In all different areas, digitization is in full swing. Quite frequently, this is intertwined with the cloud. Cloud solutions are being offered more, and they are being used more. Not only individual consumers, but also companies are relying on cloud solutions — in particular, for processes that can be standardized, as they are easy to move. Outsourcing reduces costs for infrastructure and configuration and enables agile response to changing market requirements. Popular software-as-a-service (SaaS) solutions allow companies and users to access services right on the internet. The cloud covers a diversity of applications, ranging from CRM systems to personnel management solutions and document management systems (DMS) for digital archiving, automated invoice processing, etc.
In cooperation with Bitkom Research, KPMG has been investigating the development of cloud use in German companies since 2011. Findings were published in its 2019 Cloud Monitor*. This is how things have looked so far: in 2018, around 73 percent of all respondent companies used cloud solutions, an increase from 66 percent in 2017. Only 8 percent of the companies surveyed did not consider the cloud to be relevant. But the idea of a future cloud deployment is at least in the planning or being discussed by 19 percent of respondents. This indicates that most German companies no longer want to do without the latest solutions from the cloud, or are planning for potential deployment at their business.
But what hinders these 19 percent from actually entering the cloud? Could it be that the growth of the cloud is held back by security concerns? This article is the first in our three-part blog series "Security in the Cloud," in which we will highlight what priorities German companies have regarding security and data protection when selecting a cloud solution. In these articles, we offer recommendations on which steps to take towards installing cloud solutions. Also, we discuss which types of certification are valuable, as well as the significance of "Made in Germany" for user companies in Germany.
The foremost selection criteria: data protection and GDPR conformity
Companies that use — or are discussing using — cloud solutions place particular emphasis on data protection and compliance with the General Data Protection Regulation (GDPR), which has been in force since May 2018. Thanks to their high security standards, German cloud providers are particularly attractive for German companies.
But how secure is the German cloud really, and what else do German companies look for when selecting a cloud provider? In the Cloud Monitor, Bitkom and KPMG evaluate and summarize the main criteria for German companies that are using, planning or discussing cloud solutions.
Compliance with GDPR has, since May 2018, been by far the most important selection criterion for 90 percent of the companies surveyed; this factor is, in fact, simply a must. Second to data protection compliance is the factor of security in the cloud. The third criterion is a transparent security architecture and security controls (a "must-have" for 79 percent of respondents, a "nice-to-have" for 21 percent).
Another 74 percent of respondents cited data encryption by cloud users as a must-have. And 72 percent of those surveyed said that it is indispensable to have their data center located in Germany. Almost two thirds of companies (62 percent) stated that direct access to security log information must be guaranteed.
Security aspects are just one side of the picture, though. Ease of integration was also rated as a must-have, at 76 percent. In other words, these processes, often standardized, must be flexible enough to integrate easily into existing on-premises installations.
Eighty-three percent of respondents stated that fulfilling customer-specific requirements are also a "must" factor when selecting a cloud provider. Another 16 percent agreed — to a degree: fulfilling their requirements was considered a "nice-to-have." What is meant with "customer-specific requirements" is that standardized cloud services need to offer enough tweaking leverage to allow for user-defined workflows. This tweaking leverage is what makes cloud services suitable for integration into existing ERP core processes; and when this is the case, they can be tailored to the individual needs of a company. One thing this signifies is high availability, which is a provider's guarantee of reliability, functional robustness and operational security. Technical problems at the provider leading to downtimes are not acceptable for the user.
Corresponding to reservations concerning downtimes, 75 percent of respondents call an exit strategy that can be defined in the contract a "must-have," while 21 per cent see this as merely a "nice-to-have." As many as 78 percent still want support in the implementation of hybrid cloud concepts (sum of must-have and nice-to-have). This is indication of a willingness to use the cloud, but also a need for specialist expertise in conceptual design and implementation.
With fading concerns around security, the cloud is on the rise
The primary concern of companies that have not yet begun using a cloud solution but plan to do so in the future is that of how secure data is when it is processed and stored. Many companies fear unauthorized access to sensitive company data, or the loss of their data. They generally suspect that the legalities surrounding the cloud are unclear.
The fears and ambiguities regarding the use of cloud applications are discussed repeatedly among German companies. However, ultimately it is clear that the cloud has become increasingly established in German companies over the last 5 years. The bottom line is that more and more companies are interested in benefiting from the advantages that the cloud offers. To enter new markets and remain competitive, companies are under pressure, not only to reduce costs and become more digital, but also to continually simplify their operating models. It should be noted that cloud providers have many requirements to meet. The basic requirement for companies is compliance with the General Data Protection Regulation, which has been in force since May 2018.
If you would like to find out what value "Made in Germany" has for German companies when choosing a cloud solution, which certifications are important and what companies should look out for on their way to the cloud, then follow the next articles in the series "Security in the Cloud" in the coming weeks.
*The Cloud Monitor of KPMG in cooperation with Bitkom Research is accessible via this link: https://www.bitkom.org/sites/default/files/2019-06/bitkom_kpmg_pk_charts_cloud_monitor_18_06_2019.pdf