Author: Gerald Reif, Principal Architect, Director
In 2019, two major public cloud providers, Microsoft and Google, opened data centers in Switzerland. For many Swiss companies, this clears a central hurdle on the way into the cloud: data in the public cloud can now be stored in Switzerland. But this raises the next question: is it safe to use the public cloud? The IT market research company Gartner International has accompanied many companies through this question and has come to the following conclusion:
In an investigation of security incidents related to the public cloud, Gartner has found that incidents over the past two years are almost exclusively due to customer configuration errors (e.g. files in cloud storage are unintentionally made publicly accessible).
Many companies organize a security assessment at the beginning of their cloud journey and evaluate their strategic cloud providers with the help of an extensive questionnaire. But each of the major cloud vendors (Microsoft, Google, Amazon) is already certified by ISO, the Cloud Security Alliance (CSA) or the Federal Risk and Authorization Management Program (FedRAMP). Such an assessment only adds security if it checks points aimed at the specific requirements of individual services, beyond the criteria the independent certification programs already cover.
Since the greatest security risks do not stem from gaps at the cloud providers, it is far more important to ensure that the cloud is used securely within your own area of responsibility. This requires rethinking the threat situation compared with your own data center.
In the on-premises environment, services such as databases, virtual machines, file shares or PoC implementations are protected against access from the Internet by the perimeter firewall. An incorrectly configured service (e.g. a database with a default password) is not directly exposed to the Internet. In the cloud, however, an innocent click can expose a service directly to the Internet, making it a potential point of attack. Exposed file shares prove to be the most common reason for security incidents in the cloud.
To address such and other security risks, security awareness, know-how and the consistent application of security mechanisms provided by cloud providers are necessary. Security must be thought of holistically in the four dimensions described below.
The cloud governance concept defines the strategic guidelines for how the cloud is to be used. Security aspects must be part of it: in which geographical region data must be stored, the security classification of data and applications, and the roles with which developers may access cloud resources. Many of these aspects can be automatically monitored or enforced on the public cloud platforms via formal policies.
The architecture can be used to minimize the attack surface of the cloud resources. A perimeter in the cloud infrastructure can ensure that all inbound and outbound Internet traffic is routed through it. A VPN channel from the perimeter to the on-premises network enables secure access to on-premises resources from the cloud. In addition, the firewall of PaaS resources should be restricted so that only authenticated and authorized resources from a desired network can reach them.
Every cloud platform offers a portal where resources can be created and managed. These portals are a good place to familiarize yourself with the possibilities and configuration options. For the deployment of a productive application in the cloud, the portals pose a security risk. A forgotten or wrong click can override a security feature. Therefore, provisioning and deployments must be automated using Infrastructure as Code (IaC) and CI/CD pipelines. But even automation does not protect against deployments that violate governance policies. IaC code must therefore be checked by means of compliance rules or policies to ensure that the imposed governance is adhered to.
In addition to governance, architecture and automation efforts, the cloud environment must be monitored through continuous compliance to ensure that the defined security policies are maintained throughout the entire life cycle of the cloud applications. Continuous compliance can be used, for example, to monitor exposed interfaces, unchanged standard passwords, prescribed network routes or prescribed minimum standards for the configuration of cloud resources. In contrast to penetration tests, which represent a snapshot, continuous compliance checks the cloud environment automatically and on an ongoing basis and thus ensures that governance is upheld.
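As an added example (not from the article, and not any cloud provider's policy engine), a small policy-as-code check of the kind described for IaC pipelines and continuous compliance: it evaluates a constructed manifest against governance rules for data region, public exposure of storage, unchanged default passwords and PaaS firewalls, and returns a deploy/no-deploy verdict. The policy values, the manifest shape and the property names are assumptions.

```python
import json

# Constructed governance policy for this example (assumption; not a real provider policy).
POLICY = {
    "allowed_regions": {"switzerlandnorth", "switzerlandwest"},
    "default_passwords": {"admin", "password", "changeme", "password123"},
    "firewalled_types": {"storage", "sql"},  # PaaS types that must deny network access by default
}

# Constructed IaC manifest in a simplified JSON shape (assumption: each resource has
# type, name, location and a properties map; key names only loosely follow ARM templates).
MANIFEST_JSON = """
{"resources": [
  {"type": "storage", "name": "pocfiles", "location": "switzerlandnorth",
   "properties": {"allowBlobPublicAccess": true, "networkAcls": {"defaultAction": "Allow"}}},
  {"type": "sql", "name": "crm-db", "location": "westeurope",
   "properties": {"administratorLoginPassword": "ChangeMe", "networkAcls": {"defaultAction": "Deny"}}},
  {"type": "vm", "name": "build-agent", "location": "switzerlandwest", "properties": {}}
]}
"""

def check_resource(res, policy):
    """Return the list of governance rules a single resource violates."""
    violations = []
    props = res.get("properties", {})
    if res.get("location") not in policy["allowed_regions"]:
        violations.append("region")               # data must stay in an allowed geography
    if props.get("allowBlobPublicAccess") is True:
        violations.append("public-access")        # the "innocent click" that exposes a share
    pw = props.get("administratorLoginPassword")
    if pw is not None and pw.lower() in policy["default_passwords"]:
        violations.append("default-password")     # unchanged standard password
    if res.get("type") in policy["firewalled_types"]:
        if props.get("networkAcls", {}).get("defaultAction") != "Deny":
            violations.append("firewall-open")    # PaaS firewall must deny by default
    return violations

def check_manifest(manifest_json, policy=POLICY):
    """Evaluate every resource; returns {name: [violated rules]} for non-compliant ones."""
    manifest = json.loads(manifest_json)
    report = {}
    for res in manifest["resources"]:
        found = check_resource(res, policy)
        if found:
            report[res["name"]] = found
    return report

def gate(manifest_json, policy=POLICY):
    """Pipeline gate: True only when the manifest is fully compliant."""
    return not check_manifest(manifest_json, policy)

if __name__ == "__main__":
    for name, rules in check_manifest(MANIFEST_JSON).items():
        print(f"{name}: {', '.join(rules)}")
    print("deploy allowed:", gate(MANIFEST_JSON))
```

The same check run on a schedule against the deployed resources' actual configuration, rather than on the manifest, is the continuous-compliance variant.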
The public cloud providers are making great efforts to make their cloud offerings secure. They have been so successful in these efforts that even the US Pentagon relies on Microsoft Azure. With the data centers in Switzerland, Microsoft and Google can also cover the need for data storage in Switzerland. This makes the step into the public cloud an interesting option for Swiss companies. For secure cloud adoption, the cloud providers' security efforts must be consistently carried forward by the customer. It is the customer's responsibility to ensure the secure use of the public cloud through a holistic view of governance, architecture, automated deployment and continuous monitoring of compliance with the defined policies.