A missing Cloud Strategy – a risky Security Management
This survey had 554 participants, who represented companies with 20 staff or more. It showed that the majority, in particular medium-sized businesses, still lack a cloud strategy and therefore a targeted management of the legal aspects of cloud usage. In only four out of ten businesses with fewer than 100 employees is cloud usage based on a strategy. At the same time, security management is increasingly becoming the key topic in German organisations. In most cases, the internal IT department is responsible for cloud security, which is becoming more complex by the day. And here too, only a minority of IT departments have a cloud strategy. The analysts also observed that in the majority of businesses the security departments, where they existed, were not involved in the selection of the cloud provider. This means that these departments are also not responsible for the topic of cloud security.
Fear of Data Loss
Despite security concerns, the use of public cloud increased steadily in the past year. However, more than half (58 percent) of surveyed companies fear unauthorised access to sensitive company data and 45 percent fear data loss. “Users’ trust in the security of cloud services is the most important factor for increased uptake”, emphasises Peter Heidkamp, partner and head of technology at KPMG. “Cyber attacks are a real danger, which concerns all organisations, independent of cloud usage”, says Mr Heidkamp. Especially for small and medium-sized businesses, public cloud services offer a demonstrably higher security level than an in-house solution. It is therefore astonishing that, according to Cloud-Monitor 2017, many companies knowingly refrain from storing business-critical information in the public cloud.
In 2012, following an initiative of the Federal Office for Information Security (BSI) and Bitkom, an alliance for cyber security was formed in Germany to counter this challenge. Its aim is to increase cyber security in Germany; to achieve this, IT security competency in German companies is to be further developed. As part of this alliance, BSI works together with many partners. “Our benefit from collaborating with the alliance for cyber security are the daily updates regarding the current position on cyber threats”, explains Mathias Meinke, CTO of oneclick AG, one of the alliance’s more recent cloud service providers.
Increasing Demands on Cloud Compliance
“The biggest concerns of German companies with regards to public cloud services are about compliance. They fear that cloud computing endangers compliance with requirements”, explains Olaf Köppe, partner and head of IT Compliance at KPMG. The compliance concerns in organisations are, amongst other things, also an indication of key changes to the legal framework currently underway. These include the new transatlantic data protection agreement – the EU-US Privacy Shield – as well as the new General Data Protection Regulation (GDPR; DSGVO in German). Companies urgently need to prepare for the latter, as it will be in force in May 2018.
A number of things should be considered when selecting a suitable cloud provider. The requirements on cloud providers are becoming increasingly diverse. The location factor plays a more important role, i.e. where exactly the head office of the provider is, but also where its data centres are based. The integration ability of cloud solutions also remains a relevant selection criterion, besides many other security aspects.
Image 1: Location factor of the provider as well as integration ability of cloud solutions play a big role when choosing a cloud provider
Source: Cloud-Monitor 2017, KPMG
Cloud Security Services
Specific security services can also provide a considerable contribution to cloud security. The Bitkom survey shows that nine out of ten cloud providers use such services to safeguard their cloud solutions. Attacks on IT systems cannot, of course, be excluded categorically by their use. But they contribute significantly to the successful prevention of most attacks. And another benefit: The regular updates of cloud security services are managed by a professional service provider.
Cloud Monitor 2017 has demonstrated that the biggest concern of organisations is that public cloud use may be to the detriment of data security. The survey was able to refute this argument, as user experience has shown that data security increases, rather than decreases, when public cloud is in use. However, cloud security requires professional management within the organisation, i.e. a clear cloud security strategy and clarification of competencies. As digitalisation progresses, IT security will continue to gain importance. With regards to the German cloud market, this means that data security can be the most important factor when deciding for or against a specific cloud provider.
Cloud Monitor 2017: https://www.bitkom.org/Presse/Anhaenge-an-PIs/2017/03-Maerz/Bitkom-KPMG-Charts-PK-Cloud-Monitor-14032017.pdf
Survey Cloud Security 2016: http://www.trendmicro.de/media/misc/atp_idg-studie-cloud-security-2016.pdf
The Cyber Security Innovation Cycle: The Changing World of IT Security: https://www.xing.com/news/insiders/articles/der-cybersecurity-innovationszyklus-it-sicherheit-im-wandel-703165?sc_o=da536_bn&xing_share=news
Pressure increases on Security Staff: http://www.crn.de/security/artikel-113607.html