European Cloud Computing Strategy

Dr Ken Ducatel

DG CONNECT

What is at stake?

2/4/2014 2

Cloud as a growth engine

Business creation: • 400.000 new

SMEs Boosts productivity and efficiency: • Up to 90% of cost

savings for public administrations and private companies

Boost GDP : • €940 bn

cumulative impact for 2015-2020

• €250bn in 2020

Potential for job creation: • 3.8 million

cloud-related jobs

0%

5%

10%

15%

20%

25%

30%

1% to 4%

5% to 9%

10% to 19%

20% to 29%

30% to 49%

50% or more

We have seen (or expect

to see) a cost

increase

Too early to

tell

Don't know

Cost Savings

Almost all users see cost savings peaking at

10-20%

2/4/2014

3

But.... Need for Trust, Regulatory Certainty and Openness

2/4/2014

4

Legal

jurisdiction Security and

data protection Trust Data Acces and

Portability

Feb-14 © IDC

Barriers’ Analysis: Clustering

Indicator 1 - Assessment of cloud relevance

Average Impact Indicator*

Legal Jurisdiction 1.00 0.72

Data location 0.71 0.58

Security& data protection 0.93 0.70

Trust 0.86 0.70

Data Access and Portability 0.79 0.66

Change control 0.45 0.33 Ownership of customisation 0.36 0.61

Local support 0.54 0.42

Evaluation of Usefulness 0.27 0.84

Local language 0.09 0.45

Slow Internet Connection 0.18 0.17

Tax incentives on capital spending 0.00 0.22

5 * Average Impact Indicator: Average of Indicators 2, 3, 5, 6. Indicator 4 included in indicator 5.

Data

Jurisdiction

/location

Interoperability

and Tech

Transparency

Business

Security/

Trust

Industrial

policy

IDC 2012

Cloud computing services: public sector drivers and draggers

Drivers Draggers

Security worries

Contracts

Budgeting & costs

Scalability Technology

Standards

Audit

Legal compliance

Reversability

Data location

New demands: Mobility, BYOD, etc

Cost caps

Capital caps

Interoperability

Legacy apps, etc

Cutting through

the jungle of

technical

standards

The Cloud Select Industry Group

on Service Level Agreements

The Cloud Select Industry Group

on Certification Schemes

The Cloud Select Industry Group on

Code of Conduct

ETSI: Cloud Standards

Coordination

The European Cloud Partnership

Cloud strategy's key actions

Groups working on

implementing the strategy

Development of

model 'safe and

fair' contract terms

and conditions

A European

Cloud Partnership

to drive

innovation and

growth from the

public sector.

The Cloud Computing

Contract Group

The European

Commission's

strategy

'Unleashing the

potential of cloud

computing in

Europe'

Adopted on 27

September 2012, it is

designed to speed up

and increase the use

of cloud computing

across the economy

The Cloud Computing

Strategy

Launched on

4-5/12/2012

Launched on

21/02/2013

Launched on

10/04/2013

Launched on

21/02/2013

Launched on

19/11/2013

Launched on

19/11/2012 Steering Board

Cloud for Europe To be launched

In 11/ 2013

Progress

2/4/2014 8

• Key action 1:

• Standards mapping by ETSI

– Cloud Standards Coordination Conference Brussels 11/12/2013

• List of certification schemes

– ENISA list and meta-framework mid 2014

– Pilots 2014

• Key action 2:

• Cloud Service Level Agreements

- Draft Templates mid 2014

• Code of conduct (data protection)

– Stable draft Feb 2014,

– to Art 29 WP, endorsement during this Commission

• Cloud Contract Group

– first results mid 2014

• Key action 3

• Cloud 4 Europe project

– Official launch 14 November 2013

– Pre-notice April, tender early summer 2014

Cloud Standards Mapping

ETSI @ CSC Workshop – 10/12/12013

• Launched in December 2012

• Workshop in Cannes, co-organized by EC, 200+ participants

• Definition of work structure: 3 TGs, a coordination group (‘reference’)

TG1 for definition of Roles and TG2 for collection of Use Cases

TG3 in charge of Use Case Analysis and Production of the Report

ETSI Support: Laurent Vreck

Identified EXISTING Certification schemes

• Data security: recognized standards/schemes, but only few fit for cloud purpose

• Data protection: no recognized standards/schemes yet

• Lack of transparency about some schemes (recognition, scope, added value, etc.)

• No one-stop shop in EU

Initial Evaluation Cloud Security Alliance –

Open Certification Schema

ISO 27001

Europrise

Eurocloud Star Audit

SOC / ISAE 3402 / SSAE16

Fisma

PCI-C

Cloud Industry Forum

Code of Practice ISO 20000 / ITIL

ISACA - COBIT

LeetSecurity

Rating

TÜV Rheinland

Solutions • Listing certification schemes

– Anything can get on the list

– Characteristics that can be objectively assessed/discussed

– Who governs the scheme, who audits, what is the standard

– A process for adding/updating schemes

• Meta-framework to be developed by ENISA

– Part of ENISA’s WP for 2014

– High level security objectives

– Detailed auditable security measures

– Security measures divided in levels

– Mapping to existing schemes

– Close collaboration with CERT-SIG

– First draft due mid 2014

– Pilots ECP?

