E-residency, data embassy and the Cloud
-
Upload
andres-kuett -
Category
Government & Nonprofit
-
view
137 -
download
0
description
Transcript of E-residency, data embassy and the Cloud
E-residency, data embassy and the CloudAndres Kütt Estonian Information System Authority / Architect
20.11.2014
Estonia in perspective
Population1 Labor force PPP gross national income per capita
Estonia 1 690 391 23.280Latvia 2 1 046 220 21.820Russian Federation 144 76 872 229 22.800
Singapore 5 3 021 715 71.900United States 314 158 666 072 52.610
1 - In millions, rounded to 1
Estonia is so tiny a quarter of our population can become a rounding error.
GNI per capita
0
20 000
40 000
60 000
80 000
1995 1998 2001 2004 2007 2010
Estonia Singapore USA LatviaRussian Federation
The graph shows that no only is our GNI considerably smaller than that of more advanced countries, it is also growing at the same pace. Ergo, we shall be relatively cash-strapped for the foreseeable future.
The solution? Go paperless. Replace the expensive paper-based services with electronic government services that are easier to scale and do not create the feedback loop of bureaucracy creating more bureaucracy.
690 391Our prime-minister-to-citizen ratio is too high.
GAASGovernment as a service. We are already building these web services, why not provide them to others?
10 000 000
This is radical. Illustrates the lengths to which this country is willing to go. Because we have very few other options.
Digital continuity becomes a problem
! We cannot switch back to paper ! For the reasons we went digital in the first place ! Also because we no longer know how
! Digital is built deep into all aspects of Estonia ! Business processes shaped around requesting data, not
delivering documents ! This does not scale without digital
In the digital world, this is certainly the case. The more digitized one is, the more dangerous digital risks become. Estonia can not go back to paperless simply because we no longer know how. This has been the case for so long, our business processes have adapted. For example, a common practice has companies supplying a certificate of tax status as part of public tender processes to make sure they do not owe taxes to the state. In Estonia one would execute a query against the tax board information system instead asking for the status of a particular company. Issuing a certificate would also be meaningless as companies can go and change their tax declarations at will altering their financial standing with the state.
One solution to this would be to move all the services to the Cloud by using Microsoft, Amazon, Google or other cloud service providers. I’ll talk a bit about the challenges and learnings we have had
Agency Agency AgencyAgencyFina
nce
and
port
folio
man
agem
ent
Info
rmat
ion
secu
rity
Information System Registry
Electronic identity
Citizens/Officials/Enterprises
Delivery channels
Integration
Infrastructure
Architecture of Estonian information system
Agency Agency AgencyAgencyFina
nce
and
port
folio
man
agem
ent
Info
rmat
ion
secu
rity
Information System Registry
Electronic identity
Citizens/Officials/Enterprises
Delivery channels
Integration
Infrastructure
Cloud is not simply an infrastructure problem
It immediately becomes a business problem,
if not sooner then when assessing risks
Whom can you trust?
We make a lot of implicit and explicit decisions on trust, cloud
introduces a lot of complexities to these decisions
Small players are too small
What is their actual ability to honour the collateral?
Big players are too big
Appi
What about democratic change?
A nation democratically decides it is OK to look into
files they consider to be under their jurisdiction
“Lady, I never walk into a place I don't know how to walk out of.”
In the end, nobody can be trusted
Not with really important things
Cryptography to the rescue!
Secure multi-party computation
Ability to share data and computation between untrusted parties
Cryptography to the rescue!
X1 X2 AVG(X1,X2)
Original 12 8 10
Node 1 1 3 2
Node 2 4 2 3
Node 3 7 3 5
Browser-based cryptography
Since the server cannot be trusted, the client must encrypt everything
Challenges with the browser
! Related to encryption itself ! WebCryptoAPI coming to age but clearly inadequate ! Big players reluctant to cooperate on Browser/OS issues
! Related to handling of encrypted data ! How to execute server-based tasks like search on encrypted
data? ! Key management issues
Conclusions
What can we make of it all?
Cryptography to the rescue!
Moving to cloud assumes a high level of maturity from the entire organisation
More so than being either in our out of the cloud
Trust decisions need to get explicit
Questions of trust have profound business implications and must thus be made explicitly
Cryptography seems to be a solution
Although it is not entirely clear, how exactly
Thank you!
Andres Kütt [email protected]