SAP/Arvato Systems
That is far from sovereign!
SAP and Arvato Systems have announced plans to build a "sovereign" cloud platform for German authorities and ministries. How sovereign can such a project be? A statement from Holger Dyroff, COO and Managing Director of Owncloud.
SAP and Bertelsmann subsidiary Arvato Systems want to establish a new company with the aim of building a "sovereign" cloud platform for German authorities and ministries. Citizen and other sensitive data is to be stored there. The cloud is to be based on Microsoft Azure, but at the same time they emphasize their independence from Microsoft and the sovereignty of their offering nine times in their short announcement text. In doing so, they are fortunately raising awareness of the justified security concerns about US cloud providers and thus unintentionally confirming them, but at the same time they are not living up to the claim they have formulated themselves.
By using Microsoft Azure and the inevitable dependency on closed source, data sovereignty and customizability fall by the wayside. Instead, the old proprietary game of intransparency and vendor lock-in continues, with all the associated risks, such as problems with data migration or a lack of investment security. Digital sovereignty is not possible without open source code. Without open source, there is neither transparency nor control options. As long as the code cannot be viewed, it is simply unacceptable for authorities, security-sensitive applications or KRITIS infrastructures. This means that if the entire planned cloud platform is not based on open source technology, it cannot be described as "sovereign" and "secure". But neither partner says anything about this.
What should a sovereign cloud platform look like?
A sovereign cloud platform for sensitive government data is therefore de facto impossible with Microsoft technology - and is a contradiction in terms, no matter how much SAP and Arvato emphasize "technical, operational and legal" sovereignty, security and "complete separation from global data centers". GDPR compliance alone does not mean true data sovereignty. And this is an essential prerequisite for cloud use, and not just for public authorities. Time and again, so-called experts claim that it will take years to set up a national open source-based cloud. This is nonsense. Of course, the (German) open source economy is able to develop offerings in a matter of weeks and not years, as is usually the case with proprietary solutions. Government organizations, for their part, should be able to accept such offers quickly.
It is to be hoped that the German authorities do not fall for such a - one could almost say deceptive - package because two German companies are supposedly holding the reins: At its core, this cloud is and remains a Microsoft offering that ultimately ignores any kind of data protection and sovereignty that German authorities need. Government agencies would make themselves dependent on Microsoft's proprietary technologies. We are currently seeing the consequences of such a dependency in the energy market. Is that what we want?














