Our interviews with Trivadis co-CEO Gerry have so far focused on the confidence that we can have in the Cloud and the possible threats. Today, we want to interview Gerry and the two Trivadis experts Christian Golz and Stefan Lengacher, both Program Managers, about cloud computing. They are responsible for the Portfolio Management Cloud Computing at Trivadis.
Sabine: First of all, we would be interested in how you can safely move to the Cloud and what to look out for.
Gerry: At this point, it is very important to not only look at the path to the Cloud technically, but holistically, which means the organisation of the relevant company, its strategy, the long-term goals and processes. Of course, business requirements are particularly important in order to be able to plan properly for the individual case.
Stefan: On the way to the Cloud, the first question to be clarified is what form of migration makes sense: a complete move to the Cloud or just a partial one? The simplest but most expensive variant is the so-called lift & shift: Data and infrastructure are transferred 1:1 to the Cloud. Adaptation of the various applications only begins after the migration. This variant only makes sense if the move has to be quick and all applications are needed immediately.
With the far better variants of replatforming & refactoring, your applications will be adapted to the new platform. There are no fundamental changes to the code. We recommend this variant, because this development creates knowledge that you can continue to use. If the software is developed in-house, it will be modernised in this way. With these variants, you make sensible use of resources and costs are also optimised.
Christian: Until now, it was standard practice to move everything, and really everything, to the Cloud using the cloud-first strategy. The cloud smart strategy takes a closer look at whether a business case is even suitable for the Cloud, e.g. using the criteria FEVER (Faster, Easier, Valuable, Efficient and Repeat). This approach also takes into account that certain IT systems should not be in the Cloud due to compliance requirements or do not justify operating in the Cloud due to higher costs.
Whether a complete migration to the Cloud is worthwhile for your company also depends on the following aspects:
- Scalability: Book as much computing power and storage space as you need, so you can handle larger order peaks without having to upgrade your own servers.
- Cost optimisation: By outsourcing your data and applications to a Cloud, you no longer need expensive hardware. By abolishing the data centre, facility and data centre management are no longer needed or at least to a lesser extent.
- Time saving: Your company saves time on hardware and software updates and employees can focus on other important topics.
- Automation: Once all data and applications have been migrated to the Cloud, you can automate many processes, even automating and versioning entire solutions or IT infrastructures.
- Mobility: All applications and data can also be used when away from the office (at the customer's premises, when working from home, at the hotel, etc.). I used to have to dial in via VPN. Now I go to a portal and have all the applications I need and only have to authenticate myself once, including multi-factor authentication (MFA).
How can Trivadis help address the topic of cloud computing in a structured way?
Gerry: Careful advance planning of cloud migration is mandatory. At the start, the priorities and goals of the entire process should be defined and the actual status recorded. It is important to consider possible risks within the cloud strategy in advance (e.g.: downtime, bad customer experiences, security gaps). For this purpose, we have developed our free offer, the Cloud Readiness Assessment, which we are currently pre-testing on the market. It does not matter whether you have reached the end of the life cycle of individual hardware or software components or are already using the first cloud services.
The topic of data protection in cloud computing is very important. What can you advise our readers on this?
Christian: Of course, additional risks arise from the use of external service providers and data centres, including those of the cloud provider. The storage of data on external systems makes it necessary to comply with data protection requirements. The systems can in principle be accessed from anywhere via the Internet, provided that the access code is known. We have already dealt with the threats to the Cloud in detail in the blog.
Cloud services are used by several parties. This affects the aspects of data protection. Relationships arise between the cloud provider, its subcontractors and the cloud user (the company that uses the Cloud) as well as the company's user/customer whose data protection rights are affected as third parties.
In principle, data protection requirements can only be met if, in addition to data security compliance, data protection is also provided by the cloud provider; many cloud providers can therefore present a GDPR certificate. Please note, however, that this is a shared responsibility. This is because the cloud user remains responsible for ensuring that the personal data has been collected correctly, i.e. that the requirements for information obligation, transparency, expediency, etc. have been met.
