Secure and sustainable cloud transformation
Hannah Sandhaus, pco and Tanja Kiellisch

"Cloud services are a booster for digitalization."

Cloud expert Tim Gravemann from IT service provider pco explains why a cloud is more secure than an on-premise solution in some areas, what constitutes a secure and sustainable cloud transformation and how companies benefit from the cloud.

Tim, many companies are already using cloud services, while others are still hesitant. Why should companies take the plunge into the cloud?

I am of the opinion that medium-sized companies in particular will have to continue to digitally transform and modernize themselves in the future. In our view, the path to the cloud is unavoidable. SMEs are currently operating more and more in dynamic and unpredictable markets. In order to remain fit for the future, companies today need to deal with digital business models more quickly and be more adaptable in their processes.

What is different from, say, five years ago?

Examples of companies such as Uber or Airbnb, which have made long-established competitors look old with their concept, show how quickly new and digital business models can change industries. These are extreme examples. But we have seen which environmental influences can have an impact on companies during corona, for example. Without the use of cloud services, many companies would not have been able to continue working at the same speed.

SMEs seem to be under particular pressure when it comes to digitalization compared to large companies.

Yes, medium-sized companies in particular are quickly exposed to completely new competitive pressures due to various influences, which can disrupt industries. Companies therefore need to think more flexibly without having to compromise on security.

We can even go one step further. In my opinion, the use of cloud technologies also shows how innovative a company is. Particularly in times of a widespread shortage of skilled workers - especially in IT - modern services and infrastructures are a big plus when it comes to recruiting "young professionals" who have completely different expectations of their workplace.

The cloud is also far ahead in the area of sustainability. Companies currently have to meet numerous political requirements. All cloud providers will be using 100% renewable energy by 2025. In addition, cloud computing is to become CO2-neutral by 2030 according to EU regulations.

You see the cloud transformation as an important step towards the future for your customers. How do you assess the current situation on the market?  

Our current experience is that customer discussions are not about the question of "whether cloud is an option" but "when and with which services". We often find that our customers lack an overview of all relevant IT services and the underlying IT architecture. This is because we can only develop a needs-based sourcing or cloud strategy if we know which IT services are involved.

Cloud is becoming increasingly important

Every second company is investing in the cloud this year. 69% of the companies surveyed plan to invest in 2024 or later.

Source: Bitkom Cloud Report 2023

Nevertheless, the cloud transformation is still progressing very slowly overall.

There are indeed a number of obstacles to this development that are making the use of new technologies more difficult. These include, above all, the shortage of skilled workers, an inadequate technological basis and compliance and governance requirements. To counteract these challenges, it is all the more important to relieve the burden on IT and to have the right partner or managed service provider at your side to support you in these projects.

Security concerns are also slowing down the transformation process. How secure is the cloud?

This is a major issue and our customers also have concerns from time to time. In discussions with customers, the main issue is trust, including with regard to entrusting data to an American company, for example. It is particularly important that companies themselves also approach the issue of data security responsibly. This is because a significant factor for the security of company data is how employees handle it. In addition to appropriate employee training and a clear security policy, a solution-oriented data protection officer is also very important.

Top topics IT investments 2023

1. Cloud technologies and services
2. Artificial intelligence and machine learning
3. Cybersecurity

Source: Computerwoche IT-Trendmonitor

Many people therefore find it difficult to choose the right cloud. Do you have any tips?

Choosing the right cloud is a very important aspect of data security. The Microsoft cloud solution Azure is one of the leading solutions on the market and is also very popular with our customers. Microsoft's commitment and investment in data security speaks for itself and clearly demonstrates how Microsoft is making the cloud secure. I've brought a few figures with me, should I throw them into the room or is this beyond the scope of the interview?

We are curious. Go ahead!

Microsoft has invested a total of 20 billion US dollars in data security over five years and employs around 8,500 experts from 77 countries in the area of cyber security alone. In an age of skills shortages, many experts are being drawn to the big manufacturers and service providers. As a result, companies are reliant on outsourcing topics and purchasing security services.

