Jamestown US-Immobilien GmbH has been one of our customers since 2018. In this interview we spoke with Jamestown's IT manager, Frank Mördel, about the introduction of the cloud service Office 365 (O365) and the associated requirements around data protection, the GDPR and BaFin regulation. Learn how Jamestown Immobilien meets these requirements and how it keeps control of its data and its encryption process at all times.
Please introduce yourself.
My name is Frank Mördel. I'm the IT manager at Jamestown US-Immobilien GmbH. In this role, I am responsible for the complete IT infrastructure and organization as well as for the interface to our partner company based in Atlanta (USA). I've been working at Jamestown for 17 years. Before that I worked for banks and financial service providers as well as for a system house. I have been working in the IT industry as a Business Information Systems Specialist since 1992. Personally, I am very interested in IT security and regularly attend training courses in this area. The topics "vulnerability scans" and "ethical hacking" in particular inspire me.
What challenges did the use of O365 and the associated use of the cloud services present you with? What were the concerns regarding data security? Were there, for example, regulatory requirements that had to be met?
The migration to O365 was both a challenge and a necessity for us. Until then, we had been working on a proven, solid Lotus Notes domain for over 15 years. The goal was to migrate this system to the Exchange platform used by Jamestown USA without building up our own Exchange resources. Within this scope, we put the strategic focus on Exchange Online, O365 and thus on the cloud.
Several areas were challenging for us in this context:
- Data protection: It was important for us to know at all times who has access to the Jamestown data.
- GDPR: Concerns regarding the storage of personal data in the cloud came from the GDPR and the German Federal Data Protection Act. The central question for us was how secure the data is with a cloud provider.
- BaFin: Since October 2019, BaFin has been regulating the framework for data protection and data security in the financial services sector. The KAIT (supervisory requirements for the IT of capital management companies) has since also applied to Jamestown. Although these regulatory requirements only came into force after our migration to O365, it was already known in advance that there would be a corresponding regulation.
How were you able to address these concerns with the help of the eperi Gateway?
After a phase of basic information gathering about possibilities and providers in the field of data encryption, the decision was made in favor of eperi. Our most important requirement led to this decision: the solution should run in-house (on-premises) and be self-managed. It must ensure that the data is encrypted at all times. Decryption should only be possible with the Jamestown key. Under no circumstances should the encryption be moved to the cloud; it must remain local. Accordingly, control over the key management and the entire encryption process must remain with us, Jamestown, at all times.
Microsoft Online offers to encrypt data and to distribute the encrypted data over several hard disks. However, we were not completely satisfied with this technology. The reason for this is simple: from the customer's point of view, there is great uncertainty about Bring Your Own Key solutions. Whoever encrypts the data must also have access to the unencrypted data. Theoretically - and here we do not assume any malicious ulterior motives - it is technically possible that, for example, service staff at Microsoft or administrators of the cloud data center can access the data. We exclude this theoretical access possibility by using the eperi Gateway. We secure our data sovereignty at all times.
What success could you achieve by using the eperi Gateway?
The big success of using the eperi Gateway is that we now ensure that our emails and calendar entries are encrypted before they leave the company and remain encrypted both "in transit" and "at rest".
Would the use of O365 have been possible without the introduction of the eperi Gateway?
Technically, the use of O365 would have been possible without the eperi Gateway. However, annual IT audits are carried out by BaFin. In this context, the use of our eperi solution has already been noticed, tested and approved. Without the eperi Gateway we would only have passed the audit with considerable additional effort. As the solution fits us perfectly from a technical and regulatory point of view, I believe that the use of O365 without the eperi Gateway would not have been possible for us.
What was the main reason for Jamestown to choose the eperi Gateway?
There are several reasons, for example the already mentioned concerns around regulatory requirements, data protection and GDPR compliance. These certainly tipped the scales for the decision. Another important aspect was our goal to maintain control over our data and the encryption process at all times. And finally, we were convinced by the innovative product of a growing, medium-sized company from Germany.
What is the greatest advantage/benefit of the eperi Gateway for you personally?
As IT Manager, having the certainty that data is encrypted with your own key, knowing that data security is in your own hands and that audits are not at risk lets me sleep much better.
What are your current use cases for the eperi Gateway?
Currently we have two fields of application:
- For O365 we use the eperi Gateway to encrypt e-mails and calendar entries when using Exchange Online.
- Jamestown offers interested parties the opportunity to use an online subscription form. Personal data entered within this database-supported web application is encrypted or tokenized with the help of the eperi Gateway.
Can you imagine using the eperi Gateway in other areas at Jamestown as well? What areas might those be?
Yes, I can absolutely imagine that. In fact, there are concrete plans in place already. OneDrive has been on our minds for some time now, for example. Also, due to the current COVID-19 situation and the associated shift to working from home, Microsoft has put a new focus on Teams. We will certainly focus on this soon as well. Surely more Microsoft applications will follow. Furthermore, we can imagine introducing field-based encryption of our CRM system in the future.
What is your experience of working with eperi?
I am very satisfied with the cooperation. Admittedly, we had a somewhat bumpy start, but that’s something I know from other projects as well. I have full confidence in the product as well as in the people at eperi. The relationship with all our eperi contacts - from management to support - is very good, almost amicable. Customer service has improved from average to excellent performance since the beginning of the project. The support is outstanding.
Are you satisfied with the decision for the eperi Gateway?
Yes, of course. I am very satisfied. Personally, I prefer to consider data security as a broader vision, and especially with regard to the regulation of financial service providers it seems I had the right instinct here. I am convinced that I have made the right decision.
Image sources: Jamestown US Immobilien GmbH