Thursday, September 1, 2011

Develop and successfully implement cloud strategies

Paths in the cloud

With services from the cloud, companies can save resources and costs. Privacy and other legal aspects, however, require careful planning, which concludes with contractual stipulations.
 
Cloud computing makes it possible to handle business processes more efficiently, flexibly and cost-effectively. Companies are therefore increasingly using SaaS (software as a service) solutions for individual tasks, such as CRM applications for sales or mail and collaboration software. Some are planning to implement large SaaS applications, including complete ERP packages. Companies that are expanding or have to cope with peak loads can forgo the purchase of new servers and instead use virtual machines from the cloud (Infrastructure as a Service, IaaS).

In the planning phase, the company examines the benefits of cloud services, such as flexibility, energy and cost savings and improved access for mobile employees, and at the same time determines the risks, such as security restrictions or loss of control. Planning must include legal considerations. Many software applications process personal data, such as customer data in CRM applications and employee data in the HR management modules of ERP packages.

The company must therefore observe the requirements of data protection law. Even if no personal data is processed, there is a whole range of other data, such as financial data, which must be kept absolutely secret. Here the company's leadership, that is, the board or management, is under a legal obligation to make provision for risk. This includes an appropriate approach to data security.

Ownership of private cloud

Legal issues must also be considered when the company decides which applications run in a private cloud and which services it wants to obtain from a public cloud. Private clouds are networked IT systems that are under the legal responsibility of the party that uses the cloud. In a public cloud, the operator is a third party that makes cloud IT services available to various users.

Public clouds offer greater flexibility and cost savings. The legal requirements for designing them properly, however, are far higher.
An analysis of how much protection the data needs may, for example, lead the company to use certain data in a public cloud only in anonymized or encrypted form, or to choose a hybrid cloud. Data with low protection requirements is processed in the public cloud; data with high protection requirements, by contrast, in a private cloud.

The planning phase ends with the definition of a cloud strategy. In it, the company lays down whether part of enterprise IT is organized as a private cloud, which services are obtained from a public cloud, what the functional and security requirements are and which legal requirements must be observed.

Arrangements for confidential data

The second phase follows: the selection of a provider. The company must consider legal aspects here as well. Use of a public cloud always means that the company transmits data to the cloud provider. Some critics therefore say that cloud computing is not legally permitted because the data protection requirements are not met. This view is not correct. It is legally possible to process personal data in a public cloud as well. However, the company and the cloud provider must comply with certain conditions. In practice, this is done by having the provider act as a data processor on behalf of the company (order data processing).

Checking the requirements for order data processing

Order data processing in accordance with § 11 of the Federal Data Protection Act (BDSG) requires that the company select the cloud provider carefully. It has the responsibility to check whether the provider has taken appropriate technical and organizational security measures to process the data. For this purpose, the company must review the provider's protection concept. This concept must fully implement the eight principles of data security listed in the box on this page.
Certifications that the provider submits and that confirm compliance with the protection concept are indispensable.

Principles of data security in the processing of personal data (Appendix to § 9 BDSG)

Physical access control: measures that prevent unauthorized persons from gaining physical access to the data processing systems. This applies to outsiders as well as to staff from other divisions or employees outside their working hours; examples are building monitoring, security zones, authorization cards and alarm systems.

System access control: measures that prevent unauthorized persons from using data processing systems, such as password assignment and protective measures such as firewalls against intrusion.

Data access control: protective measures that ensure employees can view and use data only within the scope of their access rights, and that protect data during use and storage, for example through unambiguous assignment of access privileges, effective verification procedures and encryption.

Transfer control: protection of data during storage or transmission, including documentation of the bodies to which disclosure is intended; for example through accurate documentation of the data centers involved, logging of where data is stored, rules for encryption and reliable deletion methods.

Input control: logging of when and by whom which data was entered, altered or removed.

Job control: in order data processing, data may be processed only according to the client's instructions; among other things through clear rules on purpose limitation, access restrictions, storage, loss of data carriers, deletion procedures and complete handover after the end of the job.

Availability control: protection against accidental destruction or loss of data, for example through regular backups, UPS and a disaster plan.

Separation control: systems must be able to process data collected for different purposes separately, for example through separation by access control.

Order data processing also requires that the data be processed only in data centers within the European Economic Area (EEA), i.e. the EU plus Norway, Iceland and Liechtenstein. Many cloud providers therefore also offer pure EU/EEA clouds. Some even offer purely German clouds. That is important, for instance, if a company wants to outsource its accounting to the cloud.

Once the company has decided to open negotiations with a particular provider, the negotiation phase begins. In it, the company will often give the provider more information so that the provider knows the company's exact needs and can make a tailored offer. Before the company discloses internal information, it should conclude a confidentiality agreement with the prospective service provider.

The negotiations concern the services to be provided by the provider. It is important to describe these services precisely in the contract and to regulate their flexibility and scalability in order to avoid later disputes.

Negotiate contracts

An important part of the contract is the service level agreement (SLA). The SLA provisions cover the availability of the services, that is, uptime, availability rate and maintenance windows. System response times also belong here. A second area covers the arrangements for support and troubleshooting. Here, error classes are defined, along with response and problem resolution times. Since system failures can have serious consequences, it is important to settle these points carefully.

What if something goes wrong?

The SLA also includes provisions on the legal consequences of any violations. The statutory rules on service disruptions do not fit IT contracts. It has therefore become established practice to replace the statutory rules with contractual arrangements in the service level agreement. A well-known example is the penalty system for failing to achieve the agreed availability. Lump-sum compensation rules and the definition of the conditions for termination also belong here.

Cloud providers often offer standardized service levels. The reason is that a provider can offer favorable prices only if it standardizes its services.
Often it is possible, for a surcharge, to negotiate service levels individually tailored to the company's requirements.

If the company wants to process personal data in the public cloud, it must conclude an order data processing contract with the cloud provider. This contract must contain a large number of provisions, in particular on the nature of the data and its use, the circle of data subjects, the establishment of subcontracting relationships, the rectification, erasure or blocking of data, and the company's control rights and its authority to issue instructions.

Principles must be clarified

An indispensable part of this order data processing agreement is also the cloud provider's protection concept for data security, which implements the eight principles of data security listed in the box. The company and the cloud provider must agree on this protection concept in binding form. In many contracts, there is only a bare list of the eight principles and a commitment by the cloud provider to meet them. That is not enough; the contract must regulate the details. These provisions cover, among other things, the data centers in which the provider processes data, the protective measures against unauthorized access to the data center, the type of encryption used when transferring data between data centers, the procedures used to protect against intrusion into virtual systems, and the deletion method applied before storage areas are released to other users in multi-tenant systems.

The negotiation phase ends with the conclusion of the contract. After signing the contract, the company can begin to use the cloud services and move data into the public cloud. Even if the data is then stored with the cloud provider, the company remains legally responsible for the data processing. It must therefore continually check whether the cloud provider complies with the technical and organizational measures for data security.
Spot checks in the data center are not required; instead, the company must rely on test reports and certifications from trustworthy third parties.

Conclusion

For companies today, the question is no longer whether they use cloud computing, but only how and to what extent. If a company takes the legal requirements for data protection and security into account from the outset, it can properly decide which applications will be operated in a private cloud and which are suitable for outsourcing to a public cloud. The company is then able to select a suitable cloud provider and negotiate appropriate contracts.
