How smart is a Cloud first strategy?
A Cloud first strategy is increasingly becoming the first option for organisations, institutions, and companies to make ICT more effective, secure, and cost-effective. However, practice shows that a too narrow scope when assessing different applications for the cloud leads to a suboptimal ICT infrastructure. In this blog, I will explain how to make the right choices and how to effectively implement a Cloud first strategy.
What is a Cloud first strategy, actually?
A Cloud first strategy means that you assess all ICT applications within your organisation to determine whether they are suitable for the cloud. If a functionally and technically appropriate solution is available in the market as a cloud service, it is preferred.
In the following – somewhat exaggerated – example, I will show what happens in practice.
A new ICT solution is needed. According to the letter of the Cloud first strategy, the first step is to see if the desired solution is available as a cloud service. The cloud solution turns out to be easy to order and is delivered quickly. The tick box for Cloud first can be checked. Everyone is happy. The problem: alternatives, such as non-cloud solutions, have not been considered at all. The result: the best solution has not necessarily been chosen.
New challenges in the cloud
The low-threshold purchase allows for quick ordering, resulting in a fragmentation of platforms, consumption, data, and security. This is a problem that the market is responding to, with special solutions for security, encryption, privacy, data retention, integration, consultancy, and pricing. In fact, solutions are being offered for a problem you don't even need to have.
Most cloud solutions are offered in a so-called public cloud. A public cloud is built from many services, and you do not know how they influence each other or how they function internally. The consequence is that extra costs quickly arise from services that turn out to be necessary afterwards and from unforeseen usage: hidden costs that make budgeting difficult. You do not know where your data is, who can access it, or how it is secured. And when you discover that it is arranged differently than you thought, or that a limit is being reached, you have to take on yet another extra service. Figuring out how it all works takes a lot of time, so an assumption is quickly made instead. Moreover, is the cloud service you have chosen really cloud? Or is it just a server in a data centre?
What strategy for IT is best in the current time?
The question is: why do you have a strategy? What is the goal? You want to make IT simpler, more functional, safer, more transparent, and more cost-effective. While a cloud solution can be part of a strategy, it should not be the goal. Rejecting a good solution because the worse alternative happens to be cloud can be costly. If not through data breaches, then through inefficiency. But a good strategy is, of course, important. Therefore, consider a Privacy first strategy.
Privacy first strategy
A Privacy first strategy is a real strategy, not a solution like Cloud first. The Privacy first strategy forces you to go through many more checks when selecting solutions, and the cloud is, of course, not excluded. With the GDPR and the necessary ethics, you have a clear guideline when assessing a cloud service. After all, you will be handing over third-party data or your company's data to a third party, and possibly granting access to foreign governments. It is a good idea to pause and think about this with common sense, for the following reasons.
1. Data does not necessarily become outdated
Two characteristics of data are that it can be duplicated and that not all data becomes outdated. Suppose you have software in which you store employee data. That is neatly stored in a database: name, date of birth, National Insurance number, copy of passport, salary, address, holiday days, and so on. Some of this data never changes. Therefore, it remains relevant information at all times, even if it leaks after 10 years. Storing data encrypted in a less secure location is therefore not a good solution: the encryption that is adequate today will not be secure in a few years, but the data will still be valuable. You must absolutely prevent any issues with the security of the data, which means secure storage in a secure location.
2. The small print can be deceptive
The small print is common practice. Everyone uses it, no one reads it. Below are some small print items that I did not make up; they come from practice and appear in the privacy statements of several large suppliers. Once you have read them, I ask you the question: would you trust your National Insurance number to those companies?
We provide personal data to our partners and other trusted companies and individuals to process it on our behalf.
Trusted companies and individuals… So that is everyone they trust! But what is that trust based on?
We have servers all over the world and your information may be processed on servers that are not in your country of origin.
So even if your data is currently in the Netherlands, tomorrow it could be somewhere else without your knowledge.
