Skip to main content

Hitachi

Hitachi Research Institute

Research Project

Introduction HRI research topics by researchers

Government Cloud Through Decentralization and Linkage Aimed at Enhanced Data Protection

Takeshi Matsumoto,
Deputy General Manager

In the major countries/regions of the world, including the US, the UK, the EU, and Japan, government agencies start introducing cloud services for their information systems (hereinafter referred to as “Government Cloud”). Government Cloud is expected to provide advantages and effects that on-premises systems (hereinafter referred to as “On-Premises”) could not provide.*1 Because some functions of Government Cloud are commonly used by multiple government agencies, Government Cloud realizes such lower costs, greater ease of deployment, and better scalability. On the other hand, there are raising concerns about risks when it comes to data protection. Important data, such as personal/corporations data and operational data of essential infrastructure, are stored in cloud servers outside of government offices. To have both the cloud services’ merits and data protection, the EU start developing Government Cloud in combination of public/private cloud platforms and On-Premises. Hitachi Research Institute has been conducting Government Cloud research with particular focus on the EU and its member state of Germany. The research considers that decentralization/linkage of servers/data are the key to unravel the background, purpose and formats of Government Cloud. Also, to prevent the unauthorized access, leakage and falsification of data, data protection is crucial when it comes to the linkage of decentralized data.

*1
An information system consisting of network equipment, servers, software, etc., that users build (or outsource to a third party the building thereof) on their premises, which the user then owns and operates.

1. EU hybrid multi-cloud principles aimed at data protection

In May of 2019, the European Commission (the executive arm of the EU), adopted the ”European Commission Cloud Strategy”. This strategy encourages EU member states to move their government information systems to the cloud. At the same time, in principal it asks them to introduce “secure multi-hybrid cloud systems”, which require to involve “multiple” service vendors. This principle appears by several concerns of government authorities to the foreign public cloud vender.*2*3 Their concerns include (1) enforced access to data of the EU by the foreign government (the cloud service provider’s home country), (2) the leakage or falsification of personal information (names, dates of birth, addresses, social security numbers, income and tax payments, etc.), (3) the time and cost to collect data when cloud service contract terminates.*4 The EC is wary of these as a violation of the EU’s data sovereignty. To tackle this situation, the EC is promoting the use of cloud services operated through decentralization and linkage (Figure 1). In this mechanism, government agencies of EU member states use a combination of relatively small private cloud platforms (preferably made by EU companies) and On-Premises. Personal data would be stored in a “decentralized” manner within their respective systems. When the analysis require cross-agency data (e.g. analyses of income taxes, various benefits)., they create “data linkage” between the systems. For data sharing among government agencies, sufficient security controls is neccesary.

*2
The European Commission classifies not limiting usage to one public cloud platform as a “multi-cloud” and the combination of different forms of systems (such as private, public or On-Premises) as “hybrid cloud.”
*3
The EU cloud services market is dominated by US companies. Despite the EU’s track record in the private sector, research undertaken by Gartner, Inc. shows that three American companies (Amazon Web Services, Microsoft and Google) had acquired a share totaling 75% of the cloud services market in the EU in 2019. Meanwhile, there are cloud service providers in the EU, such as T-Systems (Germany), Orange (France) and Atos (France), but their share accounts for less than 2% of the total market.
*4
In March 2018, the Clarifying Lawful Overseas Use of Data Act went into effect in the US. The act gives US government agencies the power (with certain conditions) to compel cloud vendors to disclose data held on servers located outside the US.


Source:Prepared by Hitachi Research Institute based on various documents, hearings, etc.
Figure 1: Cloud system architecture built by the EC

2. On-premises private cloud system built by the German government

The German government is a pioneer to deploy cloud systems combined decentralization and linkage of data in the EU. Its government-only private cloud platform “Bundescloud” has been built and operated by the German government itself. This is used by several ministries, including the Federal Ministry of the Interior and Community, the Federal Ministry of Finance, the Federal Ministry of Health, and the Federal Ministry for Digital and Transport (Figure 2).*5 However, some of the federal ministries of Germany, such as the Federal Foreign Office, continue to use On-Premises. As such, they connect together Bundescloud and their On-Premises via a secure, government-only network. When required, they share data in between.

