EUROPEAN COMMISSION
MEMO
Brussels, 15 October 2013
What does the Commission mean by secure Cloud
computing services in Europe?
Europe should aim to be the world's leading 'trusted cloud region'.
Widespread adoption of cloud computing is essential for improving productivity levels in
the European economy; but the spread of cloud could slow in light of recent revelations
about PRISM and other surveillance programmes. These surveillance revelations have also
led to calls for national or regional cloud computing initiatives.
This challenge must be addressed and also turned into a Europe-wide opportunity: for
companies operating in Europe to offer the trusted cloud services that more and more
users are demanding globally.
The Commission is strongly against a “Fortress Europe” approach to cloud computing. We
need instead a single market for cloud computing. For example the proposal for the
data protection regulation will provide a uniform legal base for the protection of
personal data in Europe. The fundamental principle at stake is the need to look beyond
borders when it comes to cloud computing. Separate initiatives or a Fortress Europe
approach is not going to work.
Achieving this ambition is not a task for the European Commission alone: it begins with the
cloud providers themselves and includes all stakeholders: Member States, industry and
individual users.
What is cloud computing?
‘Cloud computing’ in simplified terms can be understood as the storing, processing and
use of data on remotely located computers accessed over the internet. Usually it involves
sharing computer resources, sometimes with partner agencies or branches of the same
organisation, but often it means sharing the computer resources of third parties with other
third parties. It is this sharing of systems which gives cloud an economic edge over
traditional "on premises IT". It means that users can command almost unlimited
computing power on demand, that they do not have to make major capital investments to
fulfil their computing needs and that they can access their data from anywhere as long as
an internet connection is available. And by adopting common (standard) IT solutions the
development and maintenance costs are spread over much larger communities, meaning
cheaper, often better quality, and often highly professionalised and secure software
services.
Europe’s cloud opportunity
While Europe is not the leading provider of cloud services globally it is known for relatively
high standards of data protection, security, interoperability and transparency about service
levels and government access to information. These characteristics provide a solid basis
for further development of cloud computing in Europe, as users become more conscious of
the need for cheap, flexible IT services, without wanting to compromise privacy.
MEMO/13/898
In particular, the cloud puts the best IT solutions within the reach of small firms and
organisations. These small firms are the bedrock of the European economy, which means the
cloud will enable a particularly big leap forward for productivity in Europe if firms can be
convinced to use it.
How have the PRISM revelations affected the development of
cloud computing in Europe?
The Commission established a European Cloud Partnership Steering Board prior to the
revelations of 2013, and at the board’s meeting in July it discussed the possible fall-out of
the PRISM revelations. The members of the Steering Board expressed serious concern about
the effect of PRISM on the adoption of cloud computing in Europe and called for urgent
action to address those concerns. In general, post-PRISM, two issues must be addressed:
Firstly, a reluctance to use cloud computing by European citizens, businesses and public
administrations. Users already had some reservations over security and confidentiality of
information in the cloud; but PRISM aggravated this situation. Trust in cloud computing is
suffering, which risks depressing the rate of cloud uptake and Europe lagging behind in
cloud computing adoption.
Secondly, the revelations on PRISM have led to calls for national or regional cloud
computing initiatives. Such fragmentation or segmentation of the cloud computing market
along national or regional lines could unfortunately hold back the development of cloud
computing in Europe. National or regional computer provisioning is the traditional position
for most national administrations and there are national rules that prevent some specific
kinds of data (in particular public sector data) from being transferred across borders, even
inside the EU. However, national level initiatives in particular where the software systems
are adapted to local circumstances will not achieve a scale of roll out that would unlock the
full economic benefits of cloud computing. A larger market will increase competition and
value for money, and reduce costs. It would also open up new opportunities for European
cloud providers, which are at the moment far from being market leaders. A fragmented
market for cloud computing will be a set-back for the digital single market, for a connected
continent, and for customers and suppliers alike.
What could Europe gain by becoming a world-leading trusted cloud
region?
Addressing the justified concerns of European citizens, businesses and public
administrations should be seen as an opportunity for the development of cloud computing
in Europe. In particular, tackling the current lack of regulatory consistency could
boost the competitiveness of the European economy, as follows:
First of all, Europe can pride itself on high standards for data protection and data security.
This could be a competitive advantage for firms complying with these high standards. That
is why Europe should aim to be the world’s most secure and trusted region for cloud
computing.
