
Migrate to Cloud Services without Jeopardizing Security and Compliance

By Morten Dichmann Hansen, Security Architect at NNIT (Cloud & Production IT)

Cloud computing will provide many companies with new opportunities and strengthen their competitiveness, but don’t forget due diligence before jumping to the cloud. Jeopardizing security and compliance will hurt your business in the longer run.

Companies want to achieve all the great benefits of cloud computing, but are they aware of the risks related to ignoring the security and compliance aspects of the decision? Many companies lack a cloud policy, and the decision to buy cloud services is often insufficiently evaluated with regard to security and compliance.

The Cloud Hangover

In line with the trend of the past couple of years within the IT business, your company is likely to have already started, or will soon be considering, migration to cloud services due to a positive business case. The decision is typically driven by a wish to focus internal resources on business support rather than implementing and operating IT systems. Awareness about the benefits of cloud computing is rising continuously.

Cloud technology can revolutionize your business operations, if you act wisely. Don’t forget to take tomorrow’s issues into account, however. By doing so, you can avoid imposing a “cloud hangover” on the organization. As a decision maker, you must keep in mind that your company is accountable for adequate protection of company data and compliance with law and regulations. This applies in particular to companies with a need for storage of Personally Identifiable Information (PII).

The “cloud hangover” starts to kick in when the migration results in governance and compliance issues, loss of control, data loss and privacy risk, and risk of intellectual property theft. Furthermore, the cloud providers’ security and compliance controls are often not transparent and adjustable. These are all potential elements in a “cloud hangover” which can hurt your business – but which can also be prevented if you act wisely beforehand.

Are Cloud Services Less Secure?

It would be misleading to conclude that cloud services are less secure than in-house services. There is no ‘the cloud’; many different cloud providers offer different types of services. In fact, there are numerous examples of cloud vendors who perceive security and compliance as a foundation for their service and who provide a more extensive level of security than the typical company can afford.

The level of security controls must correspond to the business criticality and data classifications. For instance, when requiring confidentiality, companies must demand security controls like data encryption and private key management, which can turn out to be irrelevant for storage of information classified as public. The cloud delivery models (public, private, and hybrid) also impact the required security controls, as the delivery models have different characteristics and associated risks.

Maintain Control

When companies embark on traditional outsourcing, they typically have much more control, which makes the risk of organizational “hangovers” smaller. They negotiate contract terms and obligations to ensure that the contract supports their business demands. Conversely, the cloud providers are often less flexible and agile with regard to contract terms because they want to stick to standard terms. It is crucial to choose a viable provider (also with regard to financial stability) to ensure business continuity and maintain control.

It is also important to have a plan in place for terminating a cloud service if the need arises in the future. The plan must support migration to another cloud provider or even to an in-house solution. There might be a lack of standards between cloud providers, making it difficult to integrate different cloud solutions or ultimately migrate from one cloud provider to another. We all want to avoid being locked into a provider or becoming hostage to an expensive transition project.

Risk and compliance requirements do not disappear when migrating to cloud services. Keep in mind that it is still about computers – just someone else’s computer. When considering cloud services, there is a tendency to be calmer when specifying the requirements. It is still important to ensure that the required operational, compliance and security controls are applied to the company’s data when migrating to cloud services.

How to Take the First Steps towards Cloud

Begin with a due diligence phase focused on security and compliance. Make sure that you are aligned with the business and understand the business criticality and impact of a confidentiality breach, data integrity issue and prolonged service unavailability.

Then, conduct a data classification assessment of the different data types with regard to confidentiality and compliance with law and regulations. Knowing the confidentiality level and compliance requirements for the data is particularly important when specifying the security controls and service requirements.

Having completed these assessments, you can proceed by evaluating the different cloud delivery models and market offerings, including taking a closer look at the cloud provider’s terms and conditions for delivering and terminating the services.

It is all about knowing your business needs and mitigating the inherent risks to the business. Of course, your company could choose to accept a higher risk level, should the value of benefits justify it. The key is to make informed choices.

Have I Overlooked Something Important?

This article is based on my professional experiences and personal view from working with IT for more than 20 years. Please share your thoughts if you find that I overlooked important things. I look forward to hearing about your views and experiences.

You are welcome to contact me at and +45 3079 5368, if you want to know more about how NNIT can help you migrate to cloud services.


About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage. 

You are welcome to contact us at if you want to know more about how NNIT can help your business increase its information security level.​


