Virtually no company can do without IT services. With the ongoing digitization of business processes, the dependence on computer science becomes even greater. In addition, the complexity of the IT systems, both on the hardware and the software side, increases and thus the costs for computer science.

Cloud services offer a way out of this dilemma. There are several benefits to using cloud services, including:

• Use of standard software that a company alone could not have developed; a number of (large) manufacturers only offer their software as cloud services, a trend that is increasing;
• Variabilization of IT costs through the pay-as-you-use principle;
• lower IT costs, as the development, operation and maintenance of the systems do not have to be financed by themselves.

For a company, the use of cloud services means outsourcing important systems and data to a cloud; it massively enlarges its own system boundaries, and they become diffuse.

This puts a major dilemma in corporate management:

On the one hand, it wants/must go to the cloud in order to keep up with digitalization. On the other hand, there is a risk of losing control over IT. And at a time when IT is a critical success factor, it risks the reputation or even existence of the entire enterprise.

The solution to this dilemma is the goal of cloud security.

Cloud Security is more than just a tool

Cloud Security is not a tool that can be installed and all risks associated with using Cloud Services are included. Cloud Security is a bundle of individual measures that need to be coordinated. Good cloud security is based on a strategic approach and results from a combination of coordinated codes of conduct, processes and tools.

Identify the risks of cloud usage

Protection against risks can only be achieved if an undertaking knows the risks. In computer science, the term “attack vectors” has been formed; each vector is an approach to how an attacker can illegally gain access to systems and data in the cloud. Well-known examples of such attack vectors include phishing, bot networks, malware, DDoS attacks. Cloud services are exposed to specific attack vectors. These must be determined in a structured manner in order to design a resilient shield.

The specialists of e3 know the attack vectors from theory and practice. The experience gained from many projects is incorporated into these analyses.

Defining protective measures

Many cloud providers offer good protection against attacks at the technical level (network, operating system, databases). However, they cover only a part of the known attack vectors. At the application and data level, security is much more difficult to achieve. A company must therefore protect itself from many threats. What is the use of an encrypted network when employees transfer sensitive data to an insecure cloud application?

The e3 analyzes the relevant attack vectors with your specialists and derives specific protection measures. Behavioural measures (e.g. awareness campaigns) are combined with processes (adaptation of processes to the cloud) with a set of suitable tools from the e3 and other providers (shadow-IT detection, encryption, etc.).

Success control and optimization

the e3 will continue to accompany its customers after the implementation of the protection measures to ensure that the protection objectives have been met. In addition, new attack vectors are constantly appearing, it is a race between hackers and cyber defense experts. It is important to analyse new developments in good time and to adapt the protection measures to new threats.

IT is becoming more complex, despite or because of the use of cloud services. At the same time, a single company can reduce the capacity of its own IT specialists by using cloudservices. In addition, IT securityspecialists are expensive and a scarce resource on the labour market.

The e3 has a pool of proven ITsecurity experts. Not only are they well-educated, but they also have practical experience in cloud security that they have acquired in many customer projects.

the e3 has developed concepts that are used as a basis for the analysis of threat scenarios and defense measures. For example, the “Gated Community” concept provides a framework for protecting sensitive data over its entire digital life cycle, from end-user devices (incl. BYOD) to storage and use in various organizational units and legislatures according to the need-to-know principle.