Feature story from Germany: Resilience of civil data centres of the federal administration, especially in a defence case

10.12.2024

In the rapidly evolving landscape of digital transformation, both society and governments face unprecedented opportunities and challenges. It is imperative that authorities proactively adapt their IT infrastructures to ensure resilience, not only in day-to-day operations, but also in the face of potential military scenarios.

Data centres are at the heart of this digital evolution, underpinning the essential infrastructure that supports public authorities, critical services, and businesses alike. Their secure operation is paramount, especially as the landscape of digital threats continues to expand. By prioritising robust security measures and fostering a culture of preparedness, we can confidently navigate the complexities of the digital age, protecting our communities and enhancing our collective resilience.

We have conducted a comprehensive audit of the resilience of the federal administration’s civil data centres in Germany in the context of defence readiness. This audit included engagement with key authorities on matters of civil defence, digitisation, and information security, alongside a thorough audit of the data centres themselves.

Challenges for the federal administration’s civil data centres

In times of war, data centres face an increased risk of targeted attacks from hostile actors, including state-sponsored cyber warfare units, terrorist organisations, and hacktivists. These actors may seek to exploit security vulnerabilities to disrupt operations, steal sensitive data or compromise critical systems.

Wars and armed conflicts pose significant risks to critical infrastructure, including power grids, telecommunications networks, and Internet connections. Data centres, which rely heavily on these components, can suffer outages, data loss and business interruptions as a result of such disruptions.

In the aftermath of a conflict or military attack, data centre operators often face significant challenges due to limited personnel, equipment and financial resources. The destruction of infrastructure, migration of personnel and disruption in supply chains can hamper recovery efforts and prolong the duration of outages.

Data centre resilience

Resilience generally refers to the ability of a system, community or society to withstand, absorb, adapt to and recover from the effects of hazards in a timely and efficient manner. When applied specifically to data centres, resilience embodies the ability to sustain operations despite disruptions, including natural disasters, cyber-attacks and geopolitical conflicts. Resilience enables data centres to provide critical support and services, ensuring stability and continuity in an ever-changing world.

To effectively prepare for emergencies, such as defence situations, it is essential to implement several strategic measures during peacetime. By taking proactive steps, organisations can enhance their resilience and preparedness and ensure that they are well equipped to deal with potential crises. These measures should include:

  • Geographical distribution: Establishing a network of data centres distributed over a wide area can significantly reduce the impact of regional disasters such as earthquakes, floods, or conflicts. This geographical diversity increases the overall stability and reliability of IT services.
  • Robust physical and technical security: Data centres must be fortified with strong physical security measures to prevent unauthorised access, vandalism, and sabotage. Selecting secure locations, and even using underground bunkers that are resistant to various attacks, can provide an additional layer of protection.
  • Redundant infrastructures: To eliminate single points of failure, data centres should have backup systems for critical components like power, network connections, and cooling. These redundant systems should be strategically located in different fire zones.
  • Scalability and flexibility: Resilient data centres must be able to scale and adapt to changing needs. Modular designs and flexible configurations allow for the efficient handling of varying workloads. Adherence to standards is crucial for the seamless transfer of components or services between different organisations or federal government bodies.
  • Comprehensive monitoring and management: Implementing continuous monitoring systems enables early detection of, and response to, potential issues or attacks, preventing them from escalating into serious problems.
  • Disaster recovery and business continuity: Authorities should develop detailed plans for disaster recovery and business continuity in the event of a crisis. This includes having a trained emergency response team and strategies to ensure the continuity of critical services.

By adopting these strategies, data centres can enhance their resilience, ensuring they remain robust and reliable even in the face of challenges.

Audit approach and observations

In our discussions with eleven federal bodies, we explored their strategies for improving data centre resilience. While these discussions revealed a commendable commitment to strengthening resilience and advancing digitisation, we also identified inconsistencies in the implementation of these initiatives across different authorities.

When it comes to the resilience of civilian government data centres, our findings highlight the need for a more unified approach to ensure robust, consistent and cost-efficient protection of federal bodies.

Our assessment of civilian government data centres revealed several key findings:

  • Our audit showed that many federal bodies have yet to fully analyse or prioritise their critical business processes. This challenge is evident both within and across federal bodies.
  • Once critical business processes have been identified, it is essential for the government to conduct comprehensive risk analyses. These analyses should focus on understanding the dependencies on IT infrastructures, particularly data centres, and how these dependencies can be effectively managed.
  • The administration should develop a comprehensive strategic vision for its data centre landscape and architecture.
  • It is essential to establish binding strategic guidelines for ensuring the resilience of data centres that can be applied across all federal bodies.
  • Our audits revealed different approaches to creating data centre redundancies across different federal bodies, with varying levels of effectiveness and cost-efficiency. The overarching aim should be to develop a resilient data centre landscape capable of withstanding a wide range of threats, including those related to military defence.
  • There is currently a lack of mandatory, universally applicable criteria for determining when critical IT services should be configured in a geo-redundant manner and how to manage residual risks. This is particularly important for centralised IT services used by multiple federal bodies.
  • The federal administration needs to prioritise its critical IT services across federal bodies, particularly in the context of potential resource constraints, including financial, equipment, and human resource constraints.