As one of the driving forces of digitalisation, cloud computing brings many opportunities for society and the business world - whether lower costs, the latest security standards and regular updates, elastic and scalable resources or resulting competitive advantages. Many companies are already taking advantage of these opportunities, while others are still shying away from them. Now it is time to look at and clarify risks and concerns.
Since cloud computing systems are essentially complex distributed systems, they are, on the one hand, exposed to the same general risks as a classic IT system. These include, among other things, inadvertent or deliberate wrongdoing - for example, unauthorised copying of data, changes to configuration settings or deletion of data by employees or subcontractors of the cloud service provider - or misuse of the provider's platform through brute-force attacks on passwords or malware. Exploitation of security gaps on the transmission paths, for example by eavesdropping on data traffic, is also a general risk of classic IT systems and thus also of cloud computing.
On the other hand, cloud-specific risks resulting from the circumstances of cloud computing must be considered. This is where most of the concerns lie.
According to Statista, 64 percent of respondents in a 2021 survey said that data loss or data leakage was their biggest concern about cloud security. Data protection was the concern of 62 percent of respondents. It is clear, then, that many (potential) users of cloud computing are concerned about data security and data protection.
And indeed, a lack of transparency with regard to data storage, inadequate control options, and the duplication and distribution of data all represent cloud-specific risks. Since the physical data storage is in the hands of the provider, it is usually not verifiable for the user. Whether data has been stored completely or deleted properly by the provider, for example, is difficult to check. Likewise, it is usually not apparent to the user where the data is processed - processing may also be distributed if a cloud provider itself obtains parts of its resources externally. The corresponding logs and documentation are held by the provider, although an explicit means of control for the user may be provided. To minimise these risks, it is advisable to ask whether the cloud service provider has secure identity authentication, management and access controls in place, and what protection is provided against which threats.
There is also an increased risk for the availability of services. Numerous services interlock in cloud computing, so that changes to an interface can impair the functionality of the services based on it. This risk also exists in the event of the failure or discontinuation of services. Therefore, if a service is discontinued or terminated, it is necessary to quickly find an equivalent replacement. The often very short notice periods should always be taken into account.
Another risk is the complexity of the IT landscape, which increases with the use of cloud computing. As a result, far more complex IT security management is indispensable for secure use. Aspects that have been neglected so far should be uncovered and considered.
The dependency on the cloud provider and the loss of knowledge, which inevitably occur with outsourcing, are also to be considered risks. Users are dependent on the expertise and reliability of the provider. Although the provider is responsible for agreed services that are not provided or for inadequate data handling, such failures always have an impact on the user. The risk of so-called "vendor lock-in" should also not be neglected. This refers to a relationship in which customers are so dependent on the products or services of a provider that switching to a competitor would involve a great deal of effort and high costs and therefore usually does not happen.
Furthermore, in the Statista survey, 44 percent of respondents stated that compliance risks were another concern regarding cloud computing security. It is important to note that compliance regulations are becoming more stringent due to increasing cyberattacks and data protection issues. Regulatory frameworks such as HIPAA and the GDPR (DSGVO) ensure that companies comply with applicable state or federal rules and regulations. It is advisable to choose cloud computing providers that comply with the standards applicable in the relevant state or country. Many providers can even offer certified compliance.
Despite the risks listed, cloud computing is not just a passing IT trend, but will shape the future as one of the driving forces of digitalisation. In order to make the most of this technology and its opportunities, possible risks and resulting challenges should be considered and minimised.
Sources: www.pwc.ch, www.agile-unternehmen.de, www.compliance-net.de, www.statista.de