Cloud security - highly relevant and yet neglected by many companies. Why?
by Svenja Koch
Data security in the cloud - a topic that should be a top priority for more and more companies as digitalisation progresses. It should - because according to a study by Thales, an overwhelming proportion, namely 80%, of German companies even forgo basic encryption of sensitive data stored in the cloud. At the same time, cybercriminal activities are increasing significantly, as the current BSI situation report, among others, drastically expresses. The question that arises: Why do so many companies forego cloud security? We set out to find the answers.
Data security in the cloud begins with data protection
Cloud security means not only reliably protecting the data stored on online storage from criminal access, but also complying with data protection regulations. The General Data Protection Regulation places high demands on the protection of personal data - at the same time, most cloud providers have their location and infrastructure in the USA. In some cases, this can lead to conflicts of interest, because all data stored in the USA is subject to the so-called Patriot Act. The Patriot Act stipulates that all data must be submitted to the US government in the event of reasonable suspicion.
To be on the safe side and to maintain cloud security also in terms of the GDPR, you should:
- Whenever possible, choose a server location in Germany or Europe.
- Make sure to take advantage of options for data encryption and anonymisation
- Check whether the cloud provider can provide certificates confirming legally compliant handling of the stored data
Data protection in a cloud environment can therefore be ensured with quite little effort. An important protection component that must not be neglected under any circumstances!
No uniform approaches to data security in the cloud discernible
According to the Thales study mentioned at the beginning, 17 % of the German companies surveyed host their sensitive data in the cloud. Even if some trends for securing data in the cloud are recognisable across companies, there is still a lack of a uniform strategy. Almost a third of the companies surveyed use multi-factor authentication - but only 20% of German companies encrypt more than half of their data in the cloud. And even if the data is encrypted, 34 % of companies trust their cloud provider with the keys instead of taking data security into their own hands. The problem with the lack of a uniform strategy for data security in the cloud: if the majority of companies do not value encryption, possible access points would have to be focused on. This, however, remains absent. Zero-trust strategies as effective protection are not an issue for most companies in Germany. Yet, according to Sebastien Cano, Senior Vice President at Thales, "robust security strategies are essential to ensure the security of data and business processes."
Cloud security often fails due to complexity
While companies lack a common security strategy, they are largely in agreement on one point. Dealing with data protection and data security in the cloud is much more complicated than with in-house solutions. More than half of the German companies surveyed in the Thales study said they prefer hybrid solutions to a complete switch to cloud approaches. This non-uniform infrastructure in combination with increasing introductions of cloud-based solutions leads to a further increase in complexity in terms of security.
Multi-cloud: practical, but unfortunately also a real challenge for data security
Many companies, also in Germany, are increasingly relying on multi-cloud models. This means that not only one cloud provider is used to store the data, but several. While company data is stored with one provider, services from other providers, such as Microsoft Azure, are used for user administration or service control. However, multiple providers also mean a further increase in complexity in the area of management - and also increasing demands on IT security.
Do not leave cloud security to the cloud services
Cloud service providers are responsible for the physical security, reliable power supply and permanent connectivity of their data centres. In addition, many providers offer rudimentary protection against cyber attacks - but this is far from sufficient. However, companies that rely on this basic protection are acting grossly negligent! Because even if the company data is stored by an external provider, thus freeing the company from expensive acquisition and maintenance costs for data centres or server racks: The responsibility for sustainable cloud security always remains with the respective company. Encryption, access controls or multi-factor authentication should therefore always be implemented in addition to the basic protection. This is the only way to ensure data protection and data security in the cloud.
When cloud security is torpedoed by your own employees
Transferring a file to a customer via file sharing or storing sensitive data in a cloud not authorised by the company is a widespread bad habit in many companies. Of course, fast, largely barrier-free data transfer is practical and can be carried out quickly even by employees with little technical experience. However, careless handling of company data harbours immense problems. With digitalisation, "shadow IT" is increasingly becoming a threat to cyber security. One thing above all helps here: education. Only if all employees are aware of the dangers of uncontrolled file sharing or the use of unauthorised (and thus also unsecured) cloud storage services, can a safe use of the cloud in a company succeed. In addition, security solutions are required that protect sensitive company data both at the storage location and during transmission, and of course also at the end points.
Focus on data security in the cloud right from the start
The German Federal Office for Information Security (BSI) has summarised the minimum requirements for secure cloud computing in its Cloud Computing Compliance Criteria Catalogue (C5). The criteria catalogue was first published back in 2016 and has been continuously updated and supplemented since then. The criteria catalogue is an extremely effective tool for orientation in the context of selecting a cloud provider. Cloud services that implement the C5 criteria and then have their implementation certified by certified auditors can gain an attractive competitive advantage. Conversely, companies that choose a cloud service provider certified according to C5 criteria benefit from an increased level of data security in the cloud. However, this does not release them from the obligation to implement their own risk management in the company!
"My company is so small, who wants my data?"
This or similar objections are often heard from owners or managers, especially of small companies. It is precisely here that IT security usually plays a very subordinate role - if it exists at all. However, it is a fallacy that cyber criminals primarily target the "big players", i.e. large corporations or globally operating medium-sized companies. On the contrary, small companies in particular are increasingly becoming victims of cyber attacks of all kinds. If sensitive data is also stored in the cloud, disaster is almost pre-programmed. Because cyber criminals know exactly who is worth attacking the data of - and these are also, and especially, poorly or not at all secured small businesses.
More data security in the cloud with external professionals
The lack of skilled workers, financial bottlenecks or carelessness: there are many factors that prevent cloud security in a company. If there is a lack of in-house resources and internal IT specialists, an all-round secure use of the cloud is nevertheless possible. External service providers specialised in cyber security, such as secion GmbH, secure cloud access around the clock and 365 days a year. With customised security solutions, security service providers enable reliable protection of sensitive data - and prevent cyber attacks, blackmail attempts or espionage.
Conclusion
Data security in the cloud has become more important than ever before in the course of digitalisation. More and more companies are turning to cloud providers to store and process their data. The advantages are obvious: reduced costs, location-independent access to all relevant data and acceleration of work processes. However, cloud security is neglected in far too many companies, especially in Germany. Company data is entrusted to cloud services that are not subject to the strict data protection and data security rules of the European Union. Data security in the cloud is left to the operators - who in the best case offer really only rudimentary protection. Yet studies clearly show that the amount of cyber attacks is not decreasing. On the contrary, last year almost half of all German companies suffered a successful cyber attack. It is irrelevant whether a company belongs to the big players on the market or operates as a small specialist business in the provinces. Cyber criminals know exactly who is worth attacking - and where data can be tapped most easily and without great risk. If your own company lacks IT specialists or the budget does not allow for an IT security team, external security service providers can ensure the urgently needed level of cyber security.