A reference implementation for local government.
Mansfeld-Südharz, Germany - November 29, 2025
The first time we drew the logical map of the county’s production network, the diagram looked like a family tree that had married its own cousins: a single flat /16 inherited from the days of Novell NetWare, VLANs numbered by mood, and a DMZ that was really just a different coloured cable. Zero-trust folklore tells us to rip everything out and start over with shiny SASE portals, but folklore does not have to balance a budget voted by councillors who still remember the Pfennig. Instead, we treated the existing copper like archaeological layers: leave what still carries bits, tunnel what must be encrypted, and enforce decisions as close to the socket as physics allows. The result is a reference blueprint that any county—no matter how small its IT department—can copy without vendor lock-in, capital drama, or violating the sovereignty clauses that NIS2 will soon audit.
The philosophy is simple: identity becomes the new perimeter, but identity must be cheap enough to issue to a janitor’s tablet and strong enough to satisfy a German privacy court. We therefore split the problem into three concentric circles that can be rolled out one per budget cycle. Circle one is session-level trust: every session is opened over mutual TLS, and the client certificate it presents comes from a small CA whose signing key lives in a Hardware Security Module borrowed from the county’s e-government smart-card project. The certificates are short-lived, four hours, and are rotated automatically by an agent that ships as a systemd unit, so no Microsoft domain upgrade is required. The short lifetime also does most of the revocation work: an identity that is no longer renewed drops off the network at its next expiry, so the revocation list only has to cover the hours in between. Because the root of trust is a key in a county-owned HSM, the county retains full issuing and revocation authority even if the upstream ISP is sold to a non-EU operator tomorrow. The first site went live in April; after 90 days we counted exactly zero successful phishing callbacks that managed to pivot beyond the initially compromised workstation, a figure that convinced even the most sceptical treasurer that four-digit euro HSMs beat six-figure ransomware.
Circle two is micro-segmentation, but we refused to buy new switches. Instead, we installed an open-source VXLAN controller on top of the existing L3 core, turning every hypervisor into a VXLAN tunnel endpoint that can spawn an encrypted overlay in milliseconds (VXLAN itself adds no confidentiality; the encryption comes from the transport the tunnels ride on). Policy is expressed in a single YAML file that looks like a firewall ruleset written by a human, not by a marketing department: allow DNS from source role “library-pc” to destination role “dns-farm” on port 53, deny everything else. Roles are attached to identities, not to IP addresses, so when a social worker moves her laptop from the town hall to the field office she keeps the same cryptographic label and the network rewrites her path without re-addressing. The controller consumes only 2 GB of RAM on a five-year-old Dell server that the county had already written off, which means the segmentation project sailed through procurement under the “green IT” clause that gives bonus points for hardware re-use.
Circle three is continuous verification, the piece that turns zero-trust from a slogan into a reflex. We embedded a small attestation agent into every Linux and Windows endpoint that hashes the running binaries every 30 seconds and ships the measurement to a local verifier. The golden hashes and the decision live on the verifier, not on the endpoint, because a measurement an endpoint reports about itself is only as trustworthy as the agent producing it. If the hash deviates from the golden image, the verifier instructs the VXLAN controller to move the device into a quarantine overlay that contains only one hop: a web portal that offers a clean re-image and nothing else. The entire cycle—detection, isolation, notification—averages 42 seconds in production, fast enough to outrun most human attackers and slow enough to keep help-desk unions from revolting. Because the verifier runs on an immutable OS installed on a Raspberry Pi 4 bolted inside the server rack, an attacker would need to compromise both the ARM firmware and the AMD64 hypervisor in the same campaign, a hurdle that exceeds the ROI threshold of commodity ransomware.
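Circles two and three together, as one added example in Go that is not part of the Alliance's blueprint or code: a default-deny policy evaluated by the roles of two identities rather than by address, and a verifier-side attestation step that compares an endpoint's reported hashes with the golden image and flips the device into quarantine, after which the same policy lets it reach nothing but the re-image portal and lets nothing reach it. The rules, the role and device names, the file contents being hashed and the type and function names (`Policy`, `Device`, `Measure`, `Deviations`, `Attest`) are all constructed for this example and are not the county's YAML schema or controller API.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"slices"
	"sort"
)

// Rule allows Proto/Port from any device holding role From to any device holding role To.
// A Policy is default-deny: a flow without a matching rule is dropped.
type Rule struct {
	From, To, Proto string
	Port            int
}

type Policy []Rule

// Device is an identity with roles; no IP address takes part in any decision. A quarantined
// device keeps its identity but can only exercise QuarantineRole, and nothing can reach it.
type Device struct {
	Roles       []string
	Quarantined bool
}

const QuarantineRole = "quarantined"

// Allows evaluates one flow by the roles of the two identities, never by address.
func (p Policy) Allows(src, dst *Device, proto string, port int) bool {
	srcRoles := src.Roles
	if src.Quarantined {
		srcRoles = []string{QuarantineRole}
	}
	for _, r := range p {
		if !dst.Quarantined && r.Proto == proto && r.Port == port && slices.Contains(srcRoles, r.From) && slices.Contains(dst.Roles, r.To) {
			return true
		}
	}
	return false
}

// Measurement is the agent's report: binary path -> hex SHA-256 of its contents.
type Measurement map[string]string

func Measure(files map[string][]byte) Measurement {
	m := Measurement{}
	for path, content := range files {
		m[path] = fmt.Sprintf("%x", sha256.Sum256(content))
	}
	return m
}

// Deviations lists, sorted, every way a report departs from the golden image.
func Deviations(golden, report Measurement) []string {
	var out []string
	for path, want := range golden {
		if got, ok := report[path]; !ok {
			out = append(out, "missing "+path)
		} else if got != want {
			out = append(out, "modified "+path)
		}
	}
	for path := range report {
		if _, ok := golden[path]; !ok {
			out = append(out, "unexpected "+path)
		}
	}
	sort.Strings(out)
	return out
}

// Attest is the verifier's step for one 30-second report: any deviation moves the device into
// quarantine, a clean report (for instance after a re-image) returns it to production. The golden
// hashes live on the verifier, not the endpoint, so a compromised agent cannot vote on its own trust.
func Attest(dev *Device, golden, report Measurement) []string {
	devs := Deviations(golden, report)
	dev.Quarantined = len(devs) > 0
	return devs
}

// Constructed sample policy, one entry per human-readable rule; everything not listed is denied.
var policy = Policy{
	{From: "library-pc", To: "dns-farm", Proto: "udp", Port: 53},
	{From: "social-worker", To: "case-management", Proto: "tcp", Port: 443},
	{From: QuarantineRole, To: "reimage-portal", Proto: "tcp", Port: 443},
}

func main() {
	laptop := &Device{Roles: []string{"social-worker"}}
	casemgmt, portal := &Device{Roles: []string{"case-management"}}, &Device{Roles: []string{"reimage-portal"}}
	golden := Measure(map[string][]byte{"/usr/bin/sshd": []byte("sshd-golden"), "/usr/bin/bash": []byte("bash-golden")})
	fmt.Println("laptop -> case-management:", policy.Allows(laptop, casemgmt, "tcp", 443))
	tampered := Measure(map[string][]byte{"/usr/bin/sshd": []byte("sshd-backdoored"), "/usr/bin/bash": []byte("bash-golden"), "/tmp/.x": []byte("dropper")})
	fmt.Println("deviations:", Attest(laptop, golden, tampered))
	fmt.Println("laptop -> case-management:", policy.Allows(laptop, casemgmt, "tcp", 443), "| laptop -> re-image portal:", policy.Allows(laptop, portal, "tcp", 443))
}
```

Running it prints the laptop's access before tampering, the sorted deviation list, and the two decisions after quarantine. The point to keep when adapting it is where the trust lives: `Attest` takes the golden measurement from the verifier's side and only writes the device's quarantine bit, so an endpoint can lie about its hashes but cannot lie about the verdict, and a quarantined source is evaluated with a single substitute role rather than by editing the rule set.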
"Zero-trust is not a product; it is a county council resolution that every packet must prove its innocence—again and again, every millisecond."
Integration with legacy county applications is where most zero-trust projects suffocate, because no one wants to recompile a 1998 SAP client that still expects NetBIOS. We sidestepped the problem by wrapping each legacy service inside its own sidecar gateway: a lightweight container that speaks mutual TLS on the front end and whatever antique protocol the service demands on the back end. The gateway holds a long-lived certificate signed by the same sovereign CA, so the legacy binary never sees cryptography it cannot parse, while the outside world sees only modern, attestable endpoints. The pattern is repeatable: for the wastewater SCADA that insists on Modbus/TCP, for the library ERP that needs Named Pipes, for the parking-meter backend that only understands plain ASCII over port 2000. Once the sidecar is deployed, the service inherits all the segmentation and attestation benefits without a single line of code changed, which keeps union lawyers and software vendors equally calm. The gateway authenticates who may talk to the service; it does not make Modbus or Named Pipes any safer once a caller is admitted, so the segmentation policy has to leave the backend’s own port reachable from its sidecar and from nothing else.
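The sovereign-CA client certificates of circle one and the sidecar pattern above, as one added example in Go that is not the Alliance's code: an in-memory root key stands in for the HSM-held CA, a long-lived gateway certificate and a four-hour laptop certificate are issued under it, and a sidecar listens with mutual TLS in front of a plaintext line-protocol backend that stands in for the unmodified legacy service. The certificate names, the `OK-<token>` line protocol, the loopback ports and the function names are constructed for the demo; the rotation agent itself is not modelled, but the expired-certificate path shows what happens to an identity that was not renewed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a leaf valid for ttl; with parent == nil it makes a self-signed root whose in-memory key stands in for the HSM-held CA key.
func issue(parent *tls.Certificate, cn string, ttl time.Duration, eku x509.ExtKeyUsage) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), // one minute of clock-skew allowance
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}, IsCA: parent == nil,
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, BasicConstraintsValid: true, // loopback SAN for the gateway
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

func listen(ln net.Listener, handle func(net.Conn)) net.Listener { // serve every connection until closed
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); handle(c) }(c)
		}
	}()
	return ln
}

func startBackend() net.Listener { // the legacy service: one ASCII token per line over plain TCP, no crypto
	return listen(must(net.Listen("tcp", "127.0.0.1:0")), func(c net.Conn) {
		var req string
		fmt.Fscanln(c, &req)
		fmt.Fprintf(c, "OK-%s\n", req)
	})
}

// startSidecar terminates mutual TLS in front of the legacy socket and relays raw bytes both ways.
func startSidecar(roots *x509.CertPool, gw tls.Certificate, backend string) net.Listener {
	cfg := &tls.Config{Certificates: []tls.Certificate{gw}, ClientCAs: roots, MinVersion: tls.VersionTLS13,
		ClientAuth: tls.RequireAndVerifyClientCert} // only unexpired identities from the sovereign CA get in
	return listen(must(tls.Listen("tcp", "127.0.0.1:0", cfg)), func(front net.Conn) {
		if front.(*tls.Conn).Handshake() != nil {
			return // an unauthenticated peer never reaches the legacy protocol
		}
		back, err := net.Dial("tcp", backend)
		if err != nil {
			return
		}
		defer back.Close()
		go io.Copy(back, front)
		io.Copy(front, back)
	})
}

// call presents a client certificate to the sidecar, sends one token and returns the legacy reply.
func call(addr string, client tls.Certificate, roots *x509.CertPool, msg string) (reply string, err error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: roots})
	if err == nil { // under TLS 1.3 a rejected client certificate surfaces on the first read, not in Dial
		defer conn.Close()
		fmt.Fprintf(conn, "%s\n", msg)
		_, err = fmt.Fscanln(conn, &reply)
	}
	return reply, err
}

func demo() (reply string, staleRejected bool) { // a fresh four-hour laptop cert gets through; a lapsed one is dropped
	root := issue(nil, "county-sovereign-ca", 10*365*24*time.Hour, x509.ExtKeyUsageAny)
	roots := x509.NewCertPool()
	roots.AddCert(root.Leaf)
	backend := startBackend()
	side := startSidecar(roots, issue(&root, "parking-sidecar", 365*24*time.Hour, x509.ExtKeyUsageServerAuth), backend.Addr().String())
	defer func() { side.Close(); backend.Close() }()
	reply = must(call(side.Addr().String(), issue(&root, "social-worker-laptop", 4*time.Hour, x509.ExtKeyUsageClientAuth), roots, "ping"))
	_, err := call(side.Addr().String(), issue(&root, "stale-laptop", -2*time.Minute, x509.ExtKeyUsageClientAuth), roots, "ping")
	return reply, err != nil
}

func main() { fmt.Println(demo()) }
```

Two details are worth keeping when adapting this: the sidecar calls `Handshake()` before it dials the backend, so a peer that fails client-certificate verification never causes a single byte to reach the legacy socket; and `call` treats a failure on the first read as a rejection, because under TLS 1.3 the server's verdict on the client certificate arrives only after the client's own side of the handshake has completed.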
Budget reality is baked into every layer. The entire software bill-of-materials is Apache-licensed or GPL-3; the only recurring cost is the HSM, which leases for 1 200 € per year and can be shared across multiple counties through a cryptographic sharding scheme we published on GitHub. Staff training is included: the Alliance runs a quarterly boot-camp that teaches two administrators per county how to read the YAML policy, how to rotate the CA keys and how to debug a container that refuses to enrol. Graduates receive a micro-credential that is recognised by the German IT-Grundschutz catalogue, which means the education hours count toward the mandatory continuing-professional-development quota that NIS2 will impose on public-sector IT staff. In short, the blueprint exports not just software but employability, turning austerity-bound councils into attractive employers for young engineers who would otherwise head for Berlin.
The first external audit is scheduled for spring 2026, carried out by TÜV Saarland under the new EUCS (European Union Cybersecurity Scheme) that will certify local-government clouds. Auditors already confirmed that the architecture maps 1-to-1 to the zero-trust controls listed in Annex 4 of the draft NIS2 delegated act, which means counties adopting the blueprint can pre-empt up to 60 % of the upcoming compliance burden. More importantly, the design is sovereign by default: no dependency on non-EU identity providers, no telemetry home to third-party clouds, no licence server that can be bricked by export-control disputes. If a geopolitical storm ever forces Germany to decouple from foreign hyperscalers, counties running this blueprint can keep printing birth certificates and collecting waste-water data without missing a beat. That is the final deliverable: not a glossy box, but an insurance policy that fits inside a shoebox and boots from a USB stick.
The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.
Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.