Second, the potential economies of scale of a truly-functioning EU-wide single market for
cloud computing where the barriers to free data flow around the EU are substantially
reduced would be a massive boost to competitiveness. That is why Europe must establish
a fully functioning internal market for cloud computing.
Finally, wide adoption of cloud computing by the public sector would drive cloud
adoption more generally: since the public sector is the largest IT procurer in Europe, it can
set the right framework for Europe's cloud business to get ahead. That is why the public
sector in Europe should position itself as an early adopter of cloud computing.
How to restore trust and build the world’s most secure and
trusted region for cloud computing?
Trust can be restored with more transparency and the use of high standards. The
European Cloud Computing Strategy includes measures to increase transparency of the
market. A better overview of standards, certification of the use of those standards and
safe and fair contract terms for cloud computing are essential. We need to deliver even
faster on those actions if we want to restore trust.
Users should be able to see clearly what a service consists of. What does any single cloud
supplier promise customers? Do they live up to those promises during the delivery of the
service? Service levels, such as the up-time of your service and what happens when it
doesn't work, need to be transparent. Auditing and reporting on access to data should be
accessible to the customer: who looked at my data when and why? And important aspects
of cloud services like the interoperability of services, a potential lock-in situation and
potential security breaches should be communicated to users.
Moreover, to restore trust, more transparency on government access to data, for example,
for reasons of law enforcement and national security is needed, including commitments on
what constitutes legitimate government access to data and transparency about what
access requests have been made. This is not to deny that intelligence and security
services have a legitimate need for such access to defend society; it is merely to lay out a
governance framework for such access, particularly where it is cross-border.
How to prevent a fragmentation of cloud computing and
establish a fully functioning internal market for cloud computing
in Europe?
In order to prevent a fragmentation of cloud computing in Europe, we should take
steps towards building a single market for cloud computing. For example the proposal for the
data protection regulation will provide a uniform legal base for the protection of
personal data in Europe. We have to look beyond borders when it comes to cloud
computing. Separate initiatives or a Fortress Europe approach is not going to work. Of
course cloud computing does not yet have the legacy and experience that we have, for
example, in the telecoms market. Nonetheless, we need to take a similar direction now for
the cloud computing market. Cross-border cloud services should be the norm, not the
exception. We need to think across borders if we are to prevent fragmentation of the
market and avoid the need for regulatory reform of the cloud industry as we have recently
proposed for telecoms.
How can the adoption of secure cloud services in Europe be achieved?
Is there a need for collaboration between the Member States and
the private sector?
This has to be a combined effort. The adoption of secure cloud services in Europe is not
going to happen overnight through independent actions undertaken by individual
stakeholders. The European Cloud Computing Strategy will help but it needs the support
of Member States as well. At the next Council Meeting in October, Member States should
support concrete actions on the cloud.
Member States and the private sector should work together to share their own best-of-breed
solutions. The European Cloud Platform is a platform for this. The Commission is
supporting the Cloud-for-Europe initiative, allowing the public sector to prepare for the
procurement of cloud services, maximising benefits and competition, minimising pitfalls.
The cloud industry should also deliver and invest in innovative security solutions. Providers
should use the best available technologies; the European Commission has a very
extensive R&D programme and provides support for technology development, uptake and
exchange of best practices. Back-ups should be made under the same security conditions.
Providers should live up to their promises and act in a responsible way.
And finally the user needs to act responsibly. Cloud service users are those who can
benefit the most from secure cloud computing services. But they need to be able to rely
on the framework described above, and users have to act responsibly as well. Cloud is not the
right solution for everything. A thorough risk assessment is necessary before adopting it,
one that considers the measures needed to mitigate these risks, including encryption of data
that is transmitted and/or stored in the cloud.
With all those efforts combined, the adoption of secure cloud services in Europe can
become a reality.
What is cloud computing security?
Cloud computing security is an evolving sub-domain of information security and it refers to
a broad set of policies, technologies, and controls deployed to protect data, applications,
and the associated infrastructure of cloud computing.
A key aspect of information security is to preserve the confidentiality, integrity and
availability of an organisation's information. It is only with this information, that it can
engage in commercial activities. Loss of one or more of these attributes, can threaten the
continued existence of even the largest corporate entities.
• Confidentiality. Assurance that information is shared only among authorised
persons or organisations.
• Integrity. Assurance that the information is authentic and complete.
