What CISOs need to know about Europe’s GAIA-X cloud initiative

Europe doesn’t have a strong foothold in the cloud computing space. The rise of cloud hyperscalers out of the US and China—and European reliance on them—combined with an east-west trade war and fears of governments accessing data beyond their own borders is making some in the EU uncomfortable.

To remedy this, a new cloud initiative called GAIA-X from France and Germany looks to help European technology companies compete with the incumbents and offer European CIOs and CISOs a “made in Europe” cloud that provides guarantees around portability and privacy that is safe from foreign governments.

What is GAIA-X?

First announced in October 2019, the GAIA-X project provides a cloud platform that fits “European values” on issues such as data sovereignty, data protection and openness. GAIA-X is designed to be a competitor to cloud providers such as Microsoft Azure or Amazon Web Services (AWS).

Rather than creating a purpose-built competitor and building infrastructure from scratch, GAIA-X aims to be part marketplace, part standards and part certification body, offering a catalog of services from existing European vendors that have been adapted and certified to fit its requirements that the customer then contracts with the individual vendor. It plans to do this through a series of federated services and aligning participating network and interconnection providers as well as service providers to GAIA-X’s requirements.

Companies involved include Atos, Bosch, BMW, Deutsche Telekom, EDF, Orange, OVHcloud, SAP and Siemens. Use cases listed on the site so far focus largely around industrial, health, finance and public sector such as condition monitoring, edge datacenters, and medical records storage and sharing. Proofs of concept and an alpha release are expected later in 2021.

French telecom company Orange is among a group of European providers that joined the GAIA-X initiative from its inception. Cedric Prevost, director of trusted cloud solutions at Orange, says the company believes that GAIA-X is an opportunity to create a European data space with data sovereignty and transparency at its core, build a solid ground for trust in Europe, and leverage data protection regulations such as GDPR to bring the best infrastructure and data services to Europe. 

“GAIA-X is not meant to do better than current major cloud players by itself,” Prevost says. “It will bring more transparency to different key characteristics of cloud players’ offers, especially but not limited to sovereignty-related attributes, facilitating interoperability between providers and ensuring core values like reversibility or data privacy follow clear guidelines.”

Prevost says Orange’s existing public cloud offerings, such as Flexible Engine or Flexible Computing Advanced, will be available in the GAIA-X ecosystem, and it is mostly a matter of integrating these trusted services into the GAIA-X interoperability framework. 

Does GAIA-X have appeal for CIOs and CISOs?

Forrester reports that up to 80% of cloud workloads in Europe are already on at least one of the major cloud providers and only 12% of European enterprises chose a European-based public cloud provider, begging the question of why another provider is needed.

Data sovereignty around the cloud isn’t a new issue, and for many companies isn’t the most pressing issue. On the merits of its own technical capabilities, there might be limited appeal for GAIA-X, says Paul McKay, senior analyst on Forrester’s security and risk team, especially from the likes of UK clients. “The appeal is going to be towards European headquartered companies,” he adds. “I wouldn’t see it as having broad appeal to companies that are headquartered elsewhere with European operations. I’m not entirely convinced that that would cut it back in the head office location.”

Some of GAIA-X proposition is political. European reliance on Azure, AWS, and Google Cloud from the US and Alibaba’s cloud offerings out of China harms European providers, and politicians worry about ongoing trade disputes. This, combined with far-reaching regulation coming out of the US and China around access to data beyond their borders, might cause some European CIOs and CISOs to seek another viable option.

“It’s clear that while security is important, the level of security capability being offered by hyperscalers is seen as good enough by the majority of clients,” says McKay. “However, in some countries—and France and Germany are the two that come up most often—there’s still enough doubt as to the level of transparency and openness of the hyperscalers that they feel it’s necessary to create this kind of offer. If you look at the kind of use cases that they look to be targeting this towards, Europe probably does have a reasonable claim to make around having a leadership position.”

McKay says GAIA-X could appeal to organizations that seek more transparency around data sovereignty and where data resides and is processed from hyperscalers. This is especially true for use cases such as backup and recovery, processing sensitive data that the organization is required to know where it is at all times, or storing intellectual property in undesirable locations. “To compete with the hyperscalers, [GAIA-X] needs to focus on the areas where they can provide unique value, and that comes from the domain knowledge in industry-specific use cases,” he says. “I could see them competing as an alternative for those sensitive workloads if they can provide a set of solutions which solve problems in domains where customers are not happy to give to the existing market.”

As a member of GAIA-X founding panel, Siemens spokesman Yashar Azad says his company’s interest in the project is to fuel the growth of European data ecosystems. He says “virtually any use case that relies on generating insights from industrial data” is a potential candidate for use on GAIA-X.

