An action plan for the Cloud - part 1

Governments around the globe need to take action to ensure that Cloud Computing's potential is realised. That's the conclusion of the latest phase of the World Economic Forum's (WEF) research study Exploring the Future of Cloud Computing, which has spawned an 8-point action plan based on the findings of a series of workshops around the world.

The research study was mandated by the IT Governors at the World Economic Forum Annual Meeting 2009 in Davos, Switzerland. Two objectives for the research were defined:

  • Develop an understanding of what is needed to steer the healthy development of both public and private cloud computing environments.
  • Develop a set of industry and public policy action areas that could help mitigate the uncertainties and accelerate the benefits of Cloud Computing.

Consequently, the project was divided into two phases:

  • Phase 1 focused on consulting with a wide range of relevant stakeholders (IT industry, corporate buyers of IT, government regulators, investors, academics, journalists and others) through workshops, surveys and interviews to obtain their views on the potential impacts of cloud computing – on business, society and the global economy.
  • Phase 2 was to develop recommendations for actions that governments and industry can take to accelerate the deployment and adoption of public Cloud technologies.

This resulted in a report which presents eight action areas for providers of Cloud Computing services and government agencies. It is intended to set the agenda for further engagement among all stakeholders, ensuring the healthy future development of the Cloud Computing industry. Government contributors to the research included the UK Cabinet Office, the European Commission and the US General Services Administration, while the Cloud Computing industry was represented by figures such as Paul Sagan, CEO of Akamai, Craig Mundie, chief research and strategy officer at Microsoft, and Marc Benioff, CEO of Salesforce.com.

The main conclusion of the second phase work can be summed up as: act now! The report notes:   

Many of the concerns about the public Cloud have long been discussed in relation to the Internet without satisfactory resolution. As Cloud Computing technologies significantly exacerbate these issues, the industry and government must address them at a relatively early stage in the evolution of Cloud services...the current regulatory environment has slowed the progress of Cloud technologies (in 2010). Further divergence and fragmentation in how the public Cloud evolves could further delay potential benefits.
 

The report identifies three broad areas of concern that need to be addressed: data governance, security and the business environment.

Data Governance

The report notes a lack of clarity around which legal jurisdiction data in the Cloud falls under – especially if, as many Cloud architectures require, the data is split up and stored in multiple locations. Data often falls under more than one legal jurisdiction, and it is unclear how inconsistencies among those jurisdictions would be resolved. Users surveyed were worried about the potential for foreign governments to demand access to their data, while governments in turn were worried about losing the legal ability to “oversee” data in the Cloud and apply their laws to it. These twin concerns risk the imposition of data location constraints, such as requiring data to be located only within national borders, which some fear will lead to protectionist behaviours.

A longer-term concern would be the potential creation of a new form of the digital divide, as some Cloud providers would not be willing (or able) to build new data centres in-country in smaller markets:

Freedom to move data across borders helps to achieve the economies of scale that are a key benefit of Cloud Computing, as there is a significant cost involved in using architectures that keep a customer’s data in a particular country or geographical block, potentially giving the largest providers an unfair advantage.
 

Data privacy and confidentiality concerns still restrict user willingness to use Cloud services for sensitive data. While some governments have mandated national legal requirements for data stored in the Cloud, the cross-border nature of the Cloud means that national measures to protect data privacy and confidentiality have only limited capacity to reassure users. This suggests a need for greater global consistency over data privacy, but this isn't going to be easy to pull off:

 
Government stakeholders note that fundamental differences in their approaches make comprehensive international agreements less likely. For example, the US has a stricter regulatory regime for specific sectors, such as healthcare, where privacy and confidentiality issues are especially sensitive, while the European Union has blanket data privacy laws. Users may need to rely on market mechanisms to assess the trustworthiness of providers in the Cloud.
 

Similarly, greater clarity is needed about what rights a Cloud service provider has to access, modify or distribute data in the Cloud. Is legal protection compromised if data is moved through the Cloud to other jurisdictions, and who should have the rights to use meta-data? While European Union data privacy laws distinguish between data controllers and data processors, it's not clear what this means in the Cloud. The WEF report warns:

 
There are scenarios in which users and providers could find themselves in a legal limbo, where the law provides no clear answer as to who is responsible for the data if, for example, security is breached or a provider fails. While regulators say they would like to improve both regulations and user awareness of the issues surrounding data ownership, industry stakeholders express concern that over-regulation of data ownership at this point in the cloud’s evolution could prevent them from meeting user needs and improving services.
 

Security

The old bugbear of security worries remains relevant, with users particularly concerned that Cloud-held data is more susceptible to cyber-attacks, while governments are concerned that current technical security mechanisms such as encryption could give users a false sense of security. Government representatives also expressed concern about the resilience of Cloud providers to distributed denial-of-service (DDoS) attacks. The report also notes that data deletion is more challenging in the Cloud, because Cloud providers are the only ones with access to the physical infrastructure on which users’ data is stored, and often data may be mirrored on multiple machines.

Government stakeholders are especially concerned that sensitive data, such as healthcare records, should not be recoverable once deleted, but ensuring data deletion is challenging. The Cloud industry representatives, however, argue:

Concerns about security in the Cloud should not be overstated. By their nature, cloud solutions aggregate the security requirements of many clients, often to the highest standard, and they are frequently monitored and stringently audited. As a result, security protections in the Cloud are more extensive than in many, perhaps most, private data centres.
 

The Business Environment

When considering the wider business environment some division emerges between governments and Cloud providers. Governments are keen to ensure interoperability as a way of driving competition and increasing the resilience of the Cloud system as a whole, especially where the market consists of only a few providers, but this seems to be at odds with a reluctance by Cloud vendors to focus on standardisation.

Portability of data is also important to government as a way of encouraging competition and building systemic resilience, but again the vendors have other priorities. They argue that excessive focus on ensuring data portability will limit their incentive to innovate by making it harder for them to differentiate themselves through different architectures and offerings.

The need for transparency over reliability of the Cloud also leads to some division. Cloud providers are content that market mechanisms will evolve that allow users to assess providers’ reputation and reliability, but governments are unhappy with the status quo, in which there is no consensus among Cloud providers on how much information about their reliability they are willing to disclose.

The WEF report suggests that it is far from clear how principles of free trade should be applied in the Cloud – whether countries that host cloud data centres have an obligation to provide open access to these centres to customers from other countries, under what terms and with what protections. There was also some concern voiced over the current dominance of US Cloud providers. There were also questions about whether national identities, autonomy and sovereignty could be compromised if firms increasingly rely on the same few foreign Cloud providers – seen by some as a form of colonisation.

Based on these concerns and conclusions, the WEF project team developed eight action points for government and industry to act upon. Part two of this special report focuses on those action points.
