The Federal Administration runs its applications in its own data centres, in private clouds and in public clouds drawing on several providers. It is the responsibility of the departments to select the right solution for each application. The DTI Sector provides legal clarifications, a tiered model and cloud principles centrally so that the administration can make decisions based on common principles.
Cloud Strategy Bund
The framework for the use of cloud solutions in the Federal Administration is defined in the ‘Cloud Strategy Bund’ (available in German). The government is pursuing a hybrid multi-cloud strategy and is therefore continuing to rely primarily on its own data centres and services from federally owned private clouds. These are complemented by public cloud services (hence hybrid), which are obtained from a number of public cloud providers (hence multi).
The federal government's ‘Public Clouds Bund’ project provides its administrative units with the possibility of obtaining public cloud services if required. The decision as to whether an application runs in a private or public cloud rests with the departments. However, the DTI Sector does provide recommendations and tools (see below).
The use of cloud services supports the digital transformation process in the Federal Administration. Cloud services enable the flexible use of the latest technologies. Capacity can be adjusted promptly to take account of fluctuating demand. The combination of private and public clouds allows optimal coverage of administration requirements (e.g. in the area of IT security and data protection, resilience and innovative strength).
Information security and data protection play a central role in all Federal Administration applications. In the case of public cloud services, the administration must exercise additional care, as these run outside its own data centres. Considerations include, among other things, an examination of the legal requirements, the need for protection and the risks. Based on this, the administrative unit concerned must decide which cloud service to use to run a particular application and what precautionary measures to take. The Federal Administration can draw on established tools such as a protection requirement analysis and an information protection and data security concept. In addition, a report on the legal basis and the federal government's cloud principles are available as aids in choosing the appropriate cloud level. They are a central element of governance pertaining to ‘Public Clouds Bund’. The principles are in the process of being drafted and are expected to be available in Q1 2023.
The report on the legal basis provides an analysis of the legal basis for the use of cloud solutions with a focus on data protection and information protection law and professional secrecy. It also contains tools such as checklists to help administrative units with the clarifications they are obliged to make before using cloud services.
Cloud Tier Model
The following graphic shows the different cloud tiers that are available in the Federal Administration. The two upper tiers (I and II) are public clouds; tiers III and IV are private clouds in Federal Administration data centres.
The various tiers differ not only in their functionalities, but also in the data held in them. Generally speaking, the higher the tier number, the higher the data protection level. So according to the tier model, particularly sensitive data is not stored in tier I as a matter of principle.
The tiers are not entirely distinct. For example, a specialised application could run as a hybrid cloud spread over several tiers, to keep sensitive personal data in the private cloud and at the same time use cloud services in the public cloud for non-critical data.