Cloud computing is a model that provides on-demand, convenient and needs-appropriate network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services). Resources can be quickly provisioned and released with a minimum of administration or with minimal interaction with the service provider. The services provided can be broadly divided into three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). A distinction is made in cloud service provisioning between public and private clouds. Hybrid cloud environments, in which organisations use both private and public resources, are also possible.
The main advantage of cloud computing is that it enables organisations to:
Procure and pay for computing resources on demand, avoiding the need for major up-front investment and incurring only variable operating costs instead.
Access a professionally managed technology package that is being constantly refined and improved, and which frees organisations up to focus on their core business model instead of implementing and operating the technology infrastructure required for that model.
Benefit from the economies of scale generated by the joint use of public cloud infrastructure by a large number of customers.
The trend towards provisioning cloud-based computing resources exhibits a number of similarities with companies’ transition from generating their own electricity in their own small generation plants to buying it in from large third party-owned power stations. Unlike power generation, however, cloud computing is dominated at global level by a few major providers whose services are not easily interchangeable. This has major consequences, as we will see below.
Large-scale cloud computing first became widely available when Amazon Web Services launched Elastic Compute Cloud in 2006. In the meantime, Amazon, Google, Microsoft and Alibaba have become the dominant players in global cloud infrastructure. The availability of cloud computing infrastructure has led to the proliferation of Software as a Service offerings (e.g. Salesforce, ServiceNow, Microsoft 365, etc.).
Switzerland has not been a leader in cloud computing roll-out, not least because of concerns about compliance (including privacy) and security. Momentum is building, however, as cloud services have reached maturity in terms of security and controls (and the associated transparency), and major global providers (Google, Microsoft, AWS) have now opened cloud computing centres in Switzerland.
The key cyber risks associated with cloud computing are:
Compliance: Processing data in accordance with applicable legislation, requirements and organisational guidelines is not a straightforward task, given that the legislation, requirements and organisational guidelines in question can be contradictory, ambiguous or drafted with a more traditional technological infrastructure in mind. Furthermore, there is a general trend towards greater regulation of data processing, and this restricts free data flow because of data protection or national (security) interest concerns.
There are also concerns that certain laws and requirements contain provisions that could be broadened or misused, enabling (foreign) government agencies to gain access to organisations’ data via the cloud provider (e.g. US CLOUD Act or China’s Cybersecurity Law). To reduce this risk, organisations should proceed carefully when choosing a cloud provider and make sure that the contract with the provider includes provisions governing third-party access, including in particular foreign government agencies. End-to-end data encryption, in rest state as well as for data transfer, is another sensible measure.
Shadow IT: Organisations often have difficulty understanding where and how their data is processed. This is because departments frequently use cloud infrastructures and applications such as Google Drive, Dropbox or Slack to circumvent established governance mechanisms that are typically enforced by the organisation’s IT department. The result is a shadow IT system that does not comply with existing corporate guidelines and possibly does not have appropriate security controls.
Security and resilience: The fact that public cloud providers centralise data from a large number of customers on their computing infrastructure makes them an appealing target for cyber attacks. This problem is mitigated to a certain extent by the fact that the large cloud providers have the resources and expertise to implement and operate state-of-the-art security controls. Nevertheless, organisations that use cloud services should have a detailed understanding of how access to cloud-based data is controlled and supervised, and what can be done to protect the confidentiality and integrity of this data.
This often includes data encryption during data transfer and in rest state. However, data is largely unencrypted while it is being processed. The associated risks should be evaluated and handled accordingly, with the potential risks in terms of data confidentiality and integrity being compared and contrasted with improvements in resilience as regards availability. Thus a risk-based approach with corresponding measures and security controls is required here too.
Cloud migration: To exploit the expected benefits, the changeover to cloud computing should be accompanied by a transition to more agile and frequently automated operating processes for IT development, provision and security. The changeover to cloud computing therefore often goes hand-in-hand with the implementation of new methodologies such as (Sec)DevOps, which require substantial change in terms of organisation and practice.
Harmonising controls: Although responsibility for data remains with the companies that use cloud computing services, these companies have to be able to rely on cloud providers properly applying and implementing a significant part of the necessary security controls. It is therefore crucial to harmonise the control mechanisms used by customer and provider, to monitor the effectiveness of the controls and to establish responsibilities. Cloud providers often have themselves accredited to external standards (e.g. ISO, PCI, DSS, FIPS, etc.). Such accreditation aids customers significantly since it relieves them of the need to conduct their own audits or due diligence checks of cloud providers.
Even though it is not a cyber risk, the challenge created by vendor lock-in – i.e. the impossibility of changing cloud provider on technical or other grounds – should nevertheless be mentioned here. In certain situations, changing provider may be the only possible way of appropriately mitigating the cyber risks discussed above. The trend towards multi-cloud solutions of the type offered by the major cloud providers and other technology companies, as well as the growing use of container solutions that can be migrated from cloud provider to cloud provider, are helping reduce this risk.
Switzerland has no legal framework for cloud computing. Legislators and regulators should familiarise themselves with the basics, opportunities and risks of cloud computing so that they can provide intelligent legislation and regulation.
- Research into secure data processing (including homomorphic encryption1, pseudonymisation, confidential computing, trusted execution environments and others) and the development of related products should be promoted.
- International regulations such as the US CLOUD Act or China’s Cybersecurity Law have already been discussed by Switzerland’s financial industry and public sector and backed up by legal opinions on the subject. Application in other sectors could create a need for renewed discussion.
Research into secure data processing (including homomorphic encryption1, pseudonymisation, confidential computing, trusted execution environments and others) and the development of related products should be promoted.
Cloud computing has become an indispensable part of everyday life. Legislation and regulations that have an impact on data processing or operational models (data protection laws, cyber risk requirements, etc.) should take account of the new situation, carefully weighing up the risks and opportunities for business and civil society.
Organisations must understand the impact of cloud computing beyond the purely technical considerations.
- Develop an understanding of the opportunities presented by cloud computing with reference to business and operating models, improved innovation, product roll-out time, etc.
- Carefully weigh up the opportunities and risks; understand the options for minimising risk.
- Only move data and applications to the cloud if a suitable cloud strategy is in place. The shift should be treated as an organisational change project (rather than purely technical migration). Moreover, care must be taken to ensure that the risks are understood and effectively minimised.
NIST: https://csrc.nist.gov/publications/detail/sp/800-145/final
Cloud Act: https: //en.wikipedia.org/wiki/CLOUD_Act | https://www.gpo.gov/fdsys/pkg/BILLS-115hr1625enr/html/BILLS-115hr1625enr.htm
DevOps: https://en.wikipedia.org/wiki/DevOps
China Internet Security Law: https://en.wikipedia.org/wiki/China_Internet_Security_Law
Umberto Annino, Microsoft | Matthias Bossardt, KPMG | Dani Caduff, AWS
Endre Bangerter, BFH | Alain Beuchat, Banque Lombard Odier & Cie SA | Adolf Doerig, Doerig & Partner | Stefan Frei, ETH Zurich | Roger Halbheer, Microsoft | Katja Dörlemann, Switch | Pascal Lamia, BACS | Martin Leuthold, Switch | Hannes Lubich, Board of Directors and Consultant | Luka Malisa, SIX Digital Exchange | Adrian Perrig, ETH Zurich | Raphael Reischuk, Zühlke Engineering AG | Ruedi Rytz, BACS | Riccardo Sibilia, DDPS | Bernhard Tellenbach, armasuisse | Daniel Walther, Swatch Group Services | Andreas Wespi, IBM Research
