Independence through location-based outsourcing?

From cloud exit to the digitally sovereign cloud

Cloud Exit

There is a rather neglected topic in IT that most people probably haven’t heard much about: the “cloud exit”. An article by Prof. Dr. Dennis-Kenji Kipker, Research Director, cyberintelligence.institute.

The term is as easy to explain as it is to understand: if a company or public authority has outsourced its IT in the past, it may prove useful in the future to host it on-premises again, which was the standard for many years. For example, UP KRITIS already published “Recommendations for preparing an exit strategy when using cloud services” in 2022.

“IT from the socket” as the mantra of the 2020s

Of course, not every facility is a critical infrastructure, and you don’t read much about cloud exit at the moment – quite the opposite: Bitkom published its “Cloud Report” at the beginning of July 2024, which makes it abundantly clear that the path in the next five years will lead not out of the cloud, but into the cloud: Not only do 81% of companies in Germany use cloud computing, but 4 out of 10 of the cloud users surveyed in the study have a “cloud only” or at least “cloud first” strategy. It is therefore not surprising that new cloud offerings are emerging everywhere and terms such as “IT from the socket” are becoming the mantra for IT infrastructure in the 2020s. However, despite all the praise for scalability and availability, IT procurers too often forget – or simply ignore – the key issues surrounding cyber security, data protection and compliance of cloud applications. And that is a fatal mistake, because not all IT problems can simply be solved at the push of a button by outsourcing.

Semi-sovereign clouds and permeable data boundaries

Some of the major hyperscalers have also recognized this and are therefore now offering “sovereign clouds” – first and foremost Microsoft, which prominently coined the term “EU data border” from the very beginning. According to Microsoft, this EU data border is “a geographically defined boundary within which Microsoft has committed to store and process customer data and personal data for our Microsoft Enterprise Online Services, including Azure, Dynamics 365, Power Platform and Microsoft 365, subject to limited circumstances in which customer data and personal data will continue to be transferred outside the EU data border.”

This definition makes one thing clear above all: the concept of a “sovereign cloud” is just as vague as the concept of a “data boundary”. And this is precisely what companies such as Delos Cloud GmbH have recently been taking advantage of, presenting themselves as a “sovereign and secure cloud platform for the digitalization of the public sector in Germany” – but technically based on Microsoft Azure and Microsoft 365. And in this way, the term “sovereign cloud” is quickly bent to suit the situation, because what is quickly lost in the marketing communication about this very sovereign cloud is the fact that the proprietary software used to implement it and its interfaces are a black box that cannot be verified either openly or independently. Nevertheless, the new Delos Cloud is set to become the flagship project of administrative digitization in federal IT – and bring back the digital sovereignty that was thought to have been lost.

The location of the data center is not decisive for the question of sovereignty

However, precisely this is a momentous fallacy: in the case of Microsoft in particular, it is not even strictly necessary to resort to legal arguments relating to the US Cloud Act or the questionable continued existence of the EU-US Data Privacy Framework adequacy decision, as Microsoft has proven to be neither a cyber-secure nor a trustworthy company in the past. Against this backdrop, the “Summer of Snowden” in 2013, when it became known that Microsoft was also involved in the global network surveillance program “PRISM”, has been forgotten too quickly. As a result, it’s also a bit of a joke if a “sovereign” cloud is to be set up in Germany based on Microsoft products.

So what we can say is this: Germany is still a long way from a “cloud exit”, and the exact opposite is currently taking place with the additional use of AI from the cloud. Allegedly technology-sovereign solutions are widely available on the cloud market, but it is important to note that it is not primarily the location of the data center that matters, as is so often communicated, but the operator and the underlying software. And supposedly “sovereign clouds”, such as those offered for the public sector by Delos, for example, should be treated with extreme caution, as “sovereignty” is not a legally protected term.

Prof. Dr. Dennis-Kenji Kipker

Research Director, cyberintelligence.institute