Cloud Platform Security Archive - SITS

With DevOps, software development (Dev) and operations (Ops) grow together. Tools for process automation, continuous integration and teamwork between Dev and Ops units promote the efficiency of the entire development process. Agile development not only has advantages such as high software quality, innovative ability and rapid deployment, but also a flipside: Isolated security models become less effective because security checks and optimizations must now encompass the entire DevOps lifecycle and interlock.

DevSecOps: Security without breakpoints

DevSecOps has established a model that considers security aspects and procedures as an integral part of the development process from the very beginning, instead of treating them as a separate phase or post-processing, as was previously the case.

The goal is to identify and resolve security gaps at an early stage despite the heterogeneous collaboration between devs and ops and to be able to take preventative measures. This not only creates a culture of shared responsibility, security measures and tools now also cover the entire DevOps lifecycle.

This begins with the design and definition of security requirements and objectives as well as the selection of suitable architectures and technologies. Proven practices, tools and resources have also established in the Microsoft cosmos. First and foremost, this includes the Microsoft Security Development Lifecycle (SDL). SDL integrates security strategies and procedures into all phases of the development process, from planning, design and implementation to testing and maintenance. To reduce vulnerability to attacks during the development phase, tools such as the Microsoft Security Code Analysis Tools have proved their reliability. They make it possible to automatically and continuously check the developed code for vulnerabilities and fix them before the application enters the production environment.

Once the deployment has been defined in the specifications, a continuous integration and deployment pipeline (CI/CD) is advisable. It includes security tests and checks for each step: services such as Microsoft Azure DevOps Services can be used to create and manage the pipeline, for example, while components such as Microsoft Azure Security Center protect and monitor the applications and infrastructure in the cloud.

Protection for containers and microservices

However, new security strategies are also necessary when it comes to the implementation of container technologies and microservices. The following tools are generally used to identify and eliminate vulnerabilities in container images and microservices:

  • Microsoft Azure Container Registry uses trusted sources for container images and includes regular updates to close known vulnerabilities.
  • Microsoft Azure Defender for Container Registries scans container images for vulnerabilities before they enter the CI/CD pipeline.
  • Microsoft Azure Kubernetes Service (AKS) is used to implement security policies and rules for container orchestration and execution.
  • Microsoft Azure Monitor and Azure Sentinel are suitable for monitoring the status and behavior of containers and microservices and responding to anomalies.

Finally, to manage and protect the access and use of sensitive information in DevOps pipelines, secure storage locations such as Microsoft Azure Key Vault have become popular. Merging Azure Key Vault with DevOps tools, such as Azure DevOps Services, enables DevOps teams to automate authenticated access to sensitive content during the build and deployment process.

Preventing cyber attacks

Microsoft has also prepared a package to protect the DevOps infrastructure against potential threats such as DDoS attacks and other cyber attacks. These solutions include Microsoft Azure DDoS Protection. It enables adaptive and intelligent detection and defense against attacks that target normal application traffic patterns. In addition, Microsoft Azure Firewall offers the option of filtering and monitoring the incoming and outgoing data traffic of Azure resources. The filtering and logging of traffic follows various criteria, such as applications, protocols, ports, sources and destinations, ensuring centralized network security control for the DevOps infrastructure. Another significant step towards protecting modern DevOps environments is Microsoft Azure Sentinel. The cloud-based security information and event management (SIEM) platform collects security data from various sources, analyses them using artificial intelligence (AI) and machine learning (ML) and visualizes them for comprehensive security monitoring and analysis.

API: The weakest link in the chain

To ensure the security of APIs and other interfaces, development teams often use Microsoft Azure API Management, Azure Application Gateway and Microsoft Entra ID. These services cover a wide range of functions, including centralized management, protection against web threats and identity management. Furthermore, Microsoft Azure DevOps Services can be used to perform various tests such as static code analysis, dynamic application security tests and penetration tests.

Finally, Azure Security Center enables the monitoring and remediation of security risks and vulnerabilities in DevOps resources. To address security risks related to open source components and frameworks, it is recommended to use Microsoft Azure Defender for App Service to regularly scan for known vulnerabilities and Azure Application Insights to monitor and improve application performance and reliability. Finally, it is advisable to integrate solutions such as Microsoft Azure Sentinel, Azure Backup and Azure Site Recovery for incident response and disaster recovery into the DevOps environment.

No DevOps without Sec

What is certain is that DevSecOps is essential if agile development methods are actually to be used for business-critical purposes. This is especially relevant because security threats are constantly on the rise in an increasingly digitalized world. Traditional approaches, in which security is only considered at the end or in parts of the development process, are no longer sufficient. By integrating “security from the start” into the DevOps lifecycle, security vulnerabilities are identified and remedied at an early stage. DevSecOps also promotes a proactive security culture in which developers, operations teams and security teams work together to ensure that applications and systems are robust against security threats.

Microsoft 365 Copilot - Is your company ready for AI?

  • Microsoft 365 Copilot is an artificial intelligence that is directly integrated into Microsoft Office programs, SharePoint and Exchange Server.
  • The system supports employees in everyday tasks and thus increases the efficiency of different departments.
  • The introduction of Copilot has significant implications for companies’ data protection and therefore requires comprehensive coordination and guidance.

Assessment of Copilot Readiness

The licensing of Copilot for Microsoft 365 represents a significant change to a company’s IT security architecture compared to the use of ChatGPT, Gemini or other AI assistants based on Large Language Models (LLM). Unlike ChatGPT & Co., Copilot does not just access predefined data. The Microsoft tool retrieves additional information from the Internet and – even more importantly – from the company’s own database. Copilot uses data from the SharePoint server, for example, and can also access emails, chats and documents via Microsoft Graph. This means that information that was previously only available locally in the data of individual employees and groups may also be visible in Copilot’s responses and content.

``The implementation of Copilot in an organization may have an impact on existing GDPR compliance, depending on how Copilot is used and what data is being processed. It is therefore advisable to re-check compliance after the introduction of Copilot to ensure that no breaches or risks arise.``

Oliver Teich (Strategic Consultant)

Check and/or implement authorization models

Microsoft itself advises in the Copilot documentation: “It is important that you use the permission models available in Microsoft 365 services such as SharePoint to ensure that the right users or groups have the right access to the right content in your organization.”

It is not enough to check the permissions of users and groups. Other access paths such as guest access, local SharePoint permissions, share links and external and public access should also be carefully reviewed.

Note: People who do not belong to your company can also have access to data via shared team channels.

Note: Copilot does not accept any labels assigned via Microsoft Purview Information Protection (MPIP) in its responses. Although the system ensures that only data that is relevant to the respective user is used for AI-generated content, the response itself does not receive an MPIP label.

Overall, a strict need-to-know policy should therefore be implemented in the company. With Copilot, it is more important than ever that employees only have access to the data that is relevant to their respective tasks. It is advisable to implement a zero-trust architecture based on the principle of least privilege, or at least a strict review of all access permissions if this is not possible.

Checking the data protection policy

Microsoft claims that both Microsoft 365 and Copilot comply with the General Data Protection Regulation. The company promises on its website: “Microsoft Copilot for Microsoft 365 complies with our existing privacy, security and compliance obligations to Microsoft 365 commercial customers, including the General Data Protection Regulation (GDPR) and the European Union (EU) Data Limitation Regulation.”

``Check whether you need to carry out a data protection impact assessment (DPIA) for the use of Copilot. A DPIA is a systematic analysis of the impact of data processing on the protection of personal data.``

Oliver Teich (Strategic Consultant)

Evaluation of additional agreements

However, the German Federal and State Data Protection Conference (DSK) and other supervisory authorities, such as ENISA, think that the Data Protection Addendum (DPA) offered by Microsoft does not adequately meet the requirements of European data protection law. They recommend that companies conclude an additional data processing agreement with Microsoft or at least review this carefully. The State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia describes in a handout which considerations are important here. Essentially, the experts recommend: “A supplementary agreement to the DPA to be concluded between the controller and Microsoft should make it clear that this supplementary agreement takes precedence over all conflicting contractual texts included by Microsoft and takes precedence over these in the event of a conflict.” This supplementary agreement should regulate the following points, among others:

  • Microsoft’s own responsibility in the context of data processing for business activities that are triggered by the provision of products and services to the customer,
  • Obligation to follow instructions, disclosure of processed data, fulfillment of legal regulations
  • Implementation of technical and organizational measures in accordance with Art. 32 GDPR
  • Deletion of personal data and
  • Information about sub-processors.

If such agreements have already been made or evaluated, they should at least be subjected to a new data protection impact assessment as part of the Copilot roll-out.

Data might leave the boundaries of the Microsoft 365 service

In general, Microsoft promises that all data in the Microsoft 365 system will be stored and processed within the EU. In the context of Copilot, however, the company points out two exceptions to this principle:

  • For example, a graph-based chat can be linked to web content. In this case, a Bing query required for this can also contain internal company data – and thus end up at Microsoft. To be on the safe side, all Bing functions of Copilot should therefore be deactivated.
  • Plugins can also be installed for Copilot. Here, Microsoft explicitly recommends: “Review the privacy policy and terms of use of the plug-in to determine how it handles your organization’s data.” Companies that use Copilot should therefore generally not allow plug-ins in the system or require a separate data protection and risk assessment for each plug-in used.

Review IT security strategy

In a study on the use of AI language models in companies, the German Federal Office for Information Security (BSI) comes to the conclusion that, in addition to many advantages, these systems can also harbor new IT security risks or increase the threat potential of known IT threats.

The BSI therefore advises: “In response to these potential threats, companies or authorities should carry out a risk analysis for the use of large AI language models in their specific application before integrating them into their work processes. They should also evaluate misuse scenarios to determine whether they pose a threat to their workflows. Based on this, existing security measures can be adapted and, if necessary, new measures can be taken and users can be informed about the potential dangers.”

Before introducing the Copilot system, companies should therefore urgently gain an overview of the current status of their IT security architecture. To this end, not only Microsoft 365, but also all other programs, apps, services and plugins used should be checked. Microsoft itself recommends the introduction of a zero-trust model for Copilot.

Works council may be required to approve AI deployment

The start into the AI future cannot be decided by management or the IT department on its own. As a system such as Copilot has a significant impact on workflows and processes, an existing works council must be involved in the planning of the introduction or for a pilot project itself.

As the AI systems can monitor the performance and behavior of employees, the works council has a right of co-determination and can even demand the conclusion of a works agreement on the use of AI.

Employee training

Probably the most important step in the introduction of the Copilot system in Microsoft 365 is the training of employees. The following points should be communicated clearly and comprehensibly to all those who will later work with Copilot:

  • The AI’s results should never be accepted without verification. Microsoft itself admits: “The answers generated by generative AI are not guaranteed to be 100% reliable.” This somewhat slippery wording means that AI sometimes invents information. So before relying on the data provided by Copilot, it should always be checked by employees independently of the Copilot system. This is because Microsoft only provides Copilot information as part of its best-effort quality guidelines and therefore assumes no liability for the accuracy of the system’s statements.
  • The use of Copilot means that a so-called semantic index is created for each user. This is used to create content in future that sounds authentic and corresponds to the user’s style. To do this, the AI analyzes the characteristics and habits of its users over several weeks.
  • All requests to the AI are initially saved and can later be viewed by the user (and senior administrators) at any time in the Copilot interaction history. This applies not only to entries in applications such as Word, PowerPoint or Excel, but also to team meetings in which Copilot’s automatic transcription function has been activated.
``The creation of individual language profiles for individual users can be compatible with EU data protection law if a number of factors are taken into account and complied with. Copilot offers various options for controlling and managing the creation of individual voice profiles for individual users, for example by selecting the data sources, setting the data protection level and the deletion, accessibility and correctability of the data by the user.``

Oliver Teich (Strategic Consultant)

Ready for the AI revolution with Copilot

Copilot offers great possibilities: It simplifies everyday work, automatically creates conference recordings, designs presentations and prepares data in an easy to read format. However, these powerful capabilities also mean far-reaching intervention in a company’s data protection structure.

The introduction of the Copilot system must therefore be organized, supported and managed at many levels. Only if a company is fully prepared for the AI assistant can it take full advantage of the system’s possibilities and opportunities. If, on the other hand, mistakes are made during implementation, there is a risk of actual data protection leaks in the office architecture as well as regulatory problems.

Are you enthusiastic about cloud applications and services due to their numerous advantages or are you primarily concerned about data leaks and other issues? In the latest State of Cloud report, 70% of the companies surveyed stated that more than half of their IT infrastructure is already operated in the cloud. At the same time, according to another survey, 97% of cloud applications in companies are not approved at all because teams or individual employees are using online tools without knowledge or approval. In this context, the analysts at PwC call cloud attacks the “biggest cyber risk in 2024“. The number of companies that have recently suffered a data breach with damages of more than one million US dollars has risen from 27% to 36% compared to the previous year. Reason enough to focus on the topic of cloud platform security: You need to pay attention to this now to protect data, systems, reputation and employees in the best possible way.

Initial situation: The biggest threats to cloud services and data

To reliably secure cloud infrastructure, the challenges that can lead to data leaks, compliance problems and immense costs must first be highlighted. Three key trends can currently be identified: Cloud native malware, attacks on cloud-based AI platforms and software supply chain risks. Although public clouds can be found in almost all areas today, the security network and implementation often seem to suffer. IT teams are therefore called upon to rework hastily built or poorly designed cloud infrastructures to make them more efficient, reliable and cost-effective.

Risk 1: Beware of cloud native malware
With the increasing connectivity of cloud services and growing data transfer between different cloud platforms, the risk of being victimized by cloud-native malware is also increasing. Such malware specifically targets cloud environments and exploits vulnerabilities in cloud infrastructures and applications. Some are spread via cloud storage and collaboration tools.

But that’s not all: threats also lurk in new infrastructures, including edge systems for data-intensive use cases, non-x86 architectures for specialized workloads, serverless edge architectures and 5G mobile services.

Risk 2: The curse and blessing of AI – attacks on cloud-based AI platforms
Another field that is becoming increasingly important in terms of cloud security is – unsurprisingly – artificial intelligence. In a global survey by McKinsey, a third of all respondents stated that their companies already use generative AI on a regular basis, and the trend is rising. AI can be a valuable tool in the fight against security threats. On the other hand, attackers are also increasingly relying on AI to expand their arsenal of weapons and exploit the trust that developers place in automated systems. Experts predict that AI-driven attacks will increase in 2024, forcing rapid adjustments. This will require ever smarter AI-based security measures that can not only identify threats in real time, but also predict and prevent them.

Risk 3: Software Supply Chain Risks
But that’s not all, because attacks on the supply chain have also become increasingly important in recent years. Imagine a single line of code, hidden in a framework, bringing your entire digital world to a standstill: this is what software supply chain security is all about. As with any supply chain, the security of your software is only as strong as the weakest part of the system. More and more companies are falling victim to software supply chain attacks. If users and assets are distributed all over the place, this additionally increases the risk of attacks. Hackers can either exploit supply chains to gain important insights or they can cause damage within supply chains. Cyber criminals are increasingly focusing on exploiting vulnerabilities in third-party services, such as software or code that are critical to production or Continuous Integration (CI), Continuous Delivery or Continuous Deployment (CD).

The good news: Gartner analysts predict that global spending on security and risk management will amount to 215 billion US dollars in 2024, an increase of 14.3 percent compared to 2023. Companies therefore appear to be aware of the threat.

The bad news: Experts from the international Cloud Security Alliance criticize insufficient cloud security expertise. According to the latest study, 77 percent of respondents do not feel adequately prepared for security threats.

It is clear that the cloud is a completely different environment to an on-premise application. Therefore, cyber security teams that copy and paste security policies into the cloud will quickly realize that this approach won’t work. Since the cloud is predisposed to automation and speed, native cloud security tools are a key requirement. However, such tools require expertise, otherwise companies will soon be faced with environments that their teams are not equipped to protect. It’s about implementing tools that are optimized for cloud environments. Investment must also be made in cloud security training. This includes knowing current guidelines and requirements. We have compiled the most important ones.

These are the security guidelines and specifications you need to know

Compliance with security guidelines and legal requirements, for example within the EU, is essential for companies that use cloud services. This is the only way to ensure the confidentiality, integrity and availability of important data and avoid potential administrative fines and legal consequences.

  • General Data Protection Regulation (GDPR): The GDPR, or General Data Protection Regulation, came into force in 2018 and applies to all companies that process personal data of EU citizens, regardless of where the company is based. The GDPR sets strict requirements for the security of personal data, including data processing in the cloud. Cloud service providers must implement appropriate security measures to meet the requirements of the GDPR.
  • NIS Directive: The Network and Information Security Directive, or NIS for short, is an EU law that aims to strengthen the security of network and information systems throughout the European Union. It obliges operators of central services and providers of digital services to take appropriate security measures to ensure cyber security. This includes securing cloud infrastructures used to provide these service.
  • ISO/IEC 27001: ISO/IEC 27001 is an international standard for information security management systems (ISMS). Although it is not a legal requirement, it is often used as a best practice guideline for securing information and data in companies. Many European companies using cloud services require their cloud service providers to be ISO/IEC 27001 certified to ensure that appropriate security controls are implemented.
  • Cloud security certifications: There are also various cloud security certifications that have been developed by European authorities and organizations to assess and guarantee the security of cloud services. Examples include the Cloud Security Alliance (CSA) STAR certification program and the EuroCloud Star Audit. They help to select trustworthy cloud providers that meet high security standards.
  • National laws and regulatory requirements: In addition to the EU-wide directives, certain European countries have specific national laws and regulatory requirements relating to the security of cloud services. You should be familiar with these specific regional regulations and ensure that your cloud infrastructures comply with the respective requirements. Examples for Germany: The Federal Data Protection Act (BDSG) regulates the handling of personal data in Germany. The IT Security Act 2.0 is an extension of the IT Security Act and aims to strengthen the security of critical infrastructures in Germany. The Technical Guideline BSI TR-02102 of the Federal Office for Information Security (BSI) provides recommendations for the secure use of cloud services in German federal authorities and organizations.

Conclusion Cloud Platform Security

Well-planned user management, policy compliance, accompanying security tools and cloud adoption strategies help to reliably control data and devices in the cloud in 2024 and beyond. To ensure that the cloud only provides advantages and does not mutate into a data-guzzling thundercloud, it is worth relying on profound expertise.