[Image: an AI-generated computer against a green background with a data center, symbolizing data exchange with the cloud | SPIRIT/21]
By Patrick Fischer on 19.01.2022 | IT Security

Secure data sharing with the cloud

A company’s data and applications can be stored much more securely in the cloud than in the company’s own on-premises data center. In particular, round-the-clock (365 days, 24 hours) monitoring of systems and rapid patching of operating systems and applications, as is currently required for the Log4Shell vulnerability, are hardly affordable for small and medium-sized businesses; the financial outlay quickly exceeds the IT budget.

However, most companies ask themselves: How do I secure the connection between the company sites and the cloud, for the company itself, for production, and for data that needs to be protected, such as human resources or financial information? How do I connect an employee working remotely?

That’s why we’re looking at precisely this path – between corporate locations and the cloud:

Network connectivity to the cloud is a part of the cloud strategy that must be settled before any cloud use with an external cloud provider. Companies used to get along well with MPLS networks or direct connections. With one or more cloud providers in the picture and the Internet available as a low-cost transmission medium, the range of options grows.

  • VPN connections are often the standard method for connecting to cloud providers, especially for remote offices and home workers. In this case, two-factor authentication and encryption must be ensured. However, the Internet does not provide a guaranteed service level.
  • SD-WAN, as a combination of all WAN technologies: when security and performance requirements are high, the flexible adaptation of bandwidth to service and availability requirements is a real advantage. The choice of encryption technologies and the central monitoring of all parameters are further advantages of this option. Key management can remain within the company, which also increases security.
  • MPLS and fixed connections often offer high availability and the best protection against DDoS attacks, as they are not routed over the Internet. Encryption can often be purchased additionally from telecommunications providers or implemented at one’s own locations. Overall, this is a secure, albeit rather expensive, solution that leaves much to be desired in terms of flexibility, with long contract terms and deployment times of 6 months.

Criteria for choosing the right cloud method

To be really sure, the planning and design, as well as the verification of the implementation, must always follow these criteria:

  • Documentation and understanding of the cloud provider’s security requirements: are all configurations managed by the cloud service customer and integrated into the IT processes?
  • Understanding which nodes the data packets traverse, within and via the cloud.
  • Understanding and documenting traffic, bandwidth and encryption: who can connect to what? User devices? VPN? Direct network connections? Who can change VPN configurations? Are the security rules clear?
  • Checking the cloud service provider’s virtual firewalls for VPN rules and segmentation by service.
  • Checking the approval process for employees’ or systems’ access to the Internet. Verify that there is only one way to access the Internet.
  • Review of the DDoS defense strategy on all eligible ports. Explain the cloud service provider’s defense strategies against DDoS attacks and highlight the redundancies in the connections and access technologies.
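The VPN requirements above (two-factor authentication, encryption) and three of the checklist items (virtual firewall rules and segmentation, a single approved path to the Internet, knowing who may reach what) lend themselves to an automated check against a configuration export. The following script is an added example, not code from the article or from SPIRIT/21: it audits a small, constructed cloud network configuration and reports every deviation. The approved cipher list, the set of services allowed to face the Internet, the corporate address ranges and the data classes are all assumptions chosen for the example; a real audit would read them from the company's policy and from the provider's API.

```python
"""Audit a cloud network configuration against the connectivity checklist.

Example code (not from the article). Checks, on constructed sample data:
  1. every VPN tunnel enforces two-factor authentication and an approved cipher,
  2. no firewall rule exposes a non-Internet-facing service to the Internet,
  3. exactly one default route (one way to the Internet) exists.
"""
from dataclasses import dataclass
import ipaddress

# Assumed corporate policy values, constructed for this example.
APPROVED_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}
INTERNET_FACING_SERVICES = {"vpn", "https"}  # may be reached from 0.0.0.0/0
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class VpnTunnel:
    name: str
    cipher: str
    mfa_required: bool


@dataclass(frozen=True)
class FirewallRule:
    name: str
    service: str   # logical service behind the rule, e.g. "ssh", "rdp", "db", "vpn"
    source: str    # permitted source CIDR
    segment: str   # segment the rule allows traffic into


@dataclass(frozen=True)
class Route:
    name: str
    destination: str  # CIDR; prefix length 0 marks a default route
    next_hop: str


def _is_corporate(cidr: str) -> bool:
    """True when the whole source range lies inside the company's address space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(corp) for corp in CORPORATE_RANGES)


def audit_vpn(tunnels):
    """Flag tunnels without two-factor authentication or with a non-approved cipher."""
    findings = []
    for t in tunnels:
        if not t.mfa_required:
            findings.append(f"{t.name}: two-factor authentication not enforced")
        if t.cipher not in APPROVED_CIPHERS:
            findings.append(f"{t.name}: cipher {t.cipher} not on approved list")
    return findings


def audit_firewall(rules):
    """Flag rules that let non-corporate sources reach services that should not face the Internet."""
    findings = []
    for r in rules:
        if _is_corporate(r.source):
            continue  # internal source: segmentation between internal segments is a separate check
        if r.service not in INTERNET_FACING_SERVICES:
            findings.append(f"{r.name}: {r.service} in segment {r.segment} reachable from {r.source}")
    return findings


def audit_egress(routes):
    """Require exactly one default route, i.e. one documented way to the Internet."""
    defaults = [r for r in routes if ipaddress.ip_network(r.destination).prefixlen == 0]
    if len(defaults) == 1:
        return []
    if not defaults:
        return ["no default route: Internet access path undocumented"]
    hops = ", ".join(f"{r.name} via {r.next_hop}" for r in defaults)
    return [f"{len(defaults)} default routes found, expected exactly one: {hops}"]


def audit(tunnels, rules, routes):
    return audit_vpn(tunnels) + audit_firewall(rules) + audit_egress(routes)


# Constructed sample configuration with deliberate deviations.
SAMPLE_TUNNELS = [
    VpnTunnel("site-a-to-cloud", "AES-256-GCM", True),
    VpnTunnel("homeoffice-ssl-vpn", "AES-128-CBC", False),
]
SAMPLE_RULES = [
    FirewallRule("allow-vpn-in", "vpn", "0.0.0.0/0", "edge"),
    FirewallRule("allow-app-to-db", "db", "10.20.0.0/24", "data"),
    FirewallRule("allow-rdp-any", "rdp", "0.0.0.0/0", "management"),
]
SAMPLE_ROUTES = [
    Route("default-via-proxy", "0.0.0.0/0", "egress-proxy"),
    Route("default-via-igw", "0.0.0.0/0", "internet-gateway"),
    Route("to-hq", "10.0.0.0/8", "vpn-gateway"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_TUNNELS, SAMPLE_RULES, SAMPLE_ROUTES):
        print("FINDING:", finding)
```

Run against the sample data, the audit reports the home-office tunnel twice (no second factor, weak cipher), the RDP rule open to the whole Internet, and the second default route that bypasses the egress proxy. Each finding maps back to one checklist question, which is the point: the questions to the provider and to your own IT organization become testable statements rather than a one-time interview.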

It quickly becomes clear that the questions to your own IT organization and to a cloud service provider go deep. Blind trust can lead to the total loss of business over a longer period of time, as many customers of a cloud provider in France discovered after the data center fire. SPIRIT/21 and I are at your disposal if support is required in verifying cloud connectivity concepts and telecommunications services according to BSI Grundschutz or ISO 27002.

Patrick Fischer

Senior Consultant Network Security

Patrick is our company’s contact person for assessments in the area of BSI Grundschutz (baseline protection) and ISO 27001 and is responsible for projects in the area of network security.
