Tag Archives: Tag 3

The Cloud is Someone Else’s Computer

Almost every day, you can read about “data richness”. This is a jargon term for when, all of a sudden, a company’s data is
available to everyone on the Internet; very often such data can be found in “the Cloud”. On the one hand, of course, a
company wants to avoid this, but at the same time it needs to remain efficient and competitive. Cloud computing in every
form is a must-have to increase efficiency. But what do you have to pay attention to, so you don’t end up as the victim of
a super data breach that’s all over the news? What is really important? As always, the answer to this question is not easy.

Encryption only offers limited protection

First of all, you have to understand that you are handing over your data. This fact must never be overlooked: encryption
protects data that is not currently in use and secures it during transmission. However, when it is in storage for processing,
data is always unencrypted. Even the best encryption is of no use, as anyone who can access the storage can also access
the data. So the next question is: Who has access to this storage? The Cloud provider will definitely have access, and
depending on the legal situation in the country of the provider, the authorities of the respective country may also have
access. This leads to the trust issue: Who can I trust to look after my data? Is outsourcing compatible with the duty of
care? Does the Cloud provider have the necessary expertise in security matters? Is the Cloud provider certified in
accordance with ISO and are SLAs provided?

Classifying data by confidentiality

With these issues in mind, data must be classified in terms of confidentiality. Securing the data can then be carried out in
a classic manner, according to the principles of “Need to Know” and “Least Privilege”, which determine which data can
be processed “outside” and which date can only be processed internally. First drafts of patent applications do not belong
on a Cloud drive! Once it is clear what data is in the Cloud, it is necessary to ensure that it cannot be manipulated without
authorisation, and that manipulation is detected immediately. Here, the same rules apply as within the company’s own
infrastructure: the technical implementation of encryption and integrity checks must meet the latest and highest standards.
Data which has been manipulated may give competitors unprecedented advantages on the market. Compliance with these
rules should be checked regularly and by an independent source.

Why Cloud Security Really Matters

Those who have implemented all of this correctly and defined their data classification, taking into account their “cloud
suitability” in their Security Policy can be considered to be on the safe side. It goes without saying, that the same, or even
more stringent security measures apply to servers and storage in the Cloud as they do to internal systems. In this case,
too, an audit may be useful, as an independent party always has a better insight compared to an internal point of view
which might be biased. So, what really matters is to be aware that a Cloud is someone else’s computer, to draw the right
conclusions from this, and to have a clear idea on what it is appropriate to do there, and what it is better to avoid.