*5
Actual construction and operation undertaken by ITZBund. ITZBund (Information Technik Zentrum Bund; Federal Information Technology Center in English) was created in 2016 as a result of the consolidation of several IT departments within the Federal Government of Germany. It is a government agency falling under the supervision of Federal Ministry of Finance. It is also an in-house IT services vendor of the German government.


Source:Prepared by Hitachi Research Institute based on various documents, hearings, etc.
Figure 2 : An overview of cloud governance in Germany

Furthermore, the German government attempts to introduce non-EU companies’ cloud services, seeking advantages such as low cost and high-speed processing. Some assumptions are planning to be set for its data protection. Examples include (1) to place servers of non-EU companies in German data centers owned by German government agencies/companies and to operate by German government agencies/companies, (2) to implement the same data storage and middleware as Bundescloud, and (3) to virtualize data stored on non-EU companies’ cloud servers in data centers (real data being stored on Bundescloud). In this way, the German government is currently eyeing linkage between Bundescloud and non-EU companies’ cloud platforms based on the premise that data protection can be maintained. As described so far, through Bundescloud, the German government has realized the principle of a “secure multi-hybrid cloud system” as laid out by the EC.

3. Data control technologies enabling decentralization and linkage

Bundescloud is a private cloud platform, but it is categorised as On-Premises because the data center is located in a government agency. The German government refers to Bundescloud’s information system format as an “on-premises private cloud system”. It pursues the advantages offered by cloud services (such as the aggregation of network storage and the sharing of operating systems, middleware and administrative applications) as well as maintaining data protection by using an On-Premises. The German government also tightly control data exchange occurring amongst the various information systems on multi-hybrid cloud systems. For example, when the Federal Foreign Office issues a passport to an individual as an administrative practice, they assess to the individual’s basic information (data) on the Bundescloud. This data is stored by the Federal Ministry of the Interior and Community. Then, Federal Foreign Office copies and moves it to its On-Premises for processing. As described, when ministries share data which require high level of protection (e.g. personal information), it is important to use data control technologies to ensure a safe transfer. Such technologies include data encryption, access rights to virtual server and data with time duration settings, data access authentication, and management of duplicates, transfer, and deletion logs. The German government has outsourced the development of these technologies to a German middleware company and this has implemented them both for Bundescloud and for On-Premises (e.g., used by the Federal Foreign Office to issue passports). Furthermore, when cloud services are introduced by non-EU companies in the future (as mentioned above), it is expected that such data control middleware will be implemented.*6 for the relevant cloud platform to ensure secure data sharing with Bundescloud.

*6
Relates to one of the conditions for the introduction of cloud services provided by US companies being considered by the Federal Government of Germany (stated in the second section of this paper), which is that “middleware be implemented for data control which is the same as that used for Bundescloud.” Such implementation of data control middleware is expected to be a key factor when it comes to decisions on the introduction of cloud services.

4. Issues to be considered in the development of Government Cloud in Japan

The Japanese government plans to develop a system for Government Cloud by the end of FY 2025 with the goal of providing and improving upon highly convenient government services. In October 2021, the Japanese government announced its adoption of a U.S. public cloud service for Government Cloud in Japan, but a Cabinet council changed its policy in December 2021. Subsequenly the Government announced to promote “the use of hybrid cloud systems in accordance with the level of confidentiality of the information.” For the further development of Government Cloud in Japan, it is crucial to consider how to ensure low costs, ease of installation, and good scalability alongside data protection. Hitachi Research Institute will continue the research on Government Clouds around the world and propose how that of Japan should be like.

Author’s Introduction

Takeshi Matsumoto
Deputy General Manager, Hitachi Research Institute
His recent topics of research include digital technology / data policy, trade policy, He worked at the International Business Division of Hitachi, Ltd. and the Economic Partnership Division of the Trade Policy Bureau at the Ministry of Economy, Trade and Industry. His recent topics of research include digital technology and data policy, trade policy, corporate regional strategies, and business resilience.