Cloud Security
An underestimated challenge?
Do companies sufficiently consider security when launching a cloud project?
A.L. “Cloud projects raise security concerns that are not always adequately addressed. After the health crisis, many cloud initiatives emerged in Luxembourg, but security was often considered too late. Some projects take security seriously, while others—like remote work solutions—almost completely neglect it.”
C.M. “By involving risk, security, and compliance teams from the design stage, we can integrate requirements, including legal ones, avoiding future blockers and reducing costs. This ‘security by design’ approach ensures compliance and builds trust with stakeholders, including partners, investors, and regulators. Neglecting to involve the security department or ignoring its recommendations can have serious business consequences. Often, security is perceived as a hurdle or there is simply a lack of awareness of potential risks.”
What approach to security do you recommend when setting up a cloud project for a client?
A.L. “When implementing a cloud project, we consider two scenarios. In the first, if the client is at an early stage, we prioritize a security-by-design approach, integrating security from the start and following recognized benchmarks such as CIS standards. In the second, if the project is already underway without adequate security, we conduct audits to address gaps.”
C.M. “When taking over a client’s existing cloud project, we first evaluate what has been implemented. Our goal is to identify issues and close gaps in compliance and security. Compliance can be addressed in collaboration with Audric’s team, but security remains paramount: protecting data, ensuring confidentiality, and meeting security requirements throughout the solution’s lifecycle. Trust with stakeholders is essential, which is why it’s always preferable to integrate security from the start to avoid costly and time-consuming corrections later.”
How do your teams collaborate on projects?
A.L. “Our teams work closely together. One team manages the cloud infrastructure and regulatory compliance, while the other handles risk and security. Security is not a one-time setup: we provide periodic security reviews—semiannual or annual—to ensure the environment remains secure and aligned with evolving needs.”
C.M. “It’s essential to continuously monitor security and compliance as business activities and ICT deployments evolve. Even the best evaluation at a given moment doesn’t guarantee long-term security. Assuming that initial security measures remain sufficient throughout the solution’s lifecycle is one of the biggest mistakes.”
What obstacles do you face when implementing security best practices and governance rules?
A.L. “Major cloud providers like Microsoft, Google, and Amazon understand Luxembourg’s regulations and operate within a defined framework. However, non-Luxembourg providers—even within Europe—often find due diligence intrusive and sometimes refuse to respond. This creates trust issues and complicates our security approach.”
C.M. “Trust is crucial in cloud security. Stakeholders must have confidence in third-party providers managing data outside national borders. Security and trust are inseparable: providers must demonstrate proper access control, data traceability, and ongoing reliability. GDPR, NIS2, and DORA regulations are key considerations for operational continuity and resilience.”
A.L. “Another challenge is balancing security costs with company size. Small businesses may struggle to justify significant investments, while larger companies can implement extensive measures. This often results in compromises that may not be ideal.”
Conclusion:
The challenge is to set the “security and compliance gauge” correctly and ensure that risks are understood and managed. Partnering with experts who have a broad perspective and sector-specific benchmarks helps companies implement security effectively and in full compliance with their needs and risk profile.