In private life and in the business world, digital processes are already part of everyday life and are predominantly based on applications that run in the cloud. Authorities and administrations have so far remained largely excluded for security reasons. But they also want the flexibility and efficiency that new cloud services bring. This will enable them to set up their IT in a more agile way and thus meet the great digitalisation pressure that is weighing on German authorities: Processes are to be accelerated, and citizens and companies also want more digital services. But the challenge remains that public authorities cannot compromise on security when it comes to cloudification. Personal and tax data are highly sensitive and must be completely protected. This applies all the more to classified information. Last but not least, there is the issue of digital sovereignty.
The value of digital sovereignty becomes clear when you imagine the opposite, namely digital dependency - for example, on certain providers that make it difficult to switch to another provider, or on the internationally dominant IT companies. The latter can become problematic, for example, when providers operate under US legislation with at least unclear influence on data security. For these and similar reasons, traditional cloud solutions, such as those offered by hyperscalers, often did not meet the requirements of authorities and security-sensitive companies. Sovereign cloud offerings, on the other hand, aim to change precisely this. Digital sovereignty therefore definitely makes a key difference for public authorities and administrations.
First of all, the security level must of course be right as a basic prerequisite. Any cloud solution that comes into question for public authorities should work with highly secure encryption technology. It should be modular and include and combine different operating models - from "on premise" to "as a service". For example, data requiring special protection can be located in one's own IT infrastructure, while other applications are completely outsourced. The standardisation of resources in so-called containers and their orchestration in Kubernetes then ensure that all parts of the cloud infrastructure interlock seamlessly. For German public authorities, it is also important that the infrastructure can be certified according to IT-Grundschutz and the Cloud Criteria Catalogue C5 of the German Federal Office for Information Security (BSI) as well as being approvable for classified information. Another important point is the use of open source building blocks.
The main issue here is transparency and verifiability. Proprietary software that is kept secret by the provider is like a black box for cloud customers. No one but the provider can judge whether it is really secure or not. No authority in security-sensitive areas can afford that. Open source software, on the other hand, is freely accessible and can be checked by anyone at any time. For this reason, by the way, we at secunet have been involved in open source technology for a long time and contribute to its further development - also beyond the cloud.
We will offer customers an independent cloud offering from a single source that is also very broadly positioned so that it can serve a wide variety of customer requirements in terms of technology stack as well as operating model. It is also designed to cover all security levels from GDPR-compliant to the high German secrecy level GEHEIM (SECRET). The portfolio will include a combination of German public and private cloud offerings in the areas of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The basis of the secunet cloud is already available today: We introduced our security-hardened cloud platform SecuStack in 2018. In 2022, we acquired the cloud-native specialist SysEleven, which brings special expertise in the orchestration of standardised containers using Kubernetes as well as its own infrastructure with data centres in Germany. The public cloud offering based on this has already proven itself with several hundred customers. The secunet cloud portfolio will now be expanded building block by building block over the next one to two years. The building blocks are modular and interoperable, which is why we call it an ecosystem. The next milestones we are aiming for are the very first approval of a cloud stack for classified information by the BSI, up to and including GEHEIM (SECRET), as well as a test certificate according to C5.
Our offering is designed as a hybrid cloud ecosystem that can securely incorporate solutions from partners and combine them into resilient multi-cloud offerings. Even solutions from hyperscalers can play a role, for example in less security-sensitive areas. This creates optimal freedom of choice for customers - but at a high level of security and with great transparency.
For more than 25 years, we have been securing digital infrastructures that require special protection, for example in ministries and security authorities. In the process, we have built up unique expertise in high-quality encryption technology, which now forms the basis for the secunet cloud. In addition, our cloud offering incorporates established secunet solutions: for example, with our high-security solution SINA, which is the de facto standard for secure networks and workstations in German public authorities and public administration, we also enable customers to secure the access points to the cloud. This enables us to offer an entire IT infrastructure from a single source.
An innovative industry has emerged around the sovereign cloud in recent years that can offer society something crucial. Now is the time - with all the necessary competition - to exploit synergies, strengthen the open source community and thereby further advance technology development. In addition, the players in the new industry should sometimes speak with one voice so that knowledge about the sovereign cloud spreads. These are the goals of the new association. ALASCA stands for "Alliance for Sovereign Cloud Infrastructures". secunet is one of the seven founding members. The association is open to other European companies that live the guiding principle of open source in the cloud environment as well as digital sovereignty.
The cloud will then have become a self-evident, central component of public authority IT. IT managers will select very different cloud offerings according to the respective technology and security requirements and integrate them into the existing multi-cloud. The user experience will nevertheless be seamless. Furthermore, in a few years, many IT security products that today are still based on hardware boxes will also be available "as a service". The cloud transformation is complete when it permeates all areas of government, business and society.
Norbert Müller heads the Cloud Solutions business unit at secunet. Previously, he was decisively involved in the successful expansion of secunet's cooperation with public administration with regard to classic cyber security.
secuview is the online magazine of secunet, Germany's leading cybersecurity company. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.