Haufe Group optimises cloud governance

Focus on data protection

Haufe Group optimises its cloud governance with support from Skaylink

The cloud brings flexibility and speed to software solutions when they are built on infrastructure services such as those from AWS. Haufe Group has recognised this potential, but faced the challenge of ensuring the protection of sensitive data in the cloud for its products and services. The collaboration with Skaylink paved the way for this by clarifying regulatory and technical requirements, answering open questions and developing a sustainable roadmap for the processes of the future.
As a provider of software, consulting and training solutions for the legal, tax and business sectors, the Haufe Group employs 2,000 people worldwide and has an annual turnover of almost 400 million euros. The software provider Lexware has also been part of the group since 1993. With Lexware, the Freiburg-based company also offers software that specialises in small and medium-sized enterprises as well as the self-employed and freelancers. The Haufe Group had already been providing various applications in the Amazon Web Services (AWS) environment for several years. These applications initially processed data without any particular need for protection or personal reference. The Information and Communications Technology (ICT) division created the framework conditions for this and bundled the existing expertise.

Processing sensitive data securely in the cloud

The Haufe Group was now planning not only to offer new products in the cloud; it also wanted to process sensitive data promptly through AWS. The GDPR (DSGVO) with its changed framework conditions posed a challenge: the defined governance framework, which allowed employees extensive autonomy in their work, no longer proved sufficient to meet the requirements for processing sensitive data. A redesign was therefore necessary in order to meet new and special customer requirements. The Haufe Group sought support from the 360-degree cloud specialists at Skaylink to first lift an application into the AWS cloud as a sample project and set up a guideline for future projects. On the technical side, many AWS requirements and best practices had been implemented, but regulatory and security aspects in particular were still open points: a comprehensive cloud concept was to ensure data protection, data security and customer acceptance.

Validation of application and AWS environment

For this purpose, Skaylink conducted a risk assessment of the application and validated the existing infrastructure, processes, documentation statuses and key operational aspects. This was followed by recommendations and measures for a common roadmap involving technology, operations and regulatory roles. This formed the basis for the new AWS framework. In addition, Skaylink estimated costs and effort as well as the need for internal resources. The risk validation then initially focused on a sample product that would process sensitive personal data. The aim was either to achieve an acceptable risk assumption or to completely eliminate existing risks. Central to the process were the project stakeholder workshops facilitated by Skaylink. Here, mediation took place between product teams, CTO and ICT on the one hand and those responsible for data protection, IT security and compliance on the other. Everyone formulated their needs, perceptions and requirements.

Tandems ensured the transfer of knowledge

For broad acceptance, decisions on technical as well as regulatory issues were to be shared by all: the team members developed solutions themselves and jointly interpreted the regulations in order to translate them into specifications for the technology. A combination of waterfall project management and Scrum was used to set up a defined project framework with a fixed end date and responsible parties. Tandems of Haufe Group employees and Skaylink consultants ensured the transfer of knowledge. In the process, Haufe Group wanted to set up a Haufe Group-specific manual for the cloud, on the basis of which they could further develop the AWS framework and cloud governance themselves. There were a few challenges to overcome, especially time pressure due to the need for delivery and the availability of resources – after all, the employees had other commitments in parallel to the project. Decisions were made in the form of votes on each topic area of the target state of the AWS framework to ensure general acceptance. The subject of discussion was therefore not only log management, user rights and encryption. “Their concept, implementation and documentation as well as the joint decision on the architecture were also important,” says Adrian Wnek, Principal Cloud Consultant at Skaylink, and adds: “Only the joint evaluation and exchange of arguments led to a technical implementation that was accepted by all participants and completely fulfilled the requirements. It was important that those who are in charge identified with and valued this implementation.” The project team agreed on the necessary technical as well as organisational changes during the facilitated workshops. Through this validation of the environment, open questions regarding the framework were answered.

Implementation on the basis of the AWS Landing Zone

The AWS framework was implemented on the technical basis of an AWS Landing Zone using Infrastructure as Code. New AWS accounts can now be created in a fully automated way, which ensures scalability, growth and security, as it eliminates manual errors. In addition, the interaction of the cloud environment (AWS framework) and service management platforms (incident, change and problem processes) was orchestrated. Risks are further minimised through technical measures such as dashboards, monitoring, detection and reaction to deviations. This includes having deliberate limits already in place when starting new application development, depending on region, service and data. Haufe Group now has a consolidated level of knowledge and shared understanding on the wider use of the cloud. Internally, development teams, regulatory roles, architects and operations managers can work closely together towards the same goal. The jointly agreed roadmap shows the way to using AWS services, building up skills in-house and onboarding colleagues. Specific company requirements and planned scaling are mapped. Product teams can now process sensitive data in the AWS Landing Zone with clear rules and responsibilities. The AWS Shared Responsibility Model was used, in which AWS provides the infrastructure and services used and Haufe Group is responsible for the security and data protection of the applications based on it. In addition, the AWS framework managers at Haufe Group now share the “customer” side of this responsibility assigned to them with the development teams.

Cloud Competence Centre for future projects

The Haufe Group Cloud team itself needs not only expertise but also an enterprise-level understanding of the big picture. As the next step, Skaylink is therefore supporting the Haufe Group in setting up a Cloud Competence Centre. It acts as technical and methodological support for future cloud projects, such as further simplification of governance. The goal is the continuous further development of the AWS framework: the previously existing accounts will be migrated to the new AWS Landing Zone and thus adapted to the new rules that apply within this structure. With the experience gained from this project on how data can be securely processed in the cloud, the Haufe Group also gains another advantage: in another cloud project, it can now introduce corresponding processes and technical implementations with less time expenditure.
“It is precisely the transfer of knowledge from Skaylink to us that enables us to make this further development. We now have clearer answers and are better positioned to manage cloud governance than when we started.”
Andreas Plaul, CIO at Haufe Group
Skaylink will also conduct a health check at Haufe Group to identify and respond to new needs and developments.

Conclusion

In cooperation with Skaylink, the Haufe Group has been able to answer its questions about cloud use. For future projects, a framework and individual best practices provide a secure foundation. In addition, the Haufe Group now has the expertise and process understanding to bring further products and services – existing ones from the hosting environment or innovations – into the cloud in a standardised way and with reduced time expenditure.