Every day, around 24 trillion security signals are processed by a team of analysts who make predictions based on artificial intelligence, with impressive results: 9 billion endpoint threats, 31 billion identity threats and 32 billion email threats have been blocked - the Microsoft platform is used to collect telemetry data worldwide and detect anomalies, among other things. This is not just about cloud security. The tools are also used to monitor many on-premises and other cloud infrastructures. Signals that Microsoft uses to make the IT world a little more secure include IoT, Defender, but also AWS and other clouds.

Impressive figures, but how do I translate that now? What specific mechanisms work in the cloud?

Should security problems actually occur, there are numerous security systems from manufacturers to react quickly and restore protection. In addition, many mechanisms secure access to company data: protection by default, integrated two-factor solutions or conditional access solutions. This allows granular control of which users have access to the relevant data in the cloud and on-premises.

And what about Microsoft technologies in particular?

In the Microsoft Cloud, for example, there are various mechanisms for encrypting data such as credit card information, passwords and other sensitive data. This data is automatically encrypted as soon as it leaves the company. There are also various warnings that the relevant users receive. Such mechanisms are sometimes included as standard in Microsoft plans and do not require any complex configuration.

There are also quick and easy solutions for service resilience: SQL services, virtual machines that are provided in the cloud and secure failures. This is significantly more expensive in the on-prem area. In the cloud, a failure scenario can easily be built via a data center and the resources from the data center can be mirrored and duplicated in the cloud.

If we add these technical possibilities to the growing progress of cloud-based AI technologies, it only seems to make sense for companies to address the issue of cloud and cloud security in order to free up resources for their core business.

In addition to the technical possibilities, regulatory challenges will also often play a role. Is there any news here that might simplify the path towards the cloud?

A significant innovation is the EU-US Data Privacy Framework (DPF for short), which has allowed data to be exported to the USA since July 10, 2020. This new data protection agreement with the USA enables the unproblematic use of M365. Companies and cloud providers should note the following: The DPF must be used as the basis for the export, companies whose cloud services are used must be certified accordingly and it must be checked with the service that its data protection notices and commissioned data processing are also based on the DPF.  

Of course, the principle of data economy should still be observed and, if possible, everything that is not needed should be switched off and appropriate security measures established. In order to get an overview of which data flows where, you also need a data classification, which can be implemented very well with the on-board tools of Microsoft 365 Business Premium, E3 and E5 as well as the corresponding Education and Frontline Worker licenses.

"The responsibility for data security cannot lie solely with the cloud provider."

You just mentioned that your own employees can also pose a potential security risk. What do you mean by that?

Responsibility for data security cannot lie solely with the cloud provider, as it is often users who store data incorrectly or disregard security guidelines. In this respect, there is the shared responsibility model, which clearly regulates the responsibilities for the data and information to be stored.

You need to explain that in more detail.

In short: the cloud provider makes a secure location, i.e. the cloud, available - the users, or customers, are responsible for keeping the data and applications secure and organized. It is therefore essential that customers are made aware of and instructed on how to handle their data. At the same time, IT ensures that no data can be stored unencrypted and, if necessary, adds procedures such as "bring your own key" or "hold your own key". The customer's IT department can decide where the "key" for the data is located: on-premise or in the cloud. This minimizes the risk, or better still, increases cloud security.

Companies are therefore facing a concrete transition to digital business models. Markets are becoming more complex and IT staff are becoming fewer and fewer. Will there be no way around cloud services in the future in order to be able to digitize securely? 

In my opinion, the solution of the future is clearly the cloud! Cloud services are a booster for digitalization and create a secure basis in many areas. However, this does not necessarily mean migrating everything to the cloud, but rather finding the right balance or the right sourcing mix based on the IT and corporate strategy. Managed service providers such as pco can support companies in operating these infrastructures with their experience and expertise in this area. Because the most important thing now is to digitize securely and create trust. One of the slogans of our business unit is: If you don't move with the times, you move with the times. That pretty much sums it up.

Thank you very much, Tim.

About Tim Gravemann and pco

Tim Gravemann is Business Development Manager Modern Infrastructure at pco and a cloud expert. With around 40 years of experience, pco is one of the leading IT service providers in Germany. As a managed service provider for the core areas of consulting services, cyber security, managed support and modern infrastructure, the company thinks in a modern, innovative and progressive way and always has its finger on the pulse of the times. The team creates and operates flexible and user-oriented multi-cloud infrastructures and sees itself as an expert in the sustainable and secure transformation to cloud infrastructures.

