Engaging a cloud hosting provider: Why a clear risk assessment policy is crucial

The Norwegian National Security Authority (NSM) has released its annual report “Comprehensive digital risk picture” (in Norwegian), which highlights the importance of solidifying information security management in companies and organizations. 

This year, NSM issues a stark warning about overseas cloud hosting providers, expressing concern about more and more Norwegian organizations having grown dependent on foreign cloud services. 

The NSM report recognizes that cloud services bring a host of operational and strategic benefits to companies. A key point being addressed, however, is the importance of understanding and considering exactly how and where data will be hosted when engaging a cloud storage provider. According to NSM, too many organizations fall short in this regard.

At Xait, we have seen this red flag for a long time. Norwegian companies and organizations need to better understand – and plan for – the potential risks and legal ramifications involved in choosing a provider to host their cloud.

Data security management has taken a back seat

Cloud computing has been around for approximately two decades. Despite the data pointing to the business efficiencies, cost-benefits, and competitive advantages it holds, a large portion of the business community has been reluctant to adopt the cloud, mainly due to security concerns. 

At the same time, cloud computing has become a natural part of everyday life. Activities such as banking, email, media streaming, and e-commerce all use the cloud. This trend has caused the pendulum to shift too far. 

– Organizations have gone from being on the fence about cloud services, says Xait CEO, Eirik Gudmundsen, – to adopting them at an ever-increasing rate, without setting a clear data privacy and security strategy first. 

He continues: 

– To us at Xait, cloud services are synonymous with reliability and security. But as companies’ stance on the cloud and security has softened over the past few years, they haven’t always made the proper security risk assessment before choosing cloud providers. This is one of the issues raised by the new report from The Norwegian National Security Authority, and with which we fully agree.

Norwegian companies must wise up on cloud risk management

Xait’s concerns about the general lack of understanding and proper security risk management before engaging cloud providers are shared by the cloud infrastructure provider that we use – the European public cloud hosting provider Klikk. 

Bjørn Knudsen, CEO at Klikk, praises Norwegian companies for embracing innovation. Yet at the same time, he says, they tend to neglect obvious security aspects:

– Norwegian IT service providers focus on efficiency improvement and maximum value-creation on the high end of the value chain, but this often comes at the expense of everything that doesn’t meet the cost-benefit criteria. As long as anyone can assure us that everything is safe, we have got our backs covered, right?

Wrong. The reality looks very different, Knudsen warns.

– We have exposed our business-critical assets to a wide range of foreign actors pursuing commercial as well as intelligence interests. Even though confidential and sensitive user data might be stored in Norwegian data centers, foreign cloud hosting providers like Microsoft or Amazon can be forced to hand over this data. 

Cloud hosting providers being forced to share their clients’ data is not an uncommon occurrence, according to Eirik Gudmundsen:

– When your data is in a cloud that is hosted overseas, it is susceptible to that country’s legislation and privacy and confidentiality laws, which may differ significantly from Norway and Europe. Because of this, your company’s data, and any of your clients’ data that you store, can be potentially jeopardized by unauthorized access.

The risk of having confidential and sensitive data breached is compelling more and more Norwegian IT companies to focus on homesourcing the very core of their services. However, as the Klikk CEO points out, we must not go all the way back to the ‘Stone Age’, and establishing a national, government-led cloud hosting service is not the way forward:

– We have sufficient cloud competency in Norway as it is. We just need to join forces. 

Implications of the EU court ruling

On July 16, 2020, the Court of Justice of the European Union (CJEU) held that the Privacy Shield Adequacy Decision of the European Commission on personal data transfer from the European Union to the United States is invalid. According to the EU, the level of data protection in the U.S. is not essentially equivalent to that required under EU law.

In Bjørn Knudsen’ view, this serves as a warning to Norwegian companies.

– The ruling by the EU's top court makes it abundantly clear that Europe no longer trusts U.S. companies to comply with the level of privacy required by the GDPR. Boards need to level up their understanding of GDPR and data risk management, and they must dare to ask the right questions!

Why choose a specialized cloud service provider? 

What puts a cloud service provider like Xait in a unique position to have full control over data governance, is the fact that we deliver highly specialized enterprise services with security built from the ground up. Plus, we host our solution on our own specialized cloud with proven security features. 

In contrast, generic cloud service platforms that offer multiple solutions in one single solution pose real security and privacy risk:

– Organizations need to be more aware of the inherent risks involved in choosing “off-the-shelf” cloud services, says Xait CEO, Eirik Gudmundsen.

– Going for a specialized solution and keeping your cloud hosting dedicated to the specialized solution gives you all the advantages of cloud computing and helps guarantee your data privacy and protection.

Conclusion: Understand and plan for the risks

An increasing number of Norwegian businesses and industry leaders recognize how enterprise cloud services can be leveraged to run their organizations more efficiently, better serve their customers, and dramatically increase their overall profit margins. 

However, as the cloud becomes essential for business operations and an increasingly remote workforce, organizations must address risk factors such as data governance and privacy vulnerabilities.

Many cloud hosting providers have a significant presence outside of Europe. Such providers might not only be forced to hand over hosted data to the government but also to do so secretly.

Companies and organizations need to designate clear policies and responsibilities for the acquisition of cloud hosting providers. In an ever-more turbulent geopolitical climate, data security and governance are critical. 

To ensure national control over vital functions in society, the Norwegian National Security Authority (NSM) recommends establing a “central government cloud”, i.e. a state-controlled infrastructure for cloud services. Xait and Klikk do not see the necessity for such a cloud platform. 

There are rock-solid cloud competencies in Norway. We just need to consolidate and leverage them.