DIGITAL & TRUST
2020-2021 Edition
TIME FOR RESILIENCE!
URGENT & IMPORTANT
JOINT INTERVIEW: The pioneers of digital Europe
INNOVATION: Kubernetes... managed, on demand
SURVEY: On the use of the Cloud in Luxembourg
STRATEGY: Strategy based on secure Data Centers and information availability

CONTENTS

JOINT INTERVIEW
— The pioneers of digital Europe

TRENDS
— Resilience: how to bounce back from crisis
— COVID-19: business facing the resilience test

CYBER-RESILIENCE
— Cyber-Resilience in your organisation

INNOVATION
— Kubernetes... managed, on demand

SURVEY
— On the use of the Cloud in Luxembourg

STRATEGY
— EBRC’s strategy revolves around secure Data Centers and available information

PARTNERS PROGRAMME
— EBRC and the University of Strasbourg: a winning partnership
— Limonetik, a reference in the world of digital payments
— Open banking with LuxHub: from PSD2 to the financial services marketplace
— Bankable relies on EBRC for its international development
— The advantages of DevOps within a trusted cloud
— i-Hub strengthens its service continuity with EBRC and becomes ISO 22301 certified
Publisher: EBRC, 5 Rue Eugène Ruppert, 2453 Luxembourg / Phone: +352 26 06 1 / marketing.support@ebrc.com / Printed in November 2020 with 1,500 printed copies issued — Graphic realisation: Nicolas Bœuf / Farvest Group — Cover: Mikado — Editorial management: Jean-François Hugon, EBRC
EDITORIAL

2000 - 2020: TWENTY YEARS ALREADY!

EBRC (European Business Reliance Centre) is celebrating its twentieth anniversary this year. eBRC was started from scratch in 2000, and operated in start-up mode at the peak of the dotcom euphoria. This was when we were being told that the new e-economy was about to wipe away the old economic assumptions. Following this hubris came disappointment. In many ways, the dotcom crash and the 9/11 attacks were to 2001 what the COVID-19 crisis is to 2020: a violent socio-economic shock followed by major uncertainties. eBRC started work at the height of the storm. At the time, we stuck to our motto “Together, trusting, in the information age.” This motto has not changed for twenty years.

The start-up eBRC became EBRC: a centre with 340 experts providing trusted services to some 900 clients from Europe (Luxembourg and France) and Morocco via our subsidiary Digora. The same passion has driven us for 20 years: working with our clients on this digital revolution, in an atmosphere of mutual confidence. We do this via our “Trusted Services”, an integrated, certified end-to-end value proposition using the highest standards. It features a range of services including Data Centers, Resilience, Cloud, Managed Services, Advisory and more.

Our clients all have one thing in common: they manage sensitive information which must be kept safe. Our clients need a long-standing partner who can offer both agility and the ability to manage IT systems. This enables them to focus increased efforts on their core business, while all the time being protected from new cyber-risks.

Over these twenty years, EBRC has grown thanks to you, our clients and users, to whom I would like to express our deepest gratitude for the trust you put in us over this period. Whether you work in finance, are a FinTech, a health service provider, a pharma company, a bio-bank, an e-commerce company, a critical industry, an international institution or work in the space sector, for the defence industry, in the public sector, in a law firm or a start-up, we are there for you 365/24/7, whatever the business climate.

Every crisis has unique features with new opportunities, and this is what we mean by resilience: the ability to anticipate, manage, withstand, and rebound to return stronger. The COVID-19 crisis will accelerate the on-going trend of digitalisation. This will add to business agility and open new opportunities, but will also generate substantial new digital risks. This crisis is a wake-up call. It will lead to a major paradigm change. Europe has, at last, taken substantial steps toward a strong digital future, based on the concept of real digital sovereignty and creating a widespread Cyber-Resilience zone, including the “GAIA-X” project. More than ever, we must come together in our continent to build a digital Europe based on Trust and Cyber-Resilience. This will set the tone for our information age.

I hope you find this magazine interesting and useful.

Yves Reding, CEO - EBRC
JOINT INTERVIEW
Jean-Noël de Galzain President - Hexatrust
Photo credit: Erez Lichtfeld
Interview by Stéphane Etienne, Hypallages
THE PIONEERS OF DIGITAL EUROPE

In June 2019, EBRC joined the Hexatrust association which brings together companies from France and Europe with excellent expertise in cybersecurity and Cyber-Resilience, and supports the project to create an efficient and secure European trusted cloud. But what is its strategy and how do its proposals match those of EBRC? A discussion between Jean-Noël de Galzain, CEO of Hexatrust, and Yves Reding, CEO of EBRC.
Hexatrust is a grouping of about sixty small, medium and large companies offering innovative solutions for every aspect of risk management and personal data protection. Active throughout the world, the members bring together more than 2,500 experts, have a total turnover of more than 400 million Euros, are experiencing 19% growth and reinvest nearly 30% of their profits in innovation. The solutions offered include encryption, connected objects, governance, traceability and auditing issues, identity and access management, industrial systems security, messaging security, mobile and web traffic security, transaction security, trusted cloud services (including EBRC Trusted Cloud Europe) and Cyber-Resilience (EBRC Cyber-Resilience Portal).

— UNIQUE KNOW-HOW IN EUROPE

“All these technological marvels promote the same values: innovation, unity, action, excellence,” commented Jean-Noël de Galzain. “Our goal is to bring together the best cybersecurity and cloud computing solutions. The political and economic world must be aware that Europe has unique know-how, that it is ready for development if given the means to do so. From the very beginning of the coronavirus pandemic, our members immediately made every effort to enable companies to organise themselves in line with the lockdown measures, in order to continue operating under the best possible conditions. In this way, we want to demonstrate that our digital industry is essential to supporting all European economic activity, particularly in the event of a crisis. Our group, with its European partners such as Teletrust in Germany and other associations in Europe, is ready to participate in post-Coronavirus reconstruction and to contribute to the creation of genuine digital infrastructures capable of preparing the European Union for the massive use of digital technology.”

In line with this desire to work towards cooperation, and to create synergies to better defend the sector’s interests, Hexatrust has set up a one-stop-shop with added value: Hexatrust Distribution. “Its role is to pool the catalogue of services of our various members in order to provide it to public and private organizations wishing to equip themselves with sovereign and trusted solutions in the field of cybersecurity and cloud computing”, Jean-Noël de Galzain continued. “This organisation enables us to meet three requirements: centralising, optimising and purchasing. A single point of contact enables customers to take advantage of a privileged communication channel, and also offers each publisher personalised and centralised support with regard to all commercial and technical information. They are supported by a team of experts offering an optimal combination of solutions to meet a wide variety of needs. They ease their purchasing procedures via a single point of contact.”

— BUILDING BRIDGES BETWEEN THE VARIOUS ASSOCIATIONS

Hexatrust’s policy of openness and its willingness to work with others to build a strong and credible European digital industry immediately appealed to EBRC, as its CEO, Yves Reding, explained. “We have been promoting European values for a long time. The “E” in “EBRC” stands for “European”! Our strategy has always been to promote a digital Europe, Cyber-Resilience and trust in the cloud. We also have a strong presence in France through our subsidiary Digora, which has some 140 employees, including around 20 in Morocco, and has a presence in all major French cities. We also have our own clients and strategic partners under the aegis of EBRC, in particular IT security software publisher WALLIX, of which Jean-Noël is the CEO. We also have a strategic partnership with EGERIE, a software publisher specialised in the analysis and integrated management of cyber-risks, and also a member of Hexatrust. Beyond the relationship of trust that has gradually been established over the years between EBRC and WALLIX, we realised that we had common values and a common strategy, and it was quite natural for EBRC to join Hexatrust. Together, we are reflecting on what can be done to ensure market confidence in European digital services.”

