The right cloud strategy
How much agility does your company need? And how much control over your own data? It's not easy to balance digital sovereignty and agility. Zero Trust and a hybrid, risk-based cloud strategy help.
The cloud is seen as an important driver of digitization. Companies need it to bring new products and services to market faster, scale flexibly and save IT costs. But there is also a downside: by moving workloads to the cloud, you lose some control. That can be dangerous. After all, data and technology form the basis for business success today. Controlling them is crucial for your own digital sovereignty. In the public cloud, this becomes difficult, as IT infrastructures operated by third parties are used. Companies know neither which components are used nor where they were developed and made resilient. In addition, there is a legal conflict when it comes to data protection, especially with the large American hyperscalers: in the event of a criminal investigation, the U.S. CLOUD Act overrides the GDPR - even if there is an additional agreement and the data center is located in the EU.
Determine the need for sovereignty
Nevertheless, companies do not have to do without the public cloud altogether. After all, digital sovereignty is not an either-or decision. Rather, the best way is a hybrid approach that combines different cloud variants. As much agility as possible and as much control as necessary is the motto. It's about finding the environment that offers the right level of sovereignty for each data type and application. To do that, you first need to analyze needs and assess risks. What data types and digital assets are there in the company? How sensitive and valuable are they? What damage would a loss or failure cause? Who accesses which data and how is it transferred? This then determines the need for protection as well as the appropriate cloud model and the associated security measures.
Choose the right cloud
The vast majority of all data in a company is generally non-critical and can be moved to the unrestricted public cloud without hesitation. For the remaining data, it is important to check whether it can be adequately protected with the cloud provider's native security features and additional external controls. This is known as a controlled cloud. If this is not sufficient, the next stage would be the trusted cloud: This refers to cloud services that are certified according to country or EU security standards, for example SecNumCloud (France), C5 (Germany) or EUCS (EU). Such a trusted cloud is particularly suitable for scenarios in which companies have to meet certain regulatory requirements.
Finally, disconnected private cloud services offer the highest level of control. They are completely under the company's own control, but are the least agile. In addition, companies have to do without features such as PaaS services and serverless functions.
Establish Zero Trust
Particularly in environments that cannot be controlled or can only be partially controlled, it is also advisable to implement a zero-trust model. Nothing and no one must be given the benefit of the doubt. Instead, all access and network requests must be authenticated, regardless of whether they are internal or external. Identity and Access Management (IAM) based on the least privilege access principle is crucial for this: each user and asset should only be granted the rights that are absolutely necessary. In addition, data and data transmission should be encrypted. Awareness training for employees is also important. After all, even the best security technology is useless if people allow themselves to be tricked by cybercriminals.
Conclusion
With a hybrid, risk-based cloud strategy and zero trust, companies can reap cloud benefits and still remain digitally sovereign. The best way to implement both is in collaboration with a specialized service provider. They help to identify risks, select suitable cloud services and take appropriate security measures. Last but not least, digital sovereignty itself is also becoming an important competitive factor. After all, customers today attach great importance to data protection and cybersecurity.
This technical article appeared in the printed issue SicherheitsForum 4-2022.