The Where Makes the Difference: Local Managed Services Providers Score with Data Security and Data Protection in the Cloud

Thomas Ross: Most companies are rightly very sensitive about data protection and data security in the cloud. Some attach importance to their IT being operated exclusively in Germany – or at least within the EU. In this respect, the figures in the survey match our perception. There is a justified desire to protect one’s own data against all eventualities, for example in terms of personal rights and against industrial espionage.

How this goal is best achieved, however, must be evaluated on a case-by-case basis. For example, legal and regulatory requirements are often open to interpretation: Company A concludes that it may work with one of the major hyperscalers. After all, Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) have data centers in the EU – with certifications that prove they meet the required compliance specifications. So Company A outsources significant parts of its IT to the Azure cloud in Ireland. Company B has the same requirements, but rejects the Azure cloud because their own data protection requirements are not clearly applicable. In such cases, we are happy to advise and, if desired, can deliver our managed services exclusively from Germany. And if we work from abroad, we are still EU-DSGVO compliant.

Thomas Ross: Hyperscaler means public cloud. For more protection, there is a private or provider cloud. As a provider, NTT DATA controls the entire stack: its own building, its own employees and servers. So we can take responsibility for everything. This security is provable. We have experience with critical infrastructure, for example, for automotive suppliers, pharmaceutical companies and other manufacturing companies, banks and insurance companies that want to protect valuable data from intrusion.

In principle, we also operate customer systems on the basis of hyperscalers, but secured in accordance with our high standards. As a partner and advisor to the customer, we ensure this security and have demonstrably high quality standards – even when we draw on global employee resources.

Thomas Ross: The applications and their requirements determine how we can combine the capabilities of the public cloud and classic, specialized environments. For example, our private cloud is optimized for SAP workloads. A frequently used hybrid scenario: Web applications and office applications run on the hyperscaler and the SAP systems in a private cloud or SAP public cloud. Ideally, a hybrid landscape combines the advantages of the different worlds. However, it can also complicate the overall structure: The more heterogeneous the landscape, the more important it becomes to secure it.

Thomas Ross: First, we talk to the company about its legal and regulatory requirements, and also about the personal preferences of the managing directors and owners. What level of security is needed? What safety-critical information is stored in the systems, for example patents, recipes, design plans? Then the short- and long-term goals are determined: What should the company’s own IT be able to do, what should be outsourced, what is the overarching strategy? Consulting also includes creating a common understanding: What do we define private, public and hybrid cloud? How can we achieve compliance with the GDPR in Europe, Asia or globally? And finally, there is the comparison with the budget – because secure cloud computing is also a commercial and business decision. My experience here is that there is a growing awareness at decision-maker level that security can cost money.

Thomas Ross: Companies have to look closely here, because some cloud providers have complicated pricing models. It is worthwhile to precisely track the total price per month or per year. We have observed that many a customer is ”blindsided” here. So don’t enter the public cloud naively, but examine and compare the price models.