As a business providing IT consulting services to local government, IT-Additional-Services has very high standards when it comes to protecting communication and data. One key component in the company’s security strategy is a gateway that encrypts all Office 365 content before transfer into the cloud.
When it launched its portfolio of services on the public sector market in 2015, IT-Additional-Services was faced with the necessity of being able to act independently of its parent company, the Federal and State Government Employee Retirement Fund (VBL). Accordingly, the company’s IT unit was looking for an innovative and stable platform for day-to-day work – which had to be cloud-based, to avoid the cost, time and effort of setting up an internal data center. Microsoft Office 365 was the solution chosen.
The company was also looking to increase data protection. Peter Janze, CIO & CDO at IT-Additional-Services, explains: “There are two key reasons for this requirement: first, our public administration clients have well-defined duties of care for their citizens; second, their work is also subject to specific compliance regulations.” This is also the reason why the designated Data Protection and IT Security Officers of parent company VBL work with IT-Additional-Services as well.
All of these provisions have been further tightened by the EU General Data Protection Regulation (GDPR), which stipulates a series of security precautions applicable to cloud services, including the designation of responsibilities, privacy-by-design models, centralization, and data pseudonymization.
To ensure it could meet both its internal standards and the legal and regulatory data protection requirements, the company decided to deploy an encryption gateway from provider eperi. Janze emphasizes the importance of this strategy: “Adopting Office 365 as a cloud platform in conjunction with the eperi encryption gateway means we can master a balancing act that would otherwise be simply impossible when merely deploying an on-premise solution or cloud-only platform. In this way, we offer our employees a modern platform for their day-to-day work that is available whatever their location. At the same time, we fully comply with our own internal standards as well as the legal and regulatory requirements for compliance and data protection.”
State Office for Data and Information
Before IT-Additional-Services began the rollout of the eperi solution in early 2017, an encryption policy needed to be drawn up and a suitable data center partner had to be found, since the gateway itself obviously had to be operated outside the cloud. Here, IT-Additional-Services picked the Mainz-based State Office for Data and Information (LDI) as its business partner.
Following a test phase, the gateway is now in production use. IT-Additional-Services also plans to use the eperi gateway as a strategic encryption platform for other cloud applications. In 2017, an HR digitalization project was launched, which has the aim of rolling out the cloud-based SAP SuccessFactors HCM Suite. To provide effective protection for personal data in the cloud, the encryption gateway will also be utilized for the SAP solution.
This article was originally published in German on egovernment-computing.de