European Commission

MEMO

Brussels, 15 October 2013

What does the Commission mean by secure Cloud computing services in Europe?

Europe should aim to be the world's leading 'trusted cloud region'.

Widespread adoption of cloud computing is essential for improving productivity levels in the European economy; but the spread of cloud could slow in light of recent revelations about PRISM and other surveillance programmes. These surveillance revelations have also led to calls for national or regional cloud computing initiatives.

This challenge must be addressed and also turned into a Europe-wide opportunity: for companies operating in Europe to offer the trusted cloud services that more and more users are demanding globally.

The Commission is strongly against a “Fortress Europe” approach to cloud computing. We need instead a single market for cloud computing. For example the proposal for the data protection regulation will provide a uniform legal base for the protection of personal data in Europe. The fundamental principle at stake is the need to look beyond borders when it comes to cloud computing. Separate initiatives or a Fortress Europe approach is not going to work.

Achieving this ambition is not a task for the European Commission alone, it begins the cloud providers themselves and includes all stakeholders:Member States, industry and individual users.

What is cloud computing?

‘Cloud computing’ in simplified terms can be understood as the storing, processing and use of data on remotely located computers accessed over the internet. Usually it involves sharing computer resources, sometimes with partner agencies or branches of the same organisation, but often it means sharing the computer resources of third parties with other third parties. It is this sharing of systems which gives cloud an economic edge over traditional "on premises IT". It means that users can command almost unlimited computing power on demand, that they do not have to make major capital investments to fulfil their computing needs and that they can access their data from anywhere as long as an internet connection is available.And by adopting common (standard) IT solutions the development and maintenance costs are spread over much large communities, meaning, cheaper and often better quality and often highly professionalised and secure software services.

Europe’s cloud opportunity

While Europe is not the leading provider of cloud services globally it is known for relatively high standards of data protection, security, interoperability and transparency about service levels and government access to information. These characteristics provide a solid basis for further development of cloud computing in Europe, as users become more conscious of the need for cheap, flexible IT services, without wanting to compromise privacy.

In particular, the cloud puts the best IT solutions within the reach of small firms and organisation. These small firms are the bedrock of the European economy, and means the cloud will enable a particularly big leap forward for productivity in Europe if firms can be convinced to use it.

How the PRISM revelations have affected the development of cloud computing in Europe?

The Commission established aEuropean Cloud Partnership Steering Boardprior to the revelations of 2013, and the board’smeeting in July it discussed the possible fall-out of PRISM revelations. The members of the Steering Board expressed serious concern about the effect of PRISM on the adoption of cloud computing in Europe and called for urgent action to address those concerns. In general, post-PRISM, two issues must be addressed:

Firstly, a reluctance to use cloud computing by European citizens, businesses and public administrations. Users already had some reservations over security and confidentiality of information in the cloud; but PRISM aggravated this situation. Trust in cloud computing is suffering, which risksdepressingthe rate of cloud uptake and Europe lagging behind in cloud computing adoption.

Secondly, the revelations on PRISM have led to calls for national or regional cloud computing initiatives. Such fragmentation or segmentation of the cloud computing market along national or regional lines could unfortunately hold back the development of cloud computing in Europe. National or regional computer provisioning is the traditional position for most national administrations and there are national rules that prevent some specific kinds of data (in particular public sector data) from being transferred across borders, even inside the EU. However,national level initiatives in particular where the software systems are adapted to local circumstances will not achieve a scale of roll out that would unlock the full economic benefits of cloud computing. A larger market will increase competition and value for money, and reduce costs. It would also open up new opportunities for European cloud providers, which are at the moment far from being market leaders. A fragmented market for cloud computing will be a set-back for the digital single market, for a connected continent, and for customers and suppliers alike.

What could Europe gain by become a world leading trusted cloud region?

Addressing the justified concerns of European citizens, businesses and public administrations should be seen as an opportunity for the development of cloud computing in Europe.In particular tackling the current lack of regulatory consistency in order could boost the competitiveness of the European economy, as follows:

First of all,Europe can pride itself on high standards for data protection and data security. This could be a competitive advantage for firms complying with these high standards. That is why Europe should aim to be the world’s most secure and trusted region for cloud computing.

