How Zero Trust and Confidential Computing Ensure Secure Data Flow in the Cloud-Edge Continuum

Digital ecosystems must be scalable, flexible, and secure. A Multi-Provider Cloud-Edge Continuum increases scalability and flexibility by dynamically distributing resources and applications between cloud and edge services. To enable this future, FACIS provides a framework of open standards and SLA Governance for secure data flow across borders and industries. But more is needed: To achieve continuous and comprehensive security of data and applications, modern security concepts such as Zero Trust and Confidential Computing are crucial.

By Emma Wehrwein and Oliver Schonschek

When clearly defined, homogeneous IT infrastructures become heterogeneous, distributed digital structures, new security approaches are required. This already applies to the IT structures of a single organization: When the data and applications to be protected are no longer exclusively within the classic corporate network but also need to integrate decentralized locations such as branches, home offices, and external partners, the distinction between internal and external access to applications and data is no longer applicable. Threats can come from both internal and external sources, with users and systems acting either legitimately or maliciously, regardless of their origin.

Digital ecosystems consist of a multitude of such distributed corporate networks that are interconnected, for example, in trade supply chains, ranging from the IT infrastructures of producers and distributors to logistics partners, warehouses, and points of sale, to customers who are also involved in digital ordering and payment processes. Every person, device, and application can pose a risk in the data flow that needs to be monitored and controlled.

Distributed Ecosystems Require a New Trust Basis

To address this challenge, the Zero Trust security model has emerged as a key approach: No device, user, or access attempt is initially trusted, regardless of whether the access comes from internal or external sources. Access to data and applications is granted only through continuous, risk-based authentication and authorization – this applies equally to internal and external employees, and thus, for example, to an entire supply chain with all its participants.

Zero Trust is scalable beyond the protection of individual corporate infrastructures. It increases security not only for individual organizations but also for entire digital ecosystems by continuously verifying identities, restricting access, and dynamically enforcing policies.

To strengthen the development of such secure digital ecosystems, the EU has launched the 8ra Initiative.

The Multi-Provider Cloud-Edge Continuum

The 8ra Initiative lays the foundation for a decentralized, interoperable, and secure Multi-Provider Cloud-Edge Continuum (MPCEC) that ensures seamless IT services across providers and national borders. The overall goal: creating a connected, sovereign digital infrastructure for Europe. Here, “Cloud-Edge Continuum” denotes the integration of edge and cloud computing, enabling new and optimized ways of processing and storing data in distributed networks, for example for EU-wide health applications, widely distributed smart farming projects, or complete EU-wide supply chains.

Depending on the need, data and applications are placed at edge locations (near end devices or sensors) or in the cloud. This enables faster processing of real-time data at the network edge, while less time- and security-critical tasks are performed in the cloud. The novel “Cloud-Edge Continuum” is crucial for applications that require both low latency and fast connectivity, such as EU-wide trade processes based on ECR (Efficient Consumer Response).

However, such a Multi-Provider Cloud-Edge Continuum is a complex, distributed ecosystem where different infrastructures from various providers must work together. Ensuring secure and agile data flows requires a robust security architecture: The Zero Trust model meets this need by eliminating implicit trust and enforcing continuous, context-based authentication and authorization for every access request.
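The continuous, context-based authorization described here and under “Distributed Ecosystems Require a New Trust Basis” can be made concrete as a small policy decision point. The following is an added example and not code from the article, FACIS or 8ra; the risk weights, thresholds, subject names and sample requests are constructed for illustration. Its point is that the network origin of a request is recorded but never earns trust: an internal administrator without strong authentication is sent to re-authentication, while an external analyst on a compliant device is allowed, and a verification that has aged past the policy limit always triggers re-verification.

```python
"""Minimal Zero Trust policy decision point (constructed example).

Every request is evaluated on its own context: identity assurance, device
posture, freshness of the last verification and the sensitivity of the
resource.  The origin field ("internal"/"external") is deliberately ignored
by the risk assessment: there is no implicit trust in the corporate network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str                # identity making the request (constructed names)
    resource: str               # resource being accessed
    sensitivity: str            # "low" | "medium" | "high"
    origin: str                 # "internal" | "external" (logged, never trusted)
    mfa_verified: bool          # strong authentication completed for this session
    device_managed: bool        # device enrolled and under management
    device_patched: bool        # posture check (patch level) passed
    seconds_since_verify: int   # age of the last successful verification
    action: str = "read"


@dataclass
class Decision:
    outcome: str                # "allow" | "step_up" | "deny"
    risk_score: int
    reasons: List[str] = field(default_factory=list)


# Policy parameters: assumed values for this example, not a published policy.
REVERIFY_AFTER_SECONDS = 900
SENSITIVITY_WEIGHT = {"low": 0, "medium": 1, "high": 2}
STEP_UP_THRESHOLD = 4
DENY_THRESHOLD = 7


def assess_risk(req: AccessRequest) -> Tuple[int, List[str]]:
    """Accumulate a risk score from the request context; origin is not a factor."""
    score = SENSITIVITY_WEIGHT[req.sensitivity]
    reasons: List[str] = []
    if not req.mfa_verified:
        score += 3
        reasons.append("no strong authentication")
    if not req.device_managed:
        score += 3
        reasons.append("unmanaged device")
    if not req.device_patched:
        score += 2
        reasons.append("device posture check failed")
    if req.action != "read":
        score += 1
        reasons.append("write access requested")
    return score, reasons


def decide(req: AccessRequest) -> Decision:
    """Map context to allow / step_up / deny; hard rules override the score."""
    score, reasons = assess_risk(req)
    # Hard rule: high-sensitivity data only with MFA on a managed device.
    if req.sensitivity == "high" and not (req.mfa_verified and req.device_managed):
        return Decision("deny", score,
                        reasons + ["hard rule: high sensitivity requires MFA on a managed device"])
    if score >= DENY_THRESHOLD:
        return Decision("deny", score, reasons)
    stale = req.seconds_since_verify > REVERIFY_AFTER_SECONDS
    if score >= STEP_UP_THRESHOLD or stale:
        if stale:
            reasons = reasons + ["verification older than policy allows"]
        return Decision("step_up", score, reasons + ["re-authentication required before access"])
    return Decision("allow", score, reasons)


# Constructed sample requests from a smart-farming data flow.
SAMPLE_REQUESTS = [
    AccessRequest("ops-admin", "soil-moisture-feed", "medium", "internal", False, True, True, 120),
    AccessRequest("agronomist", "yield-model", "high", "external", True, True, True, 200),
    AccessRequest("contractor", "yield-model", "high", "external", True, False, False, 60, action="write"),
    AccessRequest("field-gateway", "telemetry-ingest", "low", "internal", True, True, True, 3600),
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> Dict[str, str]:
    """Return the outcome per subject so the policy can be checked as a table."""
    return {r.subject: decide(r).outcome for r in requests}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = decide(r)
        print(f"{r.subject:13} {r.origin:9} -> {d.outcome:8} (risk {d.risk_score}) "
              + "; ".join(d.reasons))
```

Running the block prints one line per request; the internal administrator ends in `step_up`, the external agronomist in `allow`, which is exactly the inversion of a perimeter model. In a real deployment the posture and identity signals would come from an identity provider and a device-management service rather than from fields set in the request.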

Zero Trust as a Security Anchor: Using Smart Farming as an Example

An example: In smart farming projects, data is collected via IoT (Internet of Things) sensors on the fields of numerous agricultural enterprises across Europe to gain insights into the impact of climate change on soil values and plants. The goal is a more sustainable and efficient production of agricultural food.

In this case, sensors from different manufacturers are used, and the participating agricultural enterprises are customers of various cloud providers who, in turn, collaborate with multiple edge service providers. Therefore, sensor data flows from the fields through numerous cloud and edge environments and crosses national borders to be evaluated at various nodes.

Since a smart farming ecosystem is very heterogeneous, it does not have a unified security and identity infrastructure. There is no fixed, defined structure that would enable central trust, as the involved devices and partners are too dynamic and diverse. However, the integrity, availability, and protection of data are essential if IoT analyses are to reliably help, for example, with sustainable irrigation and fertilization of agricultural land. Cyberattacks on agricultural systems are not purely theoretical threats; they are already happening.

In extreme cases, manipulated or missing data could lead to crop damage, harvest failures, and, on a large scale, difficulties in food supply. A Zero Trust concept provides the necessary overarching, decentralized security structure and ensures continuous risk assessment before internal and external access to the protected data is granted. This approach is crucial for protecting critical information. Smart farming is just one example.

Health records in modern EU-wide e-health services are another instance involving highly sensitive data. Whether during the treatment of patients abroad in the EU, where data must be securely and reliably transmitted between doctors, or in medical research that uses an EU-wide data space: Access to highly sensitive health data occurs from different cloud and edge environments of various operators and must always be monitored and controlled according to the Zero Trust concept, considering the respective risk.

Continuously Protected Data in the Multi-Provider Cloud-Edge Continuum

The Zero Trust security model usually does not end with considering devices and users who want to access data and applications in the Cloud-Edge Continuum. Providers and administrators in the Multi-Provider Cloud-Edge Continuum are also actors that need to be included in the security strategy. It is imperative to strictly prevent unauthorized access to protected data, regardless of the location of the data and applications or the entity responsible for operating the cloud or edge services.

For example, it should not be possible for the IT service provider of an agricultural enterprise to gain unprotected access to the data flow in the mentioned smart farming project. Similarly, it should not happen that one of the cloud providers in an EU-wide trade supply chain can view confidential data.

Confidential Computing

While Zero Trust secures access to data and applications, another key technology is Confidential Computing, which ensures the protection of sensitive data during processing, for example, during IoT analyses in the smart farming project.

Confidential Computing is particularly crucial in sectors such as finance, healthcare, and government, where data confidentiality and compliance with legal regulations are non-negotiable. While data is often encrypted during storage (data at rest) or transmission (data in transit), it is usually unprotected during processing (data in use) and thus vulnerable to attacks. Confidential Computing addresses this risk by creating enclaves – isolated, encrypted environments within the hardware where data can be securely processed. These enclaves use hardware-based security features developed by leading manufacturers. Thus, Confidential Computing can protect data even in unattended, uncontrolled cloud environments, ensuring compliance with the highest security standards in a Multi-Provider Cloud-Edge Continuum.
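The paragraph above explains that an enclave protects data in use even when the cloud or edge operator is not trusted. What it does not spell out is how a data owner knows it is handing a key to a genuine, unmodified enclave rather than to the operator's own process: in practice this is done by remote attestation, where the hardware signs a measurement of the loaded code and a relying party checks it before releasing anything. The following is an added example and not code from the article or FACIS; it goes beyond the paragraph by showing that verification step. The HMAC with a shared “hardware root key” stands in for the hardware-signed attestation report of a real TEE, and all measurements, keys and workload names are constructed.

```python
"""Attestation-gated key release (constructed simulation).

A key broker acting for the data owner releases the decryption key for
sensor data only to a workload whose attestation report (1) is signed by the
hardware, (2) answers a fresh challenge, (3) is not in debug mode and
(4) carries an allow-listed code measurement.  The host operator, who has
none of these, never sees the key.  HMAC over a shared root key simulates
the hardware signature; a real TEE uses asymmetric vendor-rooted keys.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set, Tuple

# Simulated hardware root of trust (constructed value).
HARDWARE_ROOT_KEY = b"constructed-hardware-root-key"


def measure(code: bytes) -> str:
    """Measurement of the loaded workload, as the hardware would compute it."""
    return hashlib.sha256(code).hexdigest()


def _sign(body: dict) -> str:
    return hmac.new(HARDWARE_ROOT_KEY, json.dumps(body, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def issue_attestation_report(code: bytes, nonce: str) -> dict:
    """Hardware side: bind measurement and the verifier's nonce, then sign."""
    body = {"measurement": measure(code), "nonce": nonce, "debug_enabled": False}
    return {"body": body, "mac": _sign(body)}


class KeyBroker:
    """Relying party: verifies reports and releases the data key only on success."""

    def __init__(self, allowed_measurements: Set[str], data_key: bytes):
        self._allowed = allowed_measurements
        self._data_key = data_key
        self._nonces: Set[str] = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def release_key(self, report: dict) -> Tuple[bool, str, Optional[bytes]]:
        body = report["body"]
        # 1. Signature first: an unsigned claim is worthless however good it looks.
        if not hmac.compare_digest(_sign(body), report["mac"]):
            return False, "report signature invalid", None
        # 2. Freshness: nonce must be one we issued, and is consumed on use.
        if body["nonce"] not in self._nonces:
            return False, "nonce unknown or replayed", None
        self._nonces.discard(body["nonce"])
        # 3. A debug enclave exposes its memory to the operator.
        if body.get("debug_enabled"):
            return False, "enclave in debug mode", None
        # 4. Only the reviewed workload build may receive the key.
        if body["measurement"] not in self._allowed:
            return False, "measurement not in allow-list", None
        return True, "attested", self._data_key


def run_scenarios() -> Dict[str, bool]:
    """Exercise the broker with a genuine, a modified, a forged and a replayed report."""
    data_key = b"constructed-data-encryption-key"
    good_code = b"analytics-workload-v1"            # constructed stand-in for enclave code
    modified_code = b"analytics-workload-v1-modified"
    broker = KeyBroker({measure(good_code)}, data_key)
    results: Dict[str, bool] = {}

    ok, _, key = broker.release_key(issue_attestation_report(good_code, broker.challenge()))
    results["approved_workload"] = ok and key == data_key

    ok, _, _ = broker.release_key(issue_attestation_report(modified_code, broker.challenge()))
    results["modified_workload"] = ok

    forged = issue_attestation_report(modified_code, broker.challenge())
    forged["body"]["measurement"] = measure(good_code)   # claim without a valid signature
    ok, _, _ = broker.release_key(forged)
    results["forged_report"] = ok

    report = issue_attestation_report(good_code, broker.challenge())
    broker.release_key(report)                           # first use succeeds
    ok, _, _ = broker.release_key(report)                # second use is a replay
    results["replayed_report"] = ok
    return results


if __name__ == "__main__":
    for name, released in run_scenarios().items():
        print(f"{name:18} key released: {released}")
```

Only the first scenario obtains the key; the other three show the checks a relying party must keep in that order (signature, freshness, debug state, measurement). In a Multi-Provider Cloud-Edge Continuum the broker would be operated by the data owner or a trusted third party, not by the cloud or edge provider running the enclave.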

Data Security Requires Identity Security

Confidential Computing is not only an important complement to the Zero Trust approach but can be seen as a foundation of Zero Trust security. A crucial step in verifying access to data and applications in Zero Trust is controlling digital identities in the Cloud-Edge Continuum. For example, in EU citizen services, EU ID Wallets will be used, providing citizens with a universal, trusted, and secure way to identify themselves – not only when accessing public and private services but also allowing them to store digital documents and have full control over how their data is processed by both private and public organizations.

For the security of digital identities, secure hosting of these EU ID Wallets is fundamental. Therefore, the Wallets of participants in a digital ecosystem should ideally be hosted in a Confidential Computing environment. With such protected identity, the Zero Trust concept gains a trust anchor for further risk-based access control.

FACIS will integrate the concept of the European Digital Identity (EUDI) into digital contract signing and will create a seamless and legally secure mechanism for cloud-based contract signing with legal recognition based on the eIDAS regulation (Electronic Identification, Authentication, and Trust Services). The Digital Contracting Service aims for immediate identity verification and authentication in multi-party contracts as well as EU-wide legal compliance, enabling efficient collaboration.

Two Concepts Combined for Cumulative Security Power

By protecting sensitive information during processing, Confidential Computing, combined with Zero Trust mechanisms, creates the necessary trust in digital applications and ensures data protection, integrity, and security even in complex digital ecosystems, whether in healthcare, finance, citizen services, trade, or smart farming.

Together, these technologies ensure data protection and sovereignty for all participants in the continuum and fully comply with the General Data Protection Regulation (GDPR) and other relevant regulations while mitigating risks from potential breaches or vulnerabilities within the distributed infrastructure.

Defragmentation of Security in the Multi-Provider Cloud-Edge Continuum

However, it must be clear: Security mechanisms and tools within the Multi-Provider Cloud-Edge Continuum must be interoperable so that all participants can benefit from Zero Trust and Confidential Computing. Accordingly, security requirements should be embedded as fundamental elements of the SLA Framework of the digital ecosystem to ensure unified protection for every participant.

Interoperability is key not only for security but also, more generally, for overcoming the fragmentation of Europe’s digital landscape, as it enables the urgently needed flexible and scalable digital business cooperation across Europe. This is therefore the main goal of FACIS’s contributions. By utilizing architectural frameworks such as Federation Architecture Patterns (FAPs), introducing machine-readable Service Level Agreements (SLAs), and using Low-Code Orchestration Platforms, FACIS ensures that multi-provider infrastructures can be orchestrated as a coherent, scalable, and secure ecosystem. These solutions are supported by open-source innovations and robust Governance Frameworks, promoting transparency and inclusivity within the European cloud-edge landscape.

A Comprehensive Security Framework for Distributed Ecosystems

In summary, Zero Trust and Confidential Computing are crucial to overcome fragmentation in Europe’s digital landscape. Therefore, these concepts are inseparably linked to FACIS.

By ensuring robust security in multi-provider environments, they protect data and applications, regardless of location. Combined with strong governance and architectural frameworks, these technologies promote a coherent, secure, and transparent cloud-edge ecosystem.

KEY TAKEAWAYS FOR PRACTICE

  • For secure data flow in digital ecosystems, overarching security concepts must be used that monitor and control every data access based on risk, regardless of who is accessing (Zero Trust concept).
  • Data must be protected from unauthorized access during storage, transmission, and processing. Confidential Computing enables this protection through isolated, encrypted environments where data can be securely processed.
  • Open-source innovations such as Federation Architecture Patterns (FAPs), machine-readable SLAs, a joint SLA Governance Framework, and Low-Code Orchestration Platforms, combined with Zero Trust and Confidential Computing, will ensure that multi-provider infrastructures function as a unified, scalable, and secure ecosystem.

Every Month on LinkedIn and www.facis.eu
Every month, we will guide you through the world of FACIS on LinkedIn and www.facis.eu. Our analyses give background and insights into the security aspects of FACIS and its mission to create a unified, scalable, and sovereign multi-provider cloud-edge continuum.

Heading this series of articles is Emma Wehrwein. Emma is Senior Manager Innovation & Digital Ecosystems at eco, the Internet Industry Association, and is the Project Lead at FACIS. She studied business informatics and worked for many years as a project manager in the chemical industry before joining eco. She led the BMWK-funded project to develop the first Gaia-X Federation Services, now contributing to the Eclipse Foundation’s ecosystem as the XFSC Project. Emma Wehrwein is supported on this blog by Oliver Schonschek, a security news analyst, physicist and journalist who has been writing about security and digital transformation for twenty years.


Emma Wehrwein
Project Lead FACIS
Oliver Schonschek
Security & Digital Transformation Journalist