Guest article: The SCION Cloud
Two Swiss tech pioneers offer new solutions for the financial & healthcare sectors.
The digital world never stands still, and in Switzerland two companies are working tirelessly to provide developers and DevOps teams in compliance-sensitive industries with the infrastructure they desire: cloudscale.ch & Cyberlink. With the introduction of the SCION Cloud, the Swiss cloud and connectivity providers set new standards in terms of protection, availability and compliance. But how did this come about and what does it mean for the community? A look behind the scenes with cloudscale.ch CEO Manuel Schweizer, Cyberlink CEO Thomas Knüsel and Cyberlink Lead Network Engineer Matthias Schwarzenbach.
By Max Wellenhofer, initially published at Cyberlink AG
In compliance-sensitive industries, the system environments are often highly complex and in Switzerland we expect ICT integrators not only to comply with formal regulations, but also to implement them consistently. In order to meet the requirements of industries such as the financial sector, healthcare and insurance, many companies turn to international consulting know-how. This often brings large foreign hyperscalers into play, whose solutions are convincing on paper, but whose data processing often takes place at locations outside Switzerland.
cloudscale.ch and Cyberlink offer a Swiss alternative. With the SCION Cloud, they have jointly developed a solution that keeps all data and workloads entirely in Switzerland while meeting the highest security and compliance requirements. The architecture is specially designed to meet the requirements of financial service providers, healthcare providers and insurance companies and is backed exclusively by Swiss infrastructure.
With the SCION Cloud, developers and DevOps teams can run their workloads in Switzerland without compromising on technology or concerns about data transfers. The regulations in this country exist for good reason – with the SCION Cloud, companies can meet them efficiently and reliably.
Two Swiss pioneers accept the challenge
cloudscale.ch Ltd. (cloudscale.ch) is an Infrastructure-as-a-Service provider with a strong focus on open source technologies and a self-service platform that enables customers, among other things, to configure data center services via API. The close ties to the DevOps and cloud-native community are no coincidence. Many cloudscale.ch employees used to be consumers of such services themselves. "We focus strongly on the user instead of simply developing products that we ourselves think are good," emphasizes Manuel Schweizer, CEO. Having a background in network technology, he became intensively involved with networks and their optimization early on in his career. As a board member of the Swiss Internet Exchange (SwissIX), he gained valuable experience in the Swiss networking scene. From the very beginning, cloudscale.ch has focused on the needs of customers with high requirements in terms of availability and information security. The company consistently focuses on open source technologies.
Cyberlink Ltd (cyberlink.ch), an innovative service provider in the Swiss ICT market for almost three decades, has established itself as a leading provider of connectivity and cloud services. Under the leadership of Thomas Knüsel, CEO, who has been part of the company since 2012, Cyberlink has strengthened its focus on business customers and highly secure network solutions. The implementation of SCION in particular has enabled Cyberlink to further reinforce its role as a pioneer in secure networks. "We emerged as a pioneer in the Internet sector and have specialized in infrastructure services in the cloud and connectivity area. Our goal as a managed service provider is to offer added value by continuously taking care of the infrastructure so that our customers can focus on their core business," says Knüsel. "In addition, we have always believed that synergies are very relevant, which is how we became aware of cloudscale.ch through SCION. Manuel and our lead engineer in the connectivity area, Matthias Schwarzenbach, worked together to develop a solution that integrates SCION into a modern cloud environment. We were convinced of SCION's capabilities right from the start. It offers exactly the security features that many of our customers need, and through our partnership with cloudscale.ch we can also offer this technology in the cloud."
Both companies share a commitment to staying at the cutting edge and using innovative technologies that enable Swiss companies to meet the increasing demands for protection and compliance. The identification of SCION as the next generation of the Internet was the common denominator that got this partnership started.
The discovery of SCION: Technical curiosity and SIX
SCION (Scalability, Control, and Isolation On Next-Generation Networks) represents a fundamental advancement of existing network technologies. Originally developed at ETH Zurich, SCION is a revolutionary Internet architecture that offers significant advantages over conventional network architectures: path control, increased protection and improved availability.
Under the umbrella of the SCION Association, the new Internet architecture is being further developed and advanced as an open standard. In practice, the software implementation of Anapaya Systems Ltd – itself an innovative Swiss SME – is used in particular.
