To cloud or not to cloud, that’s the question

Dr. ir Johannes Drooghaag
Nov 2, 2021

Cloud and Digital Transformation appear to be going hand in hand, and at times it can even be difficult to clearly distinguish which one is the goal and which one is the enabler. Cloud solutions offer a range of tools that enable digital transformation and that are rather difficult and expensive to replicate with in-house means. The standardization of these tools and ecosystems, and the globally available knowledge needed to implement them, also offer great advantages over in-house solution platforms.

The embedded remote work capabilities of most cloud platforms have become essential recently, and the vast options for data security, failover and outage prevention are just some of the many benefits of cloud platforms. And yet, cloud and services are not the biggest element in corporate and enterprise IT, especially not when we look beyond the US market. Why is that?

One significant showstopper in cloud adoption for European companies and organizations, and also for governments, is the fact that the major players in the cloud universe are all US-based corporations. That means they are bound to comply with the CLOUD Act and the Foreign Intelligence Surveillance Act (FISA), which give US authorities full and unrestricted access to everything that is stored or processed on their infrastructure.

For most US-based corporations this has little impact on their decision-making process because it is something they are used to. But for European corporations the impact and risk evaluation of this legislation, and of the way the US Government (ab)uses it, is entirely different, especially since Edward Snowden made clear how far the US is willing to go and how poorly designed and executed the controls around these processes are.

A significant example of the impact is the decision by one of Germany’s major car manufacturers to not pursue a very successful Cloud ERP Pilot Project because none of the providers were able to warrant that there will be no external access to their data and processes other than by the German authorities. All three selected providers replied that they were not able to warrant this requirement under their obligations to comply with US legislation.

Some might argue that this should be no issue when European corporations have nothing to hide, and others even argue that the US does this to protect itself and its allies. So, let us take the example of a European car manufacturer and analyze why the decision to prohibit ERP and other relevant information in US clouds is very common. And why this makes a lot of sense!

The Bill of Materials (BoM) is a key element of every ERP and MRP process, especially in manufacturing. It holds every piece of material, requirements, specifications, time, suppliers, sources, machine capabilities, every single detail of the manufacturing process. It can include quality checks, required sequences, even raw materials and more. Pricing and purchasing contracts, stock levels, process routing: all elements without which it would make no sense to run an ERP for manufacturing in the first place. All elements which are essential business information. All elements which expose the entire business model!

If such information were to get into the wrong hands, the entire business model of the organization would be exposed, and that risk is not taken lightly in the boardrooms across Europe. If such information were to be corrupted or maliciously manipulated, the impact on business operations would be devastating.

SolarWinds has shown us that these risks are real and present! The Kaseya ransomware attacks demonstrated that security tools are a popular target for cybercriminals and that the cloud is not the answer to that challenge. In fact, in both cases it was cloud-powered Software-as-a-Service (SaaS) that made it all possible.

Add to this that US-based service providers must comply with US legislation, just like other providers must comply with their local laws and regulations, and these legislative powers explicitly enforce access to everything cloud and “as-a-service” related. Edward Snowden stated in one of his interviews that he has no doubt that if the US authorities saw reason to gain access to, for example, Siemens, they would not hesitate to do so and have the capabilities to make this happen.

That this is not just an opinion from someone who isn’t seeing eye-to-eye with his former employer is made clear by the fact that the US gained access to, for example, Huawei’s and ZTE’s infrastructure and tapped into every bit of information they could get their hands on. Analysts also raised questions about how GE got access to confidential internal information from its now former competitor Alstom after US authorities conducted investigations invoking FISA over alleged trade embargo infringements by the French company.

All this continues to cause hesitation about a full adoption of cloud technology in the boardrooms and executive suites of many European corporations. Asian corporations are weighing similar priorities and considerations and appear to prefer regional service providers over those based in the US.

Maybe the European cloud initiative GAIA-X will provide some of the securities European business leaders are looking for, but at the moment the majority prefers a hybrid cloud solution in which the essential business information does not leave the premises.

Dr. ir Johannes Drooghaag

Dad, consultant, coach, speaker, author. Mainly Cyber Security, leadership, responsible tech and organizational change. https://johannesdrooghaag.com