Sovereign Cloud Stack

Sovereign Cloud Stack (SCS) is federated cloud technology built entirely with Open Source Software — putting users and providers in control.

SCS: We continue to work on Gaia-X for more digital sovereignty

Kurt Garloff November 25, 2021

(By Dr. Manuela Urban, Felix Kronlage-Dammers, Jonas Schäfer, Kurt Garloff)

Context

The second Gaia-X Summit took place on November 18 and 19, 2021, in which concepts were introduced of how Gaia-X enables rule-based federated data ecosystems to emerge and to create a well-functioning, trustworthy basis for data-based innovation.

The summit was a bit overshadowed by Scaleway’s visible exit from Gaia-X. Scaleway expressed disappointment with the slow progress and believes that the broad involvement of the hyperscalers is the reason for this and that there is a risk for the project to develop in the wrong direction and that in the end, little will be achieved for digital sovereignty.

This was picked up sporadically in the press. It has been viewed as evidence for the long-held suspicion that Gaia-X as an initiative initiated by politics, as a club of large corporations, as an initiative embraced by the hyperscalers, as a dish with too many cooks was thus bound to fail.

We, as SCS project, continue to believe in Gaia-X’s goals. While some shortcomings exist, we have no reason to dismiss Gaia-X as an important and useful initiative.

Cooperation between OSB Alliance and Gaia-X

The Open Source Business Alliance (OSB Alliance, OSBA) has been a Gaia-X member since summer 2021, but has already accompanied the founding process of the Gaia-X project through personal commitment and OSBA members such as PlusServer since the beginning of 2020.

With the Sovereign Cloud Stack project, the OSB Alliance is leading a significant project funded by the BMWi (German Ministry for Economic Affairs and Energy) and provides technology that makes it much easier for infrastructure operators to provide Gaia-X-compliant, sovereign infrastructure. As such, it is involved in some Gaia-X working groups with its community and its employees and helps shaping the work, e.g. in the provider working group. The SCS project is also anchored here as an open work package.

Expectations and Gaia-X reality

The expectations of Gaia-X are high and very varied. In some cases unrealistically high, to which statements such as “Moonshot” have certainly contributed. In many cases, goals were projected onto Gaia-X that did not correspond to reality at all, such as the hope that a European hyperscaler would be created through government intervention with the help of Gaia-X to push back the worrisome influence of the American platforms.

The approach of Gaia-X is different: Verifiable standards are created to provide transparency, which then allows services from different providers to be combined automatically. The transparency should not only ensure technical compatibility and describe the corresponding interfaces, but in particular also contain aspects such as control, security and data protection. This enables users to make a conscious decision as to which combination of offers meets their requirements. The transparency on the compliance with European data protection regulations thus also allows legally compliant use. The transparency is provided via certifiable and verifiable self-descriptions, which are kept in a catalog by the federator. Self-descriptions are defined in the corresponding Gaia-X working groups, filled out by the service provider and, if necessary, checked and confirmed by certifiers (Conformance Assessment Bodies). An open source implementation of a distributed catalog is being created, among other things, in the Gaia-X Federation Services (GXFS) project - another project funded by the BMWi to strengthen Gaia-X.

The path to these standards is not an easy one. Many contributors have to come to a consensus in order to achieve both good quality as well as broad support by the stakeholders. This may be frustrating at times, but it is in the nature of things. A dominant company with an integrated architecture can advance faster than an ecosystem in which several actors at different levels have to agree on common interoperable interfaces. With a top-down approach, you make decisions faster than with broad participation. This does not make them any better - in the long term, the arduous path is the more effective. It is important that the professional competence from the practical implementation is also included in the decisions and that the processes run transparently. Communication is not always easy in rapidly growing structures like Gaia-X, but things are moving forward.

Gaia-X is not just theory

All theory remains theory if nobody puts it into practice. In fact, there is a lot of discussion about concepts and standards in the working groups and committees of the Gaia-X entity and thus far little implementation is visible yet. In our experience, good, practicable and accepted standards are almost always created in close exchange and in an iterative process between theory and practice. A desired side effect is the creation of visibility and the attention to the goals of Gaia-X. For the needed open standards, a fully open (reference) implementation will need to be created.

But the reality in Gaia-X is better than it appears at first glance. There are some groups working on the implementation of Gaia-X concepts. There are the major projects funded by the BMWi such as e.g. GXFS: There, based on detailed specifications, code on the topics of compliance, data sovereignty services, identity & trust, federated catalog and the portal is to be developed. The Sovereign Cloud Stack Project (SCS, https://scs.community/) published Release 1 in September 2021 and is already being used in production by cloud providers. SCS is being developed as completely free software by an open community in an open process. GXFS is also under an OSS license.

There are also the French project to supplement the Federation Services, projects from the BMWi funding competition, the Eclipse Data Connector, work in Catena-X and numerous initiatives by companies and groups around Gaia-X. Many of them come together in the work package “Minimal Viable Gaia” and take part in the second Gaia-X Hackathon on the 2nd + 3rd. December - technology is actually developed and tested there.

Join the Gaia-X Hackathon #2 in which you will among other workshops have the chance to attend a guided SCS deployment.

Unfortunately, little of this was visible at the Gaia-X Summit - the presentation of the highlights from the hackathon there didn’t work out because of the ordering of the events on the schedule.

Labels beyond data protection

The concept of so-called labels was presented at the Gaia-X Summit. These are the certificates with which services and providers show their conformity with Gaia-X standards. Behind this are criteria and the associated test catalogs, which must be verified accordingly (ideally in an automated manner). It will be necessary to look closely at the details - of course, the goals of a high level of transparency and digital sovereignty would not only be missed but even counteracted by too soft criteria catalogs.

It makes sense to have different levels of conformity. This also includes and makes transparent offers that do not meet high standards in the area of data protection. Interoperability and transparency are still an added value - not all IT services and data have high data protection and sovereignty requirements. US-American hyperscalers can also make a valuable contribution at this level.

The three levels of basic, substantial and high outlined in Gaia-X are based on the corresponding levels of ENISA in the European Cybersecurity Scheme for Cloud Services. At the highest level, access from outside Europe would be excluded with a high degree of certainty - this can only be guaranteed with platforms that are completely under the operational control of European companies.

This means that the area of data protection is well reflected by Gaia-X Labels and it makes sense to link them to proven standards in this area.

However, digital sovereignty goes far beyond data protection.

The ability to innovate on and design digital platforms requires the ability to give users control over the technology and its implementation. This can hardly be achieved with proprietary technology stacks, but requires complete openness. This is exactly what we are working on in the Sovereign Cloud Stack project and see the combination with other free technologies from the Gaia-X environment (and in the future the planned IPCEI-CIS) such as GXFS as an attractive combination for companies to provide federated, interoperable and completely sovereign services for their own use or for third parties.

Unfortunately, this important aspect of digital sovereignty has not yet been taken into account in the description of the Gaia-X labels - we expect that further development will take place here and are also working towards this as part of our cooperation in the Gaia-X working groups and open work packages.

Gaia-X is a large project that is collaboratively built. It requires support from many parties and a long term perspective. But that is also its strength.