The migration and integration of data into cloud services is in full progress in many industries. During implementation, it often becomes apparent that the approach in companies is sometimes still the wrong one. What path should be taken to properly address aspects of security and data protection in the cloud environment according to today's standards? We spoke to Mark Großer, Managing Consultant and Security & Compliance expert at Detecon. Read part 1 of 2 of the interview here.
Detecon: Many companies are considering how to integrate cloud services into their own processes. What is the current situation with cloud applications in industrial companies?
Mark Großer: We observe a certain heterogeneity in the industrial sectors when it comes to the application of cloud services. Basically, every company has to consider the question: Am I going to the cloud - yes or no? If so, in which way and why? First of all, the question should be: What is actually the benefit of it? The cloud myth says that especially cost savings are the main priority. However, much more important are the factors of flexibility, efficiency, future viability and innovation options, also for new business models. At the same time, companies are required to maintain data security, compliance and data protection when using cloud solutions. We observe that the "Schrems II" question has brought entire cloud projects to stagnation. If data is processed internationally - e.g., if it is transferred to a non-EU country - there is currently uncertainty: "Are we allowed to do that?" The EU General Data Protection Regulation (EU GDPR) is behind this. It requires a review of the adequacy of the level of data protection if the GDPR does not apply in the "target country" or "third country". In general, this is of course possible, but be careful with generalised statements. This will not become easier in the future; on the contrary, it will become even more complex. But: it can be solved - already now!
Basically, it is the task of every company to protect its own data and information (assets) - as in the traditional "on-prem" world. The situation in the cloud is technically different, but it contains the same information that is still worth protecting.
The starting point is different: some companies already use one or more platforms in a multi-cloud environment. Others deliberately want to integrate additional cloud solutions into their environment only for specific services. Often, tried-and-tested on-prem solutions simply reach their performance limits, or the software and hardware are no longer maintainable or are expensive to maintain, or - not infrequently - special skills are required for operation, but the employees concerned are likely to retire.
Cloudification is therefore not proceeding in the same way in all sectors, but gradually and with varying speed and intensity. Automotive companies, for example, are already quite far along; many insurance companies are in the midst of a changeover wave and have already shifted services to the cloud. Overall, however, it can be observed: Everyone is dealing with it, and new "vertical" cooperations between technology providers and companies from all sectors are emerging, also with regard to the IoT world. And yet: many IT services and processes are still being structured for cloud use.
Is everything solved if I, as a company, acquire a proven cloud provider as part of my vendor strategy? What else should be taken care of?
Unfortunately, this is not enough. Many think that a tool solves everything. A colleague of mine says: "A fool with a tool is still a fool". Those who assume that cloud providers have already clarified and delivered all important aspects can be mistaken - especially with regard to security and privacy elements. Even at the initiation stage or in contract negotiations and workshops, this is not as clear and unambiguous as it seems. If I choose the wrong service level agreements, it can really come to a horror scenario: If I terminate the contract, I will be in for the nasty surprise of receiving CDs with my own data - unstructured - as a data retransfer. Admittedly, this is striking - but it has already happened.
What process mistakes do companies often make when integrating cloud services?
Many act according to the motto: "I adapt my company to the tool and not the tool to the company". This raises the question: who controls what? This is a challenge for governance in companies.
Different efforts in the introduction processes also naturally result from cultural differences. In the competition between systems, we in Europe place by far the highest value on individual data protection compared to the data-driven, capitalist USA and China, which is now also a technological leader but authoritarian. However, the result is that implementations of cloud processes in the USA or China are comparatively quick and smooth, while we are busy with good intentions, but rather complex European solutions and regulations and the development of our own alternatives such as GAIA-X. The discussion about Cisco, Huawei and a few other remaining vendors was similar - there used to be Siemens and other network equipment suppliers in Europe. Now we are faced with a choice of products when selecting technology providers, but actually it seems like a "proxy war" of systems. Who do we want to trust? Also, and especially, Brexit does not make this any easier - despite transition periods granted during which the UK is not considered a third country under data protection law.
Here in Europe, questions of law, such as the international transfer of health data following the Schrems II ruling, are coming to the fore. Where may these data be located? Here, the fundamental rights trade-off is between freedom and security versus efficiency and usability in the cloud! In the course of the pandemic, even aspects of (survival) life and health are opposed to data protection.
The interview was conducted by Gerhard Auer.