Cloud Computing

Response by British Telecommunications PLC to the 2011 European Commission public consultation

August 2011

1 Introduction and Key Points

The Commission's Expert Group Report on the Future of Cloud Computing rightly recognised the potential of European telecommunications operators to be major players in a European cloud computing strategy. BT is a cloud user as well as a cloud provider and our comments reflect both perspectives.

In the new IP-based environment BT is heavily expanding its cloud offers, in particular for multi-site customers in more than 170 countries, whether they are global companies or institutions. Our services are primarily provided over virtual private networks, which require end-to-end connectivity, whether across a country, across Europe or across the globe. Regulated wholesale access is therefore a key component, which requires more consideration in the context of a European cloud computing strategy. Such access, based on Private circuits or Partial Private circuits, has been problematic but fundamental for us in deploying multinational VPN networks across the EU. As cloud services become more mainstream and thus dependent on typically residential-type access products and super-fast broadband, regulated access to such mainstream access services will be equally essential to the effective development of cloud services.

While wholesale access regulation for broadband is enshrined in the European electronic communications framework, it lacks effective implementation in many European markets, and this is potentially deteriorating as these markets move to fibre-based access for broadband. In most key markets outside the EU, including the USA special access area, the situation is even worse. Access regulation is either non-existent or still in its infancy. Some markets even refuse to recognise the need for its introduction, thereby causing serious distortion of competition not only in their home market, but also with global consequences.

Other areas which need to be addressed in order to promote the provision of EU cloud services are common standards, interoperability and data portability, to avoid lock-in of customers. If cloud computing begins to fulfil the potential predicted for it, digital inclusion will also become increasingly significant. Affordable network access and terminal devices will be necessary components in promoting inclusion, but not sufficient.

2 BT's approach to Cloud Computing

BT's views on cloud computing are not based on the layered definition (Infrastructure / Platform / Software as-a-service) but inspired by its key characteristics:

- Scalable Multi-tenant IT: Massive scalability using Utility Computing model; multi-tenancy is an essential characteristic
- Enabled by the Network: Cloud computing only exists because IP Networking makes it ubiquitous and reachable
- Efficient Utilisation of IT resource: Multi-tenant usage patterns result in efficiency gains from diverse statistical usage
- Pay as you Use: Replace Capex intensity with flexibility of a shared model; pay as you consume also motivates users to release server capacity after use
- Agile IT deployments: Cloud makes it possible to test new applications and new businesses without long-term commitment and fixed costs; concept-to-market (C2M) cycles are regularly reduced by a factor of 10.

BT provides services in all the above areas, offers consultancy to help organisations optimise their operations using the cloud and works closely with customers to adapt services to their specific needs.

BT's overall approach to addressing regulatory issues, not only in the context of cloud computing, is one which favours an environment for competition, innovation, security and customer choice. We believe that economic bottlenecks (such as local communications access networks, radio spectrum and premium content) should attract proportionate regulation. In parallel, however, we believe that new business models and new industries must be given the scope to grow and develop, and that pre-emptive regulation (beyond basic concerns around privacy, consumer protection and interoperability where warranted) should be avoided. Otherwise EU competitiveness will lose out to US and Asian interests; indeed a global approach to principles in the cloud area would be wise.

Cloud computing offers scope for great efficiency gains for businesses, SMEs notably, and individuals; it also enhances the ability of the ICT sector to deliver carbon efficiencies.

3 Data Protection

BT is involved in outsourced processing and storage of personal data for some of the EU's largest collections of sensitive personal data, e.g. the UK's National Health Service. For cloud computing we see the following areas as essential to be looked at:

