27. February 2020
Cloud Computing: Just empty myths?
Myths and legends have been around since time immemorial; they are both fascinating and dangerous. People told them to chase away the threatening darkness. But how much truth is really behind them? Even in the digital age, these myths and legends still exist, only on another level. Cloud computing is a case in point. That’s why now is the time to clean up, to put an end to them and to bring the truth to light.
Brad Smith, President and Chief Legal Officer of Microsoft, knows that “if you can’t protect your customers, you don’t deserve their trust”. Smith is absolutely right. Protecting customers should always be the number one priority for companies. Especially when it comes to cloud computing, both the protection of customer data and the trust of the customers are very important.
Almost three quarters of companies in Germany are now cloud users. The proportion of those for whom the outsourcing of processes and business applications to the cloud is not an issue fell from 17 to 8 percent between 2016 and 2018. This is the result of the current Cloud Monitor 2019 by Bitkom Research in cooperation with KPMG.
So many myths surround the topic of cloud computing. Are they true or just the expression of the rapid change in this industry? We wanted to know and took a closer look at four myths.
- Myth 1: Data is more secure on the local network.
- Myth 2: Once the data is in the cloud, the company loses its data sovereignty.
- Myth 3: Documents must not be stored in the cloud.
- Myth 4: The cloud is more expensive than an on-premise solution.
Myth 1: Data is more secure on the local network.
Especially the big cloud players on the market like Amazon, Google and Microsoft invest a lot in their IT security. This is not least because cloud providers are existentially dependent on the security of the data hosted by them. Microsoft, for example, has more than 90 compliance certifications. Fifty of these are specific to global regions and countries and 35 compliance offerings are tailored to the needs of key industries. These include GDPR, SOC, ISO 27001 and CSA STAR. Certificates are very cost-intensive. Most companies are therefore unable to acquire certifications in the quantity and quality that large cloud providers do.
This is also reflected in the Cloud Monitor 2019. More than every second public-cloud user confirms an increase in data security. This is partly due to the fact that cloud providers are subject to strict data protection controls and guidelines and are regularly subjected to external independent audits. The provider teams are well trained and have round-the-clock visibility of, and response to, any infrastructure threats. In addition, the technology, size and flexibility of the infrastructure of large vendors bring unique security benefits. For example, the data centers are equipped with specially developed servers. Increased data security also results from distributed storage systems and the assurance of availability and performance through redundant systems. On closer inspection, the claim that data is more secure on one’s own systems is therefore completely unfounded.
Myth 2: Once the data is in the cloud, the company loses its data sovereignty.
In the eyes of many, the lock-in effect resembles a spectre: once a company has decided to go to the cloud, it is bound to the provider for all time. What some cloud providers still practice is already a thing of the past for many, because with many providers the data can be exported again without any problems, either via API or simply as an export to the desired storage media. Control over the data as well as data sovereignty remains with the customer.
Commissioned (data) processing plays a further role in clarifying the second myth. Before the GDPR (DSGVO) and the BDSG reformed the legal framework, it was common practice to outsource data processing together with its processes. Furthermore, the data volumes were managed on external storage devices. Article 28 of the GDPR has turned things around in favour of the clients.
From now on, the cooperation between companies and external service providers must be contractually secured. Among other things, the contract specifies what, how long and to what extent data is stored and which technical and organisational measures, if any, are guaranteed. It also records possible rights of control of the client and the corresponding obligations of tolerance and cooperation of the contractor, as well as the obligation of the contractor’s employees to maintain confidentiality. Art. 28 GDPR includes virtually all aspects that cloud customers would like to see for the security of their data. If the provisions are violated, a fine is imposed and the customer is liable to wash his hands. So: even the second myth can be successfully refuted, as the data sovereignty remains with the customer throughout the entire cooperation.
Myth 3: Documents must not be stored in the cloud.
The principles for the proper management and retention of books, records and documents in electronic form and for data access (GoBD) define the requirements for audit-proof document archiving. This means that documents – whether originally in paper form or digital – must be stored for at least ten years in a way that is traceable, complete, correct, timely, orderly and unalterable. The GoBD also stipulate that documents that a company has received electronically must also be submitted to the tax office electronically. Otherwise, there is a risk of back taxes. For years, the tax authorities have welcomed documents in electronic form. In some areas, electronic filing is not only recommended but is even required by law. Nevertheless, there are also some special features that must be observed. For example, the GoBD stipulate that incoming electronic commercial or business letters and accounting documents must be stored in the format in which they were received.
Many of the GoBD requirements can be met with modern enterprise content management systems that do more than just archive. They also make it possible to trace business transactions seamlessly through their creation and processing, and to track document changes without losing or changing the original version. Depending on the type of document, invoices or accounting documents, for example, can be automatically assigned to appropriate retention periods in order to exactly meet the retention periods of the AO (Abgabenordnung, the German Fiscal Code). The larger a cloud provider is, the more certificates it has that guarantee customers legally compliant storage of their data. Documents may therefore very well be stored in the cloud. Myth 3 therefore refutes itself.
Further interesting aspects of the topic can be found in the interview with management consultant Dr. Ulrich Kampffmeyer.
Myth 4: The cloud is more expensive than an on-premise solution.
At first glance, the on-premise version often seems to be more cost-effective than its cloud counterpart. But appearances are deceptive. Often important cost factors are forgotten in the comparison. If a company decides in favor of the cloud, its own IT infrastructure is outsourced. This means that responsibility for hardware and software falls into the hands of the chosen cloud provider. From now on, the provider is responsible 24/7 for the company’s cyber security, server landscape, updates, backups and certificates – all thanks to a large pool of regularly trained specialists who monitor the activity around the clock. Since the cloud has a multitude of positive characteristics, a clear trend towards the fluffy storage medium has been evident for years.
With on-premise, the “do it yourself” character is in the foreground. Companies employ their own IT staff to look after their server landscapes. The company is also responsible for regular updates, backups and smooth functionality. The company’s own IT also takes care of updating relevant certificates and purchasing the latest hardware and software. Especially here it is noticeable that the on-premise solution involves anything but one-off costs, because operating systems, databases, certificates as well as security and process documentation are regular and recurring costs. It is also often forgotten that in-house IT specialists have far more tasks than just administration. If you look at the comparison from these points of view, it quickly becomes clear that the fourth assumption is also nothing more than a myth.
However many stories there are about cloud computing, many of them are either long outdated, wrongly handed down or not thought through. The outsourced IT infrastructure not only offers more security through the appropriate manpower and important certificates, but also relieves the burden on your own specialist staff. If you opt for a cloud, IT staff can devote themselves to the really important things again instead of having to worry about the security of server landscapes around the clock.