“Our role within the group is also to liaise with other similar associations in other European countries. At EBRC, we believe that it is by building bridges between the different associations, both local and European, that a digital Europe can be built. The European Union may, in some ways, seem like a Tower of Babel, but we have a long, shared history and a common view of the world; it is our different cultures, languages and countries that make it so open to the world and so enriching. In Europe, real discussions are possible and such discussions can only help us grow”.
TRENDS
Yves Reding CEO - EBRC
Interview by Alexandre Keilmann, Farvest
RESILIENCE: HOW TO BOUNCE BACK FROM CRISIS

Yves Reding, CEO of EBRC, discusses the crucial importance for companies of developing a deep culture of resilience, and the need to protect against threats that can – and cannot – be anticipated. Following the COVID-19 crisis, the concepts of risk management and (Cyber-) Resilience have become more important than ever. As an expert, Yves tells us more about his vision and philosophy, and also shares his thoughts on the launch of the Gaia-X initiative.
— COVID-19 AND THE EMERGENCE OF RESILIENCE: A WAKE-UP CALL

“We are currently learning lessons from the COVID-19 crisis. The world we knew before and the one we are now navigating in are not the same. This pandemic changed the way things are perceived, and even challenged the priorities of entire ecosystems, governments, companies, etc. on political, social and economic levels,” starts Yves Reding. The digital expert notably shares the example of business models that now need to fully integrate the concept of resilience, advocated by EBRC for the last 20 years. “The Coronavirus crisis is not a black swan: it could/should have been predicted. Over the last two decades, companies have had to face several health crisis: back in 2003 with the SARS outbreak and later in 2009 when the World Health Organization declared the H1N1 pandemic. Moreover, pandemics and health crisis have become part of the popular culture with many books and movies dealing with such issues. The risk was here and we should all have been aware of it,” declares the CEO of EBRC.

Within EBRC, the concept of resilience is well-known and part of the global strategy of the company. As explained by Yves Reding, the term resilience is mostly used in psychology – when an individual goes through a traumatic event and later recovers – and in the metal industry when for instance rails and bridges need to absorb important thermal shocks. He adds: “it is also commonly used when describing a forest that needs to regenerate. That is what Humans and Nature do: the concept should already be integrated by all individuals and companies. Yet, many were not aware of it prior to COVID-19, and some players might even disappear because of their lack of awareness”.

In such a context, companies are now transforming their business model into a resilient one, which can adapt and bounce back, getting rid of short-term and purely financial objectives. Rather they are investing more into Corporate Social Responsibility, sustainability, people, etc. The CEO highlights: “a resilient business model will allow companies to analyse future trends – demographic changes and health issues, global warming, digitalisation, etc. – and therefore anticipate, predict, protect, absorb, manage, recover and even accelerate”.

And when it comes to digital, Yves Reding notices that more progress was made in the last three months compared to the last three years, with the emergence of the digital pendant of resilience: Cyber-Resilience.

— BEYOND TRADITIONAL RESILIENCE: THE WAY TOWARDS CYBER-RESILIENCE

In this respect, digital has proved – if it were even needed – its tremendous use and undeniable advantages. For instance, the entire country of Luxembourg, thanks to its flexibility and its robust IT infrastructure, was able to turn rapidly to homeworking, without having to slow down its activity. “The notions of risk management, resilience and of course, Cyber-Resilience have become the new standards,” says the CEO, whose teams embraced homeworking from the very first day of the lockdown period. He asks: “but what would happen if the network or IT systems were to crash? What about the increasing number of cyberattacks during the last three months? When perpetrated the right way, they clearly impacted the targeted companies. Therefore, the next step to achieve an overall resilient business model is to invest in Cyber-Resilience”.

A couple of years ago, the European Commission enforced the NIS Directive, which provides legal measures to boost the overall level of cybersecurity in the EU and identifies “Operators of Essential Services”. The name says it all: such services are essential for governments, health institutions, financial flows, energy, transport, water supply and distribution, digital infrastructure, etc., to keep on running. “Digital then becomes systemic! And the COVID-19 crisis made it clear in the minds of organisations and individuals: our activities were only able to continue thanks to digital. But tomorrow, digital could be harmed and threatened by cyber attackers. As digital becomes the backbone of our society, it must become resilient, and, by definition, cyber-resilient,” underlines Yves Reding.

— ASSISTING COMPANIES IN THEIR FIGHT AGAINST CYBER THREATS

Resilient – and cyber-resilient – strategies rely on dedicated and specific resources. “Several programmes already exist, but we are still noticing a major gap between what is available for companies, and how they actually use these tools,” underlines Yves Reding, who notably names multiple ISO certifications – 22301, which concerns business continuity and 27001, which deals with information security management. EBRC has also been participating in exercises created by the European Union Agency for Cybersecurity (ENISA) for years, on how potential cyber attackers could impact Cloud Service Providers (CSP) and Internet Service Providers (ISP), which might very well happen in the near future.

In addition to such standards and regular exercises, EBRC teams worked on an assessment tool with a mission to facilitate the life of decision-makers. “We developed a solution based on the analysis of the client’s processes and the production of a report highlighting the gap between their processes and the industry’s best practices in terms of resilience and Cyber-Resilience. It takes about 45 minutes to provide them with their level of maturity and then guide them towards the best levels of protection,” explains the CEO of the 20-year-old digital company.

Moreover, in February 2020, just before the lockdown, EBRC surveyed decision-makers and IT professionals in Luxembourg and in France on the topic of Cloud Services and “digital sovereignty”: 55% of respondents labeled it as “a necessity for Europe”, when only less than 10% of companies and individuals see it as not necessary or impossible to achieve. And lately, a key project was just launched at the EU level to boost Europe’s “digital sovereignty” and aiming at EU cloud independence.

— GAIA-X AND THE NEED FOR EUROPE TO CONTROL AND MASTER DATA

Yves Reding welcomes the Gaia-X initiative powered by the Ministries of the Economy of both Germany and France, backed by talented researchers and key players of the digital industry: “EBRC has been advocating European digital sovereignty for years. We are excited to see that things are now moving at the political level. The European Commission, led by Ursula von der Leyen, has communicated its ambitions and we are in the middle of a paradigm change,” highlights the CEO who has been in contact with the German and French ecosystems for many years. He continues: “just like with GDPR and NIS, Europe needs to regain possession of its digital ecosystem, by transmitting and using its main values: transparency, openness, interoperability, trust and sovereignty. Europe will then be in the driver’s seat and able to impose transparent rules, known by all the players”. Over the years, numerous theoretical projects have been led, but according to the CEO, Gaia-X is a key political statement. He adds: “The EU member states now speak as one, with the appropriate means and energy. EBRC falls within this ambitious project and so do many European associations”.

With data often described as the “oil of the 21st century”, one of the main objectives of Gaia-X is to keep control of data and services through technological independence. “In the current environment, mastering data is key. For instance, how could a hospital survive without data knowledge and control? How can the car industry build autonomous vehicles if it does not understand and master data?” then asks Yves Reding. Gaia-X revolves around building on data with specific use cases, which will allow the different industries to analyse risks and anticipate, by actually using sensitive personal data that would have been anonymised, under the governance of Europe.

As a conclusion, Yves Reding highlights the tremendous digital silent acceleration that took place in the last three months, while also acknowledging the change of mindset when it comes to risk and resilience. Companies now know that they need to be able to deal with all types of crisis, especially with cyber threats, in a world that is more digital than ever. An advocate of an extended approach towards risk through Cyber-Resilience and towards data management and sovereignty, the CEO of EBRC, along with his team, spent much of 2020 working on innovative projects to mitigate and anticipate such risks, and he also welcomes the launch of Gaia-X.

“We went through a violent COVID-19 pandemic but we must learn from this crisis: we will change our world and will become stronger. We have to build a more resilient and cyber-resilient world for the next generations, able to face future crisis”, concludes the CEO, “moreover, we have to take back control over our strategic resources, digital and data. Time has come to take decisive steps, at all levels, to build our Trusted Digital Europe”.
TRENDS
Interview by Isabelle Couset, Entreprises Magazine
COVID-19: BUSINESS FACING THE TEST OF RESILIENCE
Christophe Ruppert - EBRC
During the health crisis, lacking a BCP (Business Continuity Plan) has put many companies in a - very - uncomfortable situation. Key principles and benefits of a BCP are explained in an interview with Christophe Ruppert, Business Continuity Management Practice Lead at EBRC.
— Who should take the initiative to set up a BCP?

It is above all a matter of anticipating and preparing the company to preserve its operations in the event of a crisis with the aim of protecting its corporate and economic assets. It is therefore a strategic approach, under the direct responsibility of the CEO. The stakes in some cases are high, which makes it a critical component of company management.

— What are the benefits?

Our experience enables us to identify a dozen or so areas of intervention that will have a direct impact on the company’s performance. More generally, they fall into three main categories: establishing an appropriate response in the event of a crisis, optimising vital processes, and ensuring compliance with the company’s business regulations. Ultimately, the exercise makes it possible to optimise costs by adapting the responses appropriately. Even better, clients can verify the resilience of their service providers by demanding ISO 22301 certification, making it a competitive advantage and a qualitative criterion of choice.

