High data protection standards reduce cloud risks


Cloud computing is an attractive alternative to conventional on-premises operation, especially for medium-sized companies, given their generally limited financial and human resources.
The service models available include Software as a Service (SaaS) and Infrastructure as a Service (IaaS). Software as a Service refers to a native, multi-tenant cloud solution that a provider operates in its data center and that many companies use simultaneously.
In the Infrastructure-as-a-Service (IaaS) model, the customer runs its own applications, such as ERP powered by HANA or the S/4 suite, including all extensions and customizing settings, in the data center of a cloud provider, on a virtual server running on a physical machine. The required computing power is provided dynamically and according to demand.
No fear of the cloud
Regardless of whether a medium-sized company uses cloud software or an IaaS model, it wants to be able to rely absolutely on the protection, security and integrity of its data. Experience shows that data loss is the least of the concerns of IT managers in SMEs.
The risk of losing critical data by using a cloud solution or operating one's own IT landscape in an IaaS model is considered to be rather low. The reason is that the providers of cloud software and cloud IaaS solutions invest in state-of-the-art technologies in their data centers, which would usually be too expensive for a single medium-sized industrial company.
All critical components in the data centers, from application and database servers to storage systems, network, power supply and the productive database, are designed with redundancy.
There is no longer a "single point of failure". In addition, there are usually dual data center concepts which, in conjunction with disaster recovery solutions, offer real protection against disaster scenarios (the "K-Fall") such as fire, earthquake or flood.
100 percent protection does not exist
When it comes to data protection, on the other hand, things look worse. In the wake of the NSA affair, midsize companies - and not only them - are asking themselves whether business-critical information, company secrets and business processes in a SaaS or IaaS environment are really safe from unauthorized access or espionage.
In today's dynamic and sensitive business world, no company can afford for personal data, research results, important key figures or even offers and contracts to fall into the hands of the competition.
Here, the geographical location of the cloud SaaS or cloud IaaS provider and its data centers is highly important. When deciding on a cloud partner, it is therefore essential to ensure that it operates one or, ideally, several data centers in Germany and processes and stores its customers' business data and information exclusively in this country.
Only then is it subject to the German Federal Data Protection Act (BDSG), whose regulations are particularly strict with regard to data processing and storage. The hurdles for government authorities to access this data are also extremely high in Germany.
If the cloud partner can also demonstrate strict security standards through certifications or quality seals such as ISO/IEC 27001, with compliance regularly audited by independent experts, that is a bonus.
By contrast, a provider based in the U.S., for example, can be required relatively easily by the U.S. government to hand over its customers' business data and documents, citing the Patriot Act.
For this reason, more than a third of German SMEs do not use cloud computing at all, as a recent Destatis survey shows. However, this raises the question of whether the IT department of a medium-sized company, with its limited resources, is actually better able to protect critical data in its own data center than a highly specialized SaaS or IaaS provider.
Whatever you ultimately decide, one thing is certain: unfortunately, there is no such thing as one hundred percent protection for critical data.