SLAs: Creating A Common Vocabulary of Understanding

Purchaser’s Dilemma SIG SLA Support

“Cloud Contracts are not comparable and use different definitions”

Template SLAs and Terms and Conditions

“I don’t know which Cloud Delivery Options are right for my specific need”

Cloud Decision Flowchart

“I don’t know if I have considered the most important aspects for this contract”

Cloud Contract Checklist

Code of Conduct on DP: Background

14 Oct 2013 CSIG Plenary

• Directive 95/46/EC art 27 encourages adoption of codes of conduct and their endorsement by art 29 Working Party

• EC Cloud Computing Strategy of 29-09-2012 “Work with industry to agree a code of conduct for cloud computing providers to support a uniform application of data protection rules which may be submitted to the Article 29 Working Party for endorsement in order to ensure legal certainty and coherence between the code of conduct and EU law.”

Data Protection Code of Conduct

14 Oct 2013 CSIG Plenary

• Code of Conduct Working Group

1st meeting 10 April 2013

Under DG Connect’s Cloud Select Industry Group

Continuous drafting until end of August

• Work progress

• WP29 Technology subgroup presentation on Sept 5th,

• Observation of WP29 TS on Sept on principles for the CoC on Sept 17th

• Cloud-Select Industry Group plenary on Oct 14th

• CoC group plenary session on Oct 21st

• Set up drafting team to produce second draft by end of year

• Stable draft for February 2014 for presentation to WP29 in March

• Aim for endorsement before end of this Commission

2/4/2014 15

• Key action 3 European Cloud Partnership

• European Cloud Partnership Steering Board

• Cloud 4 Europe project

EU approaches to Public sector cloud adoption: 3 main emerging Models

16

Country Procurement and marketplace Model

Resource Pooling

Model

Standalone applications

Model UK Yes Abandoned Yes

Italy Yes

Germany Yes (but limited) Yes (marginal)

Denmark Yes

France Yes Yes

Netherlands Yes (future) Yes

Portugal Yes Yes (project)

Spain Yes

Belgium Abandoned Yes

Austria Yes (long-term future) Yes (future)

2/4/2014 17

• Privacy and security are common barriers –addressed but stressed at different levels

• Other:

• Regulatory issues (e.g. requirements for sharing data between administration in Italy - rigidity in EU procurement law (G-cloud))

• Technical issues (e.g. lack of maturity of technologies)

• Financial issues (e.g. assessing real costs of cloud deployment)

• Adapting SLAs to cloud and public sector

• Changes in process and ways of working are, if not a barrier, a main challenge in implementing cloud initiative in the public sector:

Cloud requires adjustment in ICT management processes, automation of tasks and changes in skills requirements for staff, pulling resources together between administrations used to manage their own bespoke ICT solutions, etc.

Public sector & policy barriers

ECP Steering Board Membership • Toomas Hendrik Ilves, Chair of Steering Board, President

of Estonia

• Léo Apotheker, former CEO of SAP AG and HP

• Thierry Breton, Chairman and CEO of ATOS

• Bernard Charlès, President and CEO of Dassault Systèmes

• Kate Craig-Wood, Managing Director of Memset

• Christian Fredrikson, President and CEO of F-Secure

Corporation

• Michael Gorriz, CIO of Daimler AG and President of

EuroCIO

• Jim Hagemann-Snabe, Co-CEO of SAP AG

• Vivek Dev, CEO Digital Services, Telefonica Digital

• Pierre Nanterme, CEO of Accenture

• Karl-Heinz Streibich, CEO, Chairman of the Management

Board and Group Executive Board of Software AG

• Hans Vestberg, President and CEO of Ericsson

18

• Werner Vogels, Vice President and Chief Technology Officer of

Amazon.com

• Katarina de Brisis, Norwegian Ministry of Government

Administration and Reform, Deputy Director General of the

Department of ICT policy and public sector reform

• Aitor Cubo Contreras, Deputy Director General of Programs,

Studies and Promotion of Electronic Administration, Spanish

Ministry of Finance and Public Administrations

• Jacques Marzin, ICT Corporate Director for France, Direction

interministérielle des systèmes d'information et de

communication de l’État

• Michael Hange, President of the German Federal Office for

Information Security

• Maarten Hillenaar, Government CIO and Director of the

central government ICT-policy department, Dutch Ministry of

the Interior and Kingdom Relations

• Reinhard Posch, CIO and Chair of the Austrian e-Government

DIGITAL:AUSTRIA, Austrian Federal Government

• Andrzej Ręgowski, Vice-Minister, Polish Ministry of Administration and Digital Affairs

2/4/2014 19

Cloud-for-Europe main characteristics

PREPARE PUBLIC SECTOR FOR PROCURING SECURE, RELIABLE, COST-EFFECTIVE CC SERVICES, AND

AVOIDING LOCK-IN.

• Funded thru RTD programme.

• Umbrella initiative: adding to and building on national initiatives – best of breed.

• Inclusive: vehicle for getting a wide range of interested countries on-board through consultation, dissemination, awareness raising and training.

• Cooperation public sector-industry through pre-commercial procurement.