• Availability. Assurance that the systems responsible for delivering, storing and
processing information are accessible when needed, by those who need them.
There are a number of security concerns associated with cloud computing but these issues
fall into two broad categories: security issues faced by cloud providers and security issues
faced by their customers. In most cases, the provider must ensure that their infrastructure
is secure and that their clients’ data and applications are protected while the customer
must ensure that the provider has taken the proper security measures to protect their
information.
Are on-premises solutions completely secure?
For many companies, the default option in the face of doubts about security in the cloud is
to keep the data and its processing on-premises. On-premises solutions refer to
installations of software and hardware directly owned or leased by an end-user in its own
data centres. Arguably, cloud type systems can be implemented in such data centres but
they would generally lack the scale of infrastructure to provide flexible scaling to match
peaks of demand and more seriously they would lack the performance offered by fully
scaled up cloud applications and platforms.
Moreover, on-premises solutions are not completely secure, because they generally lack
the ability to call on the very high levels of professional security that cloud provisioning can
deploy to counter some of the risks of traditional computer provisioning through
implementation of more effective authentication, strong cyber defences, and state of the
art security implementation. The technology systems on which they are based have the
same vulnerabilities as cloud based provisioning and indeed they may be less secure as
software implemented in specific enterprise environments usually has extra vulnerabilities
because the security features will not be standardised or as fully tested. It is also true that
human factors remain the critical vulnerability of all computer systems (e.g. malicious
insiders / over-friendly employees). Moreover, IT systems today are not hermetically
closed as in the past because of the use of mobile services, the trend towards using one's own
devices and the sharing of platforms with customers, citizens, business partners, etc.
This is why cloud computing, with the right specifications, should be considered as a safer
solution to store data than on-premises.
Should encryption be used to protect sensitive information in
transit and storage?
Encryption can and should be used to protect sensitive information in transit and storage.
The data is encrypted by the user, or by the provider, so that it is protected when going
through the Internet, and to the cloud where it is stored. The data can be brought back
through an encryption gateway for processing on secure servers. This makes encrypted
data stored in the cloud a secure solution.
It is true however that ciphers can be broken, or the keys can be accessed. But solutions
can be developed to make encryption as safe as can be. Once again the critical point of
weakness is likely to be human and procedural failings. Security authentication could
for instance remain only in the hands of the data owner using the cloud. This would
eliminate the risk that someone else can decipher the encryption keys, but would in most
cases require a reconfiguration of the typical data stack. Such innovative solutions to
encrypt and protect data in the cloud should be deployed in Europe.
What has been done as regards standards and voluntary
certification?
In September 2012, the Commission adopted the European Cloud Computing Strategy
'Unleashing the Potential of Cloud Computing in Europe'. The aim of the Strategy is to
facilitate faster adoption of cloud computing in Europe.
One of the key actions of the Cloud computing Strategy refers to standards and voluntary
certification. In this context, the European Telecommunications Standards Institute (ETSI)
has been tasked to map existing cloud computing standards in collaboration with all
relevant stakeholders. ETSI has already delivered an intermediary standards overview in
June 2013 and is planning to deliver final results before the end of 2013. Moreover, the
European Commission undertook to 'work with the support of ENISA and other relevant
bodies to assist the development of EU-wide voluntary certification schemes in the area of
cloud computing and establish a list of such schemes by 2014'. Also the Select Industry
Group (SIG) working group on certification was established to support the work on
certification.
Certification of cloud computing services can help to provide more transparency in the
cloud computing market, as certification allows cloud computing suppliers to show their
customers that they are meeting certain standards, for example on network and
information security.
Although certification is not a magic solution to overcome the limitations of a market that
is not transparent, we can see that certification can be of benefit to both cloud computing
suppliers and users. Already, we can see existing solutions available in the market for cloud
computing.
And these existing solutions are exactly what the working group on certification initially
has focussed on. This has already resulted in intermediary results before the summer of
this year: a list of existing certification schemes and a set of principles and
recommendations that the SIG-certification group finds important when it comes to cloud
computing certification.
Currently, these intermediary results are being developed further with the help of the European Network
and Information Security Agency (ENISA). The expertise and support of ENISA is crucial
and will provide essential steps towards more transparency of the cloud computing
market.
Contacts
Email: comm-kroes@ec.europa.eu Tel: +32.229.57361 Twitter: @RyanHeathEU