Head in the cloud, feet on the ground
For years the German network provider Lancom steered clear of cloud computing, but though it’s now a convert it has not forgotten its security concerns.
• Imagine you are a medium-sized company in Rhineland, western Germany, and you entrust your internet services to a local provider – the second largest in the country – where they shake their heads if you ask about cloud applications, saying, “Too insecure.” And then suddenly in 2017 they become cloud providers themselves – what happened?
Ralf Koenzen and his staff at the network specialists Lancom Systems in Würselen in the Rhineland feel they had no choice. The software they had been using for their client management systems was no longer being developed. For years they had been avoiding cloud-based systems because they did not want to store their data externally. Many of their clients felt the same, uncomfortable about no longer safeguarding all that valuable information themselves. But when no one was any longer offering software that would allow the data to be processed and managed on the firm’s own computers, screened from the outside world, there was no escaping the cloud.
To a private individual who has been storing photos and music files in the cloud since the mid-noughties it might seem a long overdue move, but for a company it has far-reaching implications. Taking the plunge means more than just simply storing data somewhere else. In order to access the powerful computers of the cloud providers from their office or to use the capacity or software installed there while travelling, they must hand over sensitive data.
These days, Koenzen – a former sceptic – knows the advantages: “On the one hand you can make great savings, for example in purchasing the server hardware, electricity for operating and cooling, and maintenance personnel. What is more, you don’t have to worry about updating any programs you are using or about system backups. All that is taken care of by the cloud supplier.” It can pay off for large and small companies. “You can adapt the extent of the services used to the needs of the company and you are only charged on that basis, so that also makes it interesting for small firms and startups.” It helps them create a powerful IT infrastructure very quickly without having to invest in their own staff and equipment – and the capacity can be expanded at any time, or trimmed back if things are not going so well.
But these advantages come at a price: in-house data has to be handed over. Koenzen says that was the main reason why companies in Germany took a sceptical view of cloud computing for so long. However, the mistrust is ebbing away. A study by the IT trade association Bitkom and the auditors KPMG shows that the number of cloud users in Germany has been steadily rising for some years. Whereas in 2011 only 28% of German firms were using cloud services, by 2016 nearly two-thirds were. And another 18% were planning or considering making the switch. The cloud market grew nearly 20% in the past year, according to the analysts Gartner. In 2016 turnover with public cloud computing was about $220bn (£158bn). The software developer Synergy sees Amazon as way ahead of the field with a market share as big as that of its four closest rivals – Microsoft, IBM, Google and Alibaba – put together.
Meanwhile, Lancom has become not just a user but also a supplier of cloud services. Koenzen founded the company in 2002 with a colleague he had been working with in the professional data communications department at Elsa Technology in Aachen. When the firm went bankrupt, they bought the department and founded their own setup for network devices such as routers and switches. (The communications solutions company Devolo also emerged from Elsa.) Today Lancom, with some 330 staff and an annual turnover of about €60m (£53.5m), reckons it is second only to the American provider Cisco Systems in the domestic network market. Its customers include the German software company Datev, the clothing label Marc O’Polo, the Germany bakery chain Kamps and the German Aerospace Centre (DLR). Its appliances are also used in many German police stations and the Federal Chancellery.
In 2015 when Lancom first decided to explore cloud computing, it formed a development team of 25. They worked on the new Lancom “Management Cloud” for about two years and for the last nine months customers have been able to set up and maintain their own networks with it. “We jumped on the bandwagon,” says Koenzen, “but with a different concept, and one that allows our clients maximum freedom of decision.”
Koenzen logs on to the Lancom cloud via a web browser to demonstrate and a map of Germany appears with a list of fictional locations of network devices. That would be a typical scenario for a company such as a chain of supermarkets with thousands of branches. “Here you can see whether each individual device in the stores is working and how well,” he says. “It is relatively easy to alter the configuration of some or of all the devices, to input updates or to add hardware – and that can be done centrally from every computer or smart phone connected to the internet. That could not be done without the cloud.”