— How would you define the ISO 22301 standard, the central element of resilience?

The ISO 22301 standard was updated at the end of 2019. In simple terms it addresses the ability of an organisation to continue to deliver its goods/services with a predefined acceptable level based on listening to weak signals. The BCP therefore includes risk analysis to deal with various scenarii: IT problems, employee absence, building unavailability, disruption of critical suppliers, a pandemic, and so on. The goal of the BCP is to plan so that company activities can be maintained in a downgraded mode before returning to normal.

— Can you give us a few tips to initiate this resilience approach?

Overall, the approach is based on six steps defined by the ISO 22301 standard, all of which enable us to define the BCMS (Business Continuity Management System) adapted to the company. We optimise the approach by customising it based on the company’s level of maturity and its activity. To do so, we designed a quick assessment tool. There are 6 levels of good practice related to the standard: Emergency Responsibility (ensuring personal safety), Disruption Recovery Plan (retreating to a secondary site), Business Recovery Plan (ensuring the continuity of critical activities and internal and external communication), Crisis Management Plan (managing priorities according to the crisis), Risk Mitigation Plan (mapping risks in order to avoid or minimise them), and Restoration Plan (returning to normal activities at the company’s primary site).

— What recommendations would you make to companies further to the COVID-19 crisis?

The BCP acts as a shock absorber, enabling the company to take resist without breaking, with better security and more peace-of-mind for the CEO, and above all it should foster quicker exit from the crisis. This being said, we also have the capacity for rapid intervention. Over the last few weeks our consultants have supported several companies in the definition and adaptation of their plans, and we are already working on the scenarii for making it possible to emerge from the crisis. My recommendation will be to draw on the lessons learned from the crisis and use them to create a “BCP 2.0”. Our diagnosis is free.

NEED TO LEARN MORE? Download our whitepaper “Cyber-Resilience towards Cyber-Reliance”
CYBER-RESILIENCE

CYBER-RESILIENCE IN YOUR ORGANISATION
Ensuring the continuity of your business

— KEY POINTS OF CYBER-RESILIENCE:

01 Knowledge and compliance with the regulatory framework: GDPR, NIS, supervisory authorities (finance, insurance, transport, health, etc.)

02 Adopting international standards for risk management and business resilience: ISO 31000, ISO 27001, ISO 27018, ISO 27032, ISO 22301, ISO 22316

03 Adopting and/or requiring service providers to use appropriate security and continuity levels based on certifications such as: Data Centers, PCI DSS, HDS (Health Data Host), ISO 27001, ISO 22301

04 Designing or transforming existing infrastructures by adopting an approach based on ensuring “Security and privacy by design”: Proxy, Firewall, Anti-Virus, Anti-DDoS, Mail Security, Sandboxing, IPS/IDS, WAF

05 Raising awareness, continuously training and informing all employees and stakeholders about Cyber-Resilience

06 Deciding on the company’s ability to deploy such resources, or opting for a partner to provide support in the implementation of Cyber-Resilience: audit, consulting, risk management, business continuity, certified Data Center, operational and integrated security management (SOC/CERT), IT infrastructure management, certification programmes, etc.
— CYBER-RESILIENCE LIFECYCLE —

Continuous improvement

PREPARE
KEY PEOPLE: CEO, CISO, BCM, CRO, DPO
ACTIVITIES
• Business impact analysis
• Risk assessment
• Cyber-Resilience audit
• Compliance & standards
• Cyber-Resilience strategy
• Governance & policies
• Awareness & exercise

IDENTIFY
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES
• Gap analysis Business/IT
• Vulnerability assessment
• Penetration test
• Technology watch
• Vulnerability watch

PROTECT
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES
• Risk mitigation
• Continuity management
• Security management
• High availability architecture
• Data centre availability
• Change management

DETECT
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES
• Log correlation
• Real-time alert
• Incident management

ANALYSE
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES
• Threat analysis
• Prioritisation
• Operational crisis management

RESPOND
KEY PEOPLE: CEO, CISO, BCM, CRO, DPO
ACTIVITIES
• Decisional crisis management
• Crisis communication
• Containment
• Remediation
• Business continuity

RECOVER
KEY PEOPLE: CIO, CISO, BCM, CRO
ACTIVITIES
• Back to normal operations
• Forensics
• Continuous improvement
• Legal
• Communication

EBRC expertise: ADV: ADVISORY / CERT: COMPUTER EMERGENCY RESPONSE TEAM / MS: MANAGED SERVICES / SOC: SECURITY OPERATION CENTER
INNOVATION
Interview by Alain de Fooz, Solutions Numériques
KUBERNETES... MANAGED, ON DEMAND

Businesses will reap the rewards of KaaS – Kubernetes-as-a-Service – the latest innovation from EBRC. This highly innovative solution gives developers added flexibility, while also being good value and highly secure.
Organisations working online now have no option but to adapt and innovate rapidly. Competition to gain and retain customers will continue to grow. To meet these business needs, technologies related to DevOps methodologies have emerged, notably cloud native tools such as Kubernetes. These tools supply the required automation and agility to the development teams so that they can continuously manage, adapt, test and boost the performance of their applications; and so meet the needs of Sales and Marketing teams, as well as those of the Security teams. Companies are then freed from the limitations of legacy development methodologies. There is no longer a need to plan months in advance for relatively rare deployments. Upgrades are easy and can be carried out at any stage in order to securely support business development. Easy deployments at a lower cost: this is the key advantage of Kubernetes-as-a-Service. “We help our clients achieve their development goals more quickly,” explained Yuri Colombi, Head of Solutions & Innovation at EBRC.

— FOCUS ON BUSINESS NEEDS IN A CHANGING WORLD

“The only thing that is constant is change,” noted the ancient Greek philosopher Heraclitus of Ephesus 2,500 years ago. This time-honoured wisdom underlines the continual need for innovation by online service providers seeking to attract and retain clients. No longer can new applications take 18 months to plan and implement. They have to improve continuously in order to offer new functionalities, to upgrade the interface, to fix bugs and patch security flaws. Kubernetes accelerates each stage of development and delivery by supplying the configuration tools to meet the best practice. Thus developers can work with shorter, less restrictive delivery schedules which give the upgrades that clients consider useful. “Businesses which constantly review customer behaviour can thus quickly react and match the offering with the demand,” explained Gérard Miceli, Innovation Consultant at EBRC. Freed from various constraints related to application deployment, testing, and synchronisation with the production teams, efforts can be focused on delivering the business functionality operational teams need and expect.

— MORE EFFICIENT, COST-EFFECTIVE RESOURCES

Therefore, rather than waiting weeks or even months to get the physical or cloud infrastructure required for the application, developers can benefit from quick access to these environments on a self-service basis.

The beauty of KaaS is that it is “agnostic” about the used cloud platform. Applications do not need to be modified, regardless of whether the KaaS is deployed on-premises or through the cloud. They can quickly grow without having to be defined again or having to rebuild the infrastructure for each new project. “Regardless of the underlying infrastructure, KaaS offers a management environment focused on the container. It orchestrates resources (computing, network, storage) for user workloads, while maintaining the portability between different infrastructure providers,” Gérard Miceli added.

This also leads to an increase in speed which frees resources. Large parts of the application portfolio can be upgraded even more quickly and at a lower cost; thus fostering business innovation by allowing key services to be presented in the form of application components.

— “AS-A-SERVICE” IS AN ADDED DIMENSION

Nevertheless, this flexibility comes with its own challenges. The open-source Kubernetes community continues to develop and refine available tools and systems. Therefore, many DevOps teams have to be creative in order to get more rationalised, automated processes which are able to meet new deployment needs. That is why, the teams need Kubernetes “as-a-service”.

EBRC deploys, hosts and maintains every required asset for KaaS to work efficiently. Thanks to EBRC, companies can forget about the support-related constraints usually encountered with this kind of platform. This enables developers to focus on innovation and added value.

“Large-scaled management of these systems, as well as ensuring timely updates of modules linked to Docker and Kubernetes can add a substantial workload, unless comprehensive external support is provided,” Yuri Colombi noted. “Hence the advantage of working in managed mode, which can be seen as an holistic approach to the management of containerised work requirements.” This is where EBRC’s expertise in operational management is valuable, where these needs can be met through Kubernetes as-a-Service. Actually, EBRC installs, runs and manages the solution, while ensuring an SLA of some 99.9% available 24/7. Consulting services - in particular regarding best practices around Kubernetes - are also delivered by EBRC. All day-to-day tasks can thus be handled without downtime, be they security updates, bug fixes and more.

