Airbus to migrate critical apps to a sovereign Euro cloud

Airbus is preparing to tender a major contract to migrate mission-critical workloads to a digitally sovereign European cloud – but estimates only an 80/20 chance of finding a suitable provider. The aerospace manufacturer, which …

  1. Doctor Syntax Silver badge

    He has systems on his own computers. He wants to move to the cloud somebody else's computer but isn't sure he can find a cloud somebody else whose computer he can trust.

    Do those slight adjustments suggest a clearer course of action he might consider?

    1. elsergiovolador Silver badge

      When put that way, it seems like this is more about tax planning and kickbacks than resilience.

      1. Pirate Peter

        the main benefit of cloud infrastructure is the ability to expand and contract your compute estate while only paying for resource consumption

        if you own your own systems, then your costs are constant regardless of the amount of resource consumption, and once you hit the limit of your resources you have to go through a CAPEX tender process and all the delays associated, all of this leads to poor performance due to over provisioning to sweat the maximum out of your assets (as demanded by the bean counters)

        you then have to put in place expensive security and monitoring systems to fend off attacks, which in a major cloud environment are shared amongst all the customers so you get best of breed security and monitoring for a fraction of what it would cost on your own systems without any long contracts and escape penalties

        so cloud does make sense so long as you can keep all the costs in check

        1. Anonymous Coward

          I can’t believe a company with Airbus’s global scale and long experience of hosting their own systems can’t handle this already- esp. with their complex supply chain. At the very least get Dassault Systems to drive their Dassault Systems design technical solution.

          The need to ‘outsource to the cloud’ feels totally unnecessary and they didn’t learn from the recent cluster-fuck at Boeing regarding beancounters and penny pinching.

          1. Kraft

            As usual, common sense seems to take a back seat, with managers focusing more on advancing their careers than on managing their systems.

            As you mentioned, this issue shouldn’t even register on Airbus’ radar. Given their size and the market they operate in, a completely different approach is warranted.

            It gives the impression that they failed to act in time and are now caught between a rock and a hard place.

            1. Snake Silver badge

              Requoted for truth

              "As usual, common sense seems to take a back seat, with managers focusing more on advancing their careers than on managing their systems."

              BINGO. Did anyone else besides me bother to check the resume of Catherine Jestin, Airbus's executive vice president of digital? She's a Harvard business MBA graduate, not a technologist, and has been falling upward since graduation.

              I'm sure this decision was solely based on expected ROI for "transitioning to cloud-based infrastructure with expectations of dynamic leveraging of future-developed technologies". Yeah. Because things like "security" are never your problem when you can foist it onto someone else.

              1. Ondro Mihalyi

                Re: Requoted for truth

                I very much agree. They don't have the courage to do what the US-hyperscalers did - invest into their own technology and then offer and make business out of it.

                AWS didn't start because Amazon wanted to cut costs - it started because Amazon needed it themselves and nobody could offer it to them. So they built it. And it was so unique that when they opened it to others, everybody wanted to use their services.

                Microsoft was later to the game, but invested a lot into their own cloud. They needed it to power their Office365, Teams, OneDrive and other web-based services for enterprises. And they also opened it to others and provided guarantees and enterprise features that AWS has trouble to beat.

                On the other hand, big EU corporations struggle to keep their infra in house and perfect it. Often, if they made it perfect even for themselves, it would be cheaper and safer than renting it from others. And, as a bonus, they could open it to others, pivot, and turn it into a business opportunity. With backwards and cowardly thinking, this is never gonna happen.

        2. jackD

          This math only works when you have HIGHLY variable workloads (e.g., 10x traffic spikes during Black Friday, then back to baseline). For everyone else, it's bogus.

    2. O'Reg Inalsin Silver badge

      What about resilience through geographical dispersion of backups? There is also nothing to say that the EU companies couldn't do it differently - e.g., default encryption ON for all buckets. (I could never understand how it was ever otherwise). I guess your meaning includes Airbus owned or rented computers managed by a datacenter company with dispersed geographical base in Europe - so my comment might be null and void.

      1. Lusty

        Encryption doesn’t help since the host has the key to decrypt even if you use on prem key stores. If your key isn’t held in their cloud then you can’t use your data in their cloud. If it is, they can access your data.

        Unfortunately hosting providers write the software so if you think they don’t have access you are mistaken.

    3. alcachofas

      SHE has systems on HER own computers. SHE wants to move to somebody else's computer but isn't sure SHE can find somebody else whose computer SHE can trust.

      1. John Brown (no body) Silver badge

        If using HE upsets, why would using SHE not upset others? Shirley the correct generic pronoun would be THEY.

