It is hard to imagine today’s digital world without cloud solutions. They are used in both the public and private sectors – and many companies in different industries are also outsourcing their IT infrastructure to the cloud. The advantages are obvious: cost reduction, scalability of IT services, organizational flexibility and significant savings in maintenance and servicing. What is currently still missing is a cloud solution that follows European standards and complies with the legal requirements of the General Data Protection Regulation (GDPR, German: DSGVO) in terms of data protection and security – thus providing a counterpart to the American cloud providers.
Understanding the cloud
Cloud computing has its earliest beginnings in the 1960s. At that time, software developers came up with the idea of bundling certain IT resources such as computing power or applications and making them available on demand to a broad range of users. The problem at the time was that there was neither a stable Internet nor IT systems with multi-tenant capability. It would therefore take until the 1990s and the emergence of the World Wide Web before the cloud idea could be put into practice.
Today, cloud computing means the provision and use of IT infrastructure such as storage space, computing power or software via the Internet. The required IT infrastructures are made available via a computing network – no longer via local computers. The IT services are provided and used exclusively via technical interfaces and protocols as well as via client software – usually a web browser.
The cloud is divided into two main types and two subtypes:
- Public cloud: Many customers share an infrastructure; providers include Dropbox and Google Drive. Intended for everyday use, without a heightened level of data security.
- Private cloud: Infrastructure is provided for only a single customer. The cloud providers specialize in highly sensitive data.
- Hybrid Cloud: Combination of private and public cloud; both cloud environments work together to combine a variety of cloud models.
- Multi Cloud: Two or more public clouds are used within one company.
Cloud computing offers three different service models:
- Infrastructure as a Service (IaaS): IaaS focuses mainly on the provision of technical infrastructure such as computing power, networks and storage space. The use of these services can be flexibly adapted to user requirements.
- Platform as a Service (PaaS): PaaS provides users with a platform on which they can develop and offer their own software applications. Here, programmable development environments are offered flexibly in the cloud.
- Software as a Service (SaaS): SaaS is also referred to as “Software on Demand” and forms the top level of cloud computing. Here, pure software applications are provided by the provider as a cloud service.
It is impossible to imagine today’s world without the cloud – we use it in our daily lives when we watch movies, store photos, etc. Since cloud computing originated in the USA, the leading providers of cloud services are American companies such as Amazon, Google or IBM. Due to American data protection regulations, which are not as strict as the European General Data Protection Regulation (GDPR), data exchange via American cloud providers is currently difficult or impossible for European companies and public administrations.
Cloud-related services have long since become the basis of modern economies. For several years now, efforts have therefore been underway to create a counterweight to the American cloud providers and to establish a central, European data space. This should be based on European standards in terms of both security and data protection and offer the highest level of digital sovereignty. To this end, various initiatives have been established in recent years.
Gaia-X prestige project
According to industry experts, the European data project Gaia-X is currently at an impasse: key members are withdrawing, funding is not flowing as planned, and the remaining members are standing in their own way with their own interests. The project was launched in 2019 with great expectations and the goal of building a secure and GDPR-compliant European data and infrastructure ecosystem that meets the highest standards of digital sovereignty. Behind the initiative are 22 companies and organizations from Germany and France, which founded the international non-profit company GAIA-X AISBL in 2020. It coordinates the cooperation of all participants, now several hundred European organizations from politics, business and science. The EU Commission is also involved.
Gaia-X aims to create data spaces with trusted platforms that comply with common rules and standards and, thanks to uniform interfaces, allow users to share and exchange data securely and freely between multiple actors. The defined cloud infrastructure standards are subject to European data protection requirements and include interoperability, transparency and compatibility of data and services, as well as collaboration and data exchange between the different cloud entities. Gaia-X is a federated system designed to connect many cloud service providers and users in a transparent environment. To strengthen data sovereignty, the use of open source software is a key aspect.
In addition to Gaia-X, other initiatives on the subject of the cloud have emerged in recent years. These were never cross-sectoral, however, and instead covered individual subsectors such as science (European Cloud Initiative). This was also the case with Cloud for Europe: The initiative, which was funded by the European Commission, was intended to promote the spread of cloud services in the public sector. The aim was to provide public authorities in the member states with cloud solutions that meet the specific requirements of the public sector while complying with European security and data protection requirements. All these initiatives have so far either not reached maturity or the project coordination has already been reinstated – without any significant impact on the cloud landscape in Europe.
Has the European cloud initiative now failed? Are the individual countries concentrating on single solutions? What is Germany doing?
Germany, your clouds
In parallel with European efforts, individual European member states have developed their own cloud strategies in different sectors of the economy – for example, in the automotive industry. Strict rules and specifications continue to apply in particular to highly sensitive data from the healthcare sector or public administration. Here, digital sovereignty and compliance with the GDPR are always at the forefront.
The most secure clouds are characterized by a server location within the EU. In addition, various independent institutions award security marks such as certificates, which customers can use to check whether the specified security standards are met by the provider. According to the German Federal Office for Information Security (BSI), there are various certificates for cloud offerings on the market. The well-known ones include the SaaS seal of approval from EuroCloud, CSA STAR and TÜV Trust IT. The BSI’s IT-Grundschutz certificate can also be used by cloud users. However, there is no legal obligation to certify cloud providers.
The German Administration Cloud Strategy as a Guide for the Digitization of Public Administration?
With the German Administration Cloud Strategy (DVS), the public administration is pursuing a strategy to strengthen the digital sovereignty of public administration IT. It was developed by a joint steering committee of the IT Planning Council, the federal government and the states and is being further developed with various cooperation partners.
The aim is to create common standards and open interfaces for cloud solutions in public administration in order to establish an interoperable and modular federal cloud infrastructure in Germany. There are currently a large number of cloud solutions at the federal, state and local levels of government – which are only interoperable and compatible to a limited extent due to a lack of standardization. With the help of the DVS, a cross-cloud and reciprocal use of applications and software solutions is to be created – the German Administration Cloud (DVC). It is defined as a nationally accessible digital marketplace where federal, state and local authorities can easily and securely obtain digital administrative services.
Which mandatory standards does the German Administration Cloud Strategy implement for the participating cloud sites of the federal, state and local governments? The DVS concept paper lists five areas of standardization:
- Development and development platform,
- Application deployment and management,
- Code Repository,
- Infrastructure service and technological stack as well as
- Operating standards and operating models
All public administration cloud solutions already in existence today, as well as the associated IT service providers, must implement these standards on a mandatory basis if they wish to become participants in the German Administration Cloud. This is also intended to actively support the implementation of the Online Access Act (Onlinezugangsgesetz, OZG) and the “One for All” (Einer für Alle, EfA) principle.
Existing cloud solutions in states and municipalities: The OZG cloud
One cloud solution that has already been successfully in place since 2021 is the OZG cloud, which is becoming a crucial element of administrative digitization in Germany. Currently, the states of Schleswig-Holstein and Bavaria are working together to make applications available to municipalities via the cloud.
The OZG cloud maps the essential requirements of the “German Administration Cloud Strategy” (DVS) – such as the compatibility and interoperability of the already existing cloud solutions of municipalities, states and the federal government, the strengthening of the digital sovereignty of public administration, the guarantee of security, transparency and confidentiality of the data in the cloud as well as the control over the data. The OZG cloud is a collection of scripts and technologies that enable applications to be deployed and maintained in the states’ existing data centers. The result is a multi-cloud solution where all connected data centers can be centrally provisioned.
The basic prerequisite is that each data center provides virtual machines (VMs) or a Kubernetes namespace. To subdivide individual clusters further, Kubernetes lets operators create so-called “namespaces” – virtual clusters within a Kubernetes cluster. Each namespace remains the “territory” of the individual municipality. The cloud system was developed with a high degree of automation and makes it possible to provide clients with a system environment “at the push of a button”.
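
As an added illustration of the namespace-per-municipality model described above (not taken from the OZG cloud's own scripts), the following manifests show what a data center operator would typically pair with a tenant namespace so that the boundary is enforced and not only named. The tenant name, group name and quota values are constructed for the example.

```yaml
# Constructed example: "gemeinde-musterstadt" and all values are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: gemeinde-musterstadt
  labels:
    tenant: gemeinde-musterstadt
    # Pod Security Admission: reject privileged or host-access pods
    pod-security.kubernetes.io/enforce: restricted
---
# Cap what one tenant can consume so it cannot starve its neighbours
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: gemeinde-musterstadt
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    pods: "50"
---
# Namespaces do not isolate network traffic by themselves:
# accept ingress only from pods in this same namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: gemeinde-musterstadt
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
---
# Bind the built-in "admin" ClusterRole to the tenant's group,
# scoped to this namespace only (no cluster-wide rights)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-admins
  namespace: gemeinde-musterstadt
subjects:
  - kind: Group
    name: gemeinde-musterstadt-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```

The NetworkPolicy only takes effect when the cluster's network plugin enforces NetworkPolicy objects.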