When you upload, add, store, send, or receive content in or through our Services, you grant us (and those we work with) a worldwide licence to use, host, store, reproduce, modify, create derivative works of, communicate, publish, publicly perform, publicly display, and distribute such content.
So anything you store with this provider can be made public. Also by companies they work with.
We also share personal data with our controlled affiliates and subsidiaries; with suppliers who work on our behalf; when required by law or to respond to legal processes; to protect our customers; to protect lives; to ensure the safety of our products; and to protect the rights and property of us and our customers.
This one seems to be reasonably okay. However, it should be noted that this provider has 73 companies worldwide within that category.
Personal data collected by us may be stored and processed in your region, in the United States, and in another country/region where we or our affiliated companies, subsidiaries, or service providers have facilities.
So that is basically the whole world and countless different companies.
We transfer personal data from the European Economic Area, the United Kingdom, and Switzerland to other countries, for which in some cases the European Commission has not yet determined whether the level of data protection provided is adequate.
Fair enough, but this supplier stores data in countries that the European Commission still needs to review. You can imagine which countries that might be!
A good privacy statement says it in a few words.
It can take some time to find the small print. It is often hidden behind titles like “We value your privacy” and “We know how to protect your data.” But why would you choose a supplier when you are not sure what they do with your data, given the 'leeway' in their terms? I honestly wonder: why is a privacy statement so long, and what are you trying to hide? “We do not share with third parties” is, in my opinion, sufficient, and it is only a few words!
How do you choose the right supplier with a Privacy First strategy?
You are responsible for the data you store. The supplier for your data storage should make it easy for you to be GDPR-compliant. They cannot guarantee this with lengthy terms or various certificates. I will explain below in a few steps how to choose a good supplier.
Step 1: Start by eliminating those suppliers whose privacy statement 'speaks volumes'.
Step 2: To choose a product that allows you to store and use data in compliance with GDPR, you need to know what the applicability is. Is the product suitable for the data you want to store, and why is that the case? There should be a sensible use policy available for that.
Step 3: Use the right techniques for data storage. Storing and sending sensitive personal data in an email is always a bad idea, even when your email provider is certified to the highest standards. A product must therefore also be examined thoroughly from a technical perspective.
Step 4: Throw away the promotional brochure and ask the supplier detailed technical questions. Use the questionnaire below.
Questionnaire for data storage suppliers
Suppliers in the chain may have access to your data:
- Who are those suppliers in the chain? (sub-processors)
- Is the entire chain of suppliers European?
- Will I receive a data processing agreement?
Data loss is also a data breach. Back-ups are important:
- How often are they made?
- What is retained?
- How many versions?
- Do I have access to those back-ups?
- Where is that data stored?
- Is that data geographically separated?
Rights to the data:
- Who owns the data after it has been placed? (If it is not on your own equipment, this remains a sensitive issue, which can be different from what you think due to a single sentence in an agreement.)
- What is the fixed location of storage, and in which country is the supplier established? (This determines which government can get involved.)
Security:
- What do you do to secure my data?
- Is that security tested? How often?
And although these are technical questions, they should be easily answerable from existing knowledge. If the supplier finds it too complicated to explain, then that is not a good sign.
Self-responsible, so do everything yourself?
When choosing a data storage provider, good information is necessary to comply with the GDPR guidelines. You should read the guidelines. They contain, among other things, the following important indications.
- You must not lose data.
- Data must be accessible.
- You must not leak data.
- Will you receive a data processing agreement?
- Does the supplier process the data, or does it collect it?
- Do you retain the rights to the data you place?
- Is there data storage, or a supplier in the chain, outside the EU?
- Can the supplier source capacity outside the EU?
- Is there legislation that grants a non-EU government access (as with American suppliers)?
When you read this, it seems that doing everything yourself is the safest solution. But I do not want to advise that, and will not do so hastily. Both doing it yourself and having it done are, after all, human work. What I mean is that you should not assume that it will be well arranged, because often it is not. Therefore, do not just follow the Cloud first crowd, but think for yourself and prioritise your privacy. Follow a smart strategy: Privacy first. And of course, it can still be cloud.