Experts highlight cloud compliance

Klaus Manhart, Computerwoche

Thursday 13 April 2017

Cloud providers are appealing to companies with innovative services, agile IT solutions and dynamically expandable resources. However, when processing data, companies are required to observe legal guidelines and regulations. This is made easier if the supplier also supplies cloud compliance.

Cloud computing has transitioned from being a hyped technology to a reliable tool for companies. This is particularly true for private and hybrid cloud infrastructures that have benefited in recent years from advances in the processing of sensitive information.

Organisations responded to new data legislation and regulations, and suppliers followed suit with corresponding services. These allow business-critical and extremely sensitive data to be securely processed in a private or hybrid cloud environment, which is a good thing because cloud-based infrastructures offer companies new options such as the ability to respond flexibly to specific tasks.

“I think for issues of compliance and the adoption of cloud-based technologies, the size of the company plays an important role. Corporations, as well as larger medium-sized companies, can master both issues because they have the right partner from information and communications technology on their side,” says Thomas Barsch, founder of Pionierfabrik GmbH. “For smaller and mid-sized companies, it’s another story. Many suppliers are still asleep on this issue and keep putting off the decision. And their customers are just as bad.”

Companies have to do their homework

Karsten Leclerque, principal consultant for outsourcing & cloud at Pierre Audoin Consultants (PAC), looks at it practically: “Before companies migrate to the cloud, they have to do their homework and define their own compliance regulations. The central point is categorising the data according to their relevance for the company.”

“Due to the increasing significance of cloud computing in Europe, CIOs are also going to have to gradually implement changes in their IT departments. This is the only way they can meet the changing requirements in the expertise of IT employees,” says Chris Ingle, associate vice president of research and consulting, SIS Group.

The respective departments in companies should not let themselves get left behind. “Company departments seldom have the necessary IT expertise and it is difficult for them to assess what’s available on the market,” says Frank Beckereit, department head at Data Center Solutions.

He adds: “The bandwidth for cloud services is growing every day. Selecting the right supplier requires profound knowledge regarding performance capabilities, legal aspects, compliance as well as integration and security. Many departments are not completely aware of these problems and often directly hire external suppliers, practically bypassing IT.”

At the same time, the cloud does not automatically mean there is no security, says Khaled Chaar, CEO of Pironet: “In the debate regarding data security in the cloud, companies also have to consider that cloud data centres usually have considerably better security measures in place than company data centres. For most companies, the construction of secure data computing structures is not part of the core business, and is simply too time-consuming, especially due to the constantly growing security requirements.”

Cloud compliance is feasible

“Cloud compliance refers to the verifiable adherence to cloud computing regulations, whether they are legislated or individual company ones,” explains Heiko Schmidt, managing consultant at PA Consulting. “Cloud compliance aims for transparency and security for all target groups.”

“Implementing compliance rules for the cloud is not more difficult than for conventional business models with external partners,” says Stefan Lenz, vice president of IT infrastructure at the Adidas Group. “In practice, migrating on-site services provided by external partners to a cloud alternative is seldom a problem. In both cases, a contractual regulation for data processing on order is necessary. Sometimes what is problematic is that major cloud hosters use their own model clauses and do not go into the special needs of the customer.”

Arno van Züren, compliance expert at Trend Micro, adds: “Companies should request security reports on a monthly basis. This is the only way to determine the security level and maturity of cloud services.”

The cloud is not going away

“If you demystify the term ‘cloud computing’, down to the essential issue of the secure operation of server platforms, the regulatory influence is obvious. How professionally a cloud supplier works can be clearly ascertained,” explains Dr. Ralf Cordes, partner of NextDBI in Nürtingen and managing director of the company for IT management in Dresden.

“Important information is provided by Tier1 through Tier4 quality classes for data centres, by the IT security requirements of ISO 27001, and by data protection requirements for corresponding laws.” This regulatory influence on cloud suppliers relieves end-user organisations to a large degree, adds Cordes. They no longer have to worry about these three factors of IT operation themselves and, instead, can concentrate on how to adapt the company’s applications for use in the cloud.

Ewald Glöckl believes that to successfully introduce cloud services in a company, a “detailed description of all relevant and agreed services must be part of the basic contract with the suppliers.” As soon as critical business processes are supported by cloud computing, user dependence will follow, and companies should be aware of this.

But it is less of an either-or situation: “In practice, we mostly deal with hybrid models and unevenly distributed job assignments. In principle, the more important the data, the stronger the protective measures have to be,” explains Karsten Leclerque.

“Companies should therefore stipulate in their SLAs that their data may not leave Germany. This is how they can prevent their information from migrating to another region with less-stringent data protection laws.” And that can be a challenge. “At the moment, the situation is a legally murky one. Companies should, therefore, identify the relevant data and fundamentally consider whether they trust a cloud provider in the US.”

Lenovo’s perspective

Lenovo views the cloud as an important tool for companies. The cloud does not have to be provided by a third party, rather it can be operated as a private cloud within one’s own company. Private or hybrid cloud infrastructures are perfectly suited for meeting today’s challenges, such as making company IT systems more flexible and breaking open historically compartmentalised fields.

“The biggest challenge facing IT decision-makers is to break down hardware silos,” explains Tikiri Wanduragala, EMEA x86 Server Systems senior consultant at Lenovo. “That’s why they expect one supplier to deliver networks, storage, servers and services as one block of tasks. Customers want one solution that focuses on their needs without having to deal with individual components such as computer, storage or networks.”

Above all, IT decision-makers want a forward-looking and open cloud solution that is not limited to certain manufacturers, operating systems or applications. As a hardware supplier, Lenovo scores high here because its solutions are not defined by certain hardware configurations or specific operating systems or software suppliers.

Lenovo server systems are open to virtualisation technologies and cloud software from the most diverse manufacturers. As a result, Lenovo servers can support all conventional operating systems on the market, including Windows, Red Hat, Nutanix, VMware and OpenStack, and are also certified for all popular business applications.

The issue of security is a high priority in Lenovo servers. Security functions like the trusted platform module (TPM) are standard for Lenovo and not optional as with other manufacturers. The chip extends the hardware with fundamental security functions so that it cannot be used against manufacturer specifications, as in illegal hacking.

Traditional IT suppliers can barely stem the onslaught of new jobs and responsibilities. For them to continue to exist, partnerships are critical. As a reliable supplier of IT infrastructures, with many programs and initiatives, Lenovo guarantees a high level of security and is therefore a good choice for every cloud provider.

