The sovereign cloud for authorities and administration
Efficiency without dependence

The digitisation of the administration will only be viable if it combines efficiency, sovereignty and security. This is especially true for cloud transformation, which is currently at the top of many German public authorities' agendas. Since the large hyperscalers' cloud offers often leave questions about transparency and data protection unanswered, there is a great need for cloud solutions "made in Germany". These are intended to combine security and digital sovereignty. secunet is currently building an ecosystem of trustworthy solutions and services that enable cloud use even in security-sensitive areas and can also be combined with solutions from hyperscalers. In this interview, Norbert Müller, who is responsible for secunet Cloud Solutions, talks about the meaning and purpose of the sovereign cloud, the role of open source and the newly founded industry association ALASCA.

Norbert Müller
Vice President Cloud Solutions bei secunet
— Mr Müller, why are public authorities striving for the cloud in the first place?

In private life and in the business world, digital processes are already part of everyday life and are predominantly based on applications that run in the cloud. Authorities and administrations have so far remained largely excluded for security reasons. But they also want the flexibility and efficiency that new cloud services bring. This will enable them to set up their IT in a more agile way and thus meet the great digitalisation pressure that is weighing on German authorities: Processes are to be accelerated, and citizens and companies also want more digital services. But the challenge remains that public authorities cannot compromise on security when it comes to cloudification. Personal and tax data are highly sensitive and must be completely protected. This applies all the more to classified information. Last but not least, there is the issue of digital sovereignty.

— Why does the cloud for public authorities have to be not only secure but also sovereign? Is digital sovereignty perhaps a mere buzzword, as some observers think?

The value of digital sovereignty becomes clear when you imagine the opposite, namely digital dependency - for example, on certain providers that make it difficult to switch to another provider, or on the internationally dominant IT companies. The latter can become problematic, for example, when providers operate under US legislation with at least unclear influence on data security. For these and similar reasons, traditional cloud solutions, such as those offered by hyperscalers, often did not meet the requirements of authorities and security-sensitive companies. Sovereign cloud offerings, on the other hand, aim to change precisely this. Digital sovereignty therefore definitely makes a key difference for public authorities and administrations.

— What are the key building blocks of a sovereign cloud?

First of all, the security level must of course be right as a basic prerequisite. Any cloud solution that comes into question for public authorities should work with highly secure encryption technology. It should be modular and include and combine different operating models - from "on premise" to "as a service". For example, data requiring special protection can be located in one's own IT infrastructure, while other applications are completely outsourced. The standardisation of resources in so-called containers and their orchestration in Kubernetes then ensure that all parts of the cloud infrastructure interlock seamlessly. For German public authorities, it is also important that the infrastructure can be certified according to IT-Grundschutz and the Cloud Criteria Catalogue C5 of the German Federal Office for Information Security (BSI) as well as being approvable for classified information. Another important point is the use of open source building blocks.

— The open source idea implies joint software development in a cross-provider community. What do the cloud customers get out of that?

The main issue here is transparency and verifiability. Proprietary software that is kept secret by the provider is like a black box for cloud customers. No one but the provider can judge whether it is really secure or not. No authority in security-sensitive areas can afford that. Open source software, on the other hand, is freely accessible and can be checked by anyone at any time. For this reason, by the way, we at secunet have been involved in open source technology for a long time and contribute to its further development - also beyond the cloud.

In the cloud transformation, resources can be standardised in so-called containers. Using Kubernetes, these containers are then orchestrated across all parts of the cloud infrastructure. © Getty Images
— What is the core of the secunet cloud portfolio and when will it be available?

We will offer customers an independent cloud offering from a single source that is also very broadly positioned so that it can serve a wide variety of customer requirements in terms of technology stack as well as operating model. It is also designed to cover all security levels from GDPR-compliant to the high German secrecy level GEHEIM (SECRET). The portfolio will include a combination of German public and private cloud offerings in the areas of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). The basis of the secunet cloud is already available today: We introduced our security-hardened cloud platform SecuStack in 2018. In 2022, we acquired the cloud-native specialist SysEleven, which brings special expertise in the orchestration of standardised containers using Kubernetes as well as its own infrastructure with data centres in Germany. The public cloud offering based on this has already proven itself with several hundred customers. The secunet cloud portfolio will now be expanded building block by building block over the next one to two years. The building blocks are modular and interoperable, which is why we call it an ecosystem. The next milestones we are aiming for are the very first approval of a cloud stack for classified information by the BSI, up to and including GEHEIM (SECRET), as well as a test certificate according to C5.

— Can third-party offers also be integrated?

Our offering is designed as a hybrid cloud ecosystem that can securely incorporate solutions from partners and combine them into resilient multi-cloud offerings. Even solutions from hyperscalers can play a role, for example in less security-sensitive areas. This creates optimal freedom of choice for customers - but at a high level of security and with great transparency.

"In a few years, many IT security products that today are still based on hardware boxes will also be available 'as a service'."
— In what way does secunet's expertise in traditional IT security contribute to the cloud offering?

For more than 25 years, we have been securing digital infrastructures that require special protection, for example in ministries and security authorities. In the process, we have built up unique expertise in high-quality encryption technology, which now forms the basis for the secunet cloud. In addition, our cloud offering incorporates established secunet solutions: for example, with our high-security solution SINA, which is the de facto standard for secure networks and workstations in German public authorities and public administration, we also enable customers to secure the access points to the cloud. This enables us to offer an entire IT infrastructure from a single source.

— Together with other European IT companies, secunet has founded ALASCA, a new association that aims to promote open source in the cloud context. What is this all about?

An innovative industry has emerged around the sovereign cloud in recent years that can offer society something crucial. Now is the time - with all the necessary competition - to exploit synergies, strengthen the open source community and thereby further advance technology development. In addition, the players in the new industry should sometimes speak with one voice so that knowledge about the sovereign cloud spreads. These are the goals of the new association. ALASCA stands for "Alliance for Sovereign Cloud Infrastructures". secunet is one of the seven founding members. The association is open to other European companies that live the guiding principle of open source in the cloud environment as well as digital sovereignty.

— What will the administrative IT landscape look like in five years' time?

The cloud will then have become a self-evident, central component of public authority IT. IT managers will select very different cloud offerings according to the respective technology and security requirements and integrate them into the existing multi-cloud. The user experience will nevertheless be seamless. Furthermore, in a few years, many IT security products that today are still based on hardware boxes will also be available "as a service". The cloud transformation is complete when it permeates all areas of government, business and society.

Norbert Müller heads the Cloud Solutions business unit at secunet. Previously, he was decisively involved in the successful expansion of secunet's cooperation with public administration with regard to classic cyber security.

Interested readers can find out more about secunet Cloud Solutions here —
Contact request

Do you have any questions or comments about this article? Then contact us using the contact form on the right.

Seite 1
* Required fields

secuview is the online magazine of secunet, Germany's leading cybersecurity company. Here you will find news, trends, viewpoints and background information from the world of cybersecurity for public authorities and companies. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.


In addition to the online magazine, secuview is published twice a year as a journal, which you can subscribe to free of charge in printed form or download as a PDF.

secuview is the online magazine of secunet, Germany's leading cybersecurity company. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.

© 2024 secunet Security Networks AG