
The 5 commandments you should never forget

The cloud offers many opportunities for growth. But the choice of suppliers and the selection of data to be migrated should not be made lightly or in haste. A number of points need to be carefully considered.

#1 - I will not put all my apps and data in the same cloud

It's a well-known fact that you shouldn't put all your eggs in one basket. This common-sense rule also applies to the cloud. Depending on your needs, the specifics of your organization and your requirements, it's best to divide your data and solutions between different suppliers.

Start by defining the value of the data and the level of security required.

If you need to host highly sensitive information, opt for a trusted platform (see our fifth commandment).

If availability is crucial for one of your activities (e.g. e-commerce site), choose a provider offering the best guarantees in terms of redundancy and availability. You should also consider the benefits of using a CDN.

#2 - I will secure access to my data

According to a report published by RedLock, a US company specializing in cloud security, 51% of companies using the Amazon Web Services (AWS) S3 cloud storage service suffered at least one data leak in 2017. For its part, Proofpoint reports that 24% of "suspicious" login attempts succeeded on the "hundreds of thousands" of SaaS accounts examined.

The study also revealed that some 60% of users had neither a password policy nor a strong authentication procedure. As a result, they share files with their personal accounts, some of which are publicly accessible.

A security policy is therefore essential. In particular, it must include traceability mechanisms, two-factor authentication, finer-grained management of access profiles by job role, and training to raise staff awareness of digital threats.

Data must also be protected by regular, off-site backups to guard against any risk (fire, water damage, human error or malicious acts, failure of the cloud provider, etc.).

#3 - I will check my subcontractors' compliance with the GDPR

The General Data Protection Regulation (GDPR), which came into force on May 25, establishes joint responsibility between companies and their service providers. In this context (IT in general and file hosting in particular), the text obliges each of the contracting parties to comply.

They must ensure the security of the personal information they process by putting in place various organizational measures (record of processing activities, DPO, etc.) and legal measures (specific GDPR clauses in all contracts, etc.).

They also have to deploy technical solutions (encryption of data flows and of the data itself, access control, information system mapping, etc.).

As a general rule, all subcontractors must provide sufficient guarantees to ensure that processing complies with the requirements of this text.

#4 - I will analyze all cloud costs

Forgotten resources and services are the main cause of inaccurate cloud computing cost estimates. Lack of visibility on resource utilization makes it more difficult to control spending. This is the conclusion of a survey of 300 IT managers carried out by SoftwareONE, a cloud management and software company.

It's easy enough to estimate the monthly cost of an AWS or Azure instance. But workload requirements usually extend far beyond a single static instance.

Companies also need to take into account other costs, such as those associated with data migration and APIs: the so-called "hidden costs".

#5 - I'll surround myself with trusted suppliers

Data localization in datacenters has always been a major issue for CIOs and business leaders. It takes on an extra dimension with the GDPR.

How can you be sure that the hosting company on the other side of the world has put in place all the necessary measures to ensure the security of your personal data?

And even if some web giants have decided to set up their own datacenters in France, this issue remains topical because of the CLOUD Act ("Clarifying Lawful Overseas Use of Data Act").

In particular, it aims to force US tech companies to disclose personal information about their users in the context of investigations, even when the data is not stored on US territory.

Location and availability are two decisive criteria in the selection of suppliers. Legal risks vary from country to country, and data protection guarantees differ inside and outside the European Union.

Geographical proximity also minimizes latency due to distance in the network. Last but not least, it's worth checking the certifications and standards obtained by these partners.
