What risks come with the adoption of a cloud by your business?
At Telindus, risk is a recurring topic in discussions with customers who are moving to the cloud – the discussion always comes back to the same topics, and customers raise very similar fears. Moving to the cloud, like every change of solution and every transformation, always comes with certain risks – those risks can be linked to the transformation, the design or even the technology. So what exactly are those risks, and how do we, at Telindus, reduce them to an acceptable level?
“On a technical level, the main risks we must address are the loss of control on data, vendor lock-in, dependency, solution transparency and of course, security!” Amaury Fonteyn, Head of Pre-sales Unit at Telindus
Luxembourg’s risk approach to IT solutions
In Luxembourg, risk is one of the core principles that must be addressed in every project; indeed, local regulators such as the CSSF have specific circulars that address this matter. At our end of the spectrum, we address risk in a systemic way and rely on multiple frameworks in order to identify, measure, control and respond to any risk that may arise.
Based on this, control is exercised at multiple levels and draws on multiple elements. With regulated industries representing a large portion of the local market, most solutions and providers, such as support PFSs, have made the CSSF risk-linked requirements their standard. Some, such as Telindus, have also adopted additional risk frameworks such as ISO 27001, which benefit from wide international adoption and are widely recognized as top-class frameworks.
The most common risks in cloud - and how to address them
As part of its cloud circular (17/654 as amended), the CSSF requires any institution wanting to outsource to the cloud to carry out a complete risk analysis of the outsourcing activity. As much as this may seem like a lot of work, it allows companies to shed some light on the main risks associated with an outsourcing activity.
The biggest risks that typically arise during a risk analysis of a cloud solution or of outsourcing to the cloud are often linked to security, and multiple aspects must be addressed because this risk is often shared between multiple actors. On the one hand, the provider shares this risk, as it is the one providing the solution and must implement measures on its end – those are often linked to encryption, tenant segregation, firewalling, etc. On the other hand, the customer and the service provider have their fair share of responsibility with regard to added security layers and usage of the service. Indeed, with IaaS clouds such as Microsoft Azure, Google Cloud and Amazon Web Services, the customer designs its own solution on top of the cloud provider’s services, which may introduce security breaches in a natively secure platform. At Telindus, in order to address those risks, we have created a security policy composed of over 150 rules that we apply to every customer environment and enforce at every cloud provider we deploy services to.
When adopting a specific cloud solution, one of the risks is linked to a potential solution lock-in and the associated exit strategy. Indeed, what should you do if this provider ceases its activities or discontinues its solution without prior notice? This can have a real impact on a company’s business and must be addressed prior to any adoption. The answer is a well-prepared and tested exit strategy and policy – a plan explaining “how” and “in which case” a company should decide to exit a provider.
With public cloud, solution transparency, or the ‘black box’ concept, becomes one of the most underestimated problems. Indeed, when adopting a solution in the cloud, it is often not clear how the solution is built or which building blocks make up the foundation of the service. Therefore, it is important to understand the solution, request additional information and, in some cases, conduct an audit of the provider in order to fully understand and accept how the solution is built. At Telindus, we have acquired the right for our customers, the CSSF and ourselves to audit Microsoft, Google and Amazon with regard to the cloud solutions used by our customers – in order to shed some light on services that might be used by our customers.
“No change comes without any risk – our goal is to reduce it enough and control it in order to make it acceptable for our customers and ourselves!” Audric Lhoas, Cloud Product Manager at Telindus
When adopting cloud, risk must be accounted for, and the best strategy is to account for it at the beginning – in a proactive manner rather than a reactive one.
You want to know more about Telindus’ cloud solutions and how we manage risks? Visit https://www.telindus.lu/en/solutions/cloud