Why does the public sector hardly use cloud-based applications?
Are the benefits not obvious or is the fear of the risks too great?

Our customers in public administration, the judiciary and church and charity organizations, as well as individual notaries and lawyers, rely on digitalization to meet current and future challenges. Cloud-based approaches to digitalization are increasingly to be taken into account as well, for example to reduce IT costs while remaining scalable as user numbers change. In the private sector, 84% of companies now use cloud computing. Six years ago, the figure was less than two thirds. By 2025, these companies want to move 61% of all their applications “to the cloud”. That our customers’ concerns tend to be greater when in doubt is primarily due to the extraordinarily high level of protection required for the data they process. Westernacher Solutions wants to address this conflict more intensively and develop secure cloud strategies and solutions.

This year’s Bitkom Privacy Conference (#pco22) and the Behördenspiegel’s Public-IT-Security Conference (#pits2022) also address the topic with varying degrees of focus. Dr. Frank Laicher (CISO MWIKE NRW) pointed out at the PITS that public administration does not have this eminent compulsion to constantly optimize and reinvent itself. Nevertheless: cloud is a key topic for the future of public administration. The cost savings here are also undisputed in the vast majority of cases. But what are the risks involved?

Which risks do not affect your own data center, but do affect your own application in the public cloud? And which risks affect which public cloud? The discussion about this is quite emotional; the answer is complex. The requirements for cloud operation are certainly different from those of a conventional IT infrastructure strategy. The keyword “zero trust” is sometimes central here. Applications must be prepared for this. This means that specialist procedures – even if they have already been digitized – have to be adapted again, Dr. Laicher continues. Furthermore, it must be identified which data may be processed “in the cloud” at all, let alone persisted. However, these processes are often not yet or not fully digitized. So the question of whether to use the cloud or your own data center is just another step on the road to digital administration. At the moment, it is not an accelerator, but rather an obstacle to transformation due to the unresolved legal situation (#DSGVO, #PatriotAct, #PrivacyShield, #CloudAct, #Schrems2).

This creates a dilemma that requires solutions:

The advantages of the cloud lie in its efficient and scalable operation. This can only be achieved technically and economically if the provider’s cloud is used particularly broadly. The 4 major hyperscalers (AWS, Azure, GCP and IBM) in particular have a gigantic head start here. Thanks to their technological advantage, they can combine efficiency and security (integrity, basic confidentiality and availability of data) at the same time. So how can I take advantage of the cloud without breaking national, supranational or international law (today and tomorrow)?

The players are well aware of this fact. Efforts are being made to counteract these risks. The prospect of a new agreement between Europe and the USA, which will take account of Schrems II and thus revive the Privacy Shield, offers an opportunity. This Trans-Atlantic Data Privacy Framework addresses precisely these problems of access by US authorities, according to Alex Greenstein (Director, Privacy Shield at U.S. Department of Commerce) at the Bitkom Privacy Conference. Irrespective of this, cloud providers and partners are making further efforts of their own. Google and Telekom, for example, are establishing the Sovereign Cloud. The fact that Telekom holds the keys is intended to make it more difficult for Google or the US authorities to extract data. Later on, Telekom would even like to take over the operation of the cloud itself, using Google technology. Microsoft, SAP and Arvato (among others) want to offer a cloud solution for public authorities that counters the reservations. The federal cloud of the ITZBund is already in operation. And then there’s always GAIA-X, the European cloud. But it is unclear when it will arrive and what it can do compared to the large hyperscalers. And how much Europe is ultimately involved in this or similar projects is questionable, says Prof. Dr. Haya Shulman (Goethe University Frankfurt). The basic tenor of the PITS speakers is that more “cooperation of the good guys” is needed in the context of cybersecurity. Dr. Regine Grienberger (Commissioner for Cyber Foreign and Cyber Security Policy, Federal Foreign Office) calls for more international and European cooperation and brings the keyword “data messages” to the table.

It should not go unmentioned that there are also a large number of smaller cloud providers that are definitely bound by the GDPR and may also have the Trusted Cloud label of the Trusted Cloud competence network (e.g. Bundesdruckerei, Bitkom, Fraunhofer). But here the question arises as to how efficient an operation with these providers can be, how well they are able to protect data from illegal access (i.e. access not legitimized by the Patriot Act & Co.), and which attacks are more likely to occur.

Going to the cloud is not a question of whether, but only a question of how. And that question needs to be answered individually for each organization, for each process and for each data item. This requires expertise: domain-specific, legal and, no less, technical! Westernacher Solutions can already address some of these issues today and supports various authorities with experts. We are open to the new requirements of the industry and new technical possibilities and will help develop new topics in the future.

The opportunities are manifold, as are the worries. But this is where our expertise at the Competence Center Security can help to ensure the confidentiality, integrity and availability of your data through technical and organizational measures, while at the same time achieving cost efficiency, flexibility and independence.

Tobias Müller // Competence Center Lead Digital Security // Westernacher Solutions
