There is no reason why companies shouldn’t discuss moving to the cloud. The benefits—such as flexibility, lower costs or greater operational security—are too promising for that. But what do company managers need to know about the security aspects in the context of cloud migration? This much is definitely true: a company will only genuinely benefit from greater cybersecurity if the specifics of the collaboration with the cloud provider are governed by contract.
Something that seems uncomfortable from an IT administrator perspective offers considerable advantages when viewed by managing directors, CEOs, CISOs and other decision-makers: migrating individual applications or even whole data centres to the Cloud. Administrators fear a loss of control and deterioration in the availability of outsourced applications if the respective hardware and software are no longer in-house. But companies can cope with this discomfort—because ultimately cloud services providers generally operate their data centres at a higher level than even bigger SMEs are able to do.
Starting with physical security—entry controls, intruder protection—and through fire protection to multiply redundant provision of emergency power supplies or network infrastructure, for Cloud data centre operators the higher expenditure is a basic requirement for successful customer acquisition. Without these measures, no corporate client would sign a contract with them. And for that reason decision-makers can be certain that the availability of outsourced applications is not going to drop off due to migration.
But what about actual cybersecurity? Here, too, professional operators come out well, as they generally have their own cybersecurity teams looking for signs of successful attacks round the clock. But that brings us precisely to the crux of the matter, which many cloud users only become aware of after the contract has been taken out: the services of such specialists can only be called upon if they have previously been assured under contract. Negotiations with cloud providers are therefore by no means a task solely for the IT specialists. Company management also needs to be sitting at the table, in order that contracts are framed to be as watertight as possible.
That’s because even services which would be a matter of course in-house, such as backups or installing antivirus software, are often only performed by cloud service providers if they are contractually obliged to do so. To say nothing of more challenging issues, such as encryption of dormant data or transferred data. When it comes to encryption, the customer also needs to ensure that all key material is in its possession and does not come into the possession of the provider.
When it comes to compliance issues such as the General Data Protection Regulation (GDPR), companies themselves remain obligated. They need to ensure themselves that all the requirements of the GDPR are satisfied, irrespective of whether the data are held locally or in the cloud. The only exceptions are where cloud providers give a contractual assurance that they are dealing with GDPR compliance. Additionally, potential cloud users should check to ensure that the operator is certified under recognised standards such as ISO 27000 or BSI C5.
In order to eliminate the notorious “shadow IT” (hardware and software used by employees without the knowledge of the IT department) via cloud migration, plenty of reflection by company and IT managers is called for regarding the choice of cloud offerings. That’s because if employees find they are missing key tools, such as solutions for team communications or file storage, despite migration, they may simply and unceremoniously book the necessary cloud services themselves—without IT knowing about it. As far as possible, company managers should prevent this, since data leaks can readily come about through these services (which are then used without monitoring)—thereby increasing the risk of infringing the GDPR. Conversely, where specialists for IT and cybersecurity define the aims of migration jointly with company management, such risks can largely be excluded.