Assess the implications of using cloud services

Cloud services offer flexibility and cost efficiency, but they also bring security risks that must be managed consciously.

Cloud services offer businesses great flexibility, cost savings, and better access to data. At the same time, they introduce new risks that must be consciously managed. The following principles will help you make informed decisions when choosing and using cloud services, while ensuring the security of your company’s data.

Recommended actions

First, it is important to choose a service provider. Choosing a provider is a strategic decision that affects the security of your company’s data – careful planning and an informed choice can help to ensure that your business fully benefits from cloud services while minimising potential risks. Key considerations when choosing a cloud service provider:

  1. Ensure that the service provider complies with relevant security standards and regulations.
  2. It is important to know where the data is stored and how it is managed. This is important for data protection as well as regulatory compliance.
  3. The reliability and availability of the service provider – information on past incidents and how the provider has resolved problems can be useful.
  4. Good customer support is critical. It is worth making sure that the cloud platform provides timely and expert support.
  5. What does the service cost and what are the terms of the agreement? It is important to ensure that the service does not involve any hidden fees or contractual obligations, especially regarding the return of data at the end of the service period.

Before making a decision, it is worth researching a number of service providers, comparing their offers, and reading customer feedback.

Once you have found a suitable service provider, you should pay attention to the secure use of the cloud platform. Security settings – such as access control, network security, and logging – should be carefully reviewed during service setup. Many cloud providers offer built-in security features to help protect against cyber threats – such as filtering spam or malicious content. Regularly review these protections and, if necessary, enable additional safeguards on the management interface, making them mandatory for all users. A well-configured platform lays the foundation for success, but security requires ongoing attention, not just a one-time setup. Cloud systems need to be regularly maintained and updated to protect systems and prevent the exploitation of known vulnerabilities. In addition, logging and continuous monitoring of activities are essential to quickly identify any unusual behaviour. To achieve this, you must configure system logs and regularly monitor cloud activity to swiftly detect and respond to potential incidents.

Lastly, data backup must not be overlooked. The cloud does not eliminate the need for regular data backups – in fact, it makes them even more crucial. You should regularly back up your data and make sure it is stored securely. For certain services, the cloud provider may offer backups, but at least one backup should always be stored separately from the environment, either on a storage medium controlled by the organisation or in another cloud service. This ensures that data can be restored in the event of unexpected problems. You can read more about secure backup in chapter 7.3 ‘Ensure backup operation and verification’.

Within the organisation, you must carefully define access to resources. Each employee should have only the access needed to complete their tasks.

With cloud services, a personal account is created for each user that is managed by the organisation. However, each account must be protected by a strong and unique password and multi-factor authentication. When using cloud services, ensure that the accounts of departing employees are closed by their last working day to prevent access to the organisation’s data. This can prevent situations where sensitive data is accessed by unauthorised persons. For more information on access rights and how to protect your accounts, see chapter 4.1 ‘Give access rights reasonably’ and chapter 5 ‘Protect your employees’.

An administrator account has more privileges than a standard user account. Therefore, those responsible for managing cloud services should use a dedicated administrator account, distinct from their regular work account. When using cloud environments, it is essential that the organisation always retains administrative access to its own dedicated and isolated environment in the cloud. To ensure this, you should determine during setup how to restore administrative access with the specific cloud service provider if needed, and apply the necessary settings accordingly. For example, you may need to enter the administrator’s contact details (such as an alternate email address) and securely store recovery codes outside the cloud environment, such as in a physical safe. Administrator accounts also need to be protected with a strong password and multi-factor authentication. Some cloud services allow you to restrict access to your organisation’s user environment or management interface based on specific IP addresses or devices. It is also worth considering the use of conditional access policies, which allow you to control who can access services and under what conditions – such as location, device security level, time of day, or the application used. Such policies allow for stronger, more flexible safeguards than static rules alone.
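One way to check an exported account list against the account rules above, as an example added here that is not part of the original guidance. The Account fields and the sample accounts are constructed assumptions, since every cloud provider has its own export format.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    # Hypothetical fields; map them from your provider's user export.
    name: str
    is_admin: bool
    mfa_enabled: bool
    enabled: bool
    daily_use: bool = False                  # also the person's regular work account
    last_working_day: Optional[date] = None  # set for departing employees


def audit(accounts, today):
    """Return (account, problem) pairs for accounts that break the rules."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # closed accounts cannot be used to reach data
        if a.last_working_day and today > a.last_working_day:
            findings.append((a.name, "still enabled after last working day"))
        if not a.mfa_enabled:
            findings.append((a.name, "no multi-factor authentication"))
        if a.is_admin and a.daily_use:
            findings.append((a.name, "admin rights on regular work account"))
    # The organisation must always retain administrative access.
    if not any(a.enabled and a.is_admin for a in accounts):
        findings.append(("*", "no enabled administrator account"))
    return findings


# Constructed sample export (not real accounts).
SAMPLE = [
    Account("mari@example.test", is_admin=False, mfa_enabled=True, enabled=True, daily_use=True),
    Account("mari-admin@example.test", is_admin=True, mfa_enabled=True, enabled=True),
    Account("jaan@example.test", is_admin=True, mfa_enabled=True, enabled=True, daily_use=True),
    Account("kati@example.test", is_admin=False, mfa_enabled=False, enabled=True, daily_use=True),
    Account("peeter@example.test", is_admin=False, mfa_enabled=True, enabled=True,
            daily_use=True, last_working_day=date(2024, 5, 31)),
    Account("liis@example.test", is_admin=False, mfa_enabled=False, enabled=False,
            last_working_day=date(2024, 4, 30)),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE, date(2024, 6, 3)):
        print(f"{name}: {problem}")
```

Running such a check on a schedule, rather than once at setup, matches the point that security requires ongoing attention.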

It is important to give clear instructions to employees on how to use cloud services and to make them aware of the risks associated with the platform. Informed and prepared employees can avoid many common security risks that may arise from carelessness or ignorance.