However, when it comes to security, he says that Siemens has not been involved and any further details about the security of GAIA-X cannot be communicated with sufficient reliability yet partly because the GAIA-X Association, which is required to take binding design decisions, has yet to start operations. “We trust that both GAIA-X and the major cloud players will (continue to) take extensive measures to ensure cybersecurity. Please note that the value proposition of GAIA-X is less about offering a better cybersecurity and more about giving users better control over their data.”

What do CISOs need to know about GAIA-X?

GAIA-X’s appeal to security is largely around keeping “European values” around sovereignty at the core of its ecosystem. This is done through “policy rules” that all companies must respect to be part of GAIA-X. These include contracting terms that must allow reversibility without barriers and precise attributes of providers’ service descriptions around things like datacenter locations, GDPR compliance, or extra-territorial regulations such as the US CLOUD Act.

Prevost says that as it is a decentralized ecosystem, GAIA-X will provide three common services: a federated identity to ensure using multiple providers remains user friendly, a catalog of providers and their services to enable customers to find services, and a compliance framework to ensure that everyone plays by the rules within the ecosystem. “Details about the security features of the federated services of GAIA-X, like identity, is still largely in progress” he adds. “This is why it has not been fully described yet, but this will definitely be the case once the specifications are ready to start a beta phase.”

From what we do know, the federated identity and trust mechanisms will allow users to quickly push their designated security and sovereignty requirements across all GAIA-X services that a customer is using. The user decides what data resides where, where it is allowed to go, and who is allowed access to it. Users will be able to lift and shift data among different GAIA-X providers.

While some of its promises around enabling moving data and transparency could be a useful contribution to the market, McKay doubts whether there is enough differentiation to appeal to CIOs and CISOs. “I haven’t seen any evidence to suggest that this is going to make a huge dent in the European market beyond that the data sovereignty and the data security issues. I need to see the compelling business value that’s going to make CIOs take it seriously.”

A main issue around GAIA-X is the lack of details about how the project would work in practice, both around security and generally. “It’s still white papers,” McKay says. “None of that is fleshed out yet. That’s the problem. We need to see something real hit the road very soon if this is going to fly.”

McKay wants to see more clarity around the European Cloud Security certification scheme, which could see GAIA-X working with ENISA to create a banded set of assurances for users to see which services can offer the security, transparency, openness and regulatory guarantees required for specific data and workloads. “The bit that’s missing from all of this is what is this precise set of security requirements, control objectives and so on and so forth, the usual kind of detail that you’d expect to see as to what’s going to be required at each of those levels….That is going to be quite important to where service providers and their service offerings are going to fall within the vendor pack.”

There are likely to be problems around expecting cloud providers to demonstrate “ex-ante” compliance (i.e., you can prove compliance with the rules before a breach of the rules) with the GAIA-X security requirements once defined. “This means that cloud providers will have to have dynamic means of continuously proving compliance and implementing technical means to show the movement of data, its compliance with the customers wishes around where data is resident,” says McKay. “While some aspects of this type of monitoring is already in existence, for some GAIA-X service providers, doing this and being sure of it being considered ex-ante in a fail-safe manner by the regulatory bodies overseeing the certification of GAIA-X will be tough.”

McKay is currently advising that CISOs keep eye on GAIA-X but not give it serious thought until it proves that it can provide real value and CIOs start to look more closely at adoption. “If those proofs of concept fail or they didn’t deliver the value that’s expected by at least the middle of next year,  and we don’t see something working that has unique market value from a busines capability as well as the security elements, then I don’t see how this initiative has long term future. The next six to nine months is really crucial as to whether that will happen or not to me.”

At the same time, the large cloud providers are not standing still. As well as joining GAIA-X, many are increasing efforts around confidential computing and challenging government reach. Microsoft recently promised to challenge every government request for public sector or enterprise customer data from any government where there is a legal basis to do so, and that it will provide monetary compensation to customers if data is disclosed in response to a government request that violates GDPR.

In the short term, McKay says there needs to be good staffing decisions made around the leadership of the GX foundation to push the project on. To be a success long term, he thinks the EU needs to start to wrapping its arms around the project and link it to the broader digital single market strategy to appeal more widely across the continent and beyond just France and Germany.

McKay also warns that GAIA-X could harm its own chances in the market if it succumbs to “protectionist pitfalls” and finds adoption among government bodies purely out of a desire to avoid the large incumbents. “I don’t see how that’s going to help its reputation in the market if it’s seen to be being provided by public sector on the basis of the sovereignty and where that provider happens to have their headquarters, as opposed to winning because it deserves to win and offers the best technical solution to the government bodies’ requirements,” he says. “It has to win because it deserves to win. It needs to be the best technical solution, not just the best French solution or the best German solution.”