Critical infrastructures

When transforming a productive SAP system into the public cloud of a hyperscaler like Microsoft, there are also challenges in the compliance area. What distinguishes cloud computing in regulated industries from other industry scenarios?

Jochen Fuchs: For regulated sectors, it is often the case that there are further, sector-specific legal regulations in addition to the generally applicable legal framework.

Specific requirements for the path to the cloud can be derived from this. On the one hand, these are rather generic requirements from the areas of IT security and data protection.

On the other hand, the requirements are also very specific, for example regarding the handling of personal data when processed by third parties.

Can you give an example or regulations on this?

Fox: Examples can be found, among others, in the regulations for companies that are to be classified as critical. These include, for example, EBA guidelines for financial services, the SGB for the healthcare sector, and the EEG for the energy sector.

(Editor's note: Critical infrastructures, kritis, are organizations or facilities of vital importance to the state community, the failure or impairment of which would result in sustained supply bottlenecks, significant disruptions to public safety, or other dramatic consequences).

Rayk Zimmermann: Particularly among companies in the energy sector, which is, after all, part of Kritis, the critical infrastructure, we observe that concerns about the public cloud are greater than in non-regulated sectors.

Fox: However, this is usually unfounded. In principle, the use of a public cloud infrastructure is not prohibited across the board for any area. However, the respective general and specific requirements must be taken into account for the concrete use case.

These are often very complex infrastructures, systems and data. It is not a trivial task to gain the necessary clarity to ensure the highest possible compliance in implementation. All the disciplines involved are called upon to develop solutions together.

Cloud computing such as "SAP and Azure" within Embrace has sustainable added value. How high is the additional effort for regulated industries?

Carpenter: Here, too, the specific application is the deciding factor. In the energy sector, there are a large number of legal and regulatory requirements, from meters to market communication and billing. In my opinion, there is no additional expense for cloud projects, because the regulations also apply to on-premises projects.

Fox: In addition, cloud providers offer very good tools, dashboards and self-services to manage complex landscapes in a compliant manner. Proof of compliance with these specific requirements is thus very well supported and any necessary adjustments can be made quickly.

The high degree of standardization is an advantage that also creates trust due to the high level of transparency and is helpful in reporting to a supervisory authority.

With Microsoft Azure, for example, the applicable compliance regulations per region can be viewed in the Trust Center in order to work C5-compliant.

What are the specific challenges for public cloud computing in the energy sector?

Carpenter: With the energy transition and the liberalization of the market, companies in the energy sector are facing major challenges. IT is particularly in demand here:

On the one hand, stability must be ensured in ongoing operations. On the other hand, it is necessary to digitize business processes, react quickly to market changes and create a framework for technological innovations.

Fox: Many utilities are still very cautious about public cloud solutions. Studies such as those by Capgemini cite a variety of reasons for this: On the one hand, there is a lack of employees with expertise in cloud technologies.

In addition, there are concerns about data security and compliance. Non-transparent costs and the complexity behind transition projects are also a deterrent.

What solutions can be found and how can Arvato Systems, as an SAP and Microsoft partner, support here as part of Embrace?

Fox: In the first step, it helps to understand the cloud basics in order to overcome prejudices. But even with educational work, the transition of an SAP landscape to the public cloud remains a complex undertaking.

An experienced partner like Arvato Systems can help where companies cannot go it alone. In addition to SAP Business Suite architectures, we have now also implemented complex Hybris installations, high-availability production systems in the manufacturing sector, and Bafin-compliant operations for a financial services provider on Azure.

Carpenter: For such transitions, we rely on a tried-and-tested standard procedure that takes account of specific customer requirements. In this way, we always have an ear to the market in our core industry of utilities:

SAP has just extended standard support for I-SU and R/3. Nevertheless, utilities cannot avoid new operating scenarios. Here we offer our help with industry-specific compliance and governance structures on Azure.

SAP and Azure is an important topic for many existing customers. Is this a generic challenge or are there also industry variations?

Carpenter: Microsoft and SAP have additionally announced a joint industry roadmap as part of Embrace. As a partner of both ecosystems, we support our customers in the energy sector in realizing their individual Embrace roadmap with tools, processes, and experts.

Fox: That's right, companies only realize the full potential of the cloud after a successful migration, among other things when implementing extensive integration and data management scenarios.

Our goal is to work with our customers to lay the foundation for exciting innovations with artificial intelligence, IoT or Robotic Process Automation through SAP operation on Azure.

The classic transformation to "SAP and Azure" knows the existing SAP customer, SAP software, the Microsoft cloud and a partner like Arvato Systems: Who bears what responsibility in regulated industries? Who does what?

Fox: In principle, the client is responsible for compliance with the regulator's specifications. The cloud providers' offerings provide a very high level of security overall.

Certificates such as ISO 27001 or cloud-specific ISO standards such as 27018 ensure a high level of transparency and verifiability of compliance. Achieving and maintaining this level of protection for a self-hosted environment is very costly and, in heterogeneous landscapes with a lot of IT legacy, also very complex.

We also see our task as making the complexity of public cloud offerings understandable and supporting our customers in the selection, deployment and transfer to a suitable environment.

In some use cases, Microsoft also thinks that a hybrid solution might be appropriate: What is the current situation in regulated industries and specifically in the energy sector? On-prem, cloud only, hybrid?

Carpenter: As in many regulated industries, the future of the energy sector lies in the cloud. The only question is how to get there. We are observing that customers in the energy industry are already moving to the cloud with their entire SAP landscape.

And are there alternatives?

Carpenter: Other customers choose a hybrid entry via disaster recovery, sandboxes and project systems. At the latest with the introduction of S/4 Hana, this hybrid share is decreasing towards multicloud scenarios.

Industry-specific processes such as market communication are then only available in the cloud. Intelligent charging station management, smart meters and load forecasts are also only made possible by the platform services of hyperscalers and perfectly complement the usual on-premises stack.

How do you assess the development at Arvato Systems? What could you recommend to an existing SAP customer from regulated industries regarding cloud computing "SAP and Azure"?

Fox: General reservations about the public cloud should be set aside and a serious evaluation of the specific needs should be considered. IT compliance and data protection levels are very high - all providers on the market have invested heavily in their IT compliance in order to be able to counter any reservations of trust.

Carpenter: The high pressure to innovate, which also affects companies in regulated industries, can only be met sensibly with flexible and agile IT.

Changes such as S/4 Hana implementations, carve-outs or company mergers, for example, are also exerting pressure on the energy sector to take action.

Public cloud solutions generally offer the ideal approach for responding more quickly to market changes and integrating new functionalities more easily.

With Embrace, Microsoft and SAP are providing the community with the right tools: The program supports the migration of SAP ERP to Microsoft Azure and S/4 Hana.

Best practices and reference architectures are also available. The industry roadmaps show how typical challenges faced by energy suppliers will be solved in the future.

What should be the next step? What would be a goal for SAP's existing customers?

Fox: For companies in regulated industries, we would like to see more courage in favor of public cloud solutions such as the operation of SAP on Azure. The freedom this creates helps companies to drive forward digitization projects, become more resilient and safely master crises.

Thank you for the interview.