© 2021 Production
and publisher: BoD - Books on Demand GmbH, Norderstedt.
MniConsult GmbH
Switzerland, Appenzell
Uwe Irmer
Dipl. Ing. Univ.
Dipl. Wirtschaftsing.
ISBN: 9783752697315
What you see is not what the
cloud knows about you.
Uwe Irmer, March 2021
According to analyses by IDC in cooperation with Swisscom [1], over 70% of Swiss companies are considering using cloud technology. The same applies to companies in the European Union EU, as analyses by Forrester [2] show.
The main reason given by the companies surveyed for switching to the cloud is the savings for operating costs and costs for operating. The expectation is the shift from capital expenditure (CapEx) to operating expenditure (OpEx), the shift of operational risks as well as the increase of flexibility with reduced expenditure.
At the time of the publication of this book, another aspect is added. The Corona crisis, which is affecting the entire world as of March 2020.
Against this background, companies are urgently looking for solutions outside their own IT infrastructure with the intention of being able to relocate services. This is in order to be able to maintain operations should their own personnel fail to maintain the IT infrastructure.
But what is the path to the cloud?
How can a company move its existing IT infrastructure to the cloud while complying with the applicable regulations and ensuring the protection requirements?
What risks arise and what changes does the switch to cloud technology mean?
In many companies, mainly in the area of software development and services, the motivation to achieve shorter delivery times for new products or product versions by means of cloud technology is predominant. For this purpose, new processes such as CI/CD (Continuous Integration/Continuous Delivery) are introduced in the conviction that everything necessary has been done in the area of product and service creation. However, practice shows that such projects often fail.
An important realisation is that there is no cloud technology implementation project without fundamental organisational changes in the company. Thus, it is not only the company divisions that are directly related to products or services that are affected by changes. Rather, the entire company needs a new culture, new procedures, new processes or, in short, new governance.
Volume 1 of this book series Cloud Security discussed the basic organisational aspects that need to be considered when moving to cloud technology. It also described the basics of cloud technology.
This volume 2 of the book series takes an in-depth look at the possible cloud architectures and delivery models as well as technical and organisational measures in order to describe a best practice path that companies can use to successfully use cloud technology in a targeted and sustainable manner.
| CaaS | Container as a Service |
| CDN | Content Delivery Network |
| CI/CD | Continuous Integration/ Continuous Deployment |
| CISO | Chief Information Security Officer |
| DDoS | Distributed Denial of Service |
| deploy | Distribute, for example, install an artefact into the production environment. |
| IaaS | Infrastructure as a Service |
| IAM | Identity and Access Management |
| IoT | Internet of Things |
| ISMS | Information Security Management System |
| IT | Information technology |
| AI | Artificial intelligence |
| Major Release | Main version |
| PaaS | Platform as a Service |
| PC | Personal computer |
| SaaS | Software as a Service |
| VPN | Virtual Private Network |
| WAF | Web Application Firewall |
| WLAN | Wireless Local Area Network |
| Number | Title |
| 1 | Migration to cloud technology |
| 2 | Responsibilities according to service model |
| 3 | Cloud models and influence |
| 4 | Cloud Kube Model |
| 5 | Data Life Cycle |
| 6 | Containerisation |
| 7 | Use of different container orchestrators |
| 8 | Procedure of agile teams according to Scrum |
| 9 | Kanban Board |
| 10 | DevOps |
| [i] | Asset | The values of the company, these can be monetary values as well as reputation, patents, processes, employees, etc. |
| [ii] | Entity | The entity is an object within information technology and describes how relationships are established in the processes of information technology. Entities are natural persons, processes or services. |
| [iii] | leased privilege | This principle ensures that entities are only granted the minimum privileges they need. Further privileges are not granted. |
| [iv] | Artefact | Result from a work process, for example a new service in information technology |
| [v] | Deploy | Distribute, bring an artefact into an operational environment to provide the service. |
| [vi] | Resource | A resource in the context of cloud technology is a component that is obtained from the cloud and that can be combined. Examples of resources are virtual networks, storage or virtual servers [3]. |
| [vii] | Service | A service is the combination of resources needed for business-relevant processes. An example of this is the customer relationship management system CRM. This consists of the combination of virtual networks, virtual application servers, database servers, user authentication, etc. [3]. [3]. |
| [viii] | Provider | A provider makes services available to third parties. Depending on the form of the contracts, the provider takes over the operation and maintenance of the associated resources to a greater or lesser extent. [3] |
| [ix] | Consumer | The consumer obtains services from a provider. [3] |
| [x] | Epic | Epic is a user story that is structured into further user stories. The epic describes the requirements of a product in a general way, which will be defined in more detail at a later stage. |
| [xi] | Item | Component or element |
Volume 1 [3] deals with the basics of cloud technology as well as the necessary, mainly organizational adjustments in the areas of governance, compliance, risk and information security management system ISMS.
