Security in the cloud: it’s worth asking the right questions

The majority of office workers still work from home and the question arises as to whether the home office can be established permanently. With this questionnaire, companies are on the safe side.

According to a current OTRS survey, the vast majority of respondents (83 percent) believe that the Corona crisis has opened a new corporate trend towards more digitization and home office. What is certain is that IT systems have to be adapted for permanent mobile work.

The issue of security is also very important. Many companies are now increasingly thinking about entering the cloud. Thanks to the flexible access that employees have to the data in the cloud, no matter where they are, they can usually work just as efficiently from home as in the office, and companies do not have to fear a loss of productivity.

One hurdle when stepping into the cloud is that companies believe that they have to make themselves dependent on one manufacturer, since cloud environments usually have to be tailored to the needs of a company.

Biggest fear when switching to the cloud: security

Another big sticking point where the introduction to the cloud often fails is security. I only recently worked with a company in the retail sector. Fearing that purchase prices in the cloud might not be sufficiently protected and might be visible to others, it decided not to use the cloud.

Switching to a cloud-based solution actually means relinquishing control of your own environment to some extent in order to achieve flexibility and scalability. In today’s world where cyber attacks are proliferating, this can be a difficult decision to make.

Examples from the media show again and again how critical the handling of data can be: sensitive information is suddenly disclosed through hacker attacks and causes great damage. In view of the failure of the EU-US Privacy Shield, which means that a legal basis for data transfer from the EU to the USA has ceased to exist, as well as the increase in home-office work, the issue of data security is becoming even more pressing.

Despite the loss of control and fears about data security, I would like to motivate companies in these times to take the step to the cloud if it makes sense in view of employee interests and company productivity.

Therefore, before deciding on a cloud-based service provider, companies should find out how their own data is processed by external service providers. I have put together 12 questions that offer a good orientation when choosing the right service provider:

12 security questions for cloud-based service providers

1. Have you experienced security breaches?

What happened and what was done to prevent the incident from happening again? How is your security incident management organized?

2. Which certifications are there?

How and when are you checked for compliance?

3. How is data encrypted when it is exchanged?

How is stored data encrypted? How often are keys changed or updated?

4. What backup procedures are there?

Are backups encrypted?

5. Where is the data center located?

Which procedures are implemented for the security of the data center? Access control? Fire protection? Measures against power failure?

6. What authentication requirements have been introduced?

7. Are logs kept and for how long?

Who has access to these?

8. What patch management processes do you have?

9. How is data segmentation ensured?

10. What are your monitoring procedures?

What is the process of mitigation and notification when attacks are identified?

11. Are components of the service provided by third parties?

If so, which ones, and what data protection measures do they have in place?

12. What happens to our data when the contract is terminated?

There is not always one right answer to the questions, but when companies discuss these with their potential new service providers, they get a good feeling for the data protection of the service provider. For the client, the goal is to identify the security level that it needs in the respective situation and to compare this with the responses from the service provider. In this way, companies can clearly assess whether the provider’s security practices offer the level of protection they need. All agreements on the subject of data protection should also be contractually regulated before cooperation begins.

Create awareness of cloud security – also in other departments

In addition, senior management should discuss the issue with other departments so that they understand the importance of being careful when working with cloud-based service providers. Targeted training courses help to create awareness of high-risk situations. It is not uncommon for employees to register prematurely for a new service or tool because they want to improve their work and do not recognize the security risk that could be associated with it. It makes sense to have a process that ensures that an IT team routinely participates in the decision-making process when signing up for new cloud-based services.

Even if evaluating the security aspects may seem time-consuming, it is worthwhile. For most companies, it is too time-consuming to provide services that cloud providers offer, such as 24-hour monitoring or physical 24/7 security for a data center, themselves. The pricing model based on resources used or per user can also be very advantageous.

Despite security concerns, sales of cloud solutions are increasing: a forecast by IT market researcher Gartner assumes that the global market for cloud computing will grow to 278.3 billion US dollars by 2021.


A step into the cloud can therefore make sense, especially with regard to permanent mobile work – but only with a corresponding security check in advance.

