In Tallinn on 4 July, the Estonian President and chair of the ECP Steering Board Toomas Hendrik Ilves hosted the European Cloud Partnership’s second Steering Board meeting. Recent events surrounding PRISM, Mr Ilves suggested, call for a rapid response to ensure secure and lawful cloud computing in the European Union.
EU Vice-president Neelie Kroes echoed this view, suggesting that the Snowden affair (involving an IT contractor for the US’ National Security Agency) has been a wake-up call. It is up to the ECP to build buy-in and support from businesses and politicians. She urged them to work for a strategy with concrete input – i.e. an EU cloud approach that overcomes fragmentation in the cloud market and helps build the Digital Single Market – to be addressed to the European Council.
Ken Ducatel of the European Commission presented the state of play surrounding key actions of the European Cloud Strategy. The planning and timing of each of the three action points (standards mapping, standard contractual work, including SLAs, and the European Cloud Partnership) were discussed, noting that most key deliverables are scheduled for after the Council meeting.
On 27 September 2012, the Commission adopted the European Cloud Strategy in the form of a Communication entitled ‘Unleashing the potential of cloud computing in Europe’, in which it announced the intention to set up a European Cloud Partnership. Under the guidance of the Steering Board, the ECP brings together public authorities and industry consortia to advance the objectives of the Strategy towards a Digital Single Market for cloud computing.
During the meeting, the Cloud-for-Europe (C4E) project was presented by Michael Hange (President of BSI, Germany) and Reinhard Posch (CIO, Austria). It was pointed out that the key security challenge is the lack of transparency on security. This is not just about data-protection compliance, they suggested, although security is necessary for such compliance. It was reported that we also need more transparency on standards, on the processes behind their use and implementation, on the requirements for service providers, and on the underlying guarantees for cloud users so that they have confidence that their prerequisites have been met.
The C4E project leverages public-private cooperation through pre-commercial procurement with the objective of implementing a safe and compliant cloud for the public sector. The project addresses technical, legal and operational security requirements, and will publicly launch in Berlin on 14-15 November 2013
Jim Hagemann-Snabe (SAP) presented progress on cloud certification schemes, stressing that cloud computing is crucial to support the future European economy and competitiveness in general, and not just to create new services. He asked the question: Could we define high levels of quality – e.g. bronze-silver-gold levels of security – and let consumers and businesses choose in a free-market model? This approach might have sufficient commercial appeal to generate business in the EU, he suggested.
Meanwhile, Thierry Breton (ATOS) presented efforts to establish model terms and conditions. Reports of security breaches have raised concern in the market. Given the need for quick action, he suggested it may be advisable to prioritise European clouds over transatlantic partnerships. Service-level agreements (SLAs) are a key tool for this, as they can provide transparency, assurances and therefore trust. The activities revolve around three key deliverables, building on a unified contractual vocabulary: template SLAs with terms and conditions; a cloud decision flowchart; and a cloud checklist. A recurring concern, he stressed, is controlling data flow. Many experts advocate keeping cloud data flows within Europe, based on the rationale that data should not flow through territories that don’t respect EU legislation and EU policy principles.
Christian Fredrikson (F-Secure) presented the status of activities on SMEs, cloud security and software. Security knowhow and resources are generally limited in SMEs, and they are becoming increasingly aware of this, he reported. This is one of the strengths of cloud computing: the cloud allows users to integrate security into infrastructure at a much higher quality level than with non-cloud, outsourced services that SMEs would typically use. This is a huge opportunity, he said.
The main outputs of these activities were (1) the cloud security guide (i.e. a set of Q&As for SMEs along with their contractual/SLA implications); and (2) the cloud software guide (i.e. guidelines for SMEs, insights and experiences that help them to adopt the cloud). Debates showed that the ECP members saw a convergence that could result in a homogeneous package of guidelines, standards, best practices and standard terms, which will help stakeholders to navigate the cloud more effectively.
After a discussion on public-sector clouds, led by a presentation of the French situation by Jacques Marzin (DISIC, France), the following conclusions emerged:
Cost savings can be realised relatively easily through data-centre consolidation; support from data-protection authorities (the CNIL in France) is important to build trust.
Due to data-protection concerns, public data without privacy implications can be entrusted to public cloud services in France, but private data must be limited to private/hybrid clouds.
Major challenges are the interoperability between clouds (given the separation between public/private clouds) and vendor lock-in; this is always difficult for mixed models.
President Ilves noted that data ownership is important in building trust: the citizen is the legal owner of his/her data and has control over who can access the information. The Board supported this view, and also highlighted the importance of technical solutions (including encryption) to support security: the goal is to ensure security and a single market, as opposed to fragmentation.
In a round-up debate initiated by Vivek Dev (Telefonica), the following conclusions emerged:
An approach based on certification against two or three security levels is deemed very useful.
There is a need to identify minimal standards, based on existing best practices; these should focus on public-sector needs, but the private sector is free to adopt them if beneficial. Delegates referred to European standardisation efforts for GSM, which made the EU a global leader in mobile technology. With a single standard, the EU cloud sector could lead the world market for cloud services.
All of these needs could be met through a charter based on the work done within the ECP.
The next meeting is scheduled for 14-15 November 2013 in Berlin, aligned with the launch event of the Cloud-for- Europe project.
Webpage – European Cloud Partnership