Many private individuals, but also companies, are reluctant to use clouds or take full advantage of their possibilities because they fear for the security of their data. Is this concern justified and what are the potential risk factors when using this storage medium?

Eckhard Schaumann, RSA Security. © RSA Security.

There is no reason to describe a cloud solution as less secure than local data storage. In fact, the opposite is true: most established cloud providers work very professionally and have implemented processes and (security) standards that can rarely be met or even surpassed by in-house operated stationary data centers. The same applies to IT security and includes everything from protecting individual files to securing data centers. In comparison, cloud providers undergo additional intensive certification and are therefore usually subject to stricter regulations. Concerns are more of a legal nature and are raised at the level of international data protection regulations. Since the "Patriot Act" as part of the anti-terrorism measures in 2001, US authorities have been granted extensive access rights to national data. However, many German companies have already recognized the advantages of contract data processing within the European Economic Area and have created the contractual requirements in terms of data protection and data security.

What options do companies have to be on the safe side when dealing with clouds?

The best way to host data in compliance with data protection regulations is to use cloud platforms from the EU. The legal requirements here are stricter than in the USA, for example. In addition, special Data Processing Agreements (DPA) can be concluded. The scope and purpose of data storage and further processing are thus contractually regulated between the parties and at the same time guaranteed by the EU General Data Protection Regulation (GDPR). In this way, it can be ensured that cloud providers only process the data on behalf of and on the instructions of the company. The "commissioned data processor" authorized in this way thus has a comparable legal position to an internal data center of the company. Ultimately, the Patriot Act is therefore no reason to refrain from using clouds. Above all, it is important to negotiate and, if necessary, renegotiate contracts with foresight and in compliance with data protection regulations.

How can you help companies to set up and maintain cloud solutions and how do you establish trust in the solution?

In order to set up cloud solutions as a company, it is usually necessary to standardize or adapt the IT infrastructural processes in such a way that the integration capability of existing applications in cloud offerings is guaranteed. In most cases, there are various options for parameterizing the cloud applications or slightly adapting the configuration, but the principle of "use-as-designed" always applies and should always be considered when migrating and realigning processes. Cloud-based system solutions cannot be customized to the same extent as is the case with the installation of stationary "on premise" structures - this must be clearly communicated.

What will change for users and employees after moving local data to the cloud?

Cloud migration should not be rushed. Many migrations can take months or even years. However, the IT infrastructure is only gradually converted and there can always be restrictions during the process. However, there is always the option to use new features live during the migration and therefore it is not necessary to wait until the last dependency of an individual product has been clarified before being able to access the new versions, as is the case with local applications. However, users should be prepared to find that their familiar IT environments and applications have not been "moved" one-to-one to the cloud. Cloud migration is always accompanied by a minor or major change process within the company and, as mentioned, can take time. For many customers, the aspects of the cloud dominate to such an extent that they already obtain many services from the cloud and pursue a cloud-first strategy for every new service to be established. At RSA, we see cloud development from two perspectives: On the one hand, we offer security solutions that make cloud and on-premise applications secure at the same time. On the other hand, our own products themselves. We already have many cloud-based SaaS security solutions - and we expect to see much more in this direction in the near future.

Has the use of clouds actually changed in the course of the coronavirus pandemic, and if so, to what extent?

In any case, a change in usage behavior can also be observed due to an increased demand for cloud solutions compared to the pre-corona period. IT infrastructure strategies and investment priorities were adjusted during the crisis phase. In addition, many companies have created opportunities to maintain their regular operations - and have had to switch to digital (cloud) solutions that would not have been implemented so quickly otherwise. There could have been no "business as usual" on the basis of purely stationary solutions, as remote technologies and cloud services were the only way to ensure access to servers and communication between colleagues - from anywhere and at any time. Just think of the explosion in demand for video conferencing solutions and the example of Zoom. A relief for many companies during the crisis: IT service support could be passed on to the cloud provider and thus outsourced. On-site system administrators no longer had to be present in the data center and the "operatorless" operation, together with the flexible computing capacity, has been a central building block for the success of business continuity initiatives worldwide.