
The cloud


Many companies plan to outsource all or parts of their IT infrastructure, and especially their data, to the cloud. Moving data and IT infrastructure to the cloud is simple and economical. But there are a few things to consider to ensure that nothing breaks down during data migration. Particularly important aspects are described in this article.

By Hartmut Fischer

USING THE ADVANTAGES OF THE CLOUD SOLUTION


Companies are increasingly moving their IT, at least in part, to a cloud. There are some arguments in favor of this solution. For example, it is no longer necessary to keep investing in new hardware and software of your own. In addition, the cloud solution, if used correctly, can be made more flexible, which accelerates internal and external processes and contributes to cost reduction, at least in the long term. However, a number of conditions must be met to ensure that the benefits are not cancelled out by disadvantages or even put the company in a bad position. These include, above all, the clustering of data. All data must be processed and archived according to the cluster defined for it. It is clear from this structure that not all data should be stored in a cloud. Particularly sensitive and secret data should, for example, be saved on an external data carrier (hard drive, USB memory stick) and kept, for example, in a safe. Remember to make backup copies of this data as well, and store them in a different location than the original data.

TAKE ONLY ACTIVE DATA INTO THE CLOUD

As a principle, only data that is currently in use should be stored in the cloud. The cloud solution is too expensive for archiving. Archive data should instead be stored cost-effectively on your own server as a backup.

BE CAREFUL WITH PERSONAL DATA

Depending on the country, you have to observe special regulations. In Germany, for instance, whenever it comes to personal data, the General Data Protection Regulation (GDPR, in German: DSGVO) has an important say. According to this regulation, data may only be stored on servers within the EU. For servers outside the EU, it must be ensured that they are operated in accordance with EU data protection law. However, it is often difficult to prove this in case of doubt. For example, the server could be in a country from which German privacy advocates cannot get any information. You should therefore make sure that the cloud provider guarantees that its servers are located within the EU.

SAFETY FIRST

Encryption of the data is also important when choosing a cloud provider. The data must be encrypted before it is transferred and must only be stored in encrypted form in the cloud. In this way, the information is protected from unauthorized access right from the start, because the data can only be decrypted again with the corresponding access data.

IT ALL DEPENDS ON THE PASSWORD

Unfortunately, passwords are still handled very carelessly in many companies. In order to achieve the highest level of security, you should observe the following rules:

• A password should consist of at least twelve characters that are not in any logical order.
• Do not use any words or sequences of letters on the keyboard.
• Integrate special characters.
• Never give passwords to unauthorized persons.
• Do not make any “cheat sheets”.
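The technical rules from the list above (length, no words, no keyboard sequences, special characters) can be checked automatically. The following Python check is an added example, not part of the original article; the run length of four characters, the keyboard rows and the tiny word list are assumptions made for illustration.

```python
import string

# Keyboard rows (German QWERTZ and US QWERTY) plus digit and alphabet order.
SEQUENCES = ["qwertzuiop", "qwertyuiop", "asdfghjkl", "yxcvbnm", "zxcvbnm",
             "1234567890", string.ascii_lowercase]
# Constructed mini word list; a real check would load a full dictionary.
WORDS = {"password", "passwort", "summer", "sommer", "admin", "welcome", "cloud"}
RUN = 4  # assumption: four or more consecutive characters count as a sequence


def has_sequence(pw, run=RUN):
    """True if pw contains a forward or backward run from SEQUENCES."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def check_password(pw):
    """Return the rules from the list above that pw violates (empty = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    if any(word in pw.lower() for word in WORDS):
        problems.append("contains a dictionary word")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


# Constructed candidates, not real credentials.
if __name__ == "__main__":
    for candidate in ("Summer2024", "qwertz123456!", "T7#kQ!vb2$Lm9x"):
        print(candidate, check_password(candidate) or "ok")
```

The last two rules in the list (not sharing passwords, no cheat sheets) are organizational and cannot be checked by code.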

Many people find it difficult to do without a cheat sheet. But there is a trick for remembering passwords that are nonetheless difficult to crack. Take a sentence and use the first few letters of each word as a password. The sentence should also contain numbers, which are replaced in the password by the special characters above the number on the keyboard. For example: “I married my wife Alice on May 16, 1966” would result in the password “ImmwAoM!&!)&&” (this matches a German keyboard layout, where & is above the 6 and ) is above the 9).

The great advantage of the cloud solution is that data can be accessed from all locations. However, there is also a danger here: people who should not be able to access the information may gain access to the data. This is why we should take a very close look at the access structure of the data stored in the cloud. Employees should be granted access rights according to the following scheme:

• Data with the right to change them.
• Data that the employee can only read.
• Data that the employee can only read and download.
• Data to which the employee only has access with the consent of the supervisor.
• Data that he/she cannot access.

ACCESS STRUCTURE

In principle, the cloud should also run a program that logs and stores each access. This is helpful, for example, if data has been changed or if evidence of the storage of personal data is required (under the GDPR, known in Germany as the DSGVO). When data is stored in a cloud, it must also be ensured that tax-relevant documents, for example, are kept in accordance with the statutory regulations.

The cloud you are using should generate automatic backups of your data. The backup data should be stored on a different server than the one on which the original data is stored. If your company is located in the EU, both servers should, not least for data protection reasons, be located within the EU or verifiably operated according to EU data protection regulations. If technical breakdowns occur, which cannot be ruled out even with a cloud, the backup is loaded automatically so that no interruption paralyzes operations. Ask the provider how many backups are created.
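The five access levels listed earlier and the access logging described above can be combined into one deny-by-default check. This Python sketch is an added example, not part of the original article; the action names, the mapping of actions to levels, and the users and datasets are assumptions.

```python
from datetime import datetime, timezone
from enum import Enum

class Level(Enum):  # the five access levels from the article
    CHANGE = "change"
    READ_ONLY = "read-only"
    READ_DOWNLOAD = "read+download"
    SUPERVISOR_CONSENT = "supervisor-consent"
    NO_ACCESS = "no-access"

# Assumption: actions per level; the article names the levels only.
PERMITTED = {
    Level.CHANGE: {"read", "download", "change"},
    Level.READ_ONLY: {"read"},
    Level.READ_DOWNLOAD: {"read", "download"},
    Level.SUPERVISOR_CONSENT: {"read"},  # and only after consent
    Level.NO_ACCESS: set(),
}

class CloudAccess:
    def __init__(self):
        self.grants, self.consents, self.audit_log = {}, set(), []

    def record_consent(self, supervisor, user, dataset):
        self.consents.add((user, dataset))
        self._log(supervisor, dataset, "consent-for:" + user, True)

    def request(self, user, dataset, action):
        level = self.grants.get((user, dataset), Level.NO_ACCESS)  # deny by default
        allowed = action in PERMITTED[level]
        if level is Level.SUPERVISOR_CONSENT:
            allowed = allowed and (user, dataset) in self.consents
        self._log(user, dataset, action, allowed)  # denials are logged too
        return allowed

    def _log(self, user, dataset, action, allowed):
        now = datetime.now(timezone.utc).isoformat()
        self.audit_log.append({"time": now, "user": user, "dataset": dataset,
                               "action": action, "allowed": allowed})

def demo():  # constructed users and datasets
    ac = CloudAccess()
    ac.grants[("ben", "payroll")] = Level.SUPERVISOR_CONSENT
    before = ac.request("ben", "payroll", "read")  # denied, no consent yet
    ac.record_consent("carla", "ben", "payroll")
    after = ac.request("ben", "payroll", "read")   # allowed after consent
    return before, after, ac
```

Because every request is logged whether it is allowed or denied, the log can later show who read or changed a dataset and who was refused.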

THIS SHOULD BE REGULATED BY CONTRACT

If you decide to use a cloud, you should make sure that the contract with the provider includes the following points in addition to specifying the contractual partners. The central point of the contract is the description of the subject matter of the contract. Basically, this is the provision of software by the cloud operator and your access authorization to the data center. It should be agreed that the cloud operator must always provide you with the current version of the agreed software. In addition, it should be clearly regulated when updates are created and that you are informed when updates are installed. When updates are applied, you should also be informed of the reasons for this.

The cloud operator should be liable for ensuring that the usability of the stored data is guaranteed at all times. In addition, a hotline should be available to you. In most cases, a precise definition of the hotline tasks is necessary. Depending on the extent to which the hotline can be used, you may have to expect additional costs.

Additional services can also be booked. Clear cost agreements should be made for this. Possible options are for example:

• Transfer or synchronization of your application programs with the programs of the cloud provider.
• Consideration of your wishes on the side of the cloud provider's software.
• Handling of data migration upon termination of the contractual relationship (change management).
• Employee training.

In addition, the scope of use must be defined. The scope of use also includes the question of whether you implement your own client software on your employees' computers or whether you can access the cloud software online. Also clarify contractually how many simultaneous accesses will be allowed. It is possible that the rental price increases the higher you set the number of simultaneous accesses. Nevertheless, the number of accesses should be selected so that operational disruptions are excluded.

Also define how data protection is guaranteed. In particular, it must be clearly regulated how the provisions of protection regulations are taken into account and observed. In this context, it should also be bindingly agreed that the servers of the cloud operator are located in an area that abides by the applicable laws and regulations or are operated in accordance with them.

Of course, the remuneration and payment methods must also be determined. Which payment model is right for you must be decided on an individual basis. In general, the following models are possible:

• User-related: a fee is charged per user, regardless of how often they access the cloud.
• Fixed price per period (quarter, month, year).
• Consumption-related: only services called up are charged (pay per use).
• Mixed models from the above options.

It also has to be specified when the payments are to be made (advance payment, partial payment, subsequent settlement). The contract period also has to be regulated. For example, an initially unlimited term can be agreed upon, which is ended by termination. Here it must be specified when a term ends if it is terminated (for example at the end of the year if it is terminated at least three months in advance). A limited time can also be agreed upon, which is automatically extended if it is not canceled at a certain point in time. In any case, the written form should be agreed upon for a termination. In addition, it should be regulated in which cases there is a special right of termination. Moreover, the following has to be clarified in the contract:

• Confidential treatment of the data stored in the cloud.
• Guaranteed data security (especially backup regulation).
• Warranty for material and legal defects.

Furthermore, the general contractual clauses (place of jurisdiction, severability clause, etc.) have to be taken into account. 

Hartmut Fischer has been a freelance journalist for the past 13 years, specializing in SMEs and retail issues. As a coach, he also advises companies on communication issues.
