Cloud security

Data has become the driving force of the modern digital economy—often referred to as the “new gold” for both private enterprises and the public sector. In today’s digitalized world, an unstoppable stream of new data sets is generated and made available online. Many of these data sets contain personal information, forming the basis of digital identities. The real challenge for organizations lies in carefully filtering, processing, and securely storing this data. This article aims to provide an overview of how data is managed in the cloud from a business perspective. Additionally, it highlights the types of contracts, architectures, and security measures that organizations implement to establish a solid foundation for secure data processing and protection against cyberattacks.

Before exploring cloud security in detail, it is essential to understand the fundamentals of cloud computing, its operational principles, and its structural models:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud can be utilized in three primary service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Deployment models include private cloud, community cloud, public cloud, and hybrid cloud.”^[1]

In the realm of cloud computing, there are several provisioning models that define how cloud services are delivered to users. The four main deployment models are:

1. Public Cloud

The public cloud allows all users to access computing resources—such as hardware (operating systems, CPUs, memory) and software (application servers, databases)—on a subscription or pay-as-you-go basis. Typical use cases include application development and testing, file sharing, and email services, both for critical and non-critical tasks.

2. Private Cloud

A private cloud is dedicated to a single organization and can be managed internally or by an external IT service provider. While private clouds often require higher investments in acquisition and maintenance, they offer enhanced security and privacy, making them ideal for organizations with strict compliance requirements.

3. Hybrid Cloud

The hybrid cloud combines private and public cloud infrastructures, enabling organizations to scale their IT resources flexibly. For example, an online retailer may use public cloud resources during peak seasons to supplement the capacity of its private cloud, ensuring seamless performance and cost efficiency.

4. Community Cloud

A community cloud is shared by several organizations with common interests or requirements. Examples include universities collaborating on research projects or government agencies, such as police departments within a county, sharing resources. Access is restricted to members of the specific community.

Public clouds are typically cost-effective for end users, as they do not require significant upfront investments. In contrast, private clouds demand higher initial investments but can offer long-term savings compared to maintaining on-premises infrastructure. More importantly, private clouds provide greater security and compliance support, making them suitable for business-critical or sensitive data and applications. Many organizations therefore use private clouds for sensitive workloads and public clouds for less critical tasks, such as development, testing, and email services.^[2]

A hybrid cloud solution is an effective way to mitigate and diversify the risks of cyberattacks. It offers greater control over security compared to relying solely on public cloud services. Hybrid infrastructures also allow organizations to implement custom security standards and configure software on private servers, resulting in increased system reliability and improved problem assessment.

Additionally, hybrid cloud solutions are often more cost-efficient than purchasing and maintaining on-premises servers.^[3]

Cloud Service Architecture Models

Given the advantages of hybrid cloud solutions—from enhanced security to improved reliability—it is important to understand the different cloud service architectures. The three primary models—Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)—offer varying levels of service delivery and define distinct responsibilities for compliance and data management.

1. Infrastructure as a Service (IaaS)

IaaS providers deliver fundamental computing, storage, and networking resources, as well as virtualization through hypervisors. Users are responsible for creating and managing virtual instances, installing operating systems, deploying applications, and configuring the environment. IaaS is particularly attractive for small and medium-sized enterprises, as it offers a cost-effective alternative to purchasing and maintaining physical hardware.

Examples: DigitalOcean, AWS, Azure, Google Compute Engine, Hetzner Cloud

2. Platform as a Service (PaaS)

PaaS providers extend the application stack by including operating systems and middleware (such as databases). This allows users to focus on application development, while the platform manages the underlying infrastructure.

Examples: AWS Elastic Beanstalk, Google App Engine

3. Software as a Service (SaaS)

SaaS providers offer complete application stacks that users can access via web browsers. The SaaS provider manages all workloads and IT resources, while users retain control over the data generated by the application.

Examples: Salesforce, Dropbox, Google Workspace, aBusiness Suite^[4]

Cloud Contracts and Legal Considerations

SaaS contracts are not yet explicitly regulated by legislators. Currently, a SaaS contract is considered a mixed contract, incorporating elements of service, work, and rental agreements. The applicable legal framework depends on the specific service components. The core of a SaaS contract is typically governed by rental law, as the provision of software is most comparable to the temporary transfer of property under tenancy law. Since software is not classified as a “thing” in the legal sense, SaaS contracts are viewed as temporary transfers for use, aligning with the objectives of tenancy law.^[5]

PaaS contracts are largely defined by Service Level Agreements (SLAs), which specify minimum service levels and outline the rights and obligations of both parties.

Data protection and security are critical, especially since PaaS services often involve processing sensitive information. Contracts must include clear provisions regarding the protection of personal data. It is also essential to define intellectual property rights for applications developed on the platform—typically, the user retains ownership of the applications, while the provider retains ownership of the platform itself.^[6]

Conclusion

Whether you represent a startup, a venture capital firm, an SME, or a large enterprise, cloud security is a critical concern for every organization.

It is not only important to carefully select cloud providers, but also to establish clear contractual and operational frameworks.

Ultimately, security is not solely the responsibility of the cloud service provider. Employees play an equally vital role in maintaining cloud security. Regular investment in employee training and awareness is essential to ensure that staff are equipped to handle security policies and procedures effectively. To fully leverage the potential of cloud solutions, organizations should invest in both the maintenance of their own systems (or those of external partners) and in recruiting skilled IT personnel. This approach ensures system security, enhances customer satisfaction, and strengthens the company’s reputation in the long term.

A major challenge when selecting an external cloud provider is the potential dependence on foreign providers and their data protection regulations. Organizations address this by thoroughly reviewing data protection policies, adopting hybrid cloud strategies to minimize risk, evaluating security measures and provider certifications, conducting data protection impact assessments, and performing regular monitoring and audits. These strategies, which vary by company size and industry, all serve the goal of ensuring data protection compliance and minimizing risks when working with external cloud services.

References

• Cloud computing: https://www.swissbanking.ch/de/themen/digitalisierung-innovation-cyber-security/cloud-computing
• Cloud Deployment Model (2014): https://www.sciencedirect.com/topics/computer-science/cloud-deployment-model
• Understanding the cloud – do you know what a public cloud is and what a hybrid cloud is? (2023): https://www.speechlive.com/at/blog/die-cloud-verstehen-wissen-sie-was-eine-public-cloud-und-was-eine-hybride-cloud-ist
• What is IaaS? Definition and interesting facts: https://bsh-ag.de/it-wissensdatenbank/iaas-infrastructure-as-a-service/
• Platform as a Service (PaaS) (2022): https://www.computerweekly.com/de/definition/Platform-as-a-Service-PaaS
• What you should look out for when drawing up SaaS contracts (2022): https://www.top.legal/wissen/saas-vertraege
• Platform-as-a-Service contracts (PaaS contracts): A guide (2023): https://www.anwalt.de/rechtstipps/platform-as-a-service-vertraege-paas-vertraege-ein-leitfaden-216904.html

Related articles

Which type of backup is the best choice for my data?
This is how important data backup is in real life
The advantages and disadvantages of the different Windows file systems

Post a comment here...