The regulated cloud

Cloud providers are appealing to companies with innovative services, agile IT solutions and dynamically expandable resources. However, when processing data, companies are required to observe legal guidelines and regulations. This is made easier if the supplier also supplies cloud compliance.


Cloud computing has transitioned from being a hyped technology to a reliable tool for companies. This is particularly true for private and hybrid cloud infrastructures that have benefited in recent years from advances in the processing of sensitive information.

Organisations responded to new data legislation and regulations, and suppliers followed suit with corresponding services. These allow business-critical and extremely sensitive data to be securely processed in a private or hybrid cloud environment, which is a good thing because cloud-based infrastructures offer companies new options such as the ability to respond flexibly to specific tasks.


“I think for issues of compliance and the adoption of cloud-based technologies, the size of the company plays an important role. Corporations, as well as larger medium-sized companies, can master both issues because they have the right partner from information and communications technology on their side,” says Thomas Barsch, founder of Pionierfabrik GmbH. “For smaller and mid-sized companies, it’s another story. Many suppliers are still asleep on this issue and keep putting off the decision. And their customers are just as bad.”

Companies have to do their homework

Karsten Leclerque, principal consultant for outsourcing & cloud at Pierre Audoin Consultants (PAC), looks at it practically: “Before companies migrate to the cloud, they have to do their homework and define their own compliance regulations. The central point is categorising the data according to their relevance for the company.”

“Due to the increasing significance of cloud computing in Europe, CIOs are also going to have to gradually implement changes in their IT departments. This is the only way they can meet the changing requirements in the expertise of IT employees,” says Chris Ingle, associate vice president of research and consulting, SIS Group.

The respective departments in companies should not let themselves get left behind. “Company departments seldom have the necessary IT expertise and it is difficult for them to assess what’s available on the market,” says Frank Beckereit, department head at Data Center Solutions.

He adds: “The bandwidth for cloud services is growing every day. Selecting the right supplier requires profound knowledge regarding performance capabilities, legal aspects, compliance as well as integration and security. Many departments are not completely aware of these problems and often directly hire external suppliers, practically bypassing IT.”

At the same time, the cloud does not automatically mean there is no security, says Khaled Chaar, CEO of Pironet: “In the debate regarding data security in the cloud, companies also have to consider that cloud data centres usually have considerably better security measures in place than company data centres. For most companies, the construction of secure data computing structures is not part of the core business, and is simply too time-consuming, especially due to the constantly-growing security requirements.”

Cloud compliance is feasible

“Cloud compliance refers to the verifiable adherence to cloud computing regulations, whether they are legislated or individual company ones,” explains Heiko Schmidt, managing consultant at PA Consulting. “Cloud compliance aims for transparency and security for all target groups.”

“Implementing compliance rules for the cloud is not more difficult than for conventional business models with external partners,” says Stefan Lenz, vice president of IT infrastructure at the Adidas Group. “In practice, migrating on-site services provided by external partners to a cloud alternative is seldom a problem. In both cases, a contractual regulation for data processing on order is necessary. Sometimes what is problematic is that major cloud hosters use their own model clauses and do not go into the special needs of the customer.”

Arno van Züren, compliance expert at Trend Micro, adds: “Companies should request security reports on a monthly basis. This is the only way to determine the security level and maturity of cloud services.”

The cloud is not going away

“If you demystify the term ‘cloud computing’, down to the essential issue of the secure operation of server platforms, the regulatory influence is obvious. How professionally a cloud supplier works can be clearly ascertained,” explains Dr. Ralf Cordes, partner of NextDBI in Nürtingen and managing director of the company for IT management in Dresden.

“Important information is provided by Tier1 through Tier4 quality classes for data centres, by the IT security requirements of ISO 27001, and by data protection requirements for corresponding laws.” This regulatory influence on cloud suppliers releases end-user organisations to a large degree, adds Cordes. They no longer have to worry about these three factors of IT operation themselves and, instead, can concentrate on how to adapt the company’s applications for use in the cloud.

Ewald Glöckl believes that to successfully introduce cloud services in a company, a “detailed description of all relevant and agreed services must be part of the basic contract with the suppliers.” As soon as critical business processes are supported by cloud computing, user dependence will follow, and companies should be aware of this.

But it is less of an either-or situation: “In practice, we mostly deal with hybrid models and unevenly distributed job assignments. In principle, the more important the data, the stronger the protective measures have to be,” explains Karsten Leclerque.

“Companies should therefore stipulate in their SLAs that their data may not leave Germany. This is how they can prevent their information from migrating to another region with less-stringent data protection laws.” And that can be a challenge. “At the moment, the situation is a legally murky one. Companies should, therefore, identify the relevant data and fundamentally consider whether they trust a cloud provider in the US.