— THE DATA ARE HOUSED IN EUROPE, IN LUXEMBOURG

Based on the certified CNCF (Cloud Native Computing Foundation) Kubernetes distribution methods, Kubernetes-as-a-Service is a managed DevOps platform. This features hybrid cloud architecture, with on premise capacity and control infrastructure located in Tier IV certified Data Centers in Luxembourg. Data is therefore always stored in Luxembourg, thus setting it apart from public cloud solutions. “The client can choose a service managed fully on the premises, or in a private cloud, or on the public cloud. All options are open to them,” said Gérard Miceli. “The operation mode is the same: no CAPEX, only OPEX. Once Kubernetes-as-a-Service is deployed, developers no longer have to worry about the infrastructure and underlying configuration. Applications have multi-cloud portability on public and private clouds.”

— ACCELERATE YOUR GROWTH

“Kubernetes-as-a-Service enables DevOps teams to offer clients the autonomy they need to manage their CI/CD pipelines without any restriction. The managed mode, based on the EBRC platform, enables them to focus on the work that is most important to them,” said Yuri Colombi. “Clients concentrate on their business and their innovation, while EBRC ensures that the KaaS platform is available and up-to-date.”
SURVEY
ON THE USE OF THE CLOUD IN LUXEMBOURG
— 1. Cloud adoption in Luxembourg 2020
Penetration rate in corporate IT
- Current: 32%
- Short-term: 45-50%
32% of corporate IT is already operated in the Cloud, and that number should rapidly increase to 50%
Cloud market penetration rate
- 70% are using the cloud
- 25% are planning to use the cloud
- 5% are not using the cloud
95% are using or planning to use the cloud
Ranking of private or public platforms most used by companies (3 possible answers per respondent)
Microsoft Azure is ahead of VMware, AWS and Google Cloud in the ranking of most-used platforms
A subject that CEOs consider of strategic importance
CEOs are strongly involved in decisions relating to the cloud
— 2. Motivations for implementing a Cloud project
Main objectives (legend: Very important, Important)
- Flexibility: 95% (71% + 24%)
- Mobility strategy: 86% (64% + 22%)
- Cost reduction: 80% (16% + 64%)
Companies are setting the objectives of flexibility, mobility and cost reduction in their projects
Evaluation of the achievement of the objectives of flexibility, mobility and cost reduction (legend: Satisfied, Exceeds expectations)
- Flexibility: 71% (65.71% + 5.71%)
- Mobility strategy: 77% (68.57% + 8.57%)
- Cost reduction: 51% (42.86% + 8.57%)
Companies claim to be very satisfied mainly as regards flexibility and mobility strategy; however, their opinion is more nuanced as regards cost reduction
— 3. Feedback
A rather high median satisfaction rate at 67.5% (answers: satisfied or exceeded their expectations)
- mobility strategy 77.2%
- high availability 77%
- flexibility 72%
- data security 60%
- cost reduction 51%
Performance, the easiest criterion to measure
60% of companies claim that it is easy to demonstrate performance gains in a cloud project
Nevertheless
85% of companies claim that it is difficult or complex to
- make the architecture secure
- comply with regulatory requirements
— 4. CSP (Cloud Service Provider) selection criteria
Certifications
55% of companies believe that the ISO 27001, ISO 22301 and ISO 27018 standards are decisive in the choice of their CSP; this percentage increases between 70 and 90% if the stakeholders who consider them to be “of average importance” are taken into account
Certified and national Data Center
Around 55% of companies consider that the Data Center’s Tier IV certification and its location in Luxembourg are very important criteria when choosing a public cloud
Other criteria
60% of companies consider it decisive to get assurance with regard to:
- no contractual lock-in
- the CSP’s reputation
Risk analysis
66% of companies conduct a risk analysis before carrying out a project
— 5. Current trends and developments
DevOps
40-45% of companies have adopted agile development methods and containerisation, while 20% are considering adopting them
Hybrid cloud
50% of companies use a hybrid cloud architecture
— 6. Main obstacles to the deployment of the hybrid cloud
Skills shortage
- 44% believe that there is a skills shortage internally
- 30% have noted a skills shortage in their IT service provider
Complexity
40% of companies believe that the hybrid cloud remains complex to master
— 7. For or against a sovereign cloud?
90% of companies desire a sovereign cloud, because they believe that it is
- a necessity for Europe (55%)
- a desirable alternative to be offered to companies (25%)
- an indispensable change to guarantee data protection (10%)
Summary
• Strong take-up of the cloud in companies and organisations in Luxembourg, in particular for MS-Azure which is ahead of VMware, AWS and Google Cloud
• Cost reduction (80%), flexibility (95%) and the implementation of a mobility strategy (86%) are the real motivations for migration
• Improvements in terms of flexibility, performance, high availability and mobility are demonstrable
• However, the satisfaction expressed is more nuanced, particularly as regards costs, security and regulatory compliance
• The cloud service providers’ contracts and price offers remain difficult to interpret and compare
• Private cloud offerings are more reassuring than public cloud offerings
• A (temporary?) skills shortage hinders the development and deployment of professional cloud applications
• A European public cloud (sovereign and respectful of privacy) and a prior analysis of risks are prerequisites for more widespread adoption
This survey was conducted by EBRC and Farvest IT One, in Luxembourg between April and May 2020 with the involvement of 65 corporate decision-makers.
STRATEGY
Interview by Alexandre Keilmann, Farvest
EBRC’S STRATEGY REVOLVES AROUND SECURE DATA CENTERS AND
AVAILABLE INFORMATION
We recently met Bruno Fery (Head of Data Center Services, EBRC). The seasoned expert tells us more about the evolution of Data Centers and describes the uniqueness of EBRC and the services it provides all over the world. He also shares his thoughts on the future of Data Centers, notably discussing CSR and the sustainability best practices advocated by EBRC.
— A STRATEGIC PARTNER, LOCATED IN THE HEART OF EUROPE
EBRC is an historical player in the field of Data Centers in Europe and was actually one of the first IT companies in the world to own and run three Data Centers that are Tier IV certified by Uptime Institute. “Our three Tier IV Data Centers, combined with our multiple international certifications and innovative services, are what makes EBRC unique in the ICT landscape,” explains Bruno Fery. Tier IV certification ensures an availability of 99.995%, which represents less than 26 cumulative minutes of downtime per year: the Data Centers operated by EBRC have actually never experienced an interruption of service since 2000, that means 100% availability. Moreover, and thanks to its ISO certifications, HDS (Health Data Host), PCI DSS (Payment Certification), and more, the company located in Luxembourg has become the strategic partner for the companies operating critical transactions or sensitive information in the health sector, the world of finance, and in several other industries.
Through its ISO certifications, EBRC ensures quality management (ISO 9001), it also manages the immediate and long-term environmental impacts of its products, services and processes (ISO 14001), and follows management processes to deliver more efficient IT services (ISO 20000). EBRC also specialises in Cyber-Resilience, through ISO 22301 (business continuity) and has ISO 27001 certification (information security). Moreover, it is the proud holder of ISO 50001, dealing with energy management and efficiency. “All those certifications allow us to answer the needs of our clients, whether it concerns business continuity, the security of their environment and of course, sustainability. As a matter of fact, sustainability is one of EBRC’s main “EARTH” values: Excellence, Agility, Responsibility, Trust, Human. Our clients clearly benefit from our commitment to protect the environment through efficient energy management and to reduce the carbon footprint,” underlines the Head of Data Center Services. Such certifications add more value to the services provided by EBRC, with a coherent structure and yearly audits conducted by external companies. “Combined with our human capital, these certifications allow us to manage sensitive data and information, with the highest availability, integrity and confidentiality,” adds Bruno Fery.
Over the years, EBRC was able to position itself as a strategic partner, working hand in hand with international players with the highest requirements and needs in terms of availability and business continuity. “In recent years, clients have been requesting flexible services such as a hybrid cloud and managed services, which are now provided by EBRC and add significant value to our global offering. The combination of these services with our Data Center expertise and knowledge gives EBRC a competitive advantage with a wider portfolio,” comments the Head of Data Center. In the last few months, the concept of resilience has been widely used: EBRC has been promoting it for almost 20 years, making “resilience” and “Cyber-Resilience” two of the main components of its DNA. As the digital economy keeps on growing and developing, the quality and availability of infrastructure remain all the more important. By covering services from Data Centers to various cloud offerings, including the hybrid cloud and by providing a full range of advisory services, EBRC has often demonstrated its significant value across the entire digital value chain, eventually helping its clients improve their services and products. Lately, EBRC has been involved in the France and Germany-powered Gaia-X project, which aims at developing common requirements for European data infrastructure.
