Cloud security: A mystery?

This blog post deals with the issue of cloud security and constitutes an initial assessment.

Blog Series about Security in Public Clouds

This blog is part of a blog series about security in public clouds. If you are interested in exploring the topic in more depth, have a look at the introductory blog, where all related articles are listed and linked.

Is cloud security really a mystery and therefore a game-changer for information security? Within governance, risk and compliance (GRC), companies must adapt existing governance documents and risk management methods to cloud computing. In terms of technical information security, we can see that tried-and-tested security mechanisms such as multifactor authentication, protection against malware, patch management and firewalls can also be used in the cloud. In addition, there are new cloud security controls available for cloud computing, e.g. Azure Key Vault, Azure Information Protection, conditional access, bring your own key, and cloud access security brokers. Companies must find and implement the right balance between traditional information security and the new cloud security controls and architectures, not least because cloud computing leads to hybrid IT architectures in most cases. It’s amazing, but true: some corporate customers already have ICT environments that are located completely in the cloud. It goes without saying that in such environments the new cloud security controls are mainly being used and that special attention is paid to endpoint security and secure communication.

Chief information security officers are about to face some major changes: They must focus their role on the cloud and expand their knowledge accordingly. The existing security organisation and a company’s own security processes, such as security incident management and security monitoring, must be extended in a cloud-specific manner and be integrated into the functionalities of the cloud provider. In short, CISOs and their own security organisation must expand their skillset and their own security programme with regard to the cloud. Tracing a security incident in a highly automated and complex virtualised cloud environment requires specialist know-how.

Cloud security is no mystery

Anyone who studies the subject in depth eventually realises that information security can be safeguarded very well with cloud computing – indeed often functionally and qualitatively better than is possible in a company without its own security organisation. But one thing must be clear: Comprehensively protecting a company’s own critical information and sensitive personal data is absolutely paramount. It is imperative that companies are aware of what information they are transferring to the cloud. In these times of omnipresent industrial espionage, it may nevertheless make sense to process certain information exclusively on site. After all, quantum computing will in the medium term enable the encryption mechanisms currently in use to be cracked.

In summary, it is particularly important to address the new cloud security controls (for example, microsegmentation using software-defined networking, containers and serverless computing) and to implement these in line with the requirements, all while taking the general economic conditions into account. Much information about these topics can be found in the Cloud Security Alliance security guidance (link) and in my Swisscom cloud security white paper for MS Azure (link).

Further resources:

Swisscom has published whitepapers on cloud security in which security issues are dealt with in detail. These can be obtained as follows:

If you want to learn more about Swisscom’s portfolio and services on public cloud, get in touch with us using the following links: