Cloud security

Focus on cloud security: strategies, architectures and contract models for protecting sensitive company data in a digitalized world

Data is a tool of the modern digitized economy, or the new gold of companies (private sector), but also for the state (public sector). In today's digitalized world, there is an unstoppable stream of new data sets that end up on the Internet in large numbers. Some of these data sets relate to personal data that represent a digital identity. The real art in a company is to filter this data carefully and, above all, to store it. The aim of this short paper is to show the data in a cloud and how it is processed from a company perspective. In addition, this short paper shows which types of contracts, architectures and suitable security measures against cyberattacks the industry takes in order to have a solid foundation for its own data processing.

Before we delve into the topic of cloud security, we first need to find out a few key facts about cloud computing, how it works and how a cloud is structured: "Cloud computing is a model of data processing that allows a shared pool of configurable computing resources (e.g. networks, servers, storage systems, applications and services) to be accessed conveniently over a network whenever and wherever required. These can be made available quickly and with minimal administrative effort or service provider interaction. The cloud can be used in three variants (Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (Saas)). The type of cloud differs depending on the type of provision (private cloud, community cloud, public cloud, hybrid cloud)" [1].

In the field of cloud computing, there are different types of provisioning, i.e. how cloud providers make cloud services available to their users. There are four main models associated with cloud computing:

1. public cloud

The public cloud enables all users to access computer resources such ashardware (operating system, CPU, memory) or software (application server, database) on a subscription or pay-as-you-use basis. Practical use cases include the development and testing of applications for critical and non-critical tasks, such as file sharing and email services.

2. private cloud

The private cloud is usually used explicitly by a single organization and can either be managed internally or managed by an external IT service provider. Although private clouds are often more expensive than public clouds due to investments in acquisition and maintenance, they more effectively address security and privacy concerns of organizations.

3. hybrid cloud (hybrid form of a physical data center or an external private cloud and/or a public cloud)

The hybrid cloud uses both private and public cloud infrastructures. Companies choose this model to quickly expand their IT infrastructure as required. For example, an online retailer can use public cloud resources during the vacation season to supplement or relieve the capacity of its private cloud.

4. community cloud

The community cloud supports several organizations that use computer resources together . These include, for example, universities that collaborate in specific research areas or state actors such as police departments within a county that share resources. Access to a community cloud is restricted to members of the community.

The cost to the end user is traditionally low for public clouds, without the need for major investment. Private clouds, on the other hand, do requireinvestments, but offer fundamental savings compared to the operating costs of your own infrastructure.savings in principle. Private clouds also guarantee more security and compliancecompliance support than public clouds. Therefore, some organizations use private clouds for business-critical or more sensitive data, applications and public clouds for basic tasks such as application development, test environments and email services.[2]

A hybrid cloud solution is a good way to mitigate or diversify the risks of a cyberattack. This offers greater control over your own security compared to the pure use of a public cloud. In addition, a hybrid cloud infrastructure offers the option of setting up individual security standards and configuring customized software on private servers.and configure customized software on private servers. This distribution leads to increased system reliability and better assessment of system problems.

In addition, the cost efficiency is higher than when buying and maintaining servers on site.[3]

Cloud service architecture models

Given these benefits of a hybrid cloud solution, ranging from increased security control to improved reliability, it is important to understand the different cloud service architectures. These architectures, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), offer different levels of service delivery and define different responsibilities for compliance.

1. infrastructure as a service (IaaS)

IaaS providers provide basic computing, storage and network infrastructure as well as the hypervisor for virtualization.hypervisor for virtualization. Users are responsible for creating and managing virtual instances, installing operating systems, providing applications and data and for the entire configuration. IaaS is interesting for both small and medium-sized companies. The simple operation of a cloud infrastructure that is not operated in-house is a cost-effective alternative to buying your own hardware.

Examples: DigitalOcean, AWS, Azure, Google Compute Engine.

2 Platform as a Service (PaaS)

PaaS providers extend the application stack more than IaaS by adding operating systems and middleware (e.g. databases). Users focus more on the development of applications. The platform manages the underlying infrastructure.

Examples: AWS Elastic Beanstalk, Google App Engine.

3. software as a service (SaaS)

SaaS providers offer a complete application stack. Users can access the fully hosted application via a web browser. The management of workloads and IT resources is completely under the control of the SaaS provider, while users have explicit control over data created by the application.