- Conflicts between data protection and information requirements under other regulations - These are increasingly common, e.g. in financial services (whistle-blowing, Sarbanes-Oxley, Swift), transport (airline passenger data) and law enforcement (criminal and civil matters).
- International data transfers - Mechanisms need to be improved.
For intra-group transfers the BCR regime may be less onerous than it has been previously, but combined with the model contracts regime, the system overall is unduly burdensome and subject to many delays. Simplification and alternative mechanisms not reliant on prior permissions or notifications would be welcome.
- Applicable law - It would be helpful if the approach adopted in the sphere of data protection were aligned with the approach adopted for other areas of law relating to cloud computing (e.g. cybercrime). Coordination with other authorities at global level would be equally helpful. Two of the keys to providing effective cloud computing services are data back-up and server load balancing. This means that the same data may often be found in two places at the same time, and may be switched rapidly between servers on a regular basis. An approach focused on the geographic location of specified equipment is unlikely to provide an answer to current problems.
- Controller and Processor - Current definitions (Controller, Processor, and Personal Data) are more complicated today. Reluctance by some non-EU service providers to recognise the functional approach to allocation of responsibilities promulgated by the Article 29 WP has resulted in contrived solutions with no real legal certainty. The notion of a Processor (effectively as agent) simply performing a set of operations at the behest and instruction of a Controller is largely an
outmoded one. Today, the outsourced supplier itself increasingly takes specific decisions on data processing based on general instructions, thus acting more akin to a data controller itself, acting jointly with the user in this respect.
- Data Storage and Data Flows - Cloud service providers should have the flexibility to determine their own data storage solution, be it centralised or multijurisdictional, static or dynamic, or a combination. Unreasonable constraints risk stifling innovation and the benefits derived from cloud.

Against this background, it is essential to avoid prescriptive approaches and to ensure commercial flexibility. Barriers such as country obligations to locate data or servers within their border, such as the approach being taken in Greece regarding implementation of the Data Retention Directive, should be assiduously avoided. It should be noted that the approach taken by Greece is contrary to guidance produced by the Data Retention Experts Group created by the European Commission.

See also our response to the Commission's Data Protection consultation: bt_en.pdf

4 Embracing Interoperability

4.1 Interoperability and data portability issues

It is necessary to distinguish between interoperability (using multiple cloud services simultaneously within a single usage scenario) and portability (the ability for a customer to move between providers of cloud services or in-house systems). Both will be required, but portability is expected to be more tractable in the short term. Commercial providers of cloud services are not strongly motivated to support portability away from their services, particularly in terms of exporting data, where there are barriers in terms of both formats and performance (e.g. time taken to export datasets). Data protection and privacy constraints cause significant issues.
Lack of transparency of where and how data is stored and processed is a significant inhibitor to the adoption of cloud services for applications involving personal data. Regulatory and audit requirements are also important for applications in a number of sectors and are typically not supported by cloud service providers. Uncertainties associated with liability and governance of data are significant issues.

Data has a tangible value not only for enterprises but also for individuals, who are increasingly using cloud services for storing music, photos, file backups etc. There is a perceived (or actual) loss of control when a decision to use cloud services is made, and a need for trust in the provider, potentially over the long term. The ability to move to an alternative provider or out of the cloud is important in mitigating risk, but obligations and expectations are often not clear. Validation and audit of the way that cloud providers treat customer data during and after the term of any SLA is not easy. Their operations are opaque, which makes risk assessment and management by the customer difficult.

4.2. Existing or emerging interoperability standards

The current focus is largely on computing infrastructure provided as a service over the Internet. This market is dominated by a small number of large providers, although there are many more specialised players differentiated in various ways. Mainstream adoption of managed services based on cloud technologies by large corporate customers is still at an early stage. Current market offerings are better suited to start-ups (without established IT estate) and specific projects, rather than to critical enterprise systems.

There is some existing standards activity associated with cloud, and a perceived high level of interest in cloud standards. However, the most meaningful activity is currently in DMTF (VMAN and OVF initiatives) and OGF (OCCI). There is strong focus on virtualization technologies where the motivation for technical interworking is clearest. Major industry players in these initiatives are IT companies, predominantly US-based.

Existing IT and Internet standards provide a good basis for cloud interoperability and portability, although there is currently a lack of consistency in the way cloud service providers select and support these standards. There are numerous initiatives aimed at standards to support cloud computing. However, most of these are at an early stage of maturity, typically seeking to define terms, collect use cases and derive requirements.

Among the standards specifically targeted at server virtualisation and cloud, OVF (DMTF) is a fairly mature standards activity which provides a way of packaging VM images for multiple hypervisors. This is supported by major vendors and gives some level of VM portability. OCCI (OGF) provides standard interfaces to cloud infrastructure services, allowing virtual computing environments to be described and specified.
There are several technical solutions and initiatives which can support interoperability and portability between clouds, including Globus Online / GridFTP etc. for high-volume data movement, and dataliberation.org (Google API for data import/export).