Bruno Fery also underlines the fact that Luxembourg has the highest concentration of Tier IV Data Centers worldwide. He notes, “the Grand-Duchy is strategically located in the heart of Europe, with an optical fibre connection linking it with major European cities, allowing the development of cross-border activities, low latency connectivity, etc”. The regulatory environment allows the development of companies and activities in a demanding yet safe environment. Besides, an educated pool of talent, with unique expertise and multilingual skills, is available in Luxembourg.
— A TEAM OF SEASONED AND CERTIFIED EXPERTS
“For the last 10-12 years, the management of Data Centers and its related activities has evolved considerably. Back then, we used to talk mainly about facility management when today it refers to actual operational management of Data Centers”, adds Bruno Fery describing EBRC’s Data Center experts. Team members are in a constant process of developing their skills, and retraining when necessary, with most of them today being the proud holders of individual accreditations and certifications. Bruno notes that: “this certification strategy started back in 2010 and our Data Center services department currently counts four Tier designers and two certified experts in the management of operations, processes and service providers”. Others are certified by CNet (Data Centers Design Professional, Data Centers Energy Professional) or TIA 942, with all team members taking ITIL training classes to deal with incidents, changes and in order to be able to communicate efficiently with the clients.
Each year, competencies are measured and evaluated through a personal development plan, combining the experts’ wishes and the needs of the Data Center department within EBRC. “A training programme is then defined: we advocate training and development, whether it concerns hard or soft skills. Certifications bring additional value, especially when it comes to our advisory services offer,” comments Bruno Fery.
— SUSTAINABILITY AT THE CENTRE OF THE GLOBAL STRATEGY OF EBRC
As explained earlier, CSR is a key element of overall EBRC strategy. Back in 2010, also, it was one of the first companies in Luxembourg to obtain the “CSR label” delivered by INDR (National institute for the sustainable development and CSR), and participates in the POST Group annual report, which combines financial and non-financial results. “Through these actions, and notably when it comes to our Data Centers, our main concern is the protection of the environment and we are therefore constantly working on improving power and energy management”, underlines Bruno Fery. He continues: “We work on a daily basis on such topics and are regularly audited. We decided to implement the latest – and most efficient – technologies, have a Kyoto cooling system, etc. It falls within our constant improvement processes”.
The company founded in 2000 is also a founding member of and member of the board of EUDCA – European Data Centre Association. Bruno Fery takes part in the technical committee, which notably focuses on the newest European registrations and objectives towards 2030 and 2050. He adds: “in 30 years, we have the aim of achieving carbon neutrality, which means having a balance between emitting carbon and absorbing carbon from the atmosphere in carbon sinks. It is one of the main initiatives in order to limit global warming to 1.5 degrees Celsius”. “In this respect, we are leading a discussion around the future of Data Centers: how to design them? How to operate them? Which standards are required? What about ISO certifications?” he asks. Many industry players get together to define what and how future Data Centers could be in the next years: “several players discuss, exchange and explore the Data Centers of the future. Even though they are competitors, they all work together towards a common goal which is reducing the global footprint and therefore protecting the environment”.
EBRC is actually engaged in several other local and international initiatives aiming at lowering the carbon footprint and at improving energy efficiency. It participates notably in a project led by FEDIL and the Ministry of the Environment in Luxembourg, which targets a decrease by 14% of the carbon footprint, between 2010 and 2020. At the European level, EBRC actively participates in the Code of Conduct Europe initiative, and therefore produces an annual report, with a focus on results obtained and actions taken.
Through its global approach – putting sustainability, resilience, security and availability at the centre – EBRC has developed into a strategic partner for companies looking for flexibility, agility and innovation in terms of digital solutions. Ranging from Data Center services and multiple cloud offers to awarded managed services, cybersecurity and the brand new “Trusted IT Services on Demand”, the company which “specialises in the management and protection of sensitive information” provides its clients with the most efficient solutions while working constantly on lowering its carbon footprint.
Bruno Fery, Head of Data Center Services - EBRC
PARTNERS PROGRAMME
Interview by Stéphane Etienne, Hypallages
EBRC AND THE UNIVERSITY OF STRASBOURG:
A WINNING PARTNERSHIP
High service availability, 120 computer racks that can accommodate up to 5,000 servers, a usable surface area of 450 m²: the Data Center of the University of Strasbourg is the result of an ambitious project initiated in 2013. This state-of-the-art infrastructure, which has been operational since November 2019, aims at providing the university and its institutional and academic partners with a unique hosting facility for their IT equipment and data. The Real Estate Department and the Digital Department called upon EBRC to design and build this highly technical space. Romaric David, Head of the Data Center at the University of Strasbourg, describes the background of this successful partnership.
— A PARTNERSHIP FORGED FROM THE OUTSET OF THE PROJECT
“Given that this was a large-scale project and that it will likely remain the only one of its kind, the University of Strasbourg wanted to get the best help possible and enlisted the advice of a Data Center expert. We needed a partner with both certifications and concrete references who could provide us with practical feedback. For a project to be successful, you have to pay attention to a thousand details and we did not have enough experience in this area. EBRC immediately impressed us with the professionalism of its teams and its multiple certifications. In particular, it is the only company in the world to have three Tier IV Data Centers certified by Uptime Institute. For us, this was undoubtedly a guarantee of quality.”
“EBRC has virtually been involved in the project from the outset. The project was carried out in two phases. During the construction phase, the company provided support to the Real Estate Department in the capacity of assistant to the project owner. Practically, EBRC helped design and implement the project. It then took part in the building development phase, which was led by the Digital Department. Its methodology and its stringent requirements enabled us to check that all the functionalities provided for in the specifications were present and in perfect working order.”
— A SECURE, REDUNDANT, POWERFUL AND GREEN DATA CENTER
“After six years of intensive work, we are more than satisfied with the result. Although not officially certified, our Data Center meets the highest international standards in terms of security, redundancy and resilience. Access control is fully secured and all equipment is duplicated as set out in Uptime Institute’s Tier III level requirements, ensuring less than 1.6 hours of downtime per year. In addition to its enormous hosting capacity, our Data Center stands out as having an above-average electrical density. It is powered by two transformer stations that are entirely independent of each other. It has a power of 1.2 megawatts, i.e. an average of 10 kW per computer bay with a peak of up to 25-30 kW for some of them. Our research units within the university thus have the necessary capacity for a high-performance computing centre (HPC), which is particularly energy-intensive. This electrical system, supplemented by very high-efficiency inverters and two generators that are immediately operational when needed, was indispensable.”
“More value added by the project is its emphasis on eco-responsibility. Our Data Center is one of the most energy-efficient in France, with a PUE (Power Usage Effectiveness) of 1.25. The European Commission has also certified that our Data Center meets the criteria of the Code of Conduct for Energy Efficiency, meeting 190 of the 200 criteria, earning it a European Code of Conduct Award in 2019.”
“This award was obtained thanks to the dual innovation of hot and cold air flow containment for the racks in the computer rooms, combined with geothermal energy used for heat exchanges. To achieve this, two wells were drilled in order to capture water from the water table below the building, which is then used to cool the Data Center. The heat produced by the IT equipment is recovered by a heat pump and is used to heat part of the campus, thus optimising energy use and reducing the carbon footprint.”
— IN THE END, A TOTAL SUCCESS
“Today, after only a few months of operation, we are already reaping the benefits. Our site will soon become one of the regional Data Centers for higher education and research that are in the process of receiving certification. We receive many requests for hosting, not only from the teaching and research world, which is our main target audience, but also from teaching hospitals, engineering schools in Alsace and the private sector. The interest garnered from the private sector is the best proof that our Data Center is ultimately a success story, particularly as a result of our partnership with EBRC.”
Photo credit: University of Strasbourg
PARTNERS PROGRAMME
Christophe Bourbier CEO - Limonetik Photo credit: Limonetik
Interview by Stéphane Etienne, Hypallages
LIMONETIK, A REFERENCE IN THE WORLD OF DIGITAL PAYMENTS
The payment industry has undergone profound changes in recent years. Online services using instantaneous and international electronic transactions have widely contributed to its development. Cash payments are gradually giving way to a multitude of virtual payment methods. However, as the payment experience becomes simpler and more integrated for customers, the back-office verification and management tasks become increasingly complex. The French company Limonetik has made this its speciality and now simplifies payment services processes in a rational way. We spoke to its co-founder and CEO, Christophe Bourbier, an EBRC customer since 2012.
