Deutschland-Stack: Sovereign administration with over 50 open standards
Cloud and Infrastructure: SCS as the Foundation
On the infrastructure level, the Stack defines two layers. The lowest, virtualized software-based infrastructure, covers the network level with the MEF-70 standard for Software-Defined Wide Area Networks (SD-WAN) and Network Function Virtualization (NFV) according to the ETSI standard. Both aim to make the networking of authority locations software-based and flexible instead of relying on proprietary hardware appliances. Standards for software-defined storage and for the management of virtual machines, however, are still missing.
The overlying cloud layer names three central pillars: the standards of the German Verwaltungscloud (DVC), OpenStack as an open-source cloud platform, and the Sovereign Cloud Stack (SCS). The Sovereign Cloud Stack, developed by the Open Source Business Alliance (OSBA) and formerly supported by the Federal Ministry for Economic Affairs and Climate Action, builds on OpenStack and Kubernetes and defines a completely open, interoperable cloud technology stack.
The fact that the SCS is included in the Deutschland-Stack is noteworthy: Federal funding for the project had expired, which had caused considerable criticism in the open-source community. Its inclusion in the binding standard catalog could give the project new momentum.
The cloud layer is supplemented by the EVB-IT – the Supplementary Contract Conditions for the Procurement of IT Services, i.e., the standard contract templates of the public sector. However, standardized service level agreements are still missing for practically all relevant operating areas: Compute, Storage, Communication, Logging, Backup, Support, Cost Calculation, and Performance Management.
Modern Software Development Becomes Administrative Standard
The most extensive layer of the entire Stack is that of integrated lifecycle (DevSecOps) and interface management. It reads like the toolset of a modern software engineering team.
For software development, the catalog defines Git as the version control system and names CI/CD pipelines for automated build and deployment processes, Infrastructure as Code (IaC), and Policies as Code (PaC) as standards. Particularly noteworthy is the inclusion of SBOM (Software Bill of Materials), i.e., machine-readable parts lists of all software components, which are crucial for securing software supply chains. This is supplemented by OWASP, the Open Web Application Security Project, as a framework for web application security.
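As an added illustration of what such a machine-readable parts list enables (this is example code, not from the article or the Deutschland-Stack catalog), the following Python reads a constructed CycloneDX-style SBOM and matches its components against a constructed advisory table; the component names, versions and advisory IDs are made up for the example.

```python
import json

# Constructed CycloneDX 1.5 SBOM for an imaginary portal service; names and
# versions are made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {"component": {"type": "application", "name": "portal", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1", "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "urllib3", "version": "1.26.5", "purl": "pkg:pypi/urllib3@1.26.5"},
    {"type": "library", "name": "jinja2", "version": "3.1.4", "purl": "pkg:pypi/jinja2@3.1.4"}
  ]
}"""

# Constructed advisory table: (purl type, package name) -> first fixed version.
# Real feeds carry full affected ranges; this example handles only "fixed in X".
ADVISORIES = {
    ("pypi", "requests"): {"id": "ADV-EXAMPLE-0001", "fixed": "2.31.0"},
    ("pypi", "jinja2"): {"id": "ADV-EXAMPLE-0002", "fixed": "3.1.4"},
}


def parse_version(version: str) -> tuple:
    # Numeric dotted versions only (sufficient for the constructed data).
    return tuple(int(part) for part in version.split("."))


def parse_purl(purl: str) -> tuple:
    # pkg:type/[namespace/]name@version[?qualifiers][#subpath]
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, rest = body.split("/", 1)
    name, _, version = rest.rsplit("/", 1)[-1].partition("@")
    return ptype, name, version


def affected_components(sbom_text: str, advisories: dict) -> list:
    # Walk the SBOM's component list and report (purl, advisory id, fixed version)
    # for every component whose version is below the advisory's fix.
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        if "purl" not in comp:
            continue
        ptype, name, version = parse_purl(comp["purl"])
        adv = advisories.get((ptype, name))
        if adv and parse_version(version) < parse_version(adv["fixed"]):
            findings.append((comp["purl"], adv["id"], adv["fixed"]))
    return findings
```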
For interface management, the Stack defines a broad API ecosystem: REST and OpenAPI as the basis, supplemented by gRPC for high-performance service-to-service communication, GraphQL for flexible data queries, and MQTT as a lightweight messaging protocol, which is particularly relevant for IoT scenarios and smart city applications. Kubernetes is defined as the standard for container orchestration.
The document names IPv6, HTTPS, FTPS, SMTPS, and QUIC as prerequisite base protocols. QUIC, the still young transport protocol, underlies HTTP/3, which is increasingly establishing itself on the internet. That QUIC is explicitly listed as a prerequisite protocol is unusually progressive for an administrative document.
Here too, there are open issues: Standards for observability, security tooling (SIEM, IDS, EDR), static and dynamic code analysis, as well as for package management, service mesh, and service discovery are still missing.
IT Security: Post-Quantum Cryptography Fully Planned
The IT security layer combines proven frameworks with future-oriented cryptography standards. The overarching frameworks are BSI IT-Grundschutz, the Technical Guidelines of the BSI, and the C5 catalog (Cloud Computing Compliance Criteria Catalogue). These are entirely established instruments that already form the security framework for administrative IT today.
In terms of cryptography, the Stack relies on the classic triad of AES (symmetric encryption), RSA, and ECC (asymmetric methods). However, the real message lies in a fourth standard: ML-KEM – the Module-Lattice-based Key Encapsulation Mechanism is a post-quantum standard for key exchange. It is intended to complement or replace classic public-key methods like RSA and ECC in this field in the long term. The fact that German administration is already including post-quantum cryptography in its standard catalog is a clear signal: it wants to be prepared before cryptographically relevant quantum computers become a reality.
For identity and access management, the Stack defines a complete protocol stack: OAuth for token-based authorization, OpenID Connect (OIDC) for federated authentication, JSON Web Token (JWT) as the token format, and OTP-based multi-factor authentication. This stack is suitable as a technical basis for federated identity services.
What is still missing is a format for crypto-agility, i.e., the ability to exchange cryptographic methods quickly and systematically when they are compromised. Given the post-quantum topic, this is a non-trivial gap.