Second, the potential economies of scale of a truly-functioning EU-wide single market for cloud computing where the barriers to free data flow around the EU are substantially reduced would be a massive boost to competitiveness. That is why Europe must establish a fully functioning internal market for cloud computing:

Finally, a wide adoption of cloud computing by the public sector would drive cloud adoption since the public sector is the largest IT procurer in Europe it can set the right framework forEurope's cloud business to get ahead That is why Public Sector in Europe should positions itself as an early adopter of cloud computing.

How to restore trust and build the world’s most secure and trusted region for cloud computing?

Trust can be restored with more transparency and the use of high standards. The European Cloud Computing Strategy, includes measures increase transparency of the market. A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential. We need to deliver even faster on those actions if we want to restore trust.

Users should be able to see clearly what a service consists of. What does any single cloud supplier promise customers? Do they live up to those promises during the delivery of the service? Service levels, such as the up-time of your service and what happens when it doesn't work, need to be transparent. Auditing and reporting on access to data should be accessible to the customer: who looked at my data when and why? And important aspects of cloud services like the interoperability of services, a potential lock-in situation and potential security breaches should be communicated to users.

Moreover, to restore trust, more transparency on government access to data, for example, for reasons of law enforcement and national security is needed, including commitments on what constitutes legitimate government access to data and transparency about what access requests have been made. This is not to deny that intelligence and security services have a legitimate need for such access to defend society, it is merely to lay out a governance framework for such access, particularly where it is cross-border.

How to prevent a fragmentation of the cloud computing and establish a fully functioning internal market for cloud computing in Europe?

In order to prevent a fragmentation of the cloud computingin Europe, we should make steps in building a single market for cloud computing. For example the proposal for the data protection regulation will provide a uniform legal base for the protection of personal data in Europe. We have to look beyond borders when it comes to cloud computing. Separate initiatives or a Fortress Europe approach is not going to work. Of course cloud computing does not yet have the legacy and experience that we have, for example, in the telecoms market. Nonetheless, we need to take a similar direction now for the cloud computing market. Cross-border cloud services should be the norm, not the exception. We need to think across borders if we are to prevent fragmentation of the market and avoid the need for regulatory reform of the cloud industry as we have recently proposed for telecoms.

How can the adoption of secure cloud services in Europe be done? Is there a need for collaboration between the Member States and the private sector?

This has to be a combined effort. The adoption of secure cloud services in Europe is not going to happen overnight through independent actions undertaken by individual stakeholders. The European Cloud Computing Strategy will help but it needs the support of Member States as well. At the next Council Meeting in October, Member States should support concrete actions on the cloud.

Member States and the private sector should work together to share their own best-of-breed solutions. The European Cloud Platform is a platform for this. The Commission is supporting the Cloud-for-Europe initiative, allowing the public sector to prepare for the procurement of cloud services, maximising benefits and competition, minimising pitfalls.

The cloud industry should also deliver and invest in innovative security solutions. Providers should usethe best available technologies; the European Commission has a very extensive R&D programme and provides support for technology development, uptake and exchange of best practices. Back-up: should be done under same security conditions. Providers should live up to their promises and act in a responsible way.

And finally the user needs to act responsibly. Cloud services users are those who can benefit the most from secure cloud computing services. But they need to be able to rely on the framework described above. But users have to responsibly as well. Cloud is not the right solution for everything. A thorough risk assessment is necessary before adopting it, that considers the measures needed to mitigate these risks including encryption of data that is transmitted and or stored in the cloud.

With all those efforts combined, the adoption of secure cloud services in Europe can become a reality.

What is cloud computing security?

Cloud computing security is an evolving sub-domain of information security and it refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

A key aspect of information security is to preserve the confidentiality, integrity and availability of an organisation's information. It is only with this information, that it can engage in commercial activities. Loss of one or more of these attributes, can threaten the continued existence of even the largest corporate entities.