— In your opinion, what are the main challenges facing the payment industry?
This industry has become considerably more international and complex. I will give you a simple example to illustrate my point. Let’s imagine a Chinese tourist buying a luxury bag from a major Parisian retailer and paying for it with her e-wallet. The transaction is a perfectly simple one for the customer. All she has to do is display the QR code on her smartphone and have it scanned by the cashier. Behind the scenes, however, the transaction is a little more difficult to manage. The money will be transferred from a Chinese account to the store’s account in Paris, and charges will be levied by the mobile payment company.
Today, more than 30% of mobile transactions are cross-border transactions. Contrary to what one might think, bank cards no longer have a monopoly. Around three quarters of online transactions are now carried out using alternative payment methods such as AliPay, WeChat Pay, Apple Pay or Google Pay, to name just the best known. In total, there are more than 300 different payment methods worldwide. Therefore, both trends - cross-border payments and the increasing number of payment methods - will intensify in the coming years.
This development affects all stakeholders in the value chain: Payment Service Providers (PSPs), merchants, marketplaces, purchasers, airlines and the tourism industry. They are, and will increasingly be required to, manage money flows from all over the world almost instantaneously using a variety of payment methods, each with its own business rules. In short, a real headache!
— WHAT SOLUTION DO YOU OFFER TO MEET THIS GROWING COMPLEXITY?
We are one of the few payment platforms to offer a full-service solution on demand. We offer access to 185 - soon to be 250 - payment methods around the world, whether in India, the United States, South Africa or Europe. Through a single API, we offer advanced services ranging from simple processing, fund collection and the reconciliation of financial transactions through currency conversion, detailed transaction reporting, distribution of payments from an unlimited number of vendors and commission calculation. We also check the identities of all involved parties and ensure compliance with relevant regulations. In short, we ensure that international payments are child’s play for all our customers and partners. Thanks to this positioning, one of the most disruptive in the payments market, we have been able to enter into major contracts with the largest international PSPs and BtoB marketplaces. The transactions we manage grew by almost 70% per year over the last three years.
— EBRC has been your partner for more than 8 years. What attracted you to EBRC and why do you continue to trust it?
Beyond the exceptional quality of EBRC’s infrastructure, it is the expertise of the people with whom we immediately found common ground. They were direct, offered practical solutions and were proactive. They reassured us and were able to provide us with support with difficult choices or negotiations. The fact that they work with many financial institutions and are PCI DSS (Payment Card Industry Data Security Standard) certified was also a decisive argument for us.
Over time, our partnership solidified and even expanded as a result of our desire, in 2018, to implement an ambitious CSR policy within our company. We were pleasantly surprised to find that EBRC was 100% compliant with our environmental specifications. EBRC powers its five Data Centers using entirely green energy, from wind or hydraulic power plants, and has invested heavily in energy optimisation solutions (Kyoto wheels, heat pumps, free cooling, cold corridors, etc.) which reduce energy consumption and enable the company to save more than 10,000 tonnes of CO2 per year.
Finally, what also reinforces our decision to continue working with them is their impressive production and storage capacity. Our transaction volumes have grown exponentially in recent years and all our data is hosted with them. Today, we have 1.5 billion Euros in transactions per year and we expect to reach 2 billion Euros by the end of this year. We have become a major customer for EBRC and we hope to become even more so in the future. For us, that would be the best proof of our success!
PARTNERS PROGRAMME
Jacques Pütz CEO - LUXHUB Yves Reding CEO - EBRC
Interview by Juliette Paoli, Solutions Numériques
OPEN BANKING LUXHUB:
FROM PSD2 TO THE FINANCIAL SERVICES MARKETPLACE
The LuxHub start-up offers services which help banks and other electronic payment services to comply with the requirements of the EU Payment Services Directive, aka PSD2, as well as solutions to connect banking institutions and FinTechs via secure APIs.
LUXHUB was created as a result of a joint initiative by four major Luxembourg-based banks (BCEE, BGL BNP Paribas, BANQUE RAIFFEISEN and POST Luxembourg) which joined forces to meet a new regulatory obligation, the European Payment Services Directive, better known as PSD2.
It should be recalled that PSD2 is notably based on a major goal: secure communication between banks and Third Party Providers (TPPs) comprised of account aggregators and payment initiators. Banks have had to find a way to set up a system for sharing the information they hold about customers’ payment data with TPPs in a secure manner. “In this context, banks have the same legal obligation to provide technical interfaces that allow third parties to connect to the end customer with their consent. Banks have thus become service providers, a profession which is not their own and which they have not mastered”, explained Jacques Pütz, CEO of LuxHub. They have to deal with a heavy IT legacy and slow strategy implementation.
— SIMPLIFIED COMPLIANCE
Created in 2018, this start-up succeeded “in record time”, (less than 12 months) in making available to the financial and digital ecosystem a “by design secure” platform it developed to help banks - not just the 4 that created it - and electronic money institutions comply with the requirements of these new regulations. “We are opening this platform to other entities to help them achieve compliance.” The start-up is now active in 10 countries and works for 38 banks. Its first asset is obvious, summed up in this sentence from its director: “We understand our customers”. Its second asset is no less obvious: “We are audited, highly secure and monitored by regulators.”
The platform is, in fact, obviously not exposed in the Public Cloud, but is hosted by Luxembourg-based European IT services operator EBRC in its Trusted Cloud Europe. The choice of EBRC is justified “because it is a Tier IV” and offers “a highly secure environment”.
— A SINGLE API AND A MARKETPLACE
Although the LUXHUB start-up offers services helping banks and other electronic payment services comply with the PSD2 requirements, it also offers solutions to connect banking institutions and Fintechs via secure APIs. “We have new value-added services around this platform”, explained the CEO. LUXHUB One is an integration layer providing access to any bank via a single API, whereas the bank interfaces are completely heterogeneous and lack any form of standardisation. Credit institutions and third parties can thus bundle large numbers of payment accounts via this standardised API.
LUXHUB will also launch its own marketplace, a kind of “Amazon for financial services”, by reusing the platform it set up. “The banker can connect and use the services of different providers”. Banks will be able to consult a catalogue of FinTech and RegTech companies and test their services. The key advantage is a single point of connection and standard security. The LUXHUB Marketplace thus aims at becoming a one-stop API shop for the European financial ecosystem.
Moreover, LUXHUB organises “Open Banking Parties” linking banks and third-party providers. Two events already took place in Luxembourg, and the start-up plans to replicate the experience in Paris soon.
— A START-UP HONOURED WITH TWO AWARDS
In June 2019, LUXHUB was ranked the second largest open banking hub in Europe according to Innopay, at the annual conference of the Euro Banking Association. In September, it joined the list of the RegTech 100, a worldwide ranking of the 100 most innovative RegTechs. This is great recognition for a start-up with 24 employees, comprising 11 different nationalities, and whose average age of 41 reveals all the experience available on-hand. The company has 38 customers and manages 2.5 million accounts. It has a presence in 10 European countries.
— MANAGING GROWTH
Its biggest challenge today is to manage its growth efficiently, according to CEO Jacques Pütz. Growth in Europe benefits from PSD2, a regulation which is proving to be a driver of growth despite the constraints it imposes. One thing is certain: founded by four banks, “LUXHUB will not be sold to the first one who puts money on the table,” which makes it very different from other FinTechs.
— EBRC, GUARANTEES OF SECURITY AND RESILIENCE
“When it came to setting up the infrastructure on which to develop our activities, we chose EBRC,” said Claude Meurisse, COO of LUXHUB. “We made this choice for a variety of reasons, in particular because of EBRC’s location in Luxembourg. This means it meets the local data hosting requirements of certain customers, such as private banks, but also for the guarantees of security and resilience offered by an FSP specialised in the management of sensitive information. Other factors also played a role, like the fact that the company has been active for many years, which is a guarantee of stability, and the numerous certifications held by EBRC”.
“I was particularly impressed by the organisation and structuring of the EBRC teams during the implementation of the project,” added Jacques Pütz, CEO of LUXHUB. “As with any project, ours was subject to deviations and changes,” he added, “but the EBRC consultants demonstrated a great deal of flexibility and a great ability to listen. Throughout the project, we were able to deliver on time”.
