The global and independent platform for the SAP community.

Cloud first - Compliance second?

More and more public authorities and companies are taking the plunge into the cloud. However, successful and sustainable digitization with the help of cloud computing cannot work without a cloud strategy including GRC management.
Fabian Januchowski, Conet
March 15, 2023
it security header
This text has been automatically translated from German to English.

Diverse and promising offerings on the part of hyperscalers, the availability of more and more "cloud only" applications and services, and the pandemic as a driver of digitization: All these factors mean that sometimes short-term decisions are made in favor of cloud offerings and, unfortunately, already established GRC processes (governance, risk and compliance) are often softened in favor of rapid implementation without really being aware of the subsequent consequences.

But what does a good GRC process include when significant portions of your own IT are outsourced to the cloud? Treat major shifts of your IT landscape to the cloud the same way you would treat an outsourcing of personnel and business processes to a service provider and ask yourself the following questions:

What legal and regulatory hurdles do you have to overcome? Examples such as the DSGVO, the new supply chain due diligence law, or industry-specific regulation such as MaRisk, Bait, and Dora in the area of finance must be taken into account when making a decision - in advance.

Which processes do you actually want to move to the cloud? Even if you pursue a cloud-first strategy in the future, it may not be advisable to transfer critical or sensitive processes from locally hosted systems into the hands of a third party. The issue of legally compliant data migration and data storage in the cloud is often underestimated. Data classification can help here, and remaining risks must be dealt with using technical and organizational measures (TOM) such as proprietary encryption.

What risks do I face? Make a conservative assessment of the possible costs, but also of the actual dependence on the respective service provider. Do performance times and availability fit your needs and your customer contracts? Often, hybrid use or a multi-cloud model proves to be a more sensible and secure alternative.

Are my employees fit for the cloud? Training and education are necessary to ensure that the transition runs smoothly. Internal bodies such as the staff council, IT security officer and data protection officer must also be consulted in advance.

Who bears the responsibility? As a general rule, outsourcing does not relieve you of your obligations with regard to data protection, data security and risk management, for example. The term shared responsibility often comes up here: the cloud provider is responsible for the security of the cloud, but the cloud user is responsible for the security of his processes and data in the cloud. Make sure that your understanding of the responsibilities coincides with that of the cloud provider and is contractually secured accordingly.

What do I do if things go wrong? Mistakes happen, and that also applies to digitization. If cloud services are discontinued, data centers fail, costs increase or the "new world" does not meet your expectations, an exit strategy must be in place: Can you onboard your processes and data locally again at any time or switch to another service provider? Play out these scenarios and document the corresponding steps, similar to your business continuity management (BCM).

The step into the cloud is a step into the digital future. To ensure that this step is taken on a solid foundation, outsourcing to the cloud must be accompanied by an established GRC process and a cloud strategy right from the start. The GRC process must be adapted to the scope of the desired outsourcing in order to act not as an impediment but as an enabler of the digital transformation.

Fabian Januchowski, Conet

Fabian Januchowski is Senior Consultant IT Compliance at Conet

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.