“The cloud is another name for ‘someone else’s computer,’ and you need to understand how much or how little you trust that computer.” (Bruce Schneier)

The quote was made in the context of the LastPass breach in 2022, in which attackers allegedly compromised the well-known password manager LastPass. It prompted us to take a closer look at the topic of IT security in the cloud.

Risk assessment in the cloud

From our point of view, this has two aspects. The first is the fundamental question of trust: do we trust the chosen cloud operator(s) and/or service provider(s), and do we believe they can provide an adequate level of security to protect our data? This question deserves thorough consideration. In most organisations there will be data that requires a higher level of protection and data for which the protection requirement is lower. While there may be nothing against processing the latter category in the cloud, data with a high protection requirement calls for a careful risk assessment before it is moved there.

Once an organisation has decided to use one or more cloud services, the second aspect comes into play: the secure use of those services. "Secure use" here means adhering to the appropriate best practices for the service in question. For the LastPass service mentioned above, this would mean choosing a sufficiently strong master password. Particularly in the area of Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), the IT security of the environment stands and falls with configuring it so that confidentiality, integrity and availability are not compromised. A classic negative example is an S3 misconfiguration on AWS (Amazon Web Services): an S3 bucket is made accessible without proper authorisation controls, confidentiality is compromised, and in the extreme case the data stored there is readable by anyone on the internet without any access control.
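As an added example (not code from the original article and not an AWS tool), the following Python checker shows the weak setting beside the corrected one: two constructed S3 bucket policy documents, one granting anonymous read access and one restricted to a specific IAM role, together with a function that flags Allow statements open to the wildcard principal. The bucket name, account ID and role name are placeholders chosen for illustration.

```python
"""Flag S3 bucket policies that grant access to anonymous principals.

Added example, not code from the original article. A minimal offline
checker that looks at the same thing AWS's own public-access evaluation
looks at first: Allow statements whose Principal is the wildcard and
that are not narrowed by a Condition. The policies below are constructed
samples with placeholder bucket, account and role names.
"""
import json

# Constructed sample: the classic misconfiguration. A policy like this makes
# every object in the bucket readable by anyone on the internet.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-data-bucket/*"
    }]
})

# Constructed sample: the corrected policy. Only one IAM role in the account
# may read objects, and a second statement denies any non-TLS access.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-data-bucket/*"
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-data-bucket",
                         "arn:aws:s3:::example-data-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}
        }
    ]
})


def _is_anonymous_principal(principal) -> bool:
    """True if the statement's Principal matches everyone ("*" or AWS:"*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements open to anonymous principals.

    A statement is flagged when Effect is Allow, Principal is the wildcard,
    and no Condition narrows it. Deny statements with a wildcard principal
    (such as the TLS-only rule above) are legitimate and are not flagged.
    Conditional wildcard grants are skipped here but deserve manual review.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    flagged = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        flagged.append(stmt.get("Sid", f"statement-{idx}"))
    return flagged


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY),
                      ("restricted", RESTRICTED_POLICY)):
        print(name, "->", find_public_statements(doc) or "no public grants")
```

The check covers only the bucket policy; a bucket can also be exposed through a public bucket or object ACL, so a real review looks at both. The robust guardrail is to keep S3 Block Public Access enabled at the account level, which causes AWS to reject a policy like the first one outright.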

No blind trust in cloud providers

Many cloud users, whether in a private or a professional environment, blindly trust their chosen cloud providers and assume that the provider will ensure adequate security on its own. As many of our projects show, this is a fallacy: the provider secures the underlying platform, but the configuration of the customer's own resources remains the customer's responsibility, and misconfigurations are very often the cause of glaring security gaps in applications operated in the cloud.

Therefore: trust is good, control is better. Have the applications that use the cloud put through their paces by the experts at TEN Information Management. Such a review not only detects misconfigurations but also identifies further security gaps. In this way you reduce the risk of security incidents and protect yourself and your organisation from the consequences of a cyber attack.

