Case Studies

The Haufe Group optimizes cloud governance

The Haufe Group, a provider of software, consulting, and training solutions, recognized the potential of cloud services like AWS for flexibility and speed in delivering its products. However, the need to protect sensitive data in the cloud posed a challenge, especially in light of GDPR regulations. Collaborating with Skaylink, the Haufe Group embarked on a journey to optimize its cloud governance. Skaylink conducted risk assessments, validated infrastructure, and facilitated stakeholder workshops to address technical and regulatory concerns. The result was the implementation of an AWS framework based on an AWS landing zone, ensuring scalability, security, and compliance. With a consolidated level of knowledge and a common understanding of cloud usage, the Haufe Group now has clear rules and responsibilities for processing sensitive data in the cloud. Looking ahead, the establishment of a Cloud Competence Center aims to guide future cloud projects and continuously improve cloud governance within the organization.

The Haufe Group optimizes its cloud governance with support from Skaylink

The cloud provides flexibility and speed for software solutions when they are built on infrastructure services such as those from AWS. The Haufe Group recognized this potential, but faced the challenge of ensuring that the sensitive data in its products and services is protected in the cloud. In its collaboration with Skaylink, the path was forged by identifying regulatory and technical requirements, answering open questions and developing a sustainable roadmap for the cloud processes of the future.

As a provider of software, consulting and training solutions for the legal, tax and business sectors, the Haufe Group has 2,000 employees worldwide and generates annual sales of almost 400 million euros. Since 1993, the software provider Lexware has also been part of the corporate group. With Lexware, the company based in Freiburg, Germany, also offers software that specializes in small- and medium-sized companies as well as self-employed people and freelancers.

The Haufe Group had already been running various applications in the Amazon Web Services (AWS) environment for several years. Initially these processed only data with no special protection requirements and no reference to individuals. The Information and Communications Technology (ICT) division created the framework for this and pooled the available expertise.

Sensitive data processed securely in the cloud

Today, the Haufe Group plans not only to offer new products in the cloud, but also to process sensitive data quickly through AWS. This changes the framework conditions, and the EU General Data Protection Regulation (GDPR) becomes the yardstick: the existing governance framework, which gave employees a great deal of autonomy in their work, was no longer sufficient for processing sensitive data. A redesign was therefore necessary to meet both the new and the specific customer requirements.

The Haufe Group sought support from Skaylink’s 360-degree cloud specialists, first to move one application into the AWS cloud as a sample project and then to draft a guideline for future projects. On the technical side, many AWS requirements and best practices had already been implemented, yet regulatory and security aspects in particular still presented open issues: a comprehensive cloud concept needed to cover data protection, data security and customer acceptance.

“It is precisely this transfer of knowledge from Skaylink to us that gives us the ability to make this further development. We have clearer answers now and are better positioned than we were when we started managing cloud governance.”

Validation of application and the AWS environment

To this end, Skaylink conducted a risk assessment of the application and validated the existing infrastructure, processes, state of documentation and key operational aspects. This produced recommendations and actions for a common roadmap involving technology, operations and regulatory roles, which formed the basis of the new AWS framework. In addition, Skaylink estimated costs and effort as well as internal resource requirements.

Risk validation then focused initially on an example product intended to process sensitive personal data. The aim was either to reduce each identified risk to a level that could be consciously accepted or to eliminate it entirely.

Project stakeholder workshops moderated by Skaylink were a central component of the process. They mediated between the product teams, the CTO and ICT on one side and those responsible for data protection, IT security and compliance on the other. All of them formulated their wishes, perceptions and requirements.

Solutions implemented

  • AWS Cloud Services
  • AWS Landing Zone
  • Infrastructure as Code (IaC)
  • Incident, Change, and Problem Management Processes
  • Dashboards and Monitoring
  • Cloud Governance Framework
  • Risk Assessment and Validation Processes
  • Collaboration Workshops
  • Cloud Competence Center

Tandems ensure the transfer of knowledge

To ensure broad acceptance, decisions on both technical and regulatory issues were to be made jointly. Team members developed their own solutions and collaboratively interpreted regulatory requirements in order to translate them into technical specifications. A combination of waterfall project management and Scrum was used to set up a defined project framework with a fixed end date and responsible parties. Tandems made up of employees from the Haufe Group and consultants from Skaylink ensured the transfer of knowledge.

In the process, the Haufe Group wanted to draft a Haufe Group-specific manual for the cloud, on the basis of which it could further develop the AWS framework and the cloud governance itself. There were a number of challenges to overcome, particularly time pressure due to delivery deadlines and the availability of resources; after all, the employees had other responsibilities in addition to the project.

Decisions were made by voting on each topic area of the AWS framework target state to ensure general acceptance. The discussions were therefore not limited to log management, user rights and encryption as such. “Their concept, implementation and documentation, as well as the collaborative decision on architecture, were also important,” says Adrian Wnek, Principal Cloud Consultant at Skaylink, who adds: “Only the joint evaluation and exchange of arguments led to a technical implementation that was accepted by all parties and that fully met the requirements. It was important that the responsible parties identify with and appreciate this implementation.”

The project team reached an agreement on the necessary technical and organizational changes in the moderated workshops. This validation of the environment answered open questions regarding the framework.

Implementation based on AWS landing zone

The AWS framework was implemented on the technical basis of an AWS landing zone using infrastructure as code. New AWS accounts can now be created fully automatically, which supports scalability and growth and improves security by eliminating the configuration errors that manual account setup invites.

In addition, the interaction between the cloud environment (AWS framework) and the service management platforms (incident, change and problem processes) was orchestrated. Risks are further reduced by technical measures: dashboards and monitoring detect deviations from the agreed target state so that they can be responded to. This also means that deliberate guardrails are in place from the start of any new application development, depending on the AWS region, the service and the data involved.
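As an added illustration of what such a region- and service-dependent limit can look like in a landing zone (this is example code written for this page, not code from the case study, Skaylink or the Haufe Group), the block below builds an AWS Service Control Policy (SCP) that denies every API call outside a set of approved regions, and runs a small pre-flight evaluator over it before the policy is attached to an organizational unit. The approved regions, the list of exempted global services and the helper names are assumptions; the page does not state which rules the Haufe Group actually chose.

```python
"""Region guardrail for a landing-zone OU as an AWS Service Control Policy (SCP),
pre-flight-checked with a small evaluator before it is attached.

Example code written for this page; the regions and exemptions below are
assumptions, not the Haufe Group's actual rules.
"""
import fnmatch
import json

# Assumed rule: data with personal reference may only be processed in EU regions.
ALLOWED_REGIONS = ("eu-central-1", "eu-west-1")

# Assumed exemptions: global services whose control plane lives in us-east-1.
# Without these the landing zone itself would break, because account vending
# and identity management depend on them.
GLOBAL_SERVICE_ACTIONS = (
    "iam:*", "organizations:*", "sts:*", "support:*",
    "route53:*", "cloudfront:*", "budgets:*",
)


def build_region_scp(allowed_regions=ALLOWED_REGIONS,
                     exempt_actions=GLOBAL_SERVICE_ACTIONS) -> dict:
    """Return an SCP document denying every action requested outside the
    allowed regions, except the listed global-service actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action) -> bool:
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy: dict, action: str, region: str) -> bool:
    """Simplified SCP evaluator: does any Deny statement block `action` in `region`?

    Supports Effect=Deny with Action/NotAction and StringEquals/StringNotEquals
    conditions on aws:RequestedRegion, which is all this policy uses. It is a
    sanity check for the policy text, not a replacement for IAM's evaluation.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _action_matches(_as_list(stmt["Action"]), action)
        else:
            applies = not _action_matches(_as_list(stmt["NotAction"]), action)
        if not applies:
            continue
        condition_met = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, values in pairs.items():
                if key != "aws:RequestedRegion":
                    raise NotImplementedError(f"condition key {key} not supported")
                in_set = region in _as_list(values)
                if operator == "StringEquals":
                    condition_met = condition_met and in_set
                elif operator == "StringNotEquals":
                    condition_met = condition_met and (not in_set)
                else:
                    raise NotImplementedError(f"operator {operator} not supported")
        if condition_met:
            return True
    return False


def preflight(policy: dict) -> dict:
    """The cases an operator wants confirmed before attaching the SCP to an OU."""
    return {
        "s3_in_eu_allowed": not scp_denies(policy, "s3:CreateBucket", "eu-central-1"),
        "s3_in_us_denied": scp_denies(policy, "s3:CreateBucket", "us-east-1"),
        "ec2_in_apac_denied": scp_denies(policy, "ec2:RunInstances", "ap-southeast-1"),
        "iam_global_allowed": not scp_denies(policy, "iam:CreateRole", "us-east-1"),
    }


if __name__ == "__main__":
    scp = build_region_scp()
    print(json.dumps(scp, indent=2))  # the document to attach to the workload OU
    print(preflight(scp))
```

The JSON printed by the block is what gets attached, for example with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://scp.json` followed by `aws organizations attach-policy` against the workload OU. Two caveats worth keeping in mind: an SCP only restricts, it never grants permissions, and it does not apply to the organization's management account, so the guardrail protects member accounts created by the landing zone, not the account that operates it. Attach new SCPs to a sandbox OU first; a missing global-service exemption surfaces immediately as broken account vending.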

The Haufe Group now has a consolidated level of knowledge and a common understanding of the broader use of the cloud. Internally, development teams, regulatory roles, architects and operations managers can work closely together toward a common goal. The jointly agreed roadmap points the way towards using AWS services, building up skills in-house and onboarding colleagues. Specific business requirements and planned scaling are mapped.

Product teams can now process sensitive data in the AWS landing zone with clear rules and responsibilities. AWS’s shared responsibility model was applied here: AWS is responsible for the infrastructure and services it provides, while the Haufe Group is responsible for the security and data protection of the applications built on them. The parties responsible for the AWS framework at the Haufe Group in turn share the customer-side responsibility delegated to them with the development teams.

Cloud Competence Center for future projects

More than just expertise is needed within the Haufe Group’s cloud team itself; an understanding of the enterprise is also required to see the bigger picture. Skaylink is therefore supporting the Haufe Group in its next step, setting up a Cloud Competence Center, which acts as a technical and methodological guide for future cloud projects, such as further simplification of governance.

The goal is the continuous further development of the AWS framework: the previously existing accounts are being migrated into the new AWS landing zone so that the new rules apply to them within this structure as well. The experience gained from this project on how to process data securely in the cloud gives the Haufe Group another advantage: it can now introduce the corresponding processes and technical implementations faster in other cloud projects.

Skaylink will also conduct a health check at the Haufe Group to identify and react to new needs and further developments.

Summary

Through its collaboration with Skaylink, the Haufe Group obtained answers to its questions about cloud usage. The AWS framework and customized best practices provide a secure basis for future projects. Moreover, the Haufe Group now has the expertise and process understanding to bring further products and services, whether existing ones from the hosting environment or new developments, to the cloud in a standardized manner and in less time.