IT risks such as log4j can be easily fended off with cloud native technologies. Because: “Managed services from the public cloud offer SMEs many security advantages,” says Sönke Ruempler from superluminar. “Today, classic security mechanisms are no longer effective,” says Max Wippert from inovex. What SMEs should know about the public cloud.
Head of Project Management and Quality Assurance inovex
Winter in Germany – summer in the Caribbean. The boss is finally getting that longed-for time off. Why shouldn’t he, as the company is on a roll. So, just a quick check of emails and off to the beach. But instead of sand under his feet, he gets a spanner in his works. The access to the company’s IT system is down. Maybe it’s just a minor outage? But better safe than sorry. In no time at all, the phone line to the IT department is out of order – not to mention the holiday! No one in the office can open files. The company network is offline. Orders can’t be processed. All bad enough, if it weren’t for the shutdown of the servers that control manufacturing: The factory is at a standstill.
Log4j: Fend off IT threats with cloud native technologies
Ransomware attacking company servers in SMEs – At the beginning of December, a vulnerability in the widely used Java library log4j alarmed the IT world. This breach makes arbitrary program code execution by third parties possible. While this rapidly became a serious problem for many companies, it was calmly dealt with by the IT service provider QAware: “We patched our containers once and then rolled them out everywhere,” says Managing Director Dr. Josef Adersberger. “Within 24 hours, we had updated all systems while they were running.”
Modern cloud native technologies such as containers make it possible to avert threats on a more agile basis. While IT staff in SMEs would otherwise have to interrupt ongoing business processes to distribute patches manually, applications and IT systems can be administered more easily in the public cloud, which also equally shifts risks and workloads to the provider. And unlike monolithic legacy applications, cloud native software is composed of standardized components: loosely coupled components that can be centrally managed wherever they are in operation and – in the case of security risks such as log4j – that can also be centrally updated.
Cloud native in SMEs: know-how, tools, and experts
“Managed services from the public cloud offer SMEs many security advantages,” says Sönke Ruempler, Co-founder of superluminar. “Classic security mechanisms, such as penetration tests after a major release, are no longer effective today,” says Max Wippert, Head of Project Management and Quality Assurance at inovex. Current figures from the European Union Agency for Cybersecurity show where the problems now lie: 66 percent of all attacks target the code in the software supply chain. A code such as that which lay dormant in log4j. “To prevent this, SMEs need know-how, tools and, above all, experts who know where to look,” says Wippert.
Experts such as QAware, superluminar, and inovex. The three specialist cloud native providers represent approximately 20 others who are already involved in the cloud native initiative EuroCloud Native (ECN). In 2020, the ECN was launched under the umbrella of EuroCloud Deutschland to pool the interests of mostly young companies or startups, to foster exchange, and to create transparency. “Especially when it comes to security and public cloud, there is a lot of need for clarification in Germany,” says Ruempler. “On the one hand, companies fear technological lock-ins, but on the other hand they ignore the fact that self-developed applications present precisely such a lock-in.” These are lock-ins which have consequences for IT security: When individual software can hardly be updated in the server room, doors are open to third parties with sinister motives.
Cloud native applications in SMEs: securely managing agile meshes
Whether it’s via application programming interfaces (APIs), microservices, open-source software, or containers: “Today’s IT landscapes connect decentralized and public infrastructures,” says Wippert. “The public cloud brings all the strands together into a high-performance and agile mesh of applications, apps, and services.”
A mesh that, on the one hand, has to be managed securely – because the success of the entire system depends on the function of each small component. And a network that not only makes business models more flexible and that newly defines value creation, but that also automatedly and intelligently regulates itself in circumstances where hacks target software. The central prerequisite: “A landscape that is always up-to-date and patched,” says Wippert. “Otherwise, public cloud applications can be rapidly compromised.” Why this is so: IT invaders use the intelligent and automatic mechanisms to find loopholes, to scale attacks, and to maximize damage.
