Cloud Security in Brief

There are many challenges related to cloud services that both cloud service providers and buyers need to take into account. At best, the cloud service provider has taken good care of their part. The basics have not changed as such. The organization is responsible for the requirements that apply to them and also for their implementation. Normally, the organization’s threat model changes very little. In order to understand the impact of transferring functions and data to the cloud, it is necessary to set up a threat model for the current state and a threat model for the future. This gives a more accurate picture of how and where the cloud shift affects the operation.

There are basically three types of clouds: SaaS, PaaS and IaaS. Every model has threats, but in most cases the opportunities are greater than the threats. This does not mean that threats can be ignored: If services are transferred to the cloud uncritically, it will raise the risk levels – both technical and administrative – without the organization being able to do anything about it, or even notice it.

The approach to cloud services is either a business approach or an architectural one – focusing on business needs, business requirements, supplier management, risk management, technology and continuity. All of these include data security and data protection as components.

What Mint Security Delivers

We deliver skills and expertise

• for organizations utilizing cloud services
• for organizations delivering cloud services

Our experience gives us a seat on both sides of the table. In fact, cloud security is a combination of many things – there is no single lever for switching on cloud security. Cloud security is not technology, even though it is essential to know how to use technology in the right way (and refrain from using it the wrong way). Cloud migration can be a strategic or tactical tool for the organization. The introduction of a single SaaS service can be carried out with a short checklist and by scrutinizing the contract. In a more extensive IaaS outsourcing, the future of the whole company may depend on successful implementation.

For competitive reasons alone, the organizations delivering cloud services need to be able to discuss openly about data security and show how critical things are handled. Customers are enlightened – or bring an enlightened partner to the negotiating table – whereby the vendor must be able to demonstrate their excellence in a competitive environment.

Customer Needs and Challenges to Be Solved

It is important for customers to get some kind of strategic vision of what the cloud service solves and what it can achieve. In this regard, purchasing cloud services and migrating to them is like furnishing a home – moving stuff endlessly from one place to another without a vision or a clear goal is fruitless.

For organizations that use, buy or acquire cloud services, the following issues, among others, are important:

• Understanding what changes the new target state will mean for security (contracts, response times, licenses …)
• Understanding how the demands that have currently been solved can be migrated safely to the cloud with at least the same quality
• Cost consciousness and realistic forecasting of costs
• Validation and auditing of technical solutions
• User management and the organization’s identities
• Data protection
• Control and monitoring – transparency
• Continuity, availability of information – managing the organization’s business risks
• Automation

For organizations that produce cloud services, the following issues, among others, are important:

• What value promises can and should be marketed – what requirements may be imposed on the customer
• How to pack a variety of security levels
• How is the security of services measured and how is it demonstrated to the customer – how is this built into contracts
• How to handle vulnerability management and take care of the own environment
• Liability restrictions
• Data protection
• Control and monitoring – transparency
• Security capability of technical implementations
• Managing own commercial and technical risks
• Automation of security

More details about our methods and tools

Since cloud security is not a single lever but a combination of different (often quite traditional) things that are utilized in a new way, we use our entire service palette.