        1. Anonymous Coward

          The neuter pronoun in English is "it".

          1. John Robson Silver badge

            They is also singular neutral, and has been for a long while now.

            I don't know whether it was John or Jane, but whoever it was they did a good job of this meal.

            ${Person X} has changed their vehicle.

            If you replace they with it then it's a dehumanising insult.

            1. Anonymous Coward

              "He or she did a good job of this meal" is correct. "They" is not, unless they both worked on it.

              1. John Robson Silver badge

                It's been accepted usage for a long time now.

                The Oxford English Dictionary traces singular they back to 1375.

        2. Alan_Peery

          You seem to have a reading problem, or you are unaware of typical European gender and name conventions:

          "Catherine Jestin, Airbus's executive vice president of digital"

          1. Dan 55 Silver badge

            It seems some commentards are unaware they can refer to "Airbus" as the 3rd person plural ("they")? Apparently shunned in US English but who gives a damn about that.

            1. Snake Silver badge

              RE: America. NOT

              "Apparently shunned in US English..."

              Absolutely incorrect, we use "they" in reference to a construct like a corporation very often, daily actually. But it needs context, an applied-to 'person' or 'group of people', before the appellation of "they" is understood properly. Who is "they", Ms. Jestin or Airbus, or both? It can be as bad as a royal "We" :D

          2. Anonymous Coward

            > Catherine Jestin, Airbus's executive vice president of digital

            But what are her pronouns? :D

            (Is that still a thing, btw?)

        3. Doctor Syntax Silver badge

          Alcachofas has the right of it. It was my error.

      2. Doctor Syntax Silver badge

        Yes, SHE. Sorry.

        Ah, well, not the only one. The account written up in another place, citing el Reg, says they're moving from one of the US corps, not from on prem.

    4. DS999 Silver badge

      Yes Airbus is big enough

      And important enough, that they can justify their own infrastructure. If "data sovereignty" is important to protect against the evils of Microsoft and Google, why would you trust some company just because it is based in the EU? What happens if that company is purchased by a US firm six months after you've migrated everything there? Or it goes bankrupt?

      1. Doctor Syntax Silver badge

        Re: Yes Airbus is big enough

        You mean it's safer to go with someone you know you can't trust rather than someone you can trust for now on the off-chance that they might become untrustworthy later?

        For avoidance of doubt, Microsoft's president has admitted that they can't be trusted, although wrapped up in slightly longer phrasing.

        1. Anonymous Coward

          Re: Yes Airbus is big enough

          Zero trust or nothing, the only level of trust that works.

      2. Anonymous Coward

        Re: Yes Airbus is big enough

        ... it goes bankrupt?

        Not necessarily.

        But it loses its virginity sovereignty.

        And not in a nicely manner.

        .

    5. DangerWiIIRobinson

      That's too much of a simplification.

      Many software providers are moving to cloud native deployments, which means users of that software have little choice but to move to some form of cloud deployment (or switch software provider). But the physical hardware of a cloud deployment can vary, just as the ownership of data centres has always varied between wholly owned by an IT company with managed services through to owned and operated by the end user company.

      Realistically, saying they are looking for a sovereign cloud provision is about ensuring whatever ownership structure they come up with avoids any claim by US authorities that they can access the contents. Global banks are working on building these same structures, with data centres owned by non-US entities so they are isolated from the implications of the US Cloud Act, whilst still taking advantage of the flexibility and manageability of cloud infrastructure.

  2. Anonymous Coward

    "Sovereign".....Exactly What Does That Mean?

    ........when any computer, anywhere at all, can be hacked by anyone at all? (See ElReg for endless detail!)

    Confused old person here who needs an explanation!

    1. LogicGate Silver badge

      Re: "Sovereign".....Exactly What Does That Mean?

      One word: Airgap

      1. Anonymous Coward

        Re: "Sovereign".....Exactly What Does That Mean?

        @LogicGate

        Yup......but "airgap" was no problem for the Stuxnet hack!

        1. Doctor Syntax Silver badge

          Re: "Sovereign".....Exactly What Does That Mean?

          Expected. Not disappointed.

        2. Anonymous Coward

          Re: "Sovereign".....Exactly What Does That Mean?

          Actually it was a problem which was overcome. It relied on a lack of understanding and perhaps some slackness to allow the code in, once in it spread. The issue with cloud is there are so many more vectors that allow an attack.

          If I was Airbus I would start my own bespoke IT operation which would be cheaper than trying to manage the consultants and snake oil salesmen that run cloud enterprise computing. Their staff would be absolutely dedicated to protecting Airbus. Airbus also provide some military kit, so how is that to be protected?