Volume 2 takes an in-depth look at cloud technology and shows best practice for measures to be able to use cloud technology securely.
In the first step, the available cloud architectures are described and measures are discussed as to how security can be guaranteed for the respective type of architecture.
The following section deals with frameworks that deal with the topic of cloud security. It also answers the question of which frameworks can be used for one's own security considerations and how.
The focus of this book is the description of technical and organizational measures to achieve security when using cloud technology. This is done in relation to the respective cloud architecture. In addition, recommendations regarding cloud deployment models and cloud architectures are discussed from the perspective of information security.
To start with the topic of cloud security best practice, first consider how cloud technology should be introduced into the company. As already described in Volume 1 Cloud Security Basics [3], the decision to use cloud technology is a management task. With the decision, a multitude of tasks have to be solved. These stem from the area of compliance, and are also of a technical and organisational nature.
Compliance
The ¨considerations on governance, risk and compliance are discussed in detail in Volume 1 Cloud Security Fundamentals [3]. Therefore, the topics to be clarified and ensured are shortened here:
Governance
With the use of cloud technology, governance must be adapted. New guidelines are needed to be able to use the technology sensibly. A changed corporate culture towards a fault-tolerant culture is required. The manifold changes in the company processes, the organisation and the technology can only be implemented meaningfully in a fault-tolerant and agile environment.
Risk
With the use of cloud technology, risk must be expanded to include the area of cloud risk. The main issues to be considered are
Compliance
In the current "Explanations on Cloud Computing" [15] FDPIC 2019, the Federal Data Protection and Information Commissioner FDPIC describes its position on compliance.
For example, it must be taken into account that data is stored outside of Switzerland and that data comes into the sphere of influence of foreign states and foreign authorities. This requires an examination of how consumer data protection and data security are guaranteed and how other legal provisions are complied with.
Examples of this are the obligation to retain or provide evidence or compliance with confidentiality obligations [15].
If personal data are stored and processed, then the consumer [ix] must ensure compliance with existing data protection laws. For example, data security must be guaranteed and compliance with confidentiality, availability and integrity as defined in the Data Protection Act [15] must be ensured. In addition, the consumer must ensure that the right of access and the right to delete and correct the data is guaranteed at all times. [15]. Finally, the consumer should not only consider the situation with the cloud provider, but also include all possible sub-providers.
One particular consideration relates to the US government's CLOUD Act of 2018 [3].
On 23 March 2018, the US government signed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). According to this act, all US companies are obliged to give US authorities access to stored data, even if the storage location is not the USA. US companies are prohibited from informing their customers if their data has been accessed. The CLOUD Act also allows US foreign companies to access data stored by US companies abroad. [3]
Technical measures
As part of the technical measures, it must be clarified which systems and services [vii] of the existing IT can be migrated to the cloud and how. From a technical point of view, it is also important to consider whether services are to be newly created on the basis of the new technology or transferred to the cloud technology in an intermediate step.