Public cloud mitigates unauthorized logins, vulnerable libraries, and DDoS attacks
“The components of cloud native applications are all interdependent,” Ruempler says. “Those who rely on managed services have to hand over responsibility for security to the respective cloud platforms, but then they get to take advantage of the full range of security features.” Amazon Web Services (AWS), for example, offers services that are fully automated to defend against unauthorized credential use and distributed denial-of-service attacks. Other services detect when developers inadvertently publish databases or continuously scan for vulnerable libraries and code packages, as was the case with log4j. It’s a different story when companies implement their own apps, use customized container images, or configure virtual machines. “Those who program on a customized basis have to ensure themselves that their own code is secure in the end,” says Ruempler. “In the cloud native world, a customized code is not an asset, but rather a burden that requires continuous maintenance.”
Whether it’s firewalls, logical layers, or the segregation-of-duties principle, “‘Never Change a Running System’ can be looked back on as a ‘once upon a time’ approach,” says Wippert. “Cloud native software is never finished and must be continuously adapted, refined, further developed, and updated, even in terms of security,” says Ruempler. This is the only way to keep applications up-to-date and secure. How it looks in many SME companies is somewhat different. Wippert: “Those who conserve the existing status in the server room lose the technological connection and end up even adapting their own company processes to software.” A wrong approach and an attitude that runs counter to cloud native technology: “If you cultivate a standstill, platforms will inevitably patch you at some point in order to close security breaches,” says Ruempler.
Security in the software supply chain: verify, sign, certify
“In a system made up of many agile managed service components, the risks are not limited to the applications developed in-house,” says Wippert. “The supply chain now in use must also be taken into account, which requires special skills and tools. This is the only way, for example, to adequately address security risks brought about by compromises in open-source code.” Take colors.js, for example: the popular open-source library colors text in command lines. As Ruempler says, “It’s easier for those who program to keep track of things.” In early January, the developer made its own software unusable. Not to do harm, but to send a message: Too often, open-source providers are still too poorly paid by users. “AWS was also affected by the problem,” Ruempler says. If attacks exploit such mechanisms with malicious intent, they target the casual matter of course with which the cloud native ecosystem meshes in a highly automated manner. “That’s why it’s important to continuously verify and minimize everything that moves in the software supply chain in terms of data, services, or services to prevent attack vectors from appearing in the first place,” Ruempler says.
“In the SME sector, there is only partial knowledge concerning what cloud native security entails,” says Dr. Nils Kaufmann, who heads the ECN. “Often, companies just want to get into the cloud.” The problem: “Those who are then not properly familiar with it quickly make mistakes,” says Kaufmann. “If you’re using AWS for the first time, you’ll just find a box full of screws and bolts, so to speak,” Ruempler says. “If you want to use these to assemble high-performance and secure applications, you have to know how to tighten the screws and bolts.” To take the example of the open-source product superwerker: Together with the provider kreuzwerker, superluminar provides an AWS setup for beginners that also includes the baseline services required in terms of security. “In the public cloud, everything can be purchased in exchange for small coins,” says Wippert, “but anyone who moves into the cloud native world and thinks in terms of long-term release cycles is on the wrong track.”
Core business or cloud operation: SMEs need to prioritize
What the experts recommend to SMEs en route to the cloud: “Prioritize!” says Kaufmann “And ask yourself how important applications, apps, and software actually are for your own business model,” says Wippert. “While everyone needs electricity,” says Ruempler, “hardly anyone produces it themselves, but buys it in.” A recent joint survey by ISG and ECN shows that 85 percent of companies already using or planning to use cloud and cloud native technologies already consider it important or very important to work with specialist cloud native providers. The IT market researchers surveyed 200 IT managers from companies with 50 or more employees in Germany.
Nils Klute is IT Editor and Project Manager Communication Cloud Services at EuroCloud Germany. He is responsible for content marketing activities on topics such as GAIA-X and AI, supports initiatives such as Service-Meister, EuroCloud Native or systems integrators on their cloud journey. Prior to his start at eco in 2018, Nils worked as a corporate journalist for IT corporations (like SAP, T-Systems, and QSC at Cologne-based communication agency Palmer Hargreaves) and previously held public relations positions at market and economic research institutions.