      2. Roland6 Silver badge

        Re: "Sovereign".....Exactly What Does That Mean?

        Like on-prem systems have which cloud systems don't...

      3. Persona Silver badge

        Re: "Sovereign".....Exactly What Does That Mean?

        COTTONMOUTH-I: A modified USB or Ethernet connector that installs Trojan software and acts as a wireless bridge for covert remote access, using a digital core (TRINITY) and RF transceiver (HOWLERMONKEY).

        COTTONMOUTH-II: Similar to COTTONMOUTH-I but deployed in a USB socket (requiring target machine integration) to create a wireless bridge for data exfiltration.

        COTTONMOUTH-III: A stacked Ethernet and USB plug that functions as a wireless bridge to enable remote network access and data transfer.

        FIREWATCH: Disguised as a standard RJ45 socket, it monitors, injects, or transmits data via radio technology using HOWLERMONKEY, potentially creating a VPN tunnel to the target.

        HOWLERMONKEY: An RF transceiver component used in various implants (like COTTONMOUTH) to extract data or enable remote control over air-gapped systems.

        NIGHTSTAND: A portable Wi-Fi exploitation system that installs exploits wirelessly from up to eight miles away, bridging to air-gapped targets without physical contact.

        RAGEMASTER: Hidden in a VGA cable's ferrite choke, it taps and modulates the video signal to RF (codename VAGRANT) for remote monitoring of a target's screen.

        SURLYSPAWN: A keystroke monitoring implant that logs inputs on non-connected computers and transmits them covertly, often via RF methods.

        TURNIPSCHOOL: Concealed in a USB cable, it provides short-range RF communication to software on the host, allowing data bridging from air-gapped machines.

        1. LogicGate Silver badge

          Re: "Sovereign".....Exactly What Does That Mean?

          All requiring hardware access rather than just a networked computer in Pyongyang.

    2. DrXym Silver badge

      Re: "Sovereign".....Exactly What Does That Mean?

      It means the data is stored in a centre somewhere in Europe and not in the hands of a potential adversary. It's not just that it could be stolen, but could be basically held to ransom. e.g. maybe Trump decides to be a dick to Airbus and threatens their data in some way as leverage in a "deal".

      Personally if I were any company with concerns about foreign adversaries stealing their data I would want to bring as much of it in house as possible, or at least host it as securely as possible. For a BIG company like Airbus I don't know why they'd want to use the cloud anyway if they could avoid it.

      1. vtcodger Silver badge

        Re: "Sovereign".....Exactly What Does That Mean?

        You're perhaps a bit ahead of the herd here. Assuming, as seems likely, that the Internet remains wildly insecure and quite dangerous, I think that in about a decade (maybe two) most large companies will decide to pull their important data back in house. The internet will still be there of course. And the transport layers will still be used by everyone needing to communicate with remote destinations. But the upper levels -- the 'cloud' will be used mostly for entertainment, research, commerce, collaborative efforts and cat videos. Under those conditions, the cloud shouldn't be the collection of problems it seems to be today. It might even have a silver lining.

        1. DrXym Silver badge

          Re: "Sovereign".....Exactly What Does That Mean?

          Cloud has a place for some companies for uptime / disaster recovery and other conveniences. For most companies it probably doesn't matter much who their hosting provider is because their data isn't worth spit to anyone else.

          But when a company is big and can afford to run and operate its own servers cloud becomes a really bad idea. Especially for a company like Airbus. It must be aware of a lot of threats from competitors and governments and must be subject to a lot of regulations regarding cybersecurity & resilience. The cloud becomes a point of failure and unique threat that has to be considered very carefully. At the very least, don't use an adversary's cloud hosting - and that includes the USA these days - and ensure digital sovereignty. But even better, bring stuff in house. I'm sure Airbus has honking big server rooms and hundreds of IT staff. They have the means and motivation to do stuff in-house and probably should.

          1. Anonymous Coward

            Re: "Sovereign".....Exactly What Does That Mean?

            Cloud has a place ...

            In the sky and/or in a steam bath.

            Anything else is a fantasy.

            .

      2. Alan_Peery

        Re: "Sovereign".....Exactly What Does That Mean?

        In my view it also means that the DC must be operated by a corporate entity not under legal control of an external government. Thus AWS, Azure, and Google don't qualify.

    3. Anonymous Coward

      Re: "Sovereign".....Exactly What Does That Mean?

      > "Sovereign".....Exactly What Does That Mean?