  • Confidentiality. Assurance that information is shared only among authorised persons or organisations.
  • Integrity. Assurance that the information is authentic and complete.
  • Availability. Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.

There are a number of security concerns associated with cloud computing but these issues fall into two broad categories: security issues faced by cloud providers and security issues faced by their customers. In most cases, the provider must ensure that their infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information.

Are the on-premises solutionscompletely secure?

For many companies, the default option in the face of doubts about security in the cloud is to keep the data and its processing on-premises. On-premises solutions refer to installations of software and hardware directly owned or leased by an end-user in its own data centres. Arguably, cloud type systems can be implemented in such data centres but they would generally lack the scale of infrastructure to provide flexible scaling to match peaks of demand and more seriously they would lack the performance offered by fully scaledup cloud applications and platforms.

Moreover, the premises solutions are not completely secure, because they generally lack the ability to call on very high levels of professional security that cloud provisioning can deploy to counter some of the risks of traditional computer provisioning through implementation of more effective authentication, strong cyber defences, and state of the art security implementation. The technology systems on which they are based have the same vulnerabilities as cloud based provisioning and indeed they may be less secure as software implemented in specific enterprise environments usually has extra vulnerabilities because the security features will not be standardised or as fully tested. It is also true that human factors remain the critical vulnerability of all computer systems (e.g. malicious insiders / over friendly employees). Moreover, IT systems today are not hermetically closed as in the past because of the use of mobile services, the trend towards using own devices and the sharing of platforms with customers, citizens, business partners, etc. . This is why cloud computing, with the right specifications, should be considered as a safer solution to store data than on-premises.

Should encryption be used to protect sensitive information in transit and storage?

Encryption can and should be used to protect sensitive information in transit and storage. The data is encrypted by the user, or by the provider, so that it is protected when going through the Internet, and to the cloud where it is stored. The data can be brought back through an encryption gateway for processing on secure servers. This makes encrypted data stored in the cloud a secure solution.

It is true however that cyphers can be broken, or the keys can be accessed. But solutions can be developed to make encryption as safe as can be. Once again the critical point of weakness is likely to be the human and procedural failings.Security authentication could for instance remain only in the hands of the data owner using the cloud. This would eliminate the risk that someone else can decipher the encryption keys, but would in most case require a reconfiguration of the typical data stack. Such innovative solutions to encrypt and protect data in the cloud should be deployed in Europe.

What has been done as regards standards and voluntary certification?

In September 2012, the Commission has adopted the European Cloud Computing Strategy 'Unleashing the potential of the Cloud Computing in Europe'. The aim of the Strategy is to facilitate faster adoption of cloud computing in Europe.

One of the key actions of the Cloud computing Strategy refers to standards and voluntary certification. In this context, the European Telecommunications Standards Institute (ETSI) has been tasked to map existing cloud computing standards in collaboration with all relevant stakeholders. ETSI has already delivered an intermediary standards overview in June 2013 and is planning to deliver final results before the end of 2013.Morover, the European Commission undertook to 'work with the support of ENISA and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing and establish a list of such schemes by 2014. Also the Select Industry Group (SIG) working group on certification was established to support the work on certification.

Certification of cloud computing services can help to provide more transparency in the cloud computing market, as certification allows cloud computing suppliers to show their customers that they are meeting certain standards, for example on network and information security.

Although certification is not a magic solution to overcome the limitations of a market that is not transparent, we can see that certification can be of benefit to both cloud computing suppliers and users. Already, we can see existing solution available in the market for cloud computing.

And these existing solutions are exactly what the working group on certification initially has focussed on. This has already resulted in intermediary results before the summer of this year: a list of existing certification schemes and a set of principles and recommendations that the SIG-certification group finds important when it comes to cloud computing certification.

Currently, these intermediary results are advanced with the help of the European Network and Information Security Agency (ENISA). The expertise and support of ENISA is crucial and will provide essential steps towards more transparency of the cloud computing market.

Contacts

Email: l: +32.229.57361 Twitter: @RyanHeathEU

1