Interview with Steven Rymell
Security for the cloud connection
The large volumes of data that are now being generated in industry are increasingly being moved to public clouds. Hybrid architectures are being used for this. Steve Rymell, Head of Technology, Cybersecurity, at Airbus CyberSecurity, explains what this means for IT and data security.
Hybrid architectures combine in-house IT and public clouds. What impact does this have on the security of the entire structure?
In the course of digitalization and the associated competitiveness, requirements such as availability, scalability and automation are becoming increasingly important. This is why more and more services are being moved to cloud infrastructures. Companies often use their existing IT infrastructure and connect it to the hosted services in the cloud.
It is easier to influence security guidelines in your own IT infrastructure than in public clouds. The providers are responsible for the basic infrastructure of the cloud, so some of the responsibility for security issues is transferred to the cloud provider and it is no longer possible to exert any direct influence. However, before a company decides to outsource services to a public cloud, an assessment must first be carried out from a security perspective. Typical questions are as follows:
- How are the interfaces between the two infrastructures secured?
- Can existing identity and access management solutions be used, or are other services from the company's own infrastructure also required by public cloud services?
- Does data created in the cloud require special protection?
- How can the guidelines of the General Data Protection Regulation be complied with?
- Are the applications already designed for public cloud infrastructures?
- How can the often highly dynamic applications be monitored?
- How can network bottlenecks between your own static IT infrastructure and the highly dynamic public cloud infrastructure be avoided?
In order to be able to provide the right answers here, the processes must be worked out in the form of an IT security concept before starting to implement both infrastructures.
As hybrid architectures become more widespread, complexity also increases. This means that the potential attack surface increases dramatically, while securing the perimeter at the edge of the network becomes less important. CISOs are now faced with the challenge of combining control and security responsibilities into a common concern. Faced with an ever-changing and more sophisticated threat landscape, they must therefore review their policies and technology choices to create an integrated, holistic and viable security strategy.
It gets even more complex with multicloud concepts. What else needs to be considered?
Basically, multicloud refers to the connection of several cloud implementations of the same type, for example the connection between two public cloud or two private cloud implementations. In principle, the procedure is similar to the first question. Similar issues must be considered and worked out in the form of a security concept. Only then should the implementation of the two infrastructures take place.
Multicloud concepts increase complexity by supporting multiple tools, APIs and internal protocols. In such scenarios, it is likely that different security practices will be required depending on the type of cloud service used, i.e. IaaS, PaaS or SaaS, as it is essential to perform a full risk-benefit analysis.
Which tools are absolutely essential for user companies - and why?
Unlike a company's own data centers, full access to cloud environments operated by third-party providers is not possible. While cloud providers offer basic metrics, they often don't have enough context and detailed insights for real-time operational monitoring and threat detection. Cloud Application Security Brokers (CASBs) address these and other security gaps in organizations' use of cloud services. CASBs provide detailed visibility into and control over user activity, consistent policies and governance simultaneously across multiple cloud services for users or devices.
How can the security requirements be implemented with firewalls?
Firewalls are an important tool for a company to achieve its security goals. Firewalls are used to segment systems with different trust levels. This allows communication types and topics to be controlled at the boundaries of these trust zones. The most obvious application is to control external access to a company's internal network. However, it is also advisable to have multiple security zones within an internal network. This means that if an attacker gains access to one area of a network, they are still prevented from moving through the entire company network. Examples of different trust zones could be: different departments (e.g. accounting & HR), different functions (e.g. IT & OT) and the separation of valuable commercial and proprietary data.
What impact does the IIoT have on security concepts in the manufacturing industry?
Security engineering is a clearly defined discipline in which systems are analyzed and modeled in such a way that required security standards are reliably and consistently met. Many applications of IIoT have so far mainly been designed to introduce additional information into a system in order to optimize issues such as efficiency, usage and maintenance. It is paramount that when IIoT devices are introduced into the realm of safety-critical applications, the same standards are applied when certifying the devices (e.g. reliability and failure statistics) for a given function and that the same level of analysis and modeling is used. This analysis should also take into account the additional cyber attack surface that may arise when adding these IIoT devices to an operational environment.
Which protocols must firewalls also cover in industrial applications?
Industrial firewalls must be able to understand protocols that are communicated in the data packets they process. Simpler IT-type firewalls typically look for indicators such as source and destination address and port number to decide whether the packet meets the security parameters. Industrial firewalls must also perform this primary inspection, but it must be supplemented by deep packet inspection to understand the context of the transmission. Is the user trying to send a command packet to start a pump or open a valve? Is this user/endpoint allowed to make this type of change to the system? These additional layers of inspection can provide valuable security features, and some industrial firewalls can also perform an IDS/IPS function, further enhancing system security.
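The two firewall answers above (segmenting a network into trust zones, and industrial deep packet inspection that asks "is this user allowed to send this command?") can be illustrated together in code. The following Python sketch is an added example, not code from the interview or from Airbus CyberSecurity: it assumes Modbus/TCP (port 502) as the control protocol, a constructed zone layout (an IT office network, an OT engineering network and a PLC network) and constructed sample frames, and shows a packet first passing an ordinary address/port check and then a second, application-layer check on the Modbus function code, so that an office host may read registers from a PLC but only an engineering host may write a coil.

```python
import ipaddress
import struct

# Trust zones (constructed for this example): subnet -> zone name.
ZONES = {
    ipaddress.ip_network("10.1.0.0/16"): "it_office",
    ipaddress.ip_network("10.2.0.0/24"): "ot_engineering",
    ipaddress.ip_network("10.2.1.0/24"): "ot_plc",
}

# Layer 3/4 policy, as a classic IT firewall would apply it:
# (source zone, destination zone, destination TCP port).
L4_POLICY = {
    ("ot_engineering", "ot_plc", 502),
    ("it_office", "ot_plc", 502),   # read access for dashboards; narrowed by DPI below
}

# Standard public Modbus function codes used here (assumption: plain Modbus/TCP).
FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
            4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}

# Application-layer (DPI) policy: which function codes each source zone may issue.
DPI_POLICY = {
    "it_office": READ_FCS,              # monitoring only, no process changes
    "ot_engineering": READ_FCS | WRITE_FCS,
}


def zone_of(ip):
    """Map an IP address to its trust zone; anything unknown is untrusted."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def parse_modbus_tcp(payload):
    """Parse the MBAP header and PDU of one Modbus/TCP request.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2), unit id (1);
    PDU: function code (1), then function-specific data.
    Raises ValueError on a malformed frame so the caller can drop it.
    """
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    frame = {"transaction": tid, "unit": unit, "function": fc}
    data = payload[8:]
    if fc in (5, 6) and len(data) == 4:   # single coil/register writes carry addr+value
        frame["address"], frame["value"] = struct.unpack(">HH", data)
    return frame


def decide(src_ip, dst_ip, dst_port, payload):
    """Return (verdict, reason): first the L3/L4 zone check, then Modbus DPI."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if (src, dst, dst_port) not in L4_POLICY:
        return "DROP", "no rule %s->%s:%d" % (src, dst, dst_port)
    if dst_port != 502:
        return "ACCEPT", "non-Modbus flow, L4 rule only"
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "DROP", "malformed Modbus: %s" % exc
    fc = frame["function"]
    name = FC_NAMES.get(fc, "unknown")
    if fc not in DPI_POLICY.get(src, set()):
        return "DROP", "%s may not issue FC %d (%s)" % (src, fc, name)
    return "ACCEPT", "%s FC %d (%s) to unit %d" % (src, fc, name, frame["unit"])


# Constructed sample frames (not captured traffic):
# Read Holding Registers, unit 1, start 0, quantity 10.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
# Write Single Coil, unit 1, coil 0x0010, value ON (0xFF00): "open the valve".
WRITE_COIL_ON = bytes.fromhex("0002 0000 0006 01 05 0010 ff00".replace(" ", ""))

if __name__ == "__main__":
    for src, payload in [("10.1.5.7", READ_HOLDING), ("10.1.5.7", WRITE_COIL_ON),
                         ("10.2.0.5", WRITE_COIL_ON), ("192.168.9.9", READ_HOLDING)]:
        print(src, "->", "10.2.1.20:502", decide(src, "10.2.1.20", 502, payload))
```

The ordering matters: the zone/port check rejects most traffic cheaply, and only flows that legitimately reach port 502 are parsed. A real industrial firewall would additionally track the TCP session, validate responses, and log each DROP as an IDS-style alert; those parts are left out here.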