And what about the danger of data theft or loss? Is information safe in the cloud? “There is no such thing as absolute security in IT,” says Linda Strick, deputy director of the innovation management department at the Fraunhofer Institute for Open Communication Systems (Fokus) in Berlin. Even if you operate a computer in complete isolation, it can be hacked, stolen or destroyed by fire. “But if a cloud provider is certified in line with the international standard ISO 27001 or has a so-called C5 certificate with criteria developed by the [German] Federal Office for Information Security, if I were an entrepreneur I would put my trust in that firm.”
According to Strick, seeking refuge in the “private cloud”, which has only one user and is operated by that person or a professional provider, does not necessarily offer greater protection. “The big cloud firms can afford many more security experts and much better ones than the IT department of an ordinary firm,” she says. “That’s why data is usually much better stored there.”
Koenzen is backing a mixed solution for Lancom’s operations. Client management is outsourced, but the email servers and the computers used to develop the software for the network devices are at the firm’s headquarters. And that does not seem likely to change in a hurry.
Of course, when a company is thinking of outsourcing data and services, there are geographical considerations. “The location of the provider is decisive for whether and in what cases third parties can gain access to the information stored,” says Johannes Caspar, Hamburg’s commissioner for data protection and freedom of information. “With providers based in the US or China, the legal environment means that authorities like the secret service or law enforcement agencies can be expected to take a look at the data. In contrast, users can expect a good level of protection from German or other European cloud firms.” US investigators should not be legally able to access the data; however, German and other European public institutions can, by means of a court order.
In Caspar’s view, the security issue is also unclear if the data is stored in Europe but the cloud provider has a connection with the US. He points to an ongoing legal dispute in which the US supreme court has to decide whether the FBI can make Microsoft hand over data stored in a computer centre in Ireland and processed by the Microsoft office in that country. That makes the trustee approach, which the American firm is pursuing in Germany with the Telekom subsidiary T-Systems, interesting. It involves Microsoft not using any computer centres of its own but storing the data on its partners’ servers, with no access to it except when accompanied by the partner, it says. “In my view, it is still an open question whether that means access by US authorities can actually be prevented,” says Caspar.
Koenzen has noticed that many firms, including some big ones, still have a very carefree attitude to the whole issue. “Once you make them aware that their data is stored in the USA, a lot of them are astounded,” he says. There is still a lot of educating to do.
Lancom has decided to operate its cloud services for network control via a German partner firm, to ensure as great a degree of security as possible. “It is a medium-sized firm in Aachen which is subject to German law,” says Koenzen. “The servers are five kilometres from here.” All the Lancom technology is similarly local. “We develop the appliances and the programs in-house here and we know exactly what they contain. That is why we can guarantee our customers that there are no back doors that would allow the secret services to gain access to the networks unobserved.”
But to what degree a company’s information is safeguarded depends not only on selecting the right operator but also on the behaviour of the company’s own employees. If they access the data from insecure private devices then hackers can seize the opportunity. That is why it is important to keep such processes of so-called shadow IT under surveillance by evaluating firewall log files or using protection programs to control the cloud services in use. Astonishingly, according to a Bitkom study, many companies only apply one or two such surveillance measures, and a third of companies do without them completely.
The exit clause
To find the right cloud you need to ask providers some key questions. In its guide on opportunities for medium-sized enterprises through cloud computing, the German Federal Ministry for Economic Affairs and Energy suggests asking: how does the provider safeguard the data on its servers? Is encryption possible? How does the provider react to security-related incidents? Does it inform clients? What measures does it offer for safeguarding and restoring data?
Koenzen also advises clients to think about how to get out before going in. “First, I have to find out whether I can safely exit the cloud in an emergency,” he says. That’s why it is important to know whether the data can be imported and processed by other programs outside the cloud. Or, for example, whether it would be possible for a user to transfer the services to a private cloud.
“In certain circumstances the exit strategy involves not only the data and programs but also the equipment, and you might find yourself lumbered with a heap of electronic scrap,” says Koenzen. That is why he allows his clients the freedom to decide whether and how they wish to use the Lancom cloud services. Users can administer their network by means of either a public or a private cloud – and if they are not satisfied they can at any time revert to the traditional way without central control. Koenzen says: “We believe in the new technology, but we understand when somebody is still sceptical. That’s why our customers must be able to try out our offer without taking any risks. But so far, no one has decided to step backwards again.” -