EBRC provides the ability to easily scale up. This scalability and agility enable LUXHUB to consider deploying new services, based in particular on EBRC’s Kubernetes-as-a-Service offering and the accompanying security tools. Security is a major component of LUXHUB’s products and services and the start-up can rely on EBRC and its DevSecOps approach which integrates security by design. The certifications that EBRC holds, ISO 27001 in particular, are also valuable assets for the company and its customers.
PARTNERS PROGRAMME
Eric Mouilleron Founder and CEO BANKABLE
Interview by Michaël Renotte, Youneek
BANKABLE RELIES ON EBRC FOR INTERNATIONAL DEVELOPMENT
Bankable, the British FinTech whose Banking-as-a-Service platform is hosted in EBRC’s Tier IV Data Centers, recently entered into a strategic partnership with the payments giant Visa. Eric Mouilleron, founder and CEO, explains the reasons for its success and reveals the company’s ambitions.
Bankable is a designer of innovative payment services and a supplier of Banking-as-a-Service (BaaS) solutions. Its account and payment card management platform is available as a white-label product or via APIs (Application Programming Interface). It enables any organisation, whether or not it is regulated (i.e. having its own banking license), to rapidly deploy payment solutions: current accounts, virtual accounts and e-wallets, virtual and physical cards, money transfer or cash management services.
“Bankable was founded in 2010. At the time, we were pioneers in what has since become Banking-as-a-Service”, said Eric Mouilleron. “In concrete terms, this means that we help financial institutions and others create digital banking activities. To this end, we rely on our clients’ IT systems and provide them with all the technology required to rapidly deploy their digital projects.”
— 500,000 CURRENT ACCOUNTS IN RECORD TIME
Bankable thus enabled MoneYou, a subsidiary of the Dutch banking giant ABN AMRO specialised in online savings, to provide current accounts to its 500,000 clients. The FinTech provided the bank with its capabilities in account creation and management, payment processing, and card issuance and management. “As a result, six months after we were awarded the contract, MoneYou was able to deploy its new service in two European markets”, said Bankable’s founder. “In the Netherlands, the bank was able to launch an account linked to a Maestro debit card. In Germany, a credit card was issued, as our platform is able to support various instruments.”
With MoneYou, Bankable opted to use existing IT systems, in accordance with its own technological approach based on compliance with legacy environments. “Accordingly, we created an agile technical layer to complement the existing banking engine, our platform then becoming the account management system, the main account from which the real-time customer experience was built”, said Eric Mouilleron. “Gradually, throughout the project, we updated the existing system to enable it to manage aspects such as regulation and accounting. However, the entire real-time customer experience well and truly relies on our platform and its processing, payment card management and digital banking capabilities.”
It is also the company’s policy to work closely with its clients. “Bankable is neither a licence provider nor a consulting firm”, said the company’s CEO. “We have developed a platform which we can configure to meet our clients’ specific needs. In this particular case, ABN AMRO’s teams developed the front-end of the solution, which enabled the bank to maintain control over aspects such as brand management and customer experience management.”
— STRICT STANDARDS
This dual approach enables Bankable’s clients to focus on the commercial aspects of their project, as the FinTech takes care of the creation, launch and management of the product. “Our ability to manage the product throughout its lifecycle is an important consideration for our clients in the banking sector”, said Eric Mouilleron. “We comply with very strict standards. Not only do we have SOC 2 certification, a banking standard, but we also have PCI DSS, a data security standard applicable to the payment card industry, and ISO 27001 certification. Very few stakeholders in the market hold all of those certifications”, he added. “Every year, we undergo penetration tests at the request of various banks. Our infrastructure and our applications are of strategic importance for those banks, since we process their clients’ critical data.”
— SERVING A GLOBAL CLIENT BASE FROM LUXEMBOURG
Bankable has the particularity of counting many banks among its clients, with the corollary that the company must comply with the highest standards of security and quality. “This also benefits our non-banking clients, essentially other FinTechs and large accounts, which can therefore take advantage of a proven architecture that is used 24/7 by financial institutions with high requirements”, said Eric Mouilleron. Bankable has developed a network of distributors for its platform. The distributors, which currently number 25, are banks and FinTechs which themselves have many clients. The only exceptions to this distribution method are a few very large companies active in the aviation or engineering sectors with which the company works directly.
“We serve many clients in Europe – in Germany, France, the Netherlands and the Scandinavian countries”, said Eric Mouilleron. “Some of our clients have global operations. We mainly work with those companies through Corporate Expenses programmes that must be deployable in all the countries in which they operate. As a result, we serve some of our clients in over 40 countries from our infrastructure in Luxembourg”, he explained.
— BANKABLE AND EBRC: A COMMON CULTURE OF EXCELLENCE
“When we opted for EBRC to host our infrastructure, the decision was especially based on the special place that the Data Center industry occupies in the Luxembourg financial centre”, said Bankable’s CEO. “In addition to the priority placed by government authorities on cutting-edge infrastructures and connectivity solutions, we have found in EBRC a partner able to meet our clients’ requirements. We have developed a perfect understanding with the EBRC teams, with which we share a culture of excellence and which are also able to meet all of our technical constraints. EBRC’s Tier IV Data Centers and their many certifications guarantee excellent quality of service combined with the highest levels of security and availability.”
“In addition, the very nature of EBRC’s shareholding structure, and the fact that the company is indirectly and wholly owned by the state, is a guarantee of stability and sustainability for us and for our clients. Finally, although Bankable is an English company, it must be kept in mind that 85% of our income comes from international business. As a result of being hosted in Luxembourg, we enjoy a de facto Brexit-proof infrastructure”, he said wryly.
— A POWERFUL CATALYST FOR INTERNATIONAL DEVELOPMENT
In April 2019, Bankable received investment from and entered into a global partnership with Visa. This partnership will enable the members of the Visa network around the world to access the Bankable platform and to deploy digital banking and real-time payment services.
“Our common strategy involves relying on the 21,000 members of the Visa network to promote innovation in those banks”, said the founder of Bankable. “Most of them use legacy architecture. Our platform enables them to launch new products in record time while preserving existing IT assets. We have already opened two subsidiaries on other continents, one in Dubai and the other in New York, to bring us closer to Visa’s customers and to enable us to better serve them.”
— A STRONG PARTNER
“Our ambition is to serve ever larger international clients in more and more countries through single contracts, using our unique ecosystem of turnkey solutions”, said Eric Mouilleron. “It is therefore crucial for us to have been able to build a privileged relationship with a major stakeholder in the financial industry such as Visa. However, it is equally crucial to be able to rely on a strong technology partner that is able to support this growth. And that partner is EBRC.”
THE ADVANTAGES OF DEVOPS WITHIN A TRUSTED CLOUD
Georges Berscheid, CTO - Finologee
Interview by Sébastien Lambotte, T2U
With its Trusted Cloud Europe, EBRC is able to offer innovative services to support the digital transformation journeys of its clients. Its Kubernetes as a Service (KaaS) solution makes it possible to automate process development and application implementation, thus enabling clients to gain flexibility by implementing continual deployment processes.
Organisations making extensive use of digital tools have to continuously boost their adaptative capacity: a necessity to meet client demands but also to face increasingly tough competitive pressure. Service offerings should continuously evolve to meet these challenges. Time-to-market has to be cut to a minimum, as each new functionality is rolled out. “To achieve this, our clients seek to automate operational processes linked to the development, deployment and use of IT applications,” explains Yuri Colombi, Head of Solutions & Innovation at EBRC. “We want to support our clients in their process of adopting a DevOps approach, using our Trusted Cloud Europe platform hosted in Luxembourg.”
— A CONTAINERISATION PLATFORM FOR GREATER AGILITY
With this in mind, EBRC has implemented its new Kubernetes-as-a-Service offering. This is a unique containerisation platform, hosted and managed from EBRC infrastructure in Luxembourg. It enables organisations to manage their applications from their development to the go-live, all within EBRC’s secure environment. No call to the IT resource manager is required. “Our teams have been working on this service since 2017, with the goal of meeting the needs of Luxembourg’s financial players, energy companies, health services providers and more,” adds Yuri Colombi. “Many of these activities are highly regulated and should meet the highest levels of data security, as well as unique market challenges. In this framework, local data hosting is usually a vital component.” EBRC was therefore keen to give these clients maximum flexibility, while enabling them to meet supervisory requirements easily. “Thus, we give our clients a single locally-based managed platform to deploy applications with speed and flexibility, without them having to worry about the underlying infrastructure. Either with an on-premise solution (in EBRC’s Data Centers) or on hyper clouds such as Microsoft Azure or AWS,” says Yuri Colombi.
