Numerous companies use cloud offerings such as Microsoft's Office365 or install their own systems on cloud computing platforms such as AWS. Administrators are faced with the task of securing their use in the company.
- Access to the cloud should only be possible via virtual private networks (VPN)
- Different cloud services require different security concepts
Companies are increasingly turning to cloud services. Even in the last few years before the Corona pandemic, studies showed continuous growth. In the meantime, very few companies can manage without the cloud. According to this year's Cloud Monitor by Bitkom and KPMG, only three percent of companies intend to do without the cloud in the future.
The survey also revealed that security issues are the most important criterion for almost all cloud customers. But in practice IT security often lags behind, because not everyone realizes that the company also bears part of the responsibility for it. Our experts explain what is important here.
Different cloud applications need different security concepts
Michael Weirich, IT security project manager at eco, the Internet industry association, advises accessing cloud services only via a virtual private network (VPN):
The first organizational measure is to protect access to the cloud services separately. Access to the company cloud should only be possible via trusted connections. A VPN ensures an encrypted connection between the employees' devices and the company network that provides the cloud services.
Companies must take appropriate measures to secure cloud access on employees' user devices. Two-factor authentication should be used here in addition to a strong password. A rights system should be used to control the sharing of data and services.
When selecting cloud services, attention should be paid to certifications as well as locations of the provider. One example is the EuroCloud SaaS certification: The benchmarks of this certification are the German and European laws on data protection and IT security as well as international standards. The Trusted Cloud website lists cloud providers with their security certifications.
Robert Couronné heads the Cybersecurity thematic platform at the Bavarian Society for Innovation and Knowledge Transfer, Bayern Innovativ. He points to the need for different security models for the various cloud models:
First of all, it is important to distinguish which cloud services are involved. Native cloud applications such as Office365 can offer significant security advantages, especially for SMEs. Since the protection of cloud services is in the cloud provider's own interest, it will use professional protection measures. This applies to the security of the application servers, the communication links and the associated user data.
If you only book "virtual computers" in the cloud and equip them with your own software, you are responsible for securing them yourself, similar to servers in your own data center. The advantage is then limited to the additional location.
If cloud services are used for data backup, they must be protected behind a firewall. To prevent ransomware attacks, they must not be part of your own domain and must not be accessible with Active Directory access rights. In this way, they also offer the advantage of a second location.
Cloud security requires special knowledge
While certain cloud services can bring significant security benefits, especially for smaller companies, in most cases it remains the responsibility of the company to take security precautions and secure cloud usage within the company accordingly. This includes secure access via VPN as well as multi-factor authentication (MFA). Also, a dedicated rights system is helpful so that access rights can be customized in each case and are limited to what is necessary. However, the security specialists in the company need appropriate expertise, because cloud configurations are often faulty and thus form a gateway for attackers.
Author: Uwe Sievers