Cyber Security In The Cloud: Who Can Come In?
Many companies rely on the “zero trust” principle for cyber security in the cloud. This approach ensures that strict access control is guaranteed even in complex and mobile cloud scenarios. The security checks in the cloud environment sometimes look very different from those in classic networks.
Company-critical shop systems, intellectual property, or confidential customer data: companies want to know who can access their sensitive systems or data. This is why they usually also deal intensively with cyber security when migrating to the cloud, because it is no longer primarily a question of where in the network critical information is stored most securely. Even the best separation between external and internal network segments falls short if, for example, many employees work regularly or even permanently from home. As a result, access to the data (and its limitations) becomes the critical question: Which new entry points and access paths need to be considered? Which visitors, and which of the now often many mobile devices, are considered trustworthy, and when?
Trust Is Good; Control Is Better
In this context, the keyword “zero trust” comes up more frequently. Contrary to what the term might suggest, this approach is by no means about trusting nothing and no one. The aim is to distinguish between harmless and untrustworthy digital identities and devices. However, Zero Trust assumes that the corporate network and the actors in it are not trustworthy per se. In many cases, attackers have been in the system unnoticed for a long time and operate with stolen identities.
Zero Trust focuses on three factors: identities, devices, and data.
- Secure Identities: Is a user really who they claim to be? This can be checked through staggered checks, for example, as part of multi-factor authentication.
- Manage Devices: Here, it has proven to be a good idea not to allow employees’ own devices, but only computers managed by the company, for which, for example, hard disk encryption, current virus scanners, or regular (security) updates are guaranteed.
- Classify Data: Not all data and information is critical, so it must be classified according to its damage potential and, if necessary, protected with appropriate access hurdles.
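How the three factors combine into a single access decision can be sketched in a few lines. The following is an added example, not taken from any product named in this article; the three classification levels, the field names and the rule that stricter classifications demand more verified properties are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum

class Classification(IntEnum):          # assumed three-level scheme
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

@dataclass(frozen=True)
class Identity:
    user: str
    account_active: bool                # False once the employee has left
    mfa_passed: bool

@dataclass(frozen=True)
class Device:
    company_managed: bool
    disk_encrypted: bool
    av_current: bool
    patched: bool

def decide(who: Identity, dev: Device, data: Classification) -> tuple[bool, list[str]]:
    """Return (allowed, denial reasons). Network location is deliberately not an input."""
    reasons = []
    if not who.account_active:
        reasons.append("account deactivated")
    if data >= Classification.INTERNAL:
        if not who.mfa_passed:
            reasons.append("multi-factor authentication missing")
        if not dev.company_managed:
            reasons.append("device not managed by the company")
    if data >= Classification.CONFIDENTIAL:
        posture = {"disk encryption": dev.disk_encrypted,
                   "current virus scanner": dev.av_current,
                   "security updates": dev.patched}
        reasons += [f"{name} not verified" for name, ok in posture.items() if not ok]
    return not reasons, reasons

# Constructed sample identities and devices (not real data)
ALICE = Identity("alice", account_active=True, mfa_passed=True)
LEAVER = Identity("bob", account_active=False, mfa_passed=True)
MANAGED = Device(True, True, True, True)
PRIVATE_PHONE = Device(False, False, False, False)

if __name__ == "__main__":
    for who, dev, data in [(ALICE, MANAGED, Classification.CONFIDENTIAL),
                           (ALICE, PRIVATE_PHONE, Classification.CONFIDENTIAL),
                           (ALICE, PRIVATE_PHONE, Classification.PUBLIC),
                           (LEAVER, MANAGED, Classification.INTERNAL)]:
        print(who.user, data.name, decide(who, dev, data))
```

Returning the denial reasons alongside the verdict gives the help desk and the audit log the same explanation for every rejected request.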
A significant advantage of cloud technology: In the age of microservices, security functions such as multi-factor authentication or the classification of documents are usually only a few mouse clicks away, inexpensive, and easy to automate – especially compared to traditional on-premises solutions. For example, banks and insurance companies have been using Rights Management Services (RMS) for a long time, previously based on complex and expensive infrastructures. Today, just a few licenses for ready-made services are enough to regulate who can open, print, share or change a document – and who can’t.
Everything In The Cloud?
What moves medium-sized companies, in particular, is the protection of their intellectual property. Many are still reluctant to outsource such business-critical assets to the cloud. One football club shows how this situation can be dealt with: it has outsourced its intranet to the cloud-based Office solution Microsoft 365, so that menus or sick notes are no longer on its own servers. However, player scouting, i.e., the individual evaluation of its players, is still found only on on-site computers. Such hybrid models are ideal for companies that see their cloud migration as a step-by-step project and start where the most significant benefit can be expected, which is particularly true for medium-sized companies.
Binding Rules For Everyone
Last but not least, cyber security in the cloud environment requires its own governance that specifies binding rules of conduct – such as the consistent deactivation of all cloud access for an account when the employee has left the company. And what does it mean for security if a colleague changes departments or the communication with a customer changes? Who defines identities and user accounts in the organization? Who can access what under what conditions? Clear rules are needed for all of this.