For Schweizer, it was personal curiosity to begin with: "What does this thing actually do? Who needs it? As a technician, I wanted to familiarize myself with the technology first." The key stimulus came when Fritz Steinmann from SIX announced the replacement of the old Finance IPNet with a SCION-based network. "This was a great opportunity for us, as the target group for this technology matches the target group of cloudscale.ch very well," Schweizer explains. With existing ISO certification and ISAE reports, the first steps had already been taken towards the financial and healthcare sectors. Schweizer: "I saw the potential of integrating SCION into our cloud and thus creating real added value for our customers."
For companies with high security and compliance requirements, SCION with its benefits is an absolute game changer.
Technical challenges and the partnership with Cyberlink
Implementing SCION in a cloud environment was not a trivial task. "I quickly realized that we couldn't do it alone," Schweizer admits. In addition, customers often had different locations with different providers, which required a consistent solution.
"Together with Matthias, the Network Engineering Lead at Cyberlink, we were able to engineer and thoroughly test everything over a period of six months," Schweizer reports enthusiastically.
The technical implementation in detail
Manuel Schweizer describes the challenge of integrating SCION into the cloudscale.ch platform clearly and pragmatically: "We didn't want to have to install individual hardware for every single customer, let alone keep hardware in stock that might never be used." This meant that, instead of dedicated hardware, an efficient and scalable virtual solution had to be created. In areas that are sensitive from a regulatory perspective, such as the Secure Swiss Finance Network (SSFN), meeting the requirement for provider redundancy was one of the biggest challenges. "It would not be enough to simply connect two ISPs to a redundant SCION core cluster," says Schweizer. Edge provider redundancy is required in order to be admitted to SIC/euroSIC. In a physical world, this would have been implemented with separate connections to two different ISPs. In a virtual world, however, this redundancy for the last mile is provided by the cloud provider of choice. In our case, Cyberlink and cloudscale.ch jointly guarantee the geo-redundant connection of each virtual edge to the two SCION cores. As these are in turn connected to different ISPs, the entire setup is highly available and therefore also fulfills the requirement for provider redundancy at the virtual level. This entire connection remains within the cloudscale.ch infrastructure before the traffic leaves the core. "With this clear communication and preference, we then went to SIX and pitched," Schweizer explains.
The discussions with SIX and ultimately with the Swiss National Bank (SNB) led to a crucial point: the SNB, as the supervisor of the financial sector, had the final say on the definitive architecture. The team quickly realized that core cluster redundancy alone was not enough. "We are establishing provider redundancy from the core upwards," Schweizer explains. The two SCION cores are distributed across different data centers and connected to other SCION participants via different upstream connections as well as the SwissIX Internet Exchange. This architecture corresponds to the best-practice setup, which meets the SNB's requirements and ensures the highest compliance standards.
Matthias Schwarzenbach was delighted with the collaboration with Manuel Schweizer: "There were no reservations. Manuel and I sat together in the meeting room for days on end, exchanging ideas and developing solutions. It was this creative, almost informal atmosphere that kept us going." Thomas Knüsel also remembers: "The two of them virtually outbid each other with ideas and so the solution reached a level that neither Manuel nor Matthias could have achieved on their own."
Today, cloudscale.ch is able to connect any isolation domains (ISDs) such as the SSFN or the SSHN (Secure Swiss Health Network) to its cloud. New SCION edges can be provisioned in less than 24 hours – and soon in under 2 hours. A virtual machine with the Anapaya image is started and connected to the SCION cores with two separate VLANs. Additional fiber optic connections or layer 2 services are not required. The solution is fully multitenant-capable and as close to a cloud-native solution as is currently technically possible.
As part of the conceptual design with SIX and SNB, the question arose as to whether the two cores should be operated in a cluster setup. "The advantages were clear," says Schweizer. In the cluster structure, the two cores share the path information. This interconnection increases redundancy and ensures that maintenance work can be carried out without interrupting the connection of the edge. This solution was ultimately approved and has already proven itself in practice.
Schweizer sums up: "We managed to convince the SNB of our solution. The SCION Cloud from cloudscale.ch and Cyberlink meets the highest compliance requirements and offers a fully compliant and high-performance cloud infrastructure."