The cloud user also remains responsible for using the data security techniques provided by the cloud provider correctly and to the required extent. For example, encryption technologies, special authentication methods, continuous monitoring, intrusion detection and intrusion prevention systems, sandboxing technologies and firewall components are all available.
And what about the legal side of data protection?
Christian: Thanks to the GDPR, the legal aspects of data protection can only differ from country to country in the opening clauses. The GDPR therefore stipulates a minimum level of data protection and the individual countries can use the opening clauses to make further specifications for individual articles, but must not fall below the level specified by the GDPR. In Germany, data protection requirements are regulated by the Federal Data Protection Act and EU regulations.
It is important to know that with cloud computing, the cloud user is responsible for data security and data protection compliance in external relationships with third parties. An order data processing agreement regulates the details between the cloud provider and the cloud user. Every cloud user can, for example, be assured of compliance with certain requirements by means of certificates and thereby fulfil their control obligation. The user must be granted the rights to change providers, including porting the data. If the contract is terminated, the data is deleted from the cloud provider.
How is data protection organised abroad?
Christian: When processing personal data of persons from the EU, there are some special aspects when data is stored and processed outside the EU. Many large cloud providers operate their data centres in the USA, for example. An order data processing agreement for compliance with the data protection requirements between cloud users and cloud providers is not sufficient here. Cloud providers from the USA are now legally obliged by the Cloud Act to supply data to American authorities on request. In this case, our recommendation for action is a risk analysis before I move data to the USA and the use of encryption (BYOK = Bring Your Own Key).
Companies wishing to use the Cloud and ensure compliance with European data protection directives should choose European cloud providers with a data centre in the EU. We generally recommend leaving the data in the home country if possible.
What else needs to be considered within the company that is migrating to the Cloud?
Gerry: As with many cross-company projects, the following is important: You should make sure that all stakeholders involved support the process to ensure the greatest possible success. Step by step, all other employees who are not directly involved in the project should also be introduced to the new way of working so that everyone can keep up when they work in the systems at a later stage.
Stefan: After the migration, monitoring success during operation is a challenge: To do this, the business and technical key figures must be checked and coordinated with the objectives of the cloud migration. Key figures include user experience, service performance, costs and resource consumption. Analysis of this data (application performance) is important for ensuring satisfactory software and can be used for development forecasts.
The KPIs that can be improved through cloud computing are obvious: Business processes get faster, tools can be integrated more quickly and digital transformation is being driven forward.
Contractual and legal aspects also play an important role in cloud computing (compliance/governance). The company must be able to handle contract processes online – from contract review to final agreements.
Could you give us a forecast of the future of cloud computing?
Stefan: Companies use cloud computing to optimise their costs, be able to scale quickly, and agilely deploy cloud services (AI, voice control, Alexa, etc.). These services can also be used when away from the office via mobile devices as they are not location-dependent. The tremendous speed of innovation of public cloud providers, who are constantly bringing new services to the market, makes the use of the Cloud even more efficient, more targeted and high-performance for the customer.
Christian: Currently, we can see that hybrid cloud systems (on-premise/public) and cloud-only are preferred. In the future, so-called container services even aim to achieve interoperability between cloud providers. This would be very much in line with our recommendation to use two cloud providers if possible to avoid vendor lock-in. According to Gartner, 45% of corporate IT spending will move to the Cloud by 2024.
Gerry: And with our Cloud Readiness Assessment, you know how the path to the Cloud will continue for you. Since we are present in all Clouds and can tap into countless successful cloud projects, we provide comprehensive and pragmatic advice based on proven frameworks!
It would also be very interesting to discuss to what extent the Cloud can serve as a driver of digital transformation?
Gerry: Oh yes, but we'll talk about that in our next blog!
Thank you Gerry, Christian, Stefan: That was an exciting interview!