Written by Uwe Sievers
Hardly any company still does without the use of cloud offers. At the latest since the Corona pandemic, employees want to access company data regardless of location. This also creates new challenges for IT security. But this is often not taken into account from the outset, as Stefan Strobel has observed. He is the CEO of the security consultancy cirosec and author of several specialist books in which he has also dealt with cloud security. He explains the essential changes in current cloud use as well as necessary security adjustments. Furthermore, Strobel illustrates the potential of new security technologies for the cloud.
Many organisations are currently running projects to introduce Office 365. Most of the time, it's not just about changing the licensing, but about introducing teams for video conferencing, setting up an Azure-AD and many other services. Even if the companies have not planned this at all at first, sooner or later the discussion comes up whether one should not also migrate to Exchange Online, because the service is usually already paid for in the Office 365 package anyway. This already includes basic protective measures against malware, so that a savings potential is recognised here.
Step by step, almost everything is gradually replaced by Microsoft services that are already included in the paid package. Along the way, many other things also migrate to the cloud. But then one is faced with the question of how all this is configured securely.
IT services that used to run on company servers are often outsourced to the cloud, for example so that they scale better or are easier to access from the home office. In Germany, Azure from Microsoft or AWS from Amazon are primarily used for this. In addition, many web applications that previously ran on hosts are also being moved there. This is sometimes done for cost reasons or to standardise the IT landscape. This creates further challenges for IT security.
The cloud platforms have their own form of managing identities, rights and roles. This is the case with all cloud service providers. In addition, access restrictions have to be configured everywhere, this works differently than on-premise and again differently with Azure than with AWS. This needs to be understood and set up correctly. For example, if S3 buckets are used as storage, you have to configure who can access them. Then there is the management of keys and certificates for encryption and the like. So it has its own complexity.
In addition, it is often the developers who first started working with containers almost entirely in the cloud. The security departments subsequently had to do justice to this development and first develop concepts on how to secure these structures and services. Agile software development is often cloud-based and a driver of this trend.
Using cloud services does not necessarily create new threats or forms of attack, but it is a new technology and it has to be configured correctly. To do this, you need to understand cloud platforms such as AWS or Azure, otherwise dangerous mistakes can easily arise.
For attackers, this results in changes in their preferred points of attack. In the past, they tended to attack perimeters, end devices or servers. Now, however, they attack identities with high rights in the cloud. If you can do that, then everything is open. There is usually no inside and outside in the cloud anymore. In the past, if someone knew my internal password, they still didn't necessarily have access to internal systems because the firewall blocked access from the outside. But that is obsolete in the cloud. That's why we see more phishing attacks and attempts at deception. Since you can access Office 365, for example, from anywhere, whether from home or on the road, all it takes is to take over the identity and an attacker has access to everything.
This is why new authentication methods such as two-factor authentication (2FA) via Authenticator apps have been increasingly introduced. Meanwhile, the trend is moving beyond this towards dynamic and risk-based authentication. This does not always require the same authentication everywhere. Among other things, the login behaviour of users is observed to detect anomalies. For example, it is very unlikely that someone logs on from Nuremberg and a few minutes later from Singapore. But these functionalities usually have to be paid for extra by the providers.
CASB (Cloud Access Security Broker), for example, is about controlling which cloud offerings employees are allowed to access. This can prevent the uncontrolled use of insecure cloud services. With SASE (Secure Access Service Edge), on the other hand, the perimeter itself is shifted to the cloud, so to speak. This also partly serves to secure one's own network. This includes a secure web gateway, which can be used, for example, to establish secure access for employees from home to the cloud. CASB can be a component of SASE. Furthermore, the connection to the corporate network can also be made via a SASE service and a ZTNA component (Zero Trust Network Access) contained therein, which aims to replace the classic remote access VPN .
CSPM (Cloud Security Posture Management), on the other hand, should help to get an overview of all security settings of all cloud services used by the company. Especially if you pursue a multi-cloud approach, i.e. use different cloud services, you can use it to monitor the security-relevant configuration very well. CSPM is therefore a very practical tool to prevent security vulnerabilities from arising due to errors. However, CSPM is still relatively new.