Advantages for developers and DevOps engineers
The SCION Cloud offers clear advantages for the technical community: engineers can use the popular features of cloudscale.ch while having all the advantages of SCION, and they do not have to worry about the network connection.
- Path control and traffic engineering: Developers can explicitly control the data path through the network, opening up new possibilities for optimization and security strategies.
- Integration with DevOps tools: The SCION Cloud is fully API-managed and can be seamlessly integrated with tools such as Terraform or Ansible.
- Security and compliance: The highest security standards are met, which is particularly important for applications in regulated industries.
One specific example is the integration of Kubernetes clusters into a SCION-embedded environment. "From my point of view, we can offer our customers the best technical solution currently available on the market," Schweizer is convinced.
Compatible with any isolation domain
The SCION Cloud is already compatible with every ISD, natively multitenant-capable, flexibly scalable and can be connected as required. The elegant combination with Cyberlink's connectivity services enables users to access applications operated at cloudscale.ch via the appropriate ISD either physically or virtually.
Financial sector: Secure Swiss Finance Network (SSFN)
Since the announcement that the Finance IPNet would be replaced by a SCION-based network in September 2024, it has been clear where developments in the financial sector were heading. In this young but currently best established market, the SCION Cloud is characterized not least by the approval by the SNB. Banks and financial service providers must ensure that their networks meet the highest standards while remaining flexible enough to satisfy new requirements. The SCION Cloud offers a comprehensive solution: it allows control over the data path and enables users to utilize an any-to-any architecture. This means that they are no longer reliant on point-to-point connections such as MPLS. With SCION, financial service providers can establish connections that are not only secure but also flexible – they can decide which partners they want to connect to and which paths they want to use for data transmission. As soon as the new technology is used not only to replace old systems, but also to optimize legacy meshes and consistently reduce superfluous leased lines, this flexibility holds enormous potential for cost savings and significantly simplifies the management of the network infrastructure. The SCION Cloud is the ideal choice, especially for fintechs and banks that want to access cloud services or move their own applications to the cloud.
Healthcare: Secure Swiss Health Network (SSHN)
Cyberlink and cloudscale.ch also see great potential in the healthcare sector in particular: health insurance software providers and other players in the healthcare sector could be integrated into the SSHN to protect the entire infrastructure stack. The SCION Cloud makes it possible to host healthcare applications in a secure, fully compliant and scalable manner. The focus here is on the protected and reliable networking of medical practices, pharmacies and hospitals. However, a key challenge for the Secure Swiss Health Network (SSHN) was user access to the SCION Cloud. How do you get healthcare providers onto this network within a reasonable period of time? How do you equip all practices and clinics in Switzerland with the necessary hardware to connect to the SSHN? As a combination of the best that cloudscale.ch and Cyberlink have to offer, the SCION Cloud opens up two options here: For larger facilities such as hospitals, Cyberlink's Managed SCION Edge is used, which is installed locally and ensures the highest security standards. For smaller practices that may not require the same infrastructure, there is an alternative solution with the "Anapaya Gate". This gate allows access to the SCION world via existing home networks. While it offers a lower level of security, it remains a viable option for less critical applications. This comprehensive connectivity portfolio offers all participants in the ecosystem secure access to sensitive data and a wide range of healthcare applications.
Other compliance-sensitive industries and their ISDs
Other sectors will follow with dedicated ISDs. With its accredited and compliant IT infrastructure, the SCION Cloud is also ready for the strict regulatory requirements of these GRC-sensitive industries, such as the energy and payment sectors, as well as other critical areas. The SCION Cloud ensures that compliance requirements are reliably met while offering the scalability that companies need to grow in the market.
SCION is the Internet of the future
Cyberlink and cloudscale.ch have a clear vision: "SCION is the Internet of the future. With cloudscale.ch as a top Swiss cloud provider and Cyberlink with 30 years of experience in connecting Switzerland, we have the best prerequisites to help shape this future." This team was able to pass one of the strictest auditors in Switzerland with a new technology and do so on time. This would never have been possible without the right partner. A partnership between two top Swiss providers that you can rely on 100%, even in the most challenging crises.