E-residency, data embassy and the CloudAndres Kütt Estonian Information System Authority / Architect

20.11.2014

Estonia in perspective

Population1 Labor force PPP gross national income per capita

Estonia 1 690 391 23.280Latvia 2 1 046 220 21.820Russian Federation 144 76 872 229 22.800

Singapore 5 3 021 715 71.900United States 314 158 666 072 52.610

1 - In millions, rounded to 1

Estonia is so tiny a quarter of our population can become a rounding error.

GNI per capita

0

20 000

40 000

60 000

80 000

1995 1998 2001 2004 2007 2010

Estonia Singapore USA LatviaRussian Federation

The graph shows that no only is our GNI considerably smaller than that of more advanced countries, it is also growing at the same pace. Ergo, we shall be relatively cash-strapped for the foreseeable future.

The solution? Go paperless. Replace the expensive paper-based services with electronic government services that are easier to scale and do not create the feedback loop of bureaucracy creating more bureaucracy.

690 391Our prime-minister-to-citizen ratio is too high.

GAASGovernment as a service. We are already building these web services, why not provide them to others?

10 000 000

This is radical. Illustrates the lengths to which this country is willing to go. Because we have very few other options.

Digital continuity becomes a problem

! We cannot switch back to paper ! For the reasons we went digital in the first place ! Also because we no longer know how

! Digital is built deep into all aspects of Estonia ! Business processes shaped around requesting data, not

delivering documents ! This does not scale without digital

In the digital world, this is certainly the case. The more digitized one is, the more dangerous digital risks become. Estonia can not go back to paperless simply because we no longer know how. This has been the case for so long, our business processes have adapted. For example, a common practice has companies supplying a certificate of tax status as part of public tender processes to make sure they do not owe taxes to the state. In Estonia one would execute a query against the tax board information system instead asking for the status of a particular company. Issuing a certificate would also be meaningless as companies can go and change their tax declarations at will altering their financial standing with the state.

One solution to this would be to move all the services to the Cloud by using Microsoft, Amazon, Google or other cloud service providers. I’ll talk a bit about the challenges and learnings we have had

Agency Agency AgencyAgencyFina

nce

and

port

folio

man

agem

ent

Info

rmat

ion

secu

rity

Information System Registry

Electronic identity

Citizens/Officials/Enterprises

Delivery channels

Integration

Infrastructure

Architecture of Estonian information system

Agency Agency AgencyAgencyFina

nce

and

port

folio

man

agem

ent

Info

rmat

ion

secu

rity

Information System Registry

Electronic identity

Citizens/Officials/Enterprises

Delivery channels

Integration

Infrastructure

Cloud is not simply an infrastructure problem

It immediately becomes a business problem,

if not sooner then when assessing risks

Whom can you trust?

We make a lot of implicit and explicit decisions on trust, cloud

introduces a lot of complexities to these decisions

Small players are too small

What is their actual ability to honour the collateral?

Big players are too big

Appi

What about democratic change?

A nation democratically decides it is OK to look into

files they consider to be under their jurisdiction

“Lady, I never walk into a place I don't know how to walk out of.”

In the end, nobody can be trusted

Not with really important things

Cryptography to the rescue!

Secure multi-party computation

Ability to share data and computation between untrusted parties

Cryptography to the rescue!

X1 X2 AVG(X1,X2)

Original 12 8 10

Node 1 1 3 2

Node 2 4 2 3

Node 3 7 3 5

Browser-based cryptography

Since the server cannot be trusted, the client must encrypt everything

Challenges with the browser

! Related to encryption itself ! WebCryptoAPI coming to age but clearly inadequate ! Big players reluctant to cooperate on Browser/OS issues

! Related to handling of encrypted data ! How to execute server-based tasks like search on encrypted

data? ! Key management issues

Conclusions

What can we make of it all?

Cryptography to the rescue!

Moving to cloud assumes a high level of maturity from the entire organisation

More so than being either in our out of the cloud

Trust decisions need to get explicit

Questions of trust have profound business implications and must thus be made explicitly

Cryptography seems to be a solution

Although it is not entirely clear, how exactly

Thank you!

Andres Kütt andres.kutt@ria.ee