Cloud - but secure


German SMEs are reluctant to put their valuable ERP data in the cloud. Their concerns about unauthorized access, which could give competitors access to business-critical data, are too great. This is why many software service providers offer on-premise solutions in addition to cloud-based ones.
"The topic of the cloud still has a negative image in Germany in general, although many companies took the first step into the cloud a long time ago by outsourcing," says Nikolaj Schmitz, CIO at G.I.B.
Private, public and hybrid cloud
Large companies in particular have been relying on data center services for many years. However, a distinction must be made, because not all clouds are the same.
In the case of a private cloud, each customer is provided with dedicated ERP systems. They alone have exclusive access to their quasi-private system.
"As long as we are talking about the private cloud, I don't see any major difference to classic outsourcing, apart from the additional provisioning options," says IT expert Schmitz.
The situation is different with the public cloud. Here, a large number of users have access to standardized applications that are used, for example, for travel expense accounting, event or talent management, i.e. all users share one system.
The disadvantage of the public cloud is that it generally cannot be used to map complex, highly customer-specific processes such as those in the logistics sector. If, for example, when posting goods receipts for subcontracting orders, feedback is to be provided on the production order process that caused it, standard applications are usually unable to do this.
Applications in the public cloud are therefore often only used as a supplement to existing IT systems so that such additional applications do not have to be laboriously implemented in the on-premise system. In this case, we speak of a hybrid cloud.
Consequences of the Safe Harbor ruling
Whether public, private or hybrid, the outsourcing of data is associated with certain risks. To minimize these risks, the EU issued a data protection directive in 2000.
The EU concluded the so-called Safe Harbor Agreement with the USA, in which the United States agreed to recognize the provisions of the Directive.
The European Court of Justice (ECJ) has now declared this agreement invalid. This is proof that data on US servers does not meet the EU's security standards.
"Currently, US providers are obliged to grant the investigating authorities access to their customers' data," Schmitz explains.
This is the case even if the servers of American companies are located in other European countries.
The IT expert therefore advises using German providers when outsourcing data. Data centers in the vicinity of Europe also generally offer sufficient protection for outsourced data.
However, this does not exempt companies from the need to carry out a comprehensive review of the security certifications of a cloud provider or data center. These certifications must be checked in regular audits by external bodies.
Security for the data line
However, the risk of unauthorized access to internal company information lies not only in data storage, but also in data management.
"Encryption in data transmission is the be-all and end-all," says IT manager Schmitz.
This area has developed considerably in recent years. For example, the long-used SSL protocol is currently being replaced by TLS. TLS is more or less a further development of SSL, but it closes known security gaps.
Another advantage of TLS is that any higher-level protocol can be implemented on top of it. This guarantees independence from particular applications and systems.
Companies also use VPN tunnels to ensure the secure transfer of their sensitive data between their own IT infrastructure and external service providers.
However, the option offered by some providers that data should not leave the German part of the Internet goes too far for Schmitz.
"In my view, this partly contradicts the basic idea of the Internet," says the IT expert. In any case, this territorial thinking is unlikely to be a solution for companies that are expanding internationally in an increasingly global business world.
Risks with web applications
Companies that are expanding their business to other countries are particularly reliant on networking their operating sites abroad and providing their employees with uncomplicated and fast access to important information.
To do this, they rely on web applications that can be used by a large number of users located all over the world on different end devices.
"Many companies can no longer manage without web applications," says Schmitz.
They are often used, for example, to provide service and support for customers or to connect suppliers to ERP systems. Security measures are also in place here, from encryption and the use of firewalls to access monitoring, which minimize the risk of a hack.
In addition, various external auditors offer their services to put the security of such systems through their paces, sometimes using hacker methods.
However, the wide variety of end devices used for web applications is particularly tricky.
"But even in this environment, there are solutions that enable centralized and transparent management," Schmitz explains.
For example, uniform security settings can be rolled out from a central location for all end devices in use.
In addition, companies also rely on VPN tunnels or encrypt end device access to the internal web application. Logging on to internal systems is also usually secured with a multi-level authentication process.
Saving at the wrong end
G.I.B also uses the outsourcing solutions of a partner with proven expertise in IT security issues for its Dispo-Cockpit Forecast and Dispo-Cockpit Vendor Managed Inventory software solutions.
The G.I.B web applications are accessed exclusively via encrypted connections.
"Furthermore, access to the applications is reduced to the required minimum via appropriate firewalls," explains Schmitz.
All access is also monitored in order to quickly identify attacks and initiate countermeasures.
Of course, there is no such thing as 100 percent protection, and a high level of protection such as that provided by G.I.B involves some effort and the corresponding costs.
However, it is not advisable to skimp on security measures, as the loss or misuse of data is likely to be much more expensive - not to mention the trust that business partners quickly lose in a company that does not offer adequate data security.