The rapid pace of digitalization and growing cyber threats demand IT solutions that not only meet the highest security standards but are also flexible and user-friendly. This is especially critical for government agencies and armed forces, who work daily with classified information in accordance with the Classified Information Directive (VSA) and require a high level of sovereignty.
Daily Cyber Attacks on Corporate and Government Networks
The German Federal Office for Information Security (BSI) records 250,000 new malware variants every day. In the federal administration alone, an average of 775 emails containing malicious software are received daily. The BSI blocks access to 370 websites from government networks every day. Cyber espionage has become a daily occurrence. Here are some examples from recent years:
A tailored cloud infrastructure and a secure working environment designed to meet the demands of government agencies, militaries, and regulated industries – delivering maximum data sovereignty and protection up to the classification level of SECRET.
The use of an open source cloud stack in combination with services such as NSC and VS Workplace offers significant advantages over the conventional cloud stacks of hyperscalers in terms of security, transparency and regulatory compliance - especially in Germany. This is primarily due to the greater controllability, flexibility and openness of open source-based approaches.
When choosing a cloud solution, security and compliance play a decisive role, especially with regard to data protection regulations such as the Cloud Act. In the following, we compare typical hyperscaler cloud stacks with NSC/VS-AP in terms of key security features and their compliance capability:
The cloud stacks of hyperscalers harbor potential risks for the outflow of sensitive data, as they have "call-home" functionalities and are operated on multinational regions. In contrast, open source-based solutions such as the combination of NSC and VS-AP offer significantly more transparency and control - and therefore considerably reduce the risk of data leakage.
This is where the difference between proprietary solutions and the open source approach becomes clear: while hyperscalers' cloud stacks tend to struggle to fully meet these requirements, a US-free open source stack, combined with the ability to implement perimeter protection through an on-premise variant, provides a more reliable basis for regulatory compliance.
When evaluating lifecycle management systems with regard to security guidelines that require insight into the CVE (Common Vulnerabilities and Exposures) score of the code, clear weaknesses become apparent with binary, precompiled or proprietary software. Only open source code enables such guidelines to be fully implemented.
In addition, security scans that are applied to binary files have technical limitations, which means that their results are often less meaningful. In contrast, tool chains for transparent quality assurance, such as those used by NSC or the NATO Software Factory, offer the necessary transparency and auditability - and ensure that a well-founded security assessment can be carried out before each release.
There are justified doubts as to whether the crypto algorithms used in the hyperscaler stacks are actually implemented in certified hardware security modules (HSMs) - rather, it is assumed that they are purely software-based.
In contrast, certified HSMs can be easily integrated into modular open-source stacks, which makes it possible to adapt them to national requirements. The NSC explicitly guarantees this.
The hyperscaler stacks are likely to have deficits in terms of approved security components, as their closed architecture makes flexible integration difficult. Without open or modular software architectures, adaptation to specific national requirements - especially for the German market - is unlikely.
In contrast, modular, open-source-based software architectures enable the targeted integration of components in accordance with the requirements of the BSI (German Federal Office for Information Security). This makes it much easier and more efficient to implement German compliance requirements.
Every cloud requires a hypervisor for virtualisation and resource orchestration. In contrast to conventional clouds, the NSC relies on a modular, microkernel-based hypervisor. The Trusted Computing Base (TCB) – comprising the software and hardware that must be trusted – differs significantly between the NSC and traditional clouds. Conventional clouds rely on monolithic hypervisors with millions of lines of code, whereas the TCB of the NSC’s L4Re Hypervisor consists of only around 30,000 lines of code. This much smaller code base enables complete evaluation
and verifiability, while reducing vulnerabilities and susceptibility to errors.
The NSC is able to run multiple isolated networks or domains for different security levels on a single hardware platform, securely separating them using the L4Re Secure Separation Kernel. This has been approved by the BSI for classification levels up to SECRET.
Structured data can be exchanged between security domains via SDoT Security Gateways. These gateways verify data based on predefined rules. Unstructured data – such as Word, Excel or other files – must be labelled using an SDoT before leaving the security domain. E-mails can also be exchanged securely in this way. These IT security products are approved by the BSI up to the classification level SECRET.
Comprehensive security solutions are provided, including a BSI-approved hardware security module for all cryptographic requirements. Client-side protection is also available through hard disk encryption and "File and Folder" encryption, meeting standards up to RESTRICTED.
The VS-Workstation incorporates the core features of a digitally sovereign workplace designed for government clouds
Advantages of a digitally sovereign workplace for public authorities
Please fill in the form and we will get in touch with you as soon as possible.