Cloud security basics - What should be considered in any case

Cloud security is crucial for protecting your data and applications in the cloud. The foundation of cloud security consists of several components, such as understanding security responsibilities, implementing strong access controls and centralized identity management.

Introduction to cloud security

Due to the constant growth of cloud infrastructures, cloud security has become an unavoidable topic. The cloud brings many benefits such as scalability, the switch from capital expenditure to operating expenditure, the ability to use resources on demand and the variety of cloud offerings (SaaS, PaaS, IaaS). However, these flexible and agile cloud solutions also bring security risks. If these risks are exploited, the consequences can be high financial and legal costs as well as damage to the company's reputation. 

This makes it all the more important in today's digital world to develop a comprehensive understanding of cloud security and take appropriate measures to protect your data and systems. This blog describes the basic principles and best practices of cloud security that can help companies to use their cloud environments securely and efficiently.

The Shared Responsibility Model

One of the most important concepts in cloud security is the shared responsibility model. It describes how security responsibility is divided between the cloud provider and the cloud customer. This model is crucial to ensure that all security aspects are covered in the cloud. The following list shows who is responsible for which aspect. 

Responsibility of the cloud provider

  • Physical security: This covers the data centers in which the cloud services are hosted, i.e. physical access control, fire protection and maintenance of the server hardware. 
  • Network security: The provider must guarantee the integrity, availability and protection of its own network infrastructure. The virtual networks, firewall rules and security groups inside the customer's environment, however, are configured by the customer.
  • Hypervisor and infrastructure: This is the security of the virtualization layer that abstracts the physical hardware and partitions it into virtual machines. A weakness here would let one tenant reach into another tenant's workloads, which is why the provider keeps this layer under its exclusive control. 

Responsibility of the cloud customer

  • Data management and security: The customer must ensure the confidentiality and integrity of the data it stores in the cloud. Examples are encrypting data at rest, classifying data and keeping backups. 
  • Access management and identity management: This is necessarily the customer's job, because only the customer knows who should be allowed to access which resources. The provider supplies the tools for it, such as MFA (multi-factor authentication) and RBAC (role-based access control), but the customer has to configure and enforce them.

An example is now shown for each service model:

SaaS: With Microsoft 365, the provider is responsible for the application and the underlying infrastructure, while the customer remains responsible for its user accounts, their access settings and the data it stores in the service.

PaaS: Examples of PaaS are Google App Engine and Microsoft Azure App Service. The provider is responsible for virtualization, network security, the operating system and the runtime. The customer is responsible for the security of the application itself: secure code, secure configuration, the data the application handles and access management. 

IaaS: In this model the provider, for example Azure or AWS, is responsible for the physical infrastructure, the network, the server hardware and the virtualization layer. Everything inside the virtual machine is the customer's responsibility: patching and hardening the guest operating system, the applications, data encryption, access management and monitoring. 

Access control and identity management

Access controls and identity management are an essential part of cloud security. As cloud services enable access from different endpoints and users, it is all the more important to use these tools correctly. They are used to control and monitor access and prevent unauthorized access. 

Access control

Access control raises the fundamental question of who is allowed to do what. There are various tools provided by the providers for configuring access controls in the cloud. 

  • Multi-factor authentication (MFA): MFA is now very widely used because it is a simple way to strengthen access control. The user does not only authenticate with a password but must also present a second factor, for example a one-time code from an authenticator app or hardware token, or a biometric feature. A stolen password alone is then no longer enough to log in. 
  • Role-based access control (RBAC): With RBAC, permissions are attached to roles that mirror job functions, and users receive permissions only through the roles assigned to them. For example, an employee from department A receives only the permissions of department A and not those of department B. This minimizes the risk of unauthorized data access.
  • Least privilege principle: Users receive only the permissions they actually need for their tasks, and nothing more. For example, an intern does not receive the Owner role but only the Reader role, because that is sufficient for their activities. Permissions should also be reviewed regularly, since they tend to accumulate over time.
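To make the RBAC and least-privilege points concrete, here is an added Python example (not from the original post) that audits AWS IAM policy documents for grants that are broader than least privilege: a wildcard Action, service-wide wildcards such as s3:*, an unconditioned Resource "*", NotAction, and, optionally, resources outside an allowed ARN scope such as one department's buckets. The three policies are constructed for the demo and the dept-a/dept-b bucket names are invented.

```python
import json

# Constructed sample policies for the demo; they do not come from any real account.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# What a "department A reader" role should look like: two read actions, one bucket.
DEPT_A_READER_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::dept-a-reports", "arn:aws:s3:::dept-a-reports/*"],
    }],
})

# A department A role that quietly also grants full S3 access to department B's data.
CROSS_DEPT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::dept-a-reports/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::dept-b-reports/*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str, allowed_prefixes=()) -> list:
    """Return (statement_index, finding) pairs for every Allow statement that
    widens access beyond least privilege. `allowed_prefixes` optionally pins
    the policy to a set of ARN prefixes (e.g. one department's buckets)."""
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they never widen it
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action except those listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((idx, "Action '*' grants every API call in every service"))
            elif action.endswith(":*"):
                service = action.split(":")[0]
                findings.append((idx, f"'{action}' grants every API call in the {service} service"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                if "Condition" not in stmt:
                    findings.append((idx, "Resource '*' without a Condition applies to everything in the account"))
            elif allowed_prefixes and not resource.startswith(tuple(allowed_prefixes)):
                findings.append((idx, f"'{resource}' is outside the allowed scope"))
    return findings


def is_least_privilege(policy_json: str, allowed_prefixes=()) -> bool:
    return not audit_policy(policy_json, allowed_prefixes)


if __name__ == "__main__":
    scope = ("arn:aws:s3:::dept-a-",)
    for name, policy in [("overly broad", OVERLY_BROAD_POLICY),
                         ("dept A reader", DEPT_A_READER_POLICY),
                         ("cross department", CROSS_DEPT_POLICY)]:
        print(name, "->", audit_policy(policy, scope) or "OK")
```

Run it over policies exported with the provider's own tooling, with the scope prefixes set to what the role's department legitimately owns; everything it flags is a candidate for the "only what the task needs" rule above. Deny statements are skipped deliberately because they can only narrow access.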

Identity management 

In addition to access control, identity management is also crucial to ensure that only authorized persons have access to cloud resources. 

  • Centralized identity management: Managing identities in one place has many advantages. Permissions and access policies are defined, reviewed and revoked in a single system instead of separately per service, which reduces the chance of forgotten accounts and inconsistent rules. Examples are AWS Identity and Access Management (IAM) and Microsoft Entra ID (formerly Azure Active Directory).
  • Management of external users / automated user creation: Nowadays it is not uncommon to grant external partners, customers or suppliers access to certain cloud services. With identity federation, the external party authenticates against its own identity provider, and a trust relationship between the two providers grants it access to your resources, so no separate local account has to be created and maintained. Automated user provisioning and deprovisioning (for example via SCIM) also come into play in this scenario: automation simplifies administration, and employees who leave or external parties who have completed their work lose access automatically instead of leaving orphaned accounts behind.

Conclusion

Cloud security is central to the correct use of the cloud. Understanding the shared responsibility model is important in order to understand which security aspects are the responsibility of the cloud provider and which are the responsibility of the cloud user. Effective access controls and functional identity management ensure that only authorized users access the resources. Long-term security in the cloud requires continuous security adjustments and constant implementation of best practices. 