Standards to support development of the market are important, but industry consensus is much less mature, although ETSI, ITU and the TeleManagement Forum all have initiatives seeking to represent the interests of service providers, network operators and associated suppliers.

Missing Standards to enable interoperability and portability

Users need control over, and to be able to take responsibility for, their own applications and data, both when dealing with a single cloud service provider for a particular application and in federated scenarios where multiple independent cloud providers are used to support a single complex application.

Standard representations and abstractions of cloud service operations and management, exposed to users, are required. At a technical level this includes robust and consistent approaches to naming and addressing of (virtual) resources, and representations of connection to other (independent) cloud infrastructures and platforms.

Standard descriptions of policies for handling personal, sensitive or regulated data are necessary. These need to be linked to clear statements of compliance with relevant regulations and offer standard facilities for validation and audit.

Clear processes and procedures for importing and exporting data to cloud providers in portability scenarios are required.

Standard protocols for wide-area messaging are also needed in federated clouds, supporting both the transfer of (transactional) data and of relevant management information.

There are several frequently cited barriers to adoption of cloud services. Those where standards can be expected to have a role include:

- The closer integration of computing and network resources, including interfaces between cloud and networking and data movement. The network is still a significant blind spot for many of the computing-focused standards efforts and is essential both for access by customers and for interworking between cloud providers.
- Clearly defined SLAs supporting comparisons between providers.

5. Public Sector Cloud

We believe that as part of the overall Single Market Act work, the focus on getting public procurement fair and open across the EU27 is vitally important, not least for ICT-related contracts.

6. Future Research and Innovation Programmes

6.1 Key aspects that researchers are working on

At the basic infrastructure component level, compute virtualisation is now reasonably mature and addressed by commercial and open source activities (e.g. VMWare, Citrix, Microsoft, KVM).

Storage and data management is an important topic. Cloud computing applications frequently involve large datasets, which are much more difficult to relocate than executable software or virtual machine images. Integration of computation and data/storage is a major research topic.

At the infrastructure level the recent research trend is towards federated and hybrid (e.g. private/public, "bursting") cloud deployment models. This is important in allowing users control over their own applications and data, and flexibility in choice of infrastructure provider for particular functionality in different parts of the world.

Significant attention has also been paid to service architectures, typically by generalising enterprise service oriented architectures, although there are still open issues:

- Specific security challenges, e.g. explicit support for privacy in the use of cloud applications
- Building of fault-tolerant applications based on cloud computing infrastructures and dependable approaches to test and verification
- Deployment and management of complex applications (e.g. multi-tier, geographically distributed)

Enterprise adoption of cloud computing for mainstream applications (as opposed to one-off or self-contained projects) is inhibited by the difficulty of migrating existing (legacy) applications to cloud. Research is now underway with the important aim of developing robust software engineering tools and techniques for cloud computing.

A major focus has been on the accessibility of cloud computing to users who are not experts in ICT, often referred to as service front-ends, including individuals with smartphones, tablets etc. acting as thin clients to online applications. Targeted research here is aimed at scientists and engineers, amongst others. Cloud computing approaches to simulation, modelling and management have the potential to enable new, more efficient ways of working for science and engineering. Big science already makes good use of many of these techniques (and e-science initiatives have contributed many of the technical solutions underpinning grid and cloud computing), but much science worldwide is carried out by small teams, typically lacking access to expertise in effective use of ICT infrastructures.

Further required research

Technical aspects of cloud computing have been the subject of academic and collaborative research for a few years now, building largely on previous work in Grid and e-science. A number of the research activities described above are at an early stage and will require additional work in coming years.

Management of hybrid deployments, including federations of on/off premises infrastructures and integration with existing enterprise systems, involves a number of complex issues. It requires the ability to manage multiple interdependent virtual machines and data resources, geographically distributed, with explicit dependencies on communication networks, including wide-area (Internet, NGN, wireless).

