Cloud services open up new possibilities for innovative business models and efficient processes. The competitiveness of companies and financial service providers is improved with lasting effect through the systematic migration of functionalities from on-premise systems to a cloud or multi-cloud environment. A (multi-) cloud strategy can thus make a significant contribution to innovation and added value. In addition, however, companies must ensure that the right measures are taken and that control is maintained over the cloud. The use of cloud services currently goes hand in hand with legal and regulatory uncertainties which can present an obstacle to a migration to the cloud. In this blog post, we show you how to overcome these challenges.
We all use cloud services every day, although we may not always be aware of the fact: sending emails, using software packages from the cloud, streaming music or films, or storing and sharing data via the cloud. And of course, businesses also want to take advantage of what works so well in private. Nowadays, due to various legal and regulatory uncertainties (and sometimes doubts as well), this is fraught with challenges.
With the cloud, the time leading up to market readiness can be shortened for innovative products and services, and competitiveness can be increased. New technologies, artificial intelligence, for example, could be used as a service on the user's hardware without the need for major investment. Access to a huge data pool and the corresponding processing power means the analysis of huge volumes of data is possible in real time. In the development and testing of new applications and systems, the cloud means efficiency gains and creates cost transparency. The development or procurement of relevant skills and resources is often no longer necessary. Migration to a cloud is therefore also appealing to smaller companies since, in this way, previously inaccessible technologies are made available to everyone. It is these companies who are increasingly failing to meet the growing demands on IT operations (IT security, updating of patches, management of the IT infrastructure lifecycle). That is why the infrastructure and services are being moved to the cloud more and more frequently – in spite of some concerns and regulatory uncertainties.
Strictly speaking, in most cases it is not actually one cloud but increasingly multi-cloud and hybrid-cloud environments. According to the 2019 State of the Cloud survey by RightScale, 84% of companies have already defined a multi-cloud strategy. The important thing to note: No matter how many clouds, security should never be neglected!
This is the case in particular in the banking sector. That is why, in March 2019, under the guidance of the Swiss Bankers Association (SBA), a legal and regulatory guide for the use of cloud services by banks and securities traders was drafted. The good news for you: this guide is also suitable for non-financial service providers. It provides recommendations for the cloud lifecycle when using cloud services, from evaluation, procurement and operation to departure. We have summarised the four areas for action for you briefly here:
You see: when it comes to cloud cyber security, the priority is risk management. Among other things, cloud computing (hybrid cloud in particular) uses application programming interfaces (APIs), new data flows and complex network configurations. These factors generate new threat types. Hybrid and cloud computing is not in itself any more or less secure than on-premise infrastructures, however. That said, a complex system such as a hybrid cloud must also be managed, which requires new tools and procedures. The conventional network environment safeguards are not sufficient. Hybrid cloud infrastructures, therefore, place additional security demands on businesses. The major ones are:
For you, this means new challenges; in particular, compliance requirements are becoming increasingly stringent. It is precisely maintaining and evidencing compliance that can be difficult with a hybrid cloud, however. It is more than simply ensuring that on-premise, public cloud and private cloud compliance is up to standard. Evidence is also required that the means of coordination between the clouds are in place and secure.
Multi-cloud environments require a platform-independent and standardised approach to security. A key principle here is shared responsibility. The shared responsibility model, under which the cloud service provider is responsible for the "security of the cloud" itself and the client is responsible for "security in the cloud", has proven its worth here. The provider and the customer share the responsibility with the provider being responsible for the operation and the security of the physical environment, and the client for the logical environment.
In the cloud, not only are the traditional attack scenarios relevant, but there are also challenges posed by workload portability and multi-client capability. Workloads, in particular, require security strategies that keep up with the constantly evolving and ever increasing threats. Starting new workloads easily is a key advantage of the hybrid cloud but it also involves security-related risks. It is easily possible to move and operate workloads on different platforms and environments, from local to private and public infrastructures. Traditional approaches to security quickly reach their limitations here, not least due to the use of containers and microservices. To ensure container security, the following points must be taken into consideration at a minimum:
To ensure container security throughout the entire application lifecycle, it is worth using a dedicated platform such as "Twistlock". Twistlock is the leading platform for full-stack and full-lifecycle container and cloud-based cyber security for teams using Docker, Kubernetes and other cloud-native technologies. You can find out more about this subject on our website.
For companies using DevOps, this can be particularly difficult. Incorporating security into an approach that focuses on rapid development and provision is a challenge. Security is forgotten far too quickly when schedules are tight. The DevSecOps methods, which integrate security into the development processes and into frequent, fully automated deployment, provide the ability to apply patches and thus improve security early on. DevSecOps does not patch existing systems, however; it patches just the templates from which the workloads are generated and brings these into production.
Enough of requirements and regulations? We get it, but there is one more important point that should not be overlooked. Cyber security and data protection requirements must be complied with in the shared use of clouds. In other words, data belonging to the various users must remain separate, even when IT resources such as storage capacity and processing power are shared. Specifically, this can be implemented, for example, with an appropriate fine-grained permissions system and independent encryption in each instance. In addition, availability problems for another client, such as data loss or security flaws, must not affect the user's own company.
Use of the cloud (or multiple clouds) is a critical success factor. Not only for companies, but also for the entire Swiss business hub. But don't be put off by the challenges! If you follow the requirements and regulations, hybrid and multi-cloud environments offer huge potential that you should take advantage of.
Do you know which cloud services are already being used within your company? In our experience, cloud services are often being used for specific projects or within certain departments that IT knows nothing about. Our cloud access audit will give you complete transparency, thereby highlighting the associated risks clearly and concisely.