, responsibilities and processes for container security)
- Protection of running applications with native cloud firewalls (layer 3 – layer 7)
- Runtime defence and access control
To ensure container security throughout the entire application lifecycle, it is worth using a dedicated platform such as "Twistlock". Twistlock is the leading platform for full-stack and full-lifecycle container and cloud-based cyber security for teams using Docker, Kubernetes and other native cloud technologies. You can find out more about this subject on our website.
For companies using DevOps, this can be particularly difficult. Incorporating security into an approach that focuses on rapid development and delivery is a challenge, and security is forgotten far too quickly when schedules are tight. DevSecOps methods, which integrate security into the development process and rely on frequent, fully automated deployment, make it possible to apply patches early and thus improve security. Note that DevSecOps does not patch running systems in place: the patch goes into the templates (container images, infrastructure code) from which the workloads are generated, the workloads are rebuilt from the updated templates, and the rebuilt workloads are rolled out to production, replacing the running instances.
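The container lifecycle points above and the "patch the template, not the running system" point from the preceding paragraph can be turned into a deployment-time policy. The following is an added example of such a check written for this post; it is not code from Twistlock or from any other product named here. The trusted registry name, the manifests and the image digest are constructed, and the policy covers only a tiny subset of a real Kubernetes Pod spec.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Minimal subset of a Kubernetes Pod spec: just the fields the policy reads.
// Real manifests carry far more; the constructed examples below set only these.
type SecurityContext struct {
	RunAsNonRoot           *bool `json:"runAsNonRoot,omitempty"`
	Privileged             *bool `json:"privileged,omitempty"`
	ReadOnlyRootFilesystem *bool `json:"readOnlyRootFilesystem,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	Image           string           `json:"image"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	Containers []Container `json:"containers"`
}

// Registry prefixes whose images went through the pipeline (build, scan, sign).
// Hypothetical value; replace it with your own registry.
var trustedRegistries = []string{"registry.example.ch/"}

// An image reference is immutable only when it ends in a content digest.
var digestRef = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

func isTrue(b *bool) bool { return b != nil && *b }

// checkPod returns one finding per violated rule; no findings means admit.
func checkPod(spec PodSpec) []string {
	var findings []string
	for _, c := range spec.Containers {
		trusted := false
		for _, r := range trustedRegistries {
			if strings.HasPrefix(c.Image, r) {
				trusted = true
			}
		}
		if !trusted {
			findings = append(findings, c.Name+": image is not from a trusted registry")
		}
		// A tag such as :latest is mutable: what runs can silently differ from
		// what was scanned. A patch goes into a new image with a new digest.
		if !digestRef.MatchString(c.Image) {
			findings = append(findings, c.Name+": image must be pinned by digest, not by tag")
		}
		sc := c.SecurityContext
		if sc == nil || !isTrue(sc.RunAsNonRoot) {
			findings = append(findings, c.Name+": runAsNonRoot must be true")
		}
		if sc != nil && isTrue(sc.Privileged) {
			findings = append(findings, c.Name+": privileged containers are not allowed")
		}
		// A read-only root filesystem rules out "patching" a running container;
		// the fix has to go into the template and be rolled out.
		if sc == nil || !isTrue(sc.ReadOnlyRootFilesystem) {
			findings = append(findings, c.Name+": readOnlyRootFilesystem must be true")
		}
	}
	return findings
}

// checkPodJSON parses the "spec" object of a manifest and applies the policy.
func checkPodJSON(manifest string) ([]string, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(manifest), &spec); err != nil {
		return nil, err
	}
	return checkPod(spec), nil
}

// Constructed manifests: a typical developer first draft and its hardened form.
const draftManifest = `{"containers":[{"name":"api","image":"docker.io/library/nginx:latest"}]}`

const hardenedManifest = `{"containers":[{"name":"api",
  "image":"registry.example.ch/payments/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
  "securityContext":{"runAsNonRoot":true,"privileged":false,"readOnlyRootFilesystem":true}}]}`

func main() {
	for _, m := range []string{draftManifest, hardenedManifest} {
		findings, err := checkPodJSON(m)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

In a cluster this logic would sit in an admission controller (or an equivalent policy engine) so that a workload that is unpinned, runs as root or is privileged never reaches production; the same rules belong in the CI pipeline so that developers see the findings before they push.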
Do not forget the multi-tenancy of cloud providers!
Enough of requirements and regulations? We get it, but there is one more important point that must not be overlooked. Cyber security and data protection requirements also have to be met when a cloud is shared with other customers (multi-tenancy). In other words, data belonging to the various tenants must remain separated even though IT resources such as storage and processing power are shared. In practice this is implemented, for example, with a finely grained permission system and separate encryption keys for each tenant. In addition, availability problems, data loss or security flaws affecting another tenant must not affect your own company.
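As an added illustration of the "fine-grained permissions plus separate encryption per tenant" point (our own example for this post, not code from any cloud provider or product mentioned on this page): each tenant gets its own data key derived from a master key, every record is cryptographically bound to its tenant ID, and data is reachable only through an authorisation check. The master key, the principal directory and the sample record are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed master key. In production this lives in the provider's KMS or
// in a customer-held HSM (BYOK) and is never in source or in the workload.
var masterKey = []byte("constructed-32-byte-master-key!!")

// tenantKey derives an independent AES-256 key per tenant from the master key
// (HMAC-SHA256 used as a KDF with the tenant ID as the label). Compromise of
// one tenant's key reveals nothing about any other tenant's key.
func tenantKey(tenantID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("tenant-data-key/v1/" + tenantID))
	return mac.Sum(nil) // 32 bytes
}

func tenantAEAD(tenantID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tenantKey(tenantID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one record under the tenant's key. The tenant ID goes in as
// additional authenticated data, so a ciphertext relabelled for another
// tenant fails authentication regardless of the key. Output: nonce || ciphertext.
func seal(tenantID string, plaintext []byte) ([]byte, error) {
	aead, err := tenantAEAD(tenantID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(tenantID)), nil
}

func unseal(tenantID string, sealed []byte) ([]byte, error) {
	aead, err := tenantAEAD(tenantID)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(tenantID))
}

// Principal-to-tenant binding: the fine-grained permission layer. Constructed
// directory; in practice this comes from the identity provider.
var principalTenant = map[string]string{
	"alice@bank-a": "bank-a",
	"bob@bank-b":   "bank-b",
}

// readRecord is the only path to tenant data: authorisation first, then
// decryption under that tenant's key. Even if the check were bypassed by a
// bug, the data would still be unreadable under the wrong tenant's key.
func readRecord(principal, tenantID string, sealed []byte) ([]byte, error) {
	if principalTenant[principal] != tenantID {
		return nil, errors.New("forbidden: " + principal + " is not a member of tenant " + tenantID)
	}
	return unseal(tenantID, sealed)
}

func main() {
	record := []byte("account CH93 0000 0000 0000 0000 0, balance 1250.00") // constructed
	sealed, err := seal("bank-a", record)
	if err != nil {
		panic(err)
	}
	if pt, err := readRecord("alice@bank-a", "bank-a", sealed); err == nil {
		fmt.Println("own tenant:", string(pt))
	}
	if _, err := readRecord("bob@bank-b", "bank-a", sealed); err != nil {
		fmt.Println("cross-tenant read:", err)
	}
	if _, err := unseal("bank-b", sealed); err != nil {
		fmt.Println("wrong tenant key:", err)
	}
}
```

In a real deployment the master key would be held in a KMS or a customer-owned HSM and tenantKey would become a KMS call, and the principal-to-tenant mapping would come from the identity provider. The point of the example is that isolation does not rest on the permission check alone: a record encrypted under one tenant's key fails authentication under any other tenant's key, so a bypassed check still yields nothing readable.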
We shed light on your existing cloud use
Use of the cloud (or of multiple clouds) is a critical success factor, not only for individual companies but for Switzerland as a business location. So don't be put off by the challenges! If you follow the requirements and regulations, hybrid and multi-cloud environments offer huge potential that you should take advantage of.
Do you know which cloud services are already being used within your company? In our experience, cloud services are often being used for specific projects or within certain departments that IT knows nothing about. Our cloud access audit will give you complete transparency, thereby highlighting the associated risks clearly and concisely.