Mr. Ross, local managed services providers usually offer local hosting and managed cloud services. For data security and data protection, 60 percent of the companies surveyed preferred an MSP from Germany or the EU to one of the international hyperscalers. What is the truth of this assessment?
Thomas Ross: Most companies are rightly very sensitive about data protection and data security in the cloud. Some attach importance to their IT being operated exclusively in Germany – or at least within the EU. In this respect, the figures in the survey match our perception. There is a justified desire to protect one’s own data against all eventualities, for example in terms of personal rights and against industrial espionage.
How this goal is best achieved, however, must be evaluated on a case-by-case basis. For example, legal and regulatory requirements are often open to interpretation: Company A concludes that it may work with one of the major hyperscalers. After all, Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) have data centers in the EU – with certifications that prove they meet the required compliance specifications. So Company A outsources significant parts of its IT to the Azure cloud in Ireland. Company B has the same requirements, but rejects the Azure cloud because its own data protection requirements are not clearly applicable. In such cases, we are happy to advise and, if desired, can deliver our managed services exclusively from Germany. And if we work from abroad, we are still EU GDPR compliant.
What is the extra security benefit that a German provider like NTT DATA Business Solutions offers?
Thomas Ross: Hyperscaler means public cloud. For more protection, there is a private or provider cloud. As a provider, NTT DATA controls the entire stack: its own building, its own employees and servers. So we can take responsibility for everything. This security is provable. We have experience with critical infrastructure, for example, for automotive suppliers, pharmaceutical companies and other manufacturing companies, banks and insurance companies that want to protect valuable data from intrusion.
In principle, we also operate customer systems on the basis of hyperscalers, but secured in accordance with our high standards. As a partner and advisor to the customer, we ensure this security and have demonstrably high quality standards – even when we draw on global employee resources.
There are scenarios in which a hybrid architecture with components from the public and private cloud makes sense. What would be an example of this?
Thomas Ross: The applications and their requirements determine how we can combine the capabilities of the public cloud and classic, specialized environments. For example, our private cloud is optimized for SAP workloads. A frequently used hybrid scenario: Web applications and office applications run on the hyperscaler and the SAP systems in a private cloud or SAP public cloud. Ideally, a hybrid landscape combines the advantages of the different worlds. However, it can also complicate the overall structure: The more heterogeneous the landscape, the more important it becomes to secure it.
How does a managed services provider proceed to design a custom-fit architecture for a company?
Thomas Ross: First, we talk to the company about its legal and regulatory requirements, and also about the personal preferences of the managing directors and owners. What level of security is needed? What safety-critical information is stored in the systems, for example patents, recipes, design plans? Then the short- and long-term goals are determined: What should the company’s own IT be able to do, what should be outsourced, what is the overarching strategy? Consulting also includes creating a common understanding: What do we define as private, public and hybrid cloud? How can we achieve compliance with the GDPR in Europe, Asia or globally? And finally, there is the comparison with the budget – because secure cloud computing is also a commercial and business decision. My experience here is that there is a growing awareness at decision-maker level that security can cost money.
When talking about money, there is a view that hyperscalers will always cost less than a private cloud.
Thomas Ross: Companies have to look closely here, because some cloud providers have complicated pricing models. It is worthwhile to precisely track the total price per month or per year. We have observed that many a customer is “blindsided” here. So don’t enter the public cloud naively, but examine and compare the price models.