A Cloud-first strategy is increasingly the first option for organizations, institutions and companies to make ICT more effective, safer and more affordable. However, practice shows that too narrow a scope when assessing various cloud applications leads to a sub-optimal ICT infrastructure. In this blog I explain how you can make the right choices and how you can use a Cloud-first strategy effectively.
What exactly is a Cloud-first strategy?
A Cloud-first strategy means that you assess whether all ICT applications within your organization are suitable for the cloud. If a functionally and technically suitable cloud service solution is available in the market, it will be preferred.
In the following – somewhat exaggerated – example I show what then happens in practice.
A new IT solution is needed. According to the letter of the Cloud-first strategy, it is first examined whether the desired solution is available as a cloud service. The cloud solution turns out to be easy to order and is delivered quickly. The Cloud-first box can be ticked. Everyone is happy. The problem: alternatives, such as non-cloud solutions, have not been considered at all. The result: by definition, the best solution has not been chosen.
Which strategy for ICT is the best at the moment?
The question is: why do you have a strategy? What is the goal? You want to make ICT simpler, more functional, safer, more transparent and more affordable. In that case, a cloud solution can be part of a strategy, but it is not the goal. Ignoring a good solution because the worse variant is in the cloud can cost you dearly, whether through data leaks or through inefficiency. A good strategy is of course important, so consider a Privacy-first strategy.
New challenges in the cloud
The low threshold to purchasing means that orders can be placed quickly, resulting in fragmentation of platforms, consumption, data and security. That is a problem the market is responding to, with dedicated solutions for security, encryption, privacy, data retention, integration, consultancy and pricing. In fact, solutions are being offered for a problem you don't need to have at all.
Most cloud solutions are offered in a so-called public cloud. A property of such a public cloud is that it is built up from services of which you do not know how they influence each other or how they function. The consequence is that extra costs quickly arise, due to services that turn out to be required afterwards and to unforeseen use: hidden costs that make budgeting difficult. You don't know where your data is, who can access it or how it is secured. And when you discover that things are arranged differently than you thought, or that a limit is being hit, you can purchase yet another extra service. Finding out how it all works takes a lot of time, so assumptions are quickly made. And in addition: is the cloud service you have chosen really cloud? Or is it just a server in a data center?
Privacy-first strategy
A Privacy-first strategy is a real strategy, whereas Cloud first is a solution rather than a strategy. The Privacy-first strategy forces you to go through many more checks when selecting solutions, without of course excluding the cloud. With the AVG/GDPR and the necessary ethics, you have a clear guideline when assessing a cloud service. After all, you will soon be handing over data from third parties or from your own company to a third party, or giving foreign governments access. Thinking this through with common sense is a good idea for the following reasons.
1. Data doesn't necessarily get old
Two characteristics of data are that it can be duplicated and that not all data becomes obsolete. Suppose you have software in which your personnel data is stored. That is neatly stored in a database: name, date of birth, citizen service number (BSN), copy of passport, salary, address, holidays, and so on. Some of this data never changes, so it remains relevant information at all times, even if it leaks after 10 years. Storing data encrypted in a less secure location is therefore not a good solution: the encryption will no longer be secure in a few years, but the data will still be valuable. You must therefore absolutely prevent the security of the data from failing: secure storage, in a secure location.
2. Fine print can be insidious
Fine print is commonplace. Everyone uses it, no one reads it. Below are some fine-print clauses that I didn't make up; they come from practice and are included in the privacy statements of a number of major suppliers. Once you have read them, I ask you: would you entrust your citizen service number to those companies?
We provide personal data to our partners and other trusted companies and individuals to process it for us
Trusted companies and people… That's everyone they trust! But what is that trust based on?
We have servers all over the world and your information may be processed on servers that are not located in your country of origin.
So even if your data is now in the Netherlands, tomorrow it could be somewhere else without your knowledge.
When you upload, add to, store in, transmit or receive content on or through our Services, you grant us (and those we work with) a worldwide license to use, host, store, reproduce, adapt, create derivative works thereof, communicate, publish, publicly perform, publicly display and distribute.
So anything you keep with this provider can be made public. Also by companies they work with.
We also share personal data with affiliates and subsidiaries controlled by us; with suppliers who work on our behalf; when required by law or to respond to legal process; to protect our customers; to protect lives; to ensure the safety of our products; and to protect the rights and property of us and our customers.
This one seems to be reasonable. Except that there are 73 companies around the world that fall into that category with this supplier.
Personal information we collect may be stored and processed in your region, in the United States, and in any other country/region in which we or our affiliates, subsidiaries, or service providers maintain facilities.
So that's just the whole world and countless, different companies.
We transfer personal data from the European Economic Area, the United Kingdom and Switzerland to other countries, for which in some cases the level of data protection provided has not yet been determined by the European Commission.
Fair enough, but this supplier stores data in countries that the European Commission has yet to look at. You can think for yourself which countries that could be!
A good privacy statement says it all in a few words
It is best to look for the fine print. It is often hidden behind titles such as “We care about your privacy” and “We know how to protect your data”. But why choose a supplier when you are unsure what they will do with your data, given the leeway their terms give them? I ask myself in all honesty: why is a privacy statement so long, what do you want to hide? “We do not share with third parties” says enough as far as I am concerned, and it is only a few words!
How do you choose the right supplier for a Privacy-first strategy?
You are responsible for the data you store. The supplier for your data storage should make it easy for you to be GDPR compliant. They cannot guarantee that with lengthy conditions or with all kinds of certificates. Below I explain in a few steps how to choose a good supplier.
Step 1: Start by eliminating those suppliers where the privacy statement speaks volumes.
Step 2: To be able to choose a product with which you can store and use data in a GDPR-compliant way, you need to know its applicability. Is the product suitable for the data you want to keep, and why? A sensible use policy must be available for this. An example can be found here: https://tuxis.nl/sensible-use-policy
Step 3: Use the right data storage techniques. Storing and sending special categories of personal data by e-mail is a bad idea in any case, even if your e-mail supplier is certified down to the last detail. A product must therefore also be carefully examined from a technical point of view.
Step 4: Throw away the advertising brochure and ask the supplier about the technical side of things. Use the questionnaire below.
Questionnaire for data storage suppliers
1. Suppliers in the chain may have access to your data:
- Who are those suppliers in the chain? (sub-processors)
- Is the entire chain of suppliers European?
- Will I receive a processing agreement?
2. Data loss is also a data breach. Backups are important:
- How often are they made?
- What is kept?
- How many versions?
- Can I access those backups?
- Where is that data?
- Is that data geographically separated?
3. Rights to the data:
- Who owns the data after it's posted? (If it's not on your own equipment, that remains a tricky point, which can be different from what you think due to a single sentence in an agreement.)
- What is the fixed location of storage, and in which country is the supplier established? (This determines which government can access the data.)
4. Security:
- What do you do to keep my data safe?
- Is that security tested? How often?
And although these are technical questions, the supplier should be able to answer them readily from existing knowledge. If the supplier finds it too complicated to explain, that is not a good sign.
You are responsible yourself, so should you do everything yourself?
When choosing a data storage supplier, good information is necessary so that you can comply with the GDPR. Just read the guideline. It contains, among other things, the following important instructions.
- You must not lose any data.
- Data must be accessible.
- You must not leak data.
- Do you receive a processing agreement?
- Does the supplier process or collect the data?
- Do you retain the rights to posted data?
- Is there data storage, or a supplier in the chain, outside the EU?
- Can the supplier get capacity outside the EU?
- Is there any legislation that would allow access to a non-EU government (such as US suppliers)?