Gaia X — sovereign and rational ?

Federal Minister for Economic Affairs and Energy Peter Altmaier announced the initiative at Digital Summit 2019 and called it a “moonshot” that would be “central for Germany, for France and for Europe when it comes to economic strength and sovereignty.” Except for a few insiders, most of the attendees were surprised.

Gaia-X: a name that makes you sit up and take notice. In Greek mythology, Gaia is the mother of all Titans and the subsequent gods, the origin of all of us. Choosing this name to justify the claim of being and becoming the leading "digital ecosystem" in Europe shows either overconfidence or a sense of reality, because where nothing happens, even the smallest activity is leading. The name may simply be due to excessive marketing, so the content is all the more important.

What is Gaia-X?

In short: connecting existing cloud providers with cloud services (SaaS, PaaS etc.) and customers (mainly SMEs) while establishing the highest data protection standards. In this way, Gaia-X aims to create a transparent, open digital ecosystem for Europe in which data and services can be made available, merged and shared in a trustworthy manner (BMWi).

Originally, the ecosystem was intended as a bastion against Amazon, Microsoft and Google. Not much is left of the claim to be a unique European sovereign solution: the initiative quickly had to realize that it would not work without the big tech companies. Amazon is particularly active in the working groups. No wonder, because Gaia-X is basically a marketplace for cloud solutions. Amazon and Alibaba know from experience how to build such an infrastructure and are now looking forward to even better times for their business in B2B and B2G.

The idea is smart and rational on paper; reality, however, will catch up with the idea. The phrase “if you don't know what to do, found a working group” describes the current status. 22 companies and organizations (11 from Germany and 11 from France) founded an international non-profit organization under Belgian law in June 2020. The purpose and goal of the association is to consolidate and facilitate the work and cooperation within the GAIA-X community, which consists of companies and organizations that are actively involved in the development of GAIA-X. Not only the many participants and the interests that need to be taken into account, but also the comprehensive, complex functionalities will put the undertaking a long way off. According to BMWi, the technical implementation of the federated services will initially focus on:

  • “Implementation of a secure and federated identity management and the creation of trust mechanisms (Security and Privacy by Design)
  • development of sovereign data services that guarantee the identity of the source and recipient of the data and ensure access and usage rights to the data
  • provision of user-friendly access to available providers, nodes and services. The necessary information is provided by the federated catalog.
  • integration of existing standards to ensure interoperability and portability between infrastructure, applications and data
  • introduction of compliance rules as well as certification and accreditation offers
  • provision of open source software and standards to help providers migrate to a secure, federated and interoperable infrastructure.”

In addition to the 22 founding members, around 300 companies, research institutes and public institutions are participating in Gaia-X; many hope to be accepted into the association.

(Too) many interests, one goal?

Around 40 usage scenarios for areas such as manufacturing, healthcare, energy and the public sector are currently under development. Is it really necessary to develop usage scenarios first? Shouldn’t the benefits be self-explanatory? Secure and federated identity management is to be used. Anyone who remembers the ordeal of recognizing European trust centers (e.g. EU-DLR) knows what a Sisyphean task that is. Not to mention the many EU projects for the application of identities, such as FIDES and STORK, whose success is still written in the stars or which have been buried. In contrast, the topic of certification and accreditation is treated somewhat half-heartedly, although it could help trustworthiness. There are different levels of certification, starting with a self-declaration by the providers, which does not necessarily indicate a high security standard; the higher levels are checked by independent accreditation bodies via document study. Existing certifications can also be used as evidence. So it is the status quo: so far, there are no special security or trust anchors.

Conclusion as of May 2021 after 18 months: Good idea, complex requirements, unrealistic planning in terms of content, organization and time.

A marketplace where SMEs can select suitable and certified solutions (IaaS, PaaS, SaaS) for their use cases would be more results-oriented. This does not require a sophisticated architecture with various interfaces to be standardized, policies, a highly complex, compliant, promoted IDM, or countless use cases, which arise through demand itself.

However, the development of an EU government cloud including open data would indeed be desirable. No benefit scenarios would have to be developed for this; they would be obvious.

To be continued — feedback welcome.

Curious, wondering European German. Management consultant.