Examples: aBusiness Suite, Salesforce, Dropbox, Google Workspace.[4]

The cloud in contract law

SaaS contracts have not yet been explicitly addressed in law by the legislator. To date, a SaaS contract can only be legally classified as a mixed contract, which includes aspects of service, work and rental contracts. The applicable area of law therefore depends on the respective service section of the contract. The central component of a SaaS contract is primarily rental law, because the provision of software is best compared to the transfer of property under tenancy law. As the software is not considered a "thing" in the sense of tenancy law, the current view is that SaaS contracts represent a temporary transfer for use. This harmonizes with the regulations and the objective pursued by tenancy law.[5]

PaaS contracts are largely characterized by service level agreements (SLAs), whichminimum services and define the rights and obligations of both contracting parties.

Data protection and data security play a crucial role, as PaaS services often involve the processing of sensitive data. The contract must contain clear provisions onprotection of personal data. It is also essential to specify in the contract who owns the intellectual property of the applications created, with the user normally retaining ownership of the applications and the provider retaining ownership of the platform.[6]

Conclusion

Regardless of whether you are a startup, a venture capital firm, an SME or a larger company, cloud security is crucial for every company.

It is not only important to consider which cloud providers you want to work with as a companyproviders, but also which framework conditions are set.

Ultimately, security is not the sole responsibility of the cloud technology service provider per se, but the employees of a company play an equally important role in the security aspect of a cloud.

It is essential to regularly invest in employee training and awareness to ensure that employees have the necessary know-how to deal with security policies and procedures. However, to realize the full potential of a cloud, companies should invest both in maintaining their own systems or those of external partners and in recruiting new IT staff. In this way, a company can ensure system security and thus increase customer satisfaction, which will enhance the company's reputation in the long term.

A major sticking point when selecting an external cloud provider has always been the company'sdependence on foreign providers and their data protection regulations. Companies meet this challenge with measures such as thorough examination of data protection guidelines, hybrid cloud approaches to minimize risk, evaluations of security measures and provider certifications, data protection impact assessments, regular monitoring and audits and preparation for possible data protection breaches. The strategies vary depending on the size of the company and industry, but all serve the goal of ensuring data protection compliance and minimizing potential risks when dealing with external cloud services.

List of sources

Cloud computing
https://www.swissbanking.ch/de/themen/digitalisierung-innovation-cyber-security/cloud-computing

Cloud Deployment Model (2014)
https://www.sciencedirect.com/topics/computer-science/cloud-deployment-model

Understanding the cloud - do you know what a public cloud is and what a hybrid cloud is? (2023)
https://www.speechlive.com/at/blog/die-cloud-verstehen-wissen-sie-was-eine-public-cloud-und-was-eine-hybride-cloud-ist

What is IaaS? Definition and interesting facts
https://bsh-ag.de/it-wissensdatenbank/iaas-infrastructure-as-a-service/

Platform as a Service (PaaS) (2022)
https://www.computerweekly.com/de/definition/Platform-as-a-Service-PaaS

What you should look out for when drawing up SaaS contracts (2022)
https://www.top.legal/wissen/saas-vertraege

Platform-as-a-Service contracts (PaaS contracts): A guide (2023)
https://www.anwalt.de/rechtstipps/platform-as-a-service-vertraege-paas-vertraege-ein-leitfaden-216904.html


[6] cf. https://www.anwalt.de/rechtstipps/platform-as-a-service-vertraege-paas-vertraege-ein-leitfaden-216904.html (2023)

Secure what counts

Protect your servers. Around the clock.

  Buy Now   Download now Langmeier Backupfor
Windows Server

About the Author
Founder and CEO of Langmeier Software


I don't want to complicate anything. I don't want to develop the ultimate business software. I don't want to be listed in a top technology list. Because that's not what business applications are about. It's about making sure your data is seamlessly protected. And it's about making sure everything runs smoothly while you maintain full control and focus on growing your business. Simplicity and reliability are my guiding principles and inspire me every day.
 

Articles relevant to the topic
Which backup type is the best choice for my data?
Why are optimized business processes important for your company?
This is how important data backup is in real life


Post a comment here...

This article covers:
Cloud computing