Shielded Data Processing in the Cloud

Using cloud services without running into trouble with the GDPR – the company Edgeless Systems makes it possible. Founder Dr. Felix Schuster reflects on the somewhat difficult entry into a new market.

Felix Schuster founded Edgeless Systems in 2020 during the first Corona Lockdown. Copyright: Michael Schwettmann

The company programs software for secure cloud computing. Copyright: Michael Schwettmann

The team currently consists of 15 employees. More are being sought. Copyright: Michael Schwettmann

The company is in the phase of optimising the product market fit. Copyright: Michael Schwettmann

It was just the two of them on a park bench – this is how Felix Schuster and Thomas Tendyck celebrated the launch of their company Edgeless Systems in the spring of 2020 during the coronavirus lockdown. A good two years later, they have a team of 15, high-profile customers and a prestigious company headquarters in Bochum. Still, the start was not always easy, as Felix Schuster recounts in an interview.

Mr. Schuster, you understand how to use cloud applications, for example in the USA, without coming into conflict with the General Data Protection Regulation (GDPR). What exactly do you offer your customers?
We programme software for secure cloud computing – the marketing term is confidential computing. The fundamental problem with cloud computing is that data is usually processed in plain text. This means that employees of cloud providers or authorities may be able to access it. As a result, companies from the EU can’t use these cloud services, which are mostly based in the USA.

We make sure that you can use the cloud like your own computer. The reason why this is possible is that, for almost ten years now, processor manufacturers have been building functions into the hardware that allow data to be processed in encrypted form. Prior to that, data could be encrypted during transport and on the hard disk, but had to be decrypted for processing. With our software, we ensure that the data remains encrypted at all times, and that this fact can be verified. The processor issues a certificate confirming what has been done with the data and that it hasn’t been decrypted at any time.

For which type of applications is this significant?
A typical scenario is that a company has an application running locally, but wants to move it to the cloud in order to save resources. An example of this would be personnel management software. This involves personal data that requires high levels of protection. Or an example from our practice: our partner Bosch collects data from smart cars. Here, we are talking about intellectual property, and pictures of passers-by can also be involved. The cloud hardware facilitates the shielding and encrypted processing of this data, so to speak. But since that doesn’t work on its own, it needs software like ours.

Can every customer then use these functions quite easily or do you need to bring in people with IT expertise?
Our programme is based on Kubernetes, a very common application in clouds, which is usually already in use at the customer’s organisation. The basic features are therefore often known to the users. But there has to be someone on site who knows the ropes.

You started out by offering your software free of charge and as an open source. How can you finance yourself on that basis?
Currently, it’s pretty much common practice to offer a kind of extended free trial version to begin with. Obviously, you run the risk that users will be satisfied with it and stick with it, or that the competition will copy the programme. But the advantage is that you have a very low-threshold offer for potential customers. The first step has already been taken, and maybe the customer will come back to us to purchase an enterprise version.

In a market as new as ours, this is a good way to see where customers stand. It also helps to identify and acquire new clients. A year after the first free offer, we received many attractive requests.
Unlike in the US, however, this business model is rather uncommon here, and you’re met with incomprehension. But we’ve been much better received by investors.

Seeing that the market is still so young, is there any competition to speak of?
Yes, there’s a lot of competition actually, especially in the USA. But our product is the most mature. The market just has to figure that out. Currently, very few customers know what secure cloud computing is – they may be aware of their problem, but they don’t know the solution. There’s still a lot of explaining to do.

Doesn’t the GDPR play into your hands?
It can definitely be a driving factor. With this in mind, we would also like to cooperate more with European cloud providers. We would then be able to develop a service on the provider’s side, and the customers wouldn’t have to do anything themselves, but could simply be sure that their data is protected.

Let’s go back to the beginnings of Edgeless Systems: was it always your wish to start your own business?
I already wanted to start a software company when I was still at school. During my studies, I worked in a small company, and that’s when the wish solidified. One of my main reasons to pursue a PhD was to search for exciting technologies as a basis for starting up a company.

What does your typical workday look like today?
Well, I’m no longer involved in the technical side of things. They are the domain of my co-founder Thomas Tendyck. I still take care of the product vision and parts of the architecture. Other core tasks include public relations, customer acquisition, staff recruitment and the acquisition of investor funds. In addition, there are many other minor tasks relating to human resources, operations and finances.

Have you ever regretted the start-up?
I have at times – there are always ups and downs. But in general it was a good decision. It’s a lot of fun, though very stressful. I have learned to handle it.

If you could look into the crystal ball and get a glimpse of the next five years, what would you like to see?
As an enterprise, we’re still in the phase of optimising the product market fit – which is perfect if, for example, you can offer a vaccine during a pandemic, so you have exactly the product that the market is demanding at the moment. We’re currently trying to achieve this fit. We’re learning a lot. We want to become the platform for highly secure cloud computing.

In five years, we should have scaled our business model and have over 100 employees. Looking still further into the future, we should be ready for an IPO or a sale of the company. These are the two goals for venture-backed companies like us.

Which advice would you give yourself if you could go back two years?
We started out with a fairly engineering mindset and got bogged down in some areas in order to minimise the risk. Looking back, I’d say we should have taken more risks at an earlier stage and accepted the possibility of failure. And: this is an exciting but also a difficult market. Next time, I’d choose a market that is already somewhat more developed.

That sounds like you’d consider another start-up after a possible sale of your company?
Definitely. But maybe after taking some time off first.

Edgeless Systems
The two founders of Edgeless Systems met while studying at RUB. They laid the groundwork for their start-up with the support of the business incubator Cube 5. Cube 5 is based at the Horst Görtz Institute for IT Security and the Faculty of Computer Science at Ruhr-Universität and is part of the Worldfactory Start-up Centre. The company currently has 15 employees, ten of them full-time. The founders are looking to recruit new staff, preferably from RUB, where most of the current members of staff had studied.

The article is published as part of the IT security special issue of the science magazine Rubin 2022/23.

To the Outreach Website

General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.