      In Europe, it means "that ship has sailed".

  3. Anonymous Coward

    So much for market forces then.

    Maybe offloading all the expensive bits to outfits who are doing exactly the same wasn't such a great idea in the long run.

    Still some people got very rich while it lasted.

  4. Anonymous Coward

    I hope they don't forget to pay someone to inspect and prove they receive what they think you ordered.

    1. Like a badger Silver badge

      I recall talking to some very competent experts in a specialist area of business cost analysis, and they reckoned that a consistent failure of business when outsourcing was (other than believing the vendor's outright lies) not allowing for the costs of service quality assurance and vendor management. They reckoned 3-6% of total contract value should be budgeted for those, but rarely were.

      1. Anonymous Coward

        Experts in business cost analysis recommend 3-6% of an outsourcing contract should be budgeted for service costs like QA and vendor management. Who'da thunk it?

        I wonder what the experts at Apple have to say about buying new iPhones. Or the pope's thoughts on church attendance.

      2. Anonymous Coward

        ... a consistent failure of business when outsourcing was ...

        Letting the bloody beancounters opine on technical matters.

        .

  5. Diogenes8080

    Hang on. You're /Airbus/. You have a turnover of billions, e69b vs e1b for OVH, the only euro cloud provider who isn't even near to tier 1.

    The lack of sovereign commodity cloud hosting in your region isn't a problem, it's a business opportunity.

    1. O'Reg Inalsin Silver badge

      Might be better to focus on planes because there are new kids on the block who will take your business - and the EU benefits from competition. Eventually mega companies stifle the economy.

      1. Doctor Syntax Silver badge

        Like Amazon focussing on running a shop?

      2. Anonymous Coward

        > and the EU benefits from competition

        That was back then when the EU was competitive to start with.

    2. Anonymous Coward

      > The lack of sovereign commodity cloud hosting in your region isn't a problem, it's a business opportunity.

      In an ideal world you would be totally right.

      In the corporate world your idea is spelled "risking my pension".

  6. rgjnk

    How is this a problem?

    They would be far from the first European organisation with strong security requirements to have their own private fully sovereign cloud. It has been done repeatedly, and at scale.

    Google seem to usually provide most of the tech because they're quite happy to sell you the full stack for you to run independently. Usually in conjunction with someone else wrapping the whole thing in whatever security you want.

    Other options exist too but for true sovereign cloud Google always seem to win these days.

    I suspect their bigger problem is working out how to shift their existing infrastructure to any sort of cloud environment as they probably have all sorts of specialist stuff that works nicely on-prem and will be a pain to shift.

    1. O'Reg Inalsin Silver badge

      Re: How is this a problem?

      I presumed they were only talking about "migrating" (as in the title) the cloud services that they already have. Is that not the case?

    2. Diogenes8080

      Re: How is this a problem?

      Even if the entire stack from hardware up to control software and management infrastructure is sold and given over to the customer, isn't there still a dependency on the Chocolate Factory for software updates and security notices? That's assuming the software has not been quietly backdoored.

      In any case "Embargo on!" is going to leave the customer wallowing in pig excrement fairly quickly.

    3. Anonymous Coward

      Re: How is this a problem?

      Airbus already has its own sovereign, private, on-premises cloud. And it meets all export control, national and governmental regulations for any contract you could dream of. It works well for simulations and hard processing that comes in bursts, and suddenly needs processing resources, and then doesn't again for a while.

      The problem is that they have pushed SAP into every part, and SAP are now saying cloud only. My corner is still suffering from SAP introduction, and after 10 years, and millions of extra development, and string and gaffer tape and chewing gum and sticking plasters, it still can't do what our own, internal system did, and we're hemorrhaging millions a year in licensing, support costs and extra plugins.

    4. cookiecutter Silver badge

      Re: How is this a problem?

      how is google sovereign? apart from their habit of deleting customer environments, they're a US headquarters company subject to the US Cloud ACT. they're every bit as liable to US fuckery as Microsoft & Amazon

  7. cookiecutter Silver badge

    IMAGINE IF...

    UK governments of every colour hadn't spent 4 decades shoving €billions to US & Indian & Chinese firms... in fact ANYONE except UK firms, that they were happy as Larry to allow to be sold to anyone and everyone including actual enemies.. the Chinese!

    genuinely, we'll be fulfilling Thatcher's wish of being a nation of shopkeepers soon...as in, we will all be working in Tesco stacking shelves with Masters Degrees

    1. Anonymous Coward

      Re: IMAGINE IF...