Support for time-critical or real-time and interactive applications will also require additional research. Applications associated with pervasive data and control systems (e.g. Internet of Things) are well suited to the principles of cloud computing, but today's cloud systems and services would be significantly challenged. Monitoring and protection of critical infrastructure could be an important application of cloud technologies, but dependability of cloud services needs to be assured.

6.3 Areas for public funding

Public R&I funding is probably not appropriate for development of component systems and technologies which are likely to emerge from commercial research. Pre-competitive research with a focus on integration, interoperability and dependability at scale would be useful and is unlikely to be feasible without public funding. Building explicit support for development and exploitation of new cloud infrastructures into R&I funding for other areas of science and engineering would also be desirable.

7 Global Solutions for Global Problems

7.1 Key issues

Cloud computing is inherently a global technology. Ubiquitous networking means that cloud services need to be unrestricted by physical location and geographical boundaries. Their adoption as integral components of enterprise operations means that national borders are becoming less relevant for global businesses. This raises serious issues in regulation relating to telecommunications, data protection, corporate governance, taxation and intellectual property.

The Commission expert report underlines the opportunities for EU firms, particularly those with a background in telecommunications. We see that economies of scale and scope will be the key sources of competitive advantage in an all-IP environment where (a) computer servers and software are the principal engines for production of electronic communications services and (b) data transport, data storage, and data processing will increasingly be offered as a single package, in particular to businesses.

The EU market is remarkably open for such services. It seeks to ensure that the bottleneck regulation of the Electronic Communications Framework is applied to IP data transport services. This is not the case in many key markets outside the EU, in particular not in the US. US providers are consequently able to use their access to the EU market to enhance the economies of scale already offered by a large home market. On the other hand, a large part of Europe's potential cloud service exports to the US and other key markets remains blocked. This severely limits the size of the addressable global market for European exporters of cloud services.

Cloud Computing can help address global problems. It promises availability of previously inaccessible high performance computing and data resources which can be used to improve efficiency of many activities with major impact on global priorities:

1. More efficient use of energy and natural resources in delivering IT solutions themselves.
2. Improved processes for mitigating climate change, water management, energy management (supply-side and demand-side) through monitoring, modelling and automated control.
3. Cooperative activities in science, incl. long-term curation and archival of large scientific datasets of global significance, e.g. genomics, pharmaceuticals, biology, earth observation, ecology, seismic activity and astronomy.

7.2 The way forward

If the European Commission aims to promote a European cloud industry with telecom companies as major players, the issue of lack of effective wholesale access regulation is important, as are issues arising from diverging national data protection rules. Both need to be addressed from a global perspective. In respect to the former the EU would benefit from greater focus on:

- opening of third country markets for Virtual Private Network (VPN) services at multilateral as well as bilateral level (WTO, FTA negotiations, regulatory dialogues, TEC)
- lifting the non-tariff barriers (NTBs) which result from inadequate application of the WTO Telecommunications Reference Paper
- lifting the non-tariff barriers which derive from national requirements relating to encryption and customer premises equipment.

For providers of cloud computing services to business customers using VPNs, local access links must be considered as an essential facility.

The European Commission and its US counterparts recently negotiated a set of ICT principles to be promoted vis-à-vis other third country markets. While we welcome and support the initiative as very helpful for the IT services industry active also in the cloud, principle 9 dealing with Interconnection falls short of the access needs described above.

We think that common principles in the cloud area across key jurisdictions, e.g. regarding transborder data flows and data privacy, would be very valuable, not least in assessing jurisdictional aspects. A Treaty or even an MRA may be a bridge too far here, but at least agreeing a set of common norms to be implemented by the EU and US and Japan would be valuable, e.g. for dialogue with the BRICS nations.

The challenges and opportunities raised by cloud computing are large and complex, with the technical issues probably among the more straightforward to address. Early dialogue and consensus building is important and it must therefore be made easy for key stakeholders to engage. Commitment to cooperation between existing fora to address clearly defined issues is then required. In general, however, we would urge that for practical reasons the number of fora where global issues related to cloud computing are discussed be limited.

For further information, please contact: Tilmann Kupfer, BT Group

Offices worldwide
British Telecommunications plc 2004
Registered office: 81 Newgate Street, London EC1A 7AJ
Registered in England No: