Date: 7 Feb 2024

Author: PREO AG

On-Premise vs. Cloud


Potential vulnerabilities that are often overlooked

Almost every major company is involved in cloud computing and uses cloud services to varying degrees and intensities. Most IT departments have been working on comprehensive cloud strategies for some time or have them on their agenda. However, with the move into the cloud, whether as a hybrid architecture or a total cloud solution, cloud-specific security risks also increase. For this reason, large, globally active companies and cloud providers in particular are investing billions in securing cloud infrastructures worldwide. If you want to minimise the security risk effectively, you should keep an eye not only on the major risk scenarios, such as the availability of the physical infrastructure, targeted cyber attacks or vendor lock-in, but also on the smaller, indirect vulnerabilities.


In this blog post, we therefore look at the following potential cloud security risks: digital end devices, multi-cloud and shadow cloud, and the human risk factor. We also use a practical example to show why companies are abandoning the cloud in whole or in part, and not just for security reasons, and are instead opting for tried-and-tested on-prem solutions.


Cloud security risk of digital end devices

All digital end devices with which users access cloud services require the same high security standards as the cloud infrastructure itself so that they do not inadvertently become a gateway. Especially in large companies or organisations that work across locations and countries, this can become a constant challenge that consumes a lot of time and resources. Just keeping the large number of end devices in circulation (PCs, laptops, tablets and smartphones, but also servers or network printers if they are connected to the cloud) at the currently required security level is literally an unachievable task. As a result, IT departments often standardise device security to a great extent and under-dimension it, because indirect risks, for example interface problems, are not sufficiently taken into account.


Cloud security risks: multi-cloud and shadow cloud

While smaller companies often use only one or a few cloud services, medium-sized companies or corporations usually opt for a multi-cloud solution as part of their cloud strategy. The aim is to maintain the flexibility, availability and security of the required resources at a consistently high level and, in particular, to avoid excessive and one-sided dependence on a single cloud provider, as with vendor lock-in. The combination of a public cloud for standardisable and easily scalable workloads and a private cloud for sensitive data and applications is particularly popular. However, as with all system interfaces, the interfaces between these clouds are a preferred target for attacks in cloud computing and should be given high priority within the IT department as part of cloud risk management.

The well-known but often underestimated phenomenon of the shadow cloud, which usually goes hand in hand with another phenomenon, so-called cloud sprawl, is more difficult to deal with. The uncontrolled spread of cloud software, for example on employees' personal cloud accounts or on departmental accounts with more or less well-secured public cloud providers, is an ideal gateway for cyber criminals. As a rule, the internal IT department is unaware of this shadow IT, meaning that no specific security precautions have been taken. The risk is therefore particularly high and, depending on the attack scenario, can quickly threaten the business viability of the entire company. To minimise it effectively, it is important that companies continuously identify and manage shadow IT systems and either integrate them into the official IT strategy or replace them with secure alternatives. To do this, it is necessary to create awareness of the existing security risks in all organisational units, for example through regular training or self-learning courses.

Cloud security risk: humans

Cloud attacks are usually most successful when human error is involved. Typical examples are vulnerabilities due to incorrect administration or interface configuration as well as errors in the application. Active cloud risk management, from regular tests to targeted simulated attacks on the existing IT infrastructure, ensures that these vulnerabilities are uncovered as early as possible and closed preventively.


The human factor takes on a further security-relevant dimension in the area of digital identities. If a digital identity is illegally taken over or stolen, the associated roles as user or administrator can also be misused. Even virtual machines are increasingly becoming users of cloud services. Active identity and access management (IAM), integrated into the IT security strategy, is therefore correspondingly important when it comes to minimising cloud security risks.

Back from the cloud - why medium-sized company Swedex is going back to on-prem

Swedex, a medium-sized company based in Essen with around 300 employees, learnt that a total cloud solution not only poses a security challenge, but can also result in a cost spiral that is sometimes difficult to calculate. The consequence: the medium-sized company, one of Europe's leading providers in the field of document presentation, no longer wanted to accept both the dynamic rise in costs and its dependence on a large cloud provider and looked for an independent and affordable alternative. The result: after three years in the Microsoft cloud, those responsible opted for on-prem operation again. The integration of used software licences from PREO resulted in enormous savings of around 100,000 euros in ongoing licence costs. More information on this and other customer cases can be found here.


Extensive range of used volume licences 

PREO offers companies, organisations and public administrations a large selection of used volume licences for current and older versions of standard software from market-leading manufacturers such as Microsoft and Adobe. Whatever the need for used software, with PREO small and medium-sized companies as well as large organisations have all the advantages on their side:


  • High savings on ongoing licence costs of up to 70 percent compared to the respective new version.

  • 100 percent legally compliant and audit-proof licence acquisition with maximum transparency in all processing steps, including complete documentation in the PREO "Easy Compliance" licence portal.

  • Many years of expertise in the integration of used software licences into classic network structures or hybrid licence models.

  • Existing software licence management capacities for large IT infrastructure projects with thousands of workstations and cross-border locations.

  • Active contribution to reducing the CO2 footprint in the IT sector by entering into a resource-conserving circular economy, including the extension of software and hardware cycles.

  • Convincing reference projects for numerous well-known companies from a wide range of industries.

By the way: PREO is happy to purchase obsolete and no longer required software at attractive conditions. Our licence experts will be happy to advise you personally and prepare a free and non-binding offer.