— GUARANTEED TRANSPARENCY AND SECURITY
The platform is based on open-source technology, a de facto standard, thus guaranteeing the highest level of transparency for all users. It also gives real independence in the management and deployment of the application environment. “We work to make our clients as autonomous as possible,” says Yuri Colombi. “We ensure that the platform is available at any time, enabling the client to use it as they wish. As part of this on-going work, we ensure it incorporates the latest developments by Kubernetes and its associated eco-system. For example, we are working on a new service which will automatically check each deployed container before it goes into production, thus ensuring there are no vulnerabilities,” explains EBRC’s Head of Solutions & Innovation. “This creates real added value, based on our security and business continuity expertise, without creating additional burdens on the client’s deployment process. In addition, throughout the platform, the user has access to numerous indicators related to the availability, performance and use of the various applications.”
— FINOLOGEE: NOW IN FULL AUTONOMY
Finologee, a FinTech that enables financial sector players to move to open banking, was one of the first users of this platform. “To help us grow we equipped ourselves with an ecosystem of tools which automates many stages of our development as well as implementing numerous control functions. This encompasses everything from writing a new line of code to putting into production a new version of an application,” explains Georges Berscheid, the CTO of Finologee. “Using containerisation technology through Kubernetes allows us to develop quickly without making us dependent on a particular service provider.”
For Finologee – and especially for their clients – it was important for its solutions to be run from a Luxembourg-based, regulated Professionals of the Financial Sector (PFS) compliant environment. “EBRC’s hybrid platform is open to the public cloud, thus it enables us to develop and test our applications in that environment, while maintaining a hyper-secure production environment that complies with financial sector regulatory requirements. These are the key advantages of EBRC’s Trusted Cloud Europe,” explains Georges Berscheid. “As all of this operates in an integrated and transparent way, our containers can be quickly moved from a public model to private production via EBRC’s hybrid cloud service.”
I-HUB STRENGTHENS ITS SERVICE CONTINUITY WITH EBRC AND ACHIEVES ISO 22301 CERTIFICATION
Interview by Sébastien Lambotte, T2U
i-Hub worked with EBRC to achieve ISO 22301 certification for its Management System of Activity Continuity. By integrating this norm at the heart of its organisation, i-Hub, one of POST Luxembourg Group’s subsidiaries, strengthens its outsourced AML/KYC process management systems and is now in an even better position to meet its clients’ requirements.
Since 2017 i-Hub has developed innovative solutions that help financial sector businesses ensure their KYC (Know Your Customer) and AML/CTF (Anti-Money Laundering/Counter Terrorism Financing) compliance. This subsidiary of the POST Luxembourg group offers a unique service featuring the collection, verification, maintenance and storage of identity data and documents. i-Hub cuts the administrative burden by offering its clients and their partners secure access to a personal digital dossier including all necessary information. “We manage data and documents linked to the identities of our clients’ clients. It is essential that we can guarantee the highest level of security, integrity, availability and confidentiality,” commented José Correia, i-Hub’s Chief Administration Officer, CISO and Business Continuity Manager. “Since we were founded, we have continually invested in security, but also in operational continuity management, as we know these are essential to winning and maintaining our clients’ trust.”
— CONTINUITY: A TRUST VECTOR
Supervised by the financial sector regulator, the CSSF, i-Hub must meet demanding requirements. As regards business continuity, internal teams are able to rely on strong support from the management as they seek the highest standards. In February 2019, the firm decided to take the path towards achieving ISO 22301 certification. This “specifies the requirements to plan, implement, put to work, manage, revise, maintain and continuously improve a documented management system to protect against disruptive incidents, reduce their likelihood of occurring, to prepare, to react and to restore after an incident” (source ISO.org). “With this process we wanted to guarantee the sustainability of our activity, to preserve our reputation, and above all, to reinforce the trust our clients put in our services,” Mr Correia added. “We are developing structured solutions suitable for any potential crisis, and seeking every opportunity to ensure excellence and operational resilience.”
— REINFORCE CONTINUITY MANAGEMENT
To integrate ISO norms in the heart of its processes, i-Hub called on the expertise of EBRC’s continuity specialists. An early step was to lead a process audit, which demonstrated that best practices were already in place. These were then documented while the finishing touches were put to being compliant with ISO 22301. “Several months of work were required, particularly completing and formalising documentation, implementing new processes, and creating a system of continuity management which put us in line with best practices regarding continuous improvement and performance measurement,” Mr Correia added.
The i-Hub team supported by EBRC consultants worked with the staff to understand normal work processes and the approach to a range of related risks. “The business impact analysis (BIA) sessions and the risk analysis enabled us to map and evaluate the criticality of these activities and the related
From left to right: Christophe Ruppert, EBRC - Barbara Risse, EBRC - Quentin Mouzard, EBRC - José Correia, i-Hub
threats, to identify what resources are needed, to identify internal and external stakeholders, to define the interruption tolerance levels, and create a timetable for the resumption of activities,” commented Barbara Risse, an EBRC Business Continuity Management consultant. “From this we can create a coherent, effective continuity strategy including staff, buildings, public authorities, suppliers, applications, data, and telecommunications services,” noted Quentin Mouzard, also an EBRC Business Continuity Management consultant. From this came the business continuity plans, all documented and tailored for each activity. “The role of this document is to support department heads when they face a major incident such as the lack of availability of employees or buildings, the outage of a critical service or technology provided by third parties, a pandemic and so on. This is a detailed document that will be consulted in a crisis. First, it enables essential activities to resume, followed by a return to normal as soon as possible,” added Ms Risse.
— COVID-19 HAS BEEN A REAL-TIME TEST
The pandemic emerged in the middle of the external audit certification process, which enabled i-Hub and its staff to test the effectiveness of its recent business continuity management system. While many considered the pandemic as a major crisis, i-Hub and its partners saw an opportunity. They reacted quickly, and needed only minimal effort to document their plans (regarding continuity, crisis communication, IT continuity, and more) as well as the continuity policy and strategy required during this unique period. Henceforth the work was carried out remotely, as new modes of supervision were implemented to limit the virus spread. “A continuity management system must, above all, give the business the capabilities to react effectively as quickly as possible to all eventualities, enabling each team to contribute to the maintenance of activity,” explained Christophe Ruppert, a Senior Business Continuity Management consultant with EBRC. “It requires perfect understanding of the business, and effective management support to give the organisation a real culture of resilience to its core. A clear sense of commitment by everyone within i-Hub can be felt, from the management to every team, coupled with professional competence and a focus on business objectives,” Mr Ruppert added.
— TEAM WORK
An audit of all i-Hub’s activities by the accredited independent firm Bureau Veritas showed full compliance with ISO 22301. The overall document quality and the management system were highlighted by the auditor, who was incidentally leading its first remote audit. “Passing the certification is the culmination of substantial teamwork, featuring expertise and support from EBRC. Throughout the project, there was a positive spirit which enabled us to progress in a smooth, coordinated fashion,” Mr Correia noted.
“With ISO 22301 certification, we meet our clients’ demands for integrated, robust, proven solutions, and we satisfy our regulatory supervisor as well. This certification matches i-Hub’s philosophy perfectly in terms of reliability, and service quality, sustaining our clients’ activities.”
The Inuksuk represents the HEART of EBRC: Human, Excellence, Agility, Responsibility, Trust
Inuksuk
Inuk = human being
suk = substitute, acting on behalf of
Inuksuks are piles of stones which serve as a reference point (orientation = consulting), but also, a hiding place (store = Data Centre). They are closely associated with orientation and resilience; with survival in a hostile world. Their longevity is legendary, as well as their resistance to the elements. This symbol, our logo, ties in perfectly with the polar iconography, resilience, solidarity and orientation. It is a concept which stands out and is coherent with our company history.
www.ebrc.com