On-premises or Public Cloud?
Your SaaS solution 360inControl® went live a little over a year ago. A big step, particularly for a start-up, and one that you put a lot of thought into. Amongst other things, you had to decide on a hosting solution. What made you choose Amazon Web Services (AWS) for 360inControl®?
Heike Klaus: The advantage of the AWS cloud is that we can offer the solution to our customers at lower cost. As opposed to an on-premises solution, where we’d have to run our solution directly on the customers’ servers or on a rented server, AWS hosting allows us to save costs and to minimize risks.
Andreas von Grebmer: Also, by the time we decided on AWS cloud computing, the “fear of the cloud” had passed. Even FINMA-registered companies were actively thinking about moving some of their own IT infrastructure to the cloud. There was a kind of momentum, if you will.
A momentum that made you join the migration to the cloud?
Andreas von Grebmer: For us, this was a strategic decision. The idea behind it was that a well-managed cloud is better than poorly managed corporate IT. We offer a quality product, and that requires the right hosting solution.
What are the advantages of cloud computing compared to other hosting options for an SaaS solution such as 360inControl®?
Andreas von Grebmer: The scalability is one of the main benefits. If necessary, we can easily engineer infrastructure upgrades. Technically, thanks to cloud hosting, we could grow to Netflix size in no time, because we could set up several instances in every AWS data center around the globe.
Is scalability paramount for your business?
Heike Klaus: Scalability is one of the main pillars of our business. If we want to be successful with our product and want to grow fast, then we have to be scalable. That would have been much more difficult with an on-premises solution, for instance. We already have requests from Singapore and Abu Dhabi which, thanks to the AWS cloud, we’d be able to handle very swiftly, without ever having to set foot in the United Arab Emirates or the Asian continent. If we had decided to go with an on-premises solution, we would have had to look for a suitable hosting and sales partner locally.
Security: Every Company’s Achilles Heel
As an SaaS solution for digitalization and centralization of governance, risk and compliance processes, 360inControl® manages sensitive company data. How do you ensure data security in the cloud?
Andreas von Grebmer: We placed a special focus on securing the transfer of data to the cloud, including transmission security, storage security, access authorization, and so on. In addition to code reviews, pen tests, etc., we also offer our customers proxy encryption. This gives them total control over encryption and makes us a zero-knowledge provider.
In addition, we require two-factor authentication from all developers and operators for their logins on AWS, GitHub and Confluence. The developers work in line with certain golden rules. The second rule is: “Security comes first. Security beats availability.” This means that, if in doubt, we would shut down our systems before anything can happen. Risks and vulnerabilities are the Achilles heel of every company, which is why we take this topic very seriously.
Unic provided valuable advice regarding IT security in the initial phase. Now, the Unic team still approaches us proactively and points out new security issues. We appreciate this very much.
Taking a Detour to Cloud 9
Speaking of Unic: How did Unic support you on your way to the cloud?
Heike Klaus: Before we switched to Unic, we worked with a different hosting provider. We soon realized that they were still in their infancy where AWS hosting was concerned. Unic supplied us with a fantastic team whose expertise in the AWS cloud ranges from architecture to implementation and operation.
What are your experiences with cloud hosting? Any pleasant surprises?
Heike Klaus: We were positively surprised by Unic’s skills and also by the clear-cut implementation structures. And we appreciated Unic granting us start-up status. We were taken seriously but not seen as a cash cow to be milked for maximum profit. Unic provided us with a secure solution that is also affordable and scalable. And we were impressed with the teamwork, within Unic – and with us. We worked on any issues together, as a team.
Were there any challenges that needed to be mastered? If so, what were they and how did you do it?
Heike Klaus: The costs were always a challenge for us. But Unic provided us with excellent advice, and together we implemented a secure “minimum version”. For instance, AWS lets you reserve certain services for one or two years, which significantly cuts the cost. Of course, you save costs in the long run by making long-term reservations, but in some areas, it doesn’t make sense. That is why it is important to have good consultants.
Andreas von Grebmer: User registration via LDAP – a relic from the initial phase of 360inControl® – also led to some difficulties. We decided to part with LDAP to solve the related problems. For that, we had to shelve the development of the product itself for a month. That was quite a challenge, because we already had users on the production system. However, Unic helped us set up development in a way that ensured there were no disruptions for those users. They didn’t notice the rebuild at all.
Navigating the Cloud With an Experienced Partner
More and more companies – both young and long-established – are relying on the cloud nowadays. What should companies consider when migrating to the cloud?
Andreas von Grebmer: Companies have to make a conscious decision: On-premises, public cloud, or even both. They have to know their market and know what that market accepts and allows. There are certain limitations for FINMA companies or companies that are otherwise regulated. Market rules prescribe what is permitted and what is not. If there are no regulations you have to comply with as a company, it will depend on your expectations and, of course, on your target customers. I personally think that these days, you can move everything to the cloud. Customers do accept it if the pricing is right, if it works and they trust the security features.
Heike Klaus: And of course, you need a partner like the one we have in Unic, someone who can advise and support you once you’re in the cloud. We wouldn’t be able to do all of that ourselves in AWS. You can picture AWS like a gigantic department store. As non-techies, we’d struggle to find the right products and the right quantities. How to identify a suitable partner – well, that’s not always easy. As a basic rule, I’d say that as a customer, you have to ask good questions and ask for references. But in the end, despite all the virtualization and cloudization, you also have to get along on a personal level.