How cloud transformation in the public sector is succeeding
A modern state needs a digital administration. The state's ability to act and control its data must be guaranteed at all times – even in crisis situations. The current government's coalition agreement clearly emphasizes digital sovereignty as a key objective of state intervention. As most IT systems today are based on cloud technologies, it is crucial for the public administration that these systems are sovereign. Werner Achtert, business area lead Public Sector at msg, explains what a suitable framework for the public sector's cloud transformation could look like in this viewpoint interview.
Mr. Achtert, the digitalization of processes has made significant progress across various industries. However, the public sector is often lagging behind and is still in the early stages of adopting digital processes. Why is digitalization so difficult for the state?
There are many reasons for this. The federal structure of the state is one of the reasons for this. It has a decisive influence on our public administration. Fundamental political decisions are made at federal level. But the implementation of most of the laws is the responsibility of the federal states and local authorities. The federal structure leads to different IT systems and numerous architectures and technologies have also evolved over time. In addition, there are many individual developments that are widely used due to the specific requirements of public administration.
Data protection and security also play a key role, as some of the IT systems process sensitive data from citizens and companies. This can sometimes slow down the digitalization process. However, adequate protection is essential for public administration, on which the functioning of our public life largely depends. This is why the sovereignty of the administration is also required in the digital space.
So does digitalization in the public sector depend on digital sovereignty?
Digital sovereignty is definitely a key factor – especially when it comes to cloud transformation. The CIO of the federal government, state secretary Dr. Markus Richter, describes digital sovereignty as ‘The abilities and possibilities of individuals and institutions to exercise their role in the digital world independently, self-determinedly and securely'. ¹ This also means that institutions have the freedom to select IT providers based on their own criteria – and to switch providers if necessary. However, this needs a number of basic prerequisites such as the ability to evaluate alternatives. It also requires knowledge of the development and the operation of your own IT systems as well as the ability to articulate requirements for product features and contract details to system vendors.² All of these are components of digital sovereignty.
These are high standards that many companies also aspire to. How can these standards be implemented in the public administration?
One thing is clear: Complete independence from external IT providers is not possible for either companies or the public administration. However, it is possible to: Reduce the risks of dependencies, by evaluating different possible actions. In this context, the use of vendor-independent standards and open interfaces is an important first step. This is because a modular architecture forms the basis for keeping individual elements of the IT landscape interchangeable and promoting competition in the procurement of IT components. A key prerequisite for this is the development of in-house expertise and expert knowledge to be able to act on an equal footing with providers.
Sovereign cloud systems are often the subject of the current discussion. Why is the cloud such a central topic in terms of digital sovereignty and data sovereignty?
In the past, the public administration was able to operate its IT systems “on premise”, i.e., in its own service centers. Since many IT components are now only offered on a cloud basis, it is no longer possible to work entirely in closed systems when it comes to data storage and processing. The required scalability cannot be achieved with traditional data centers either.
Similar to commercial enterprises, public administration institutions have little choice but to move parts of their IT systems to the cloud. This leads to new challenges and dependencies. The public administration must ensure that data sovereignty, security and the state's ability to act remain guaranteed even when using commercial cloud systems.
What can sovereign solutions look like in the cloud?
First of all, it is important that German legislation is enacted without restrictions when data is processed and stored in the cloud. A crucial question is therefore the legal and actual location of data processing and storage in a cloud. As the market for cloud systems is currently largely dominated by US companies, the question arises as to what extent we can trust a political system and jurisdiction outside our sphere of influence. However, the answer to this question can ultimately only be decided politically.
And what sovereign options are currently available?
At present, all major cloud providers offer solutions that prevent unauthorized access to data. AWS, for example, is also working on the AWS European Sovereign Cloud, a new independent cloud for Europe that will enable even highly regulated industries to meet the strict security, sovereignty and data protection requirements in the cloud. In addition, there are now a number of German companies that offer cloud services “made in Germany”. The public administration even operates its own cloud system, such as the Bundescloud (federal cloud) of the ITZ-Bund (IT center federal government).
Why are certified solutions that are suitable for use in public administration not yet being used on a large scale by the federal, state and local governments?
This is due to the federal structure of our state, as already mentioned. There is no such thing as “the” public administration, and decisions on the use of IT systems are not made centrally. Responsibility is divided between the federal government and the federal states. As a result, the existing federal cloud solutions are only interoperable and compatible to a limited extent.³
To address this problem, the IT-Planungsrat (IT planning council) – a committee for coordinating IT strategies between the federal and state governments – has set up the cloud working group (AG Cloud). The AG Cloud is a working group for the topics of cloud computing and digital sovereignty. Its task is to develop a target architecture for a German administration cloud. This initiative aims to create standards for a federal cloud infrastructure.
This means that significant progress has already been made towards achieving a sovereign cloud transformation. In your opinion, what additional measures are required to securely transition the public administration to the cloud in a sovereign manner?
The discussion about the use of the cloud for public administration is characterized by technical and political aspects. Cloud providers have proposed solutions for the technical issues and the BSI (Federal Office for Information Security) has specified minimum requirements for secure cloud computing.⁴ In my opinion, the political issues are far more difficult to resolve in our federal system. Before we can benefit from the advantages of cloud, such as scalability and the shared use of services, the federal and state governments must agree on the widespread use of standardized cloud systems. At present, however, very few of the existing administrative procedures – whether at federal or state level – are cloud-compatible. The next challenge will therefore be to bring large parts of the administration landscape into the cloud with totally new architecture concepts. There's still a long way to go.
¹ CIO Bund - Digitale Souveränität (CIO Federal Government - Digital Sovereignty (only available in German))
² Strategie zur Stärkung der Digitalen Souveränität für die IT der Öffentlichen Verwaltung (bund.de) (Strategy to strengthen digital sovereignty for IT of public administration (only available in German))
³ Microsoft Word - 20210813_DVS - Rahmenwerk Zielarchitektur_v1.0_final.docx (it-planungsrat.de) (DVS (German administration cloud strategy) - Framework Target Architecture (only available in German)), p. 4
