Cloud Security is changing

Cloud Security
German companies in 2019: The cloud is almost everywhere - if it is safe. Photo: Blackboard - shutterstock.com


High security is considered the basis for the success of cloud services. But the image of what constitutes a secure cloud is changing.

Original article CIO: The cloud market is moving and evolving differently than the initial forecasts predicted. A complete migration of IT services to the cloud has not happened and will not happen. There is not one large cloud but many cloud services.

However, the cloud is a success story. 65% of companies in Germany already use cloud services, as shown in IDG Research Services’ current “Cloud Security 2019” study. Only eight percent of businesses consider cloud services out of the question. 92% of companies already use cloud services, plan to do so in the next 12 months (17%) or are considering it internally (11%).

As a reference model for cloud services, the private cloud is ahead with 61% of responses. Public clouds are used by 45% of the companies surveyed. Hybrid clouds are implemented in 32%, community clouds and multiple clouds in 20%.

The choice of reference model is no coincidence: when companies are asked about their sense of security in cloud computing, the private cloud is rated best (2.4), multiple clouds reach only 2.7, and community clouds 2.8.

Price is not among the top ten criteria for choosing cloud services. At the top is data access security, followed by data encryption and provider reliability.

Secure access, encrypted data, and reliable providers – this is what German companies are looking for in cloud services.
Photo: IDG Research Services / Jutta Weber-Vidal, www.erdenbuerger.de

 

Cloud security is threatened

While most cloud services are considered relatively secure, companies in the new study report attacks on services they use in the cloud. Almost half (47 percent) of the companies have already detected cyberattacks on their cloud services; twelve percent do not know whether an online attack has ever taken place on their cloud services.

Obviously, more action is needed to protect cloud services. As the new study shows, many companies rely on familiar security concepts such as encryption, firewalls, and local backups. Cloud companies also expect enterprise users to rely more on security classics than on new cloud security concepts.

One of the reasons for this view of cloud security is the one-sided perception of the cloud’s risks, which is evident in the survey. Certain types of cloud attacks are rarely addressed by security measures, although such attacks are occurring.

New requirements for cloud security

What is done to protect a cloud service should not depend on excessive risk creation in the cloud. There are clear security requirements in cloud computing.

In addition, critical infrastructure (CIP) operators and cloud computing service providers have to report security incidents with significant effects to the BSI, as the Federal Office for Information Security clarifies in its recent report on the state of IT security in Germany. In addition, regulations for digital service operators stipulate a minimum level of preventive IT security measures and reactive management of security incidents.

“The demand and implementation of security requirements is an important aspect in the use of cloud services,” said BSI President Arne Schönbohm.

The Federal Office for Information Security has set new standards in the cloud industry with its cloud computing compliance catalog (C5 Compliance Controls Catalog). In the C5 catalog, BSI has grouped the requirements that cloud providers must address, regardless of application context, to ensure a minimum level of security for their cloud services. The C5 catalog is a standard that includes verifiable requirements, but does not determine which action should be taken.

As the new “Cloud Security 2019” study shows, cloud certification under the BSI C5 catalog is already one of the key compliance criteria when selecting a cloud provider. With a rating of 2.4, the C5 certificate is rated above the requirement that the cloud provider be based in Germany (2.6).

“Absolute security does not exist, because every company has a shadow IT – for the simple reason that every company uses e-mail. Many people send information to their private e-mail addresses. Of course this is not allowed, but it is still A big role therefore plays the conscience. I am convinced that many companies are still doing very little there.” Anja Hinnemann, Head of Cyber Security DACH at Capgemini Outsourcing Services GmbH.

 

Privacy rules the selection criteria

Among the requirements for a cloud service and a cloud provider, privacy carries particular weight. For example, 35% of companies cite security issues and 29% privacy as reasons for not using the cloud. On the other hand, companies expect higher levels of security and privacy from cloud services (34% and 32%).

An appropriate level of data protection in cloud computing is not only desirable, but a legal requirement to be able to use cloud services.

According to the General Data Protection Regulation (DSGVO / GDPR), cloud services are classified as processing on behalf of a controller (so-called order processing). The DSGVO states: “If processing takes place on behalf of a responsible party, it will only work with processors who have reasonable assurances that appropriate technical and organizational measures will be taken to ensure that processing is performed in accordance with the requirements of this Regulation and the protection of the rights of the data subject.”

 

The EU GDPR has a strong influence on the processing of cloud data in enterprises. Photo: IDG Research Services / Jutta Weber-Vidal, www.erdenbuerger.de

Before a cloud service can be used, a company needs to be convinced by the data protection measures of the cloud provider; there must be guarantees for these measures. As a possible guarantee and proof, the DSGVO names a certification of data protection based on the EU regulation.

The importance of data protection certification is recognized by companies in Germany. 34% of the companies surveyed verify the cloud providers' certificates. If the certificates are missing, attention is paid to the privacy audits at the providers.

In almost 60% of companies, the General Data Protection Regulation has a strong or very strong impact on how they deal with data processed in a cloud. Only two percent of the companies surveyed see no effect of the DSGVO.
