Nowadays, as we rely on the uninterrupted operation of digital services, it's important to ask a few questions: What happens if the fundamental pillars of our online existence fail? How prepared are we for potential outages of cloud services?
The search for answers to these and other questions—more or less closely related to cybersecurity—is the focus of an article in Hospodářské noviny, in which our Security Director, Michaela Stonová, also had the opportunity to share her insights on the topic.
We present the full text below:
The cost of prevention in IT services may seem high, but it's better to be prepared than to regret it later. What happens if... the power goes out, the internet goes down, the cloud fails, or company systems stop responding? Are we truly prepared for such situations—whether as businesses, government institutions, or operators of critical infrastructure?
Common outages, such as power supply interruptions, damaged fiber-optic cables, fires, or hardware malfunctions, are typically accounted for by large companies. This holds true whether their systems run on their own servers (on-premise) or in the cloud. But what if something unexpected—or seemingly unimaginable—happens? Could ensuring the security and continuous operation of strategic services become a challenge, especially when these services are hosted in the cloud?
Many strategic companies operating critical infrastructure, essential services, and even public administration bodies typically use a combination of both approaches. “We combine on-premise and cloud operations. We run the key system components on-premise, while less critical or supporting applications are hosted in the cloud,” says David Olszyński, Head of the Architecture and Security Department at AirBank. ČEZ also runs business-critical applications and systems of critical information infrastructure in an on-premise environment within its internal data center. The cloud is used for less critical applications, development of new solutions, time-limited tasks, or proof-of-concept projects. A similar path—of adopting a hybrid IT environment—is followed by the State Agricultural Intervention Fund (SZIF).
The cloud brings flexibility, efficiency, reliability, security, and often lower costs compared to developing, deploying, and managing in-house tools. However, those who use it also take on certain risks. They lose a significant degree of control over their own data and become dependent on the provider, its services, performance, and availability. The cloud can also pose security risks related to data leaks or cyberattacks. Dependence on a stable internet connection and on the cloud service itself is another factor that cannot be overlooked. When it comes to the cloud, concerns about data privacy are also legitimate, as different countries have different regulations, laws, and standards for data protection.
The rule of thumb is: the more global the provider, the greater the legal and geopolitical risks. This is one of the reasons why interest in local data centers is growing in the Czech Republic. For example, the data centers of České Radiokomunikace—one of the country’s largest providers—are used by a number of state-owned enterprises and public administration organizations. The main reasons often include the requirement for physical data presence within the Czech Republic, as well as high levels of security and reliability. These centers also benefit from their knowledge of the local market and the specific needs of Czech organizations, familiarity with legislation, and the reduced risk associated with international jurisdictions.
The world around us is turbulent, and given the current political climate, it's not out of the question that Europe could be affected by an armed conflict, a trade war, or massive cyberattacks. All of these scenarios could impact service availability, access to data, or significantly increase operational costs. Those who are prepared for such events gain a clear advantage.
“Our company also uses a combination of cloud services and on-premise solutions. All key components are kept in our internal data center. In the event of a prolonged cloud service outage, our operations are not at risk and we are still able to provide services to our customers,” emphasizes Michaela Stonová, Security Director at OKsystem. For many companies and institutions, building their own secure data center—including proper backup systems—is prohibitively expensive. Despite the risks mentioned, using the cloud remains their only viable option. That’s why end customers should always ask their providers where their data is stored and backed up, how continuous availability is ensured, and whether "a contingency plan" exists.
It’s always better to be a little paranoid and have a backup plan—for internet access, local databases, and an exit strategy in case of provider failure, excessive price hikes, or the realization of any of the other mentioned risks. “In the cloud domain, we don’t rely on a single, static exit plan. Instead, we regularly assess our readiness to exit a specific environment—technically, contractually, and operationally. We don’t pretend to have an answer for every possible scenario, but we do have a clearly defined and tested way to respond when conditions change,” explains Miroslav Štolpa, Director of the ICT Operations Department at SZIF.
For the state and its services, an even stricter framework applies. Since 2023, public administration has been allowed to use only so-called state cloud services—referred to as the eGovernment Cloud—for strategic systems. These services are provided by the State Treasury Shared Services Center (SPCSS). The management of the eGovernment Cloud falls under the Digital and Information Agency (DIA), which also operates the Cloud Computing Catalogue. This catalogue includes only providers and services that have undergone rigorous vetting and meet strict legal and security standards.
Currently, SPCSS services are the only ones to reach the highest, fourth level of security certification. Five other providers meet level three, including Microsoft. Microsoft, for instance, provides infrastructure for the State Agricultural Intervention Fund (SZIF) and the Ministry of Finance for operating the Monitor information system.
Another possible defense mechanism against unexpected attacks is the use of an "island mode"—operation within closed, non-public networks. This option is offered by companies like České Radiokomunikace for organizations with the highest security demands. Technically, even standard systems—normally not restricted—can be temporarily switched to island mode without connection to the public internet during emergency situations.
“An important question, however, is whether such a mode is always practical, as shown by the ongoing conflict in Ukraine,” says Dalibor Kačmář, Director of Technology and Security at Microsoft. “Thanks to relocating government systems and data outside its borders and operating them securely—such as in Microsoft data centers—the Ukrainian government has been able to continue providing full services to its citizens even during destructive military operations by Russian forces.”
Michaela Stonová from OKsystem also points out another, more subtle risk: “Outsourcing services can be an effective cost-saving measure, but at the same time, we create a dependency on these services. We become mere consumers; the ability to maintain and, more importantly, further develop these services gradually disappears. This could come back to haunt us in the future—loss of know-how may ultimately be far more dangerous than a temporary system outage.”
You can also read the full article in Czech directly on the Hospodářské noviny website.