Migrate to Cloud Services without jeopardizing Security and Compliance

Cloud computing will provide many companies with new opportunities and strengthen their competitiveness, but don’t forget due diligence before jumping to the cloud. Jeopardizing security and compliance will hurt your business in the longer run.

Companies want to achieve all the great benefits of cloud computing, but are they aware of the risks related to ignoring the security and compliance aspects of the decision? Many companies are lacking a cloud policy and the decision about buying cloud services is often insufficiently evaluated in regards to security and compliance.

The Cloud Hangover

In line with the past couple of years’ trend within IT business, your company is likely to already have started on or soon will be considering migration to cloud services due to a positive business case. The decision is typically driven by a wish to focus internal resources on business support rather than implementing and operating IT systems. Awareness about the benefits of cloud computing benefits is rising continuously.

Cloud technology can revolutionize your business operations, if you act wisely. Don’t forget to take into concern tomorrow’s issues, however. By doing so, you can avoid imposing a “cloud hangover” to the organization. As a decision maker, you must keep in mind that your company is accountable for adequate protection of company data and compliance with law and regulations. This goes in particular to companies with a need for storage of Personally Identifiable Information (PII).

The “cloud hangover” starts to kick in when the migration results in governance and compliance issues, loss of control, data loss and privacy risk, and risk of intellectual property theft. Furthermore, the cloud providers’ security and compliance controls are often not transparent and adjustable. These are all potential elements in a “cloud hangover” which can hurt your business – but which can also be prevented if you act wisely beforehand.

Are Cloud Services Less Secure?

It would be misleading to conclude that cloud services are less secure than in-house services. There is no ‘the cloud’; many different cloud providers offer different types of services. In fact, there are numerous examples of cloud vendors who perceive security and compliance as a foundation for their service and who provide a more extensive level of security than the typical company can afford.

The level of security controls must correspond to the business criticality and data classifications. For instance when requiring confidentiality, companies must demand security controls like data encryption and private key management, which can turn out to be irrelevant for storage of public classified information. The cloud delivery models (public, private, and hybrid) also impact the required security controls, as the delivery models have different characteristics and associated risks.

Maintain Control

When companies embark on traditional outsourcing, they typically have much more control which makes the risk of organizational “hangovers” smaller. They negotiate contract terms and obligations to ensure that the contract supports their business demands. Conversely, the cloud providers are often less flexible and agile in regards to contract terms because they want to stick to standard terms. It is crucial to choose a viable provider (also in regards to financial stability) to ensure business continuity and maintain control.

It is also important to have a plan in place for terminating a cloud service if the need arises in the future. The plan must support migration to another cloud provider or even to an in-house solution. There might be a lack of standards between cloud providers making it difficult to integrate different cloud solutions or ultimately migrate from one cloud provider to another. We all want to avoid being locked into a provider, or to become hostage in an expensive transition project.

Risk and compliance requirements do not disappear when migrating to cloud services. Keep in mind that it is still about computers – just someone else’s computer. When considering cloud services, there is a tendency to be calmer when specifying the requirements. It is still important to ensure that the required operational, compliance and security controls are applied to the company’s data when migrating to cloud services.

How to Take the First Steps towards Cloud

Begin with a due diligence phase focused on security and compliance. Make sure that you are aligned with the business and understand the business criticality and impact of a confidentiality breach, data integrity issue and prolonged service unavailability.

Then, conduct a data classification assessment of the different data types in regards to confidentiality and compliance with law and regulations. Knowing the confidentiality level and compliance requirements in regards to data is particularly important when specifying the security controls and service requirements.

Having completed these assessments, you can proceed by evaluating the different cloud delivery models and market offerings, including taking a closer look at the cloud provider’s terms and conditions for delivering and terminating the services.

It is all about knowing your business needs and mitigating the inherit risks to the business. Of course, your company could choose to accept a higher risk level, should the value of benefits justify it. The key is to make informed choices.

We are ready to assist you

NNIT has a large number of information security specialists ready to assist you. Together they have an enormous range and depth of competencies. We also have our own Cyber Defense Center, and if lightning strikes, we respond and assist you. Fast.