      Plenty of UK companies guzzles/guzzle billions from HM taxpayer and there's fuck all to show for it: BAe, ICL/Fujshitsu, Beardie trains, water companies, RBS, Crapita, KPMG, etc. Mind you, overseas buyers wouldn't touch those companies with a shitty stick.

      1. Will Godfrey Silver badge

        Re: IMAGINE IF...

        Follow the 'breadcrumb' trail and you'll find almost all of these are owned/financed by foreign investors.

        1. Doctor Syntax Silver badge

          Re: IMAGINE IF...

          You have to wonder why the clue in "ICL/Fujshitsu" was missed.

    2. Anonymous Coward

      Re: IMAGINE IF...

      > UK governments of every colour hadn't spent 4 decades shoving €billions to US & Indian & Chinese firms...

      That was not a possible scenario.

      In a (very small) nutshell, lend-please, the need for which was partly caused by Britain's failure to sufficiently industrialise the colonies, prevented the self-reliance scenario that you allude to.

      > they were happy as Larry to allow to be sold to anyone and everyone including actual enemies.. the chinese!

      The Chinese are not the enemy.

      1. Anonymous Coward

        Re: IMAGINE IF...

        > lend-please

        Lend-lease (autocorrect)

    3. TimMaher Silver badge

      Re: Tesco

      I didn’t know they sold masters degrees.

      MBAs possibly.

      1. Doctor Syntax Silver badge

        Re: Tesco

        Remind me of what the "M" in "MBA" stands for.

  8. This post has been deleted by its author

  9. lordminty

    Airbus to migrate critical apps to a sovereign Euro cloud

    Well that's going to go well isn't it?

    Euro cloud. As if. Hahahaha.

    Get back to me and let me know how it's going. Perhaps they could run it on connected plastic bottle tops!

  10. Anonymous Coward

    Microsoft and AWS operate in China using local independently owned and operated datacentres that comply with China's strict cybersecurity and data sovereignty laws that presumably the US government can't get their hands on. That would seem to be a shovel-ready governance model for Europe to copy.

    1. Pirate Peter

      the problem is although the data is held locally have a look at where all the authentication traffic goes

      the directory service behind it all is global for resilience, even though the company I worked for only had data in UK data centres the authentication traffic was going world wide

      1. Anonymous Coward

        Locally held data is already a thing so China's solution must offer much more protection from CIA eyes to be allowed to operate.

    2. David Hicklin Silver badge

      > That would seem to be a shovel-ready governance model for Europe to copy.

      It would also need the Great Firewall of Europe and level of monitoring/censoring to match to make it work.

  11. Anonymous Coward

    Once upon a time business transformation projects like this would fire up a programme team of business, project and technical contractors to support in-house teams deliver the much needed business investment. Then along came HMRC with its war on freelancers and Boris Johnson's points-based immigration system (minus the old Resident Labour Market Test) and now the work goes to well-known global consultancies who fly in their bargain basement teams from overseas leaving government wondering why so many of their highly-skilled domestic workforce are economically idle or retiring early and where in the world all that lovely tax revenue and growth went.

  12. Pirate Peter

    and once an EU cloud takes off it will be targeted for buyout

    so having a NON US (EU) cloud provider makes wonderful sense until it grows to the point Google, AWS, M$ see it cutting into their margins and see it as a threat

    then one of them will try and buy it to remove the competition

    even if the EU say no US company could buy it, all AWS, Google or M$ will do is set up a separate company and base it in the EU, then with a loan from the parent buy it and merge it some way

    add to that no doubt the big 3 clouds would probably try and find a way to make it not cost effective by using data export charge etc

    personally I think the US has had too much influence and control over IT / Cloud etc and it's time for that to change

  13. Giles C Silver badge

    Hosting datacentre

    Why not just buy your own equipment, host it in a colo data centre, therefore all the environmental systems are managed for you and you are responsible for your own machines.

    You can have two or more in different locations for backups.

    The company I work for has at the time of writing, 2 hosted in the uk, 1 in the USA and others, all shortly to be connected via 100gb private links…

  14. s. pam

    So when Cloudflare or Snowflake fail

    Just whom will stop thousands of planes falling out of the Cloud?

  15. highway7

    The US has started to become inconvenient for globalist companies.

  16. fred_flinstone

    The Post Cloud era

    The actions of Emperor Sensitive have clearly demonstrated that 'cloud' is no longer a safe option. The fact that cloud is just servers that someone else owns, and Airbus really should be telling the likes of SAP to provide non-cloudy versions of their tools.

  17. DBJDBJ

    Cloud needs infrastructure

    Metal under any EU cloud will be US made. More likely made in PRC.
