Advancing Cloud Computing: What to Do Now?
Priorities for Industry and Governments
World Economic Forum
In partnership with Accenture
2011

About this Report
This World Economic Forum report was developed by the Forum's IT Industry Partnership in collaboration with Accenture, with input from a group of experts and a dedicated Steering Board.

World Economic Forum
The World Economic Forum is an independent international organization committed to improving the state of the world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas. Incorporated as a not-for-profit foundation in 1971, and headquartered in Geneva, Switzerland, the Forum is tied to no political, partisan or national interests. (www.weforum.org)

Accenture
Accenture is a global management consulting, technology services and outsourcing company, with more than 215,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. (www.accenture.com)

About the Forum's Information Technology Industry Partnership
The Information Technology Industry Partnership (IP) programme of the World Economic Forum provides chief executives and senior executives of the world's leading IT companies with the opportunity to engage with peers to define and address critical industry issues throughout the year. Identifying, developing and acting on these industry issues is fundamental to the Forum's commitment to deliver sustainable social development founded on economic progress.

About the Project
Phase I of the World Economic Forum's Exploring the Future of Cloud Computing project culminated in a report on the benefits of cloud computing entitled Exploring the Future of Cloud Computing: Riding the Next Wave of Technology-driven Transformation, published in the spring of The objective of Phase II was to develop recommendations for actions that governments and industry can take to accelerate the deployment and adoption of public cloud technologies, which resulted in this publication.

The Future of Cloud Computing Steering Board
Guidance was provided by an actively involved steering board of experts, which included representatives from:
- Akamai Technologies (Paul Sagan, Chief Executive Officer)
- BT Group
- CA Technologies (Ajei Gopal, Executive Vice-President)
- Google (Nelson Mattos, Vice-President, Engineering, EMEA)
- Microsoft Corporation (Craig Mundie, Chief Research and Strategy Officer)
- Salesforce.com (Marc R. Benioff, Chairman and Chief Executive Officer; and JP Rangaswami, Chief Scientist)

Project Team Contributors
From the World Economic Forum:
- Joanna Gordon, Associate Director, Information Technology Industry
- Chiemi Hayashi, Associate Director, Deputy Head of Risks in Depth, Risk Initiatives
- Stephan Mergenthaler, Project Manager, Strategic Risk Foresight
From Accenture:
- Dan Elron, Managing Partner, Strategy and Corporate Development
- Amelia P. Schaffner, Manager, Strategy and Corporate Development
- Bojana Bellamy, Director of Data Privacy

Many individuals contributed ideas to this report through surveys, workshops and interviews. The project team thanks all participants for so generously sharing their time, energy and insights. Without their dedication, guidance and support we would not have been able to develop this report.

World Economic Forum
route de la Capite
CH-1223 Cologny/Geneva
Switzerland
Tel.: 41 (0) Fax: 41 (0)

World Economic Forum 2011 Accenture All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

Contents
Executive Summary
The Clouds about the Cloud
A. Data Governance
B. Security
C. Business Environment
What to Do Now? Eight Action Areas
1. Explore and Facilitate the Realization of the Benefits of Cloud
2. Advance Understanding and Management of Cloud-related Risks
3. Promote Service Transparency
4. Clarify and Enhance Accountability across All Relevant Parties
5. Ensure Data Portability
6. Facilitate Interoperability
7. Accelerate Adaptation and Harmonization of Regulatory Frameworks Related to Cloud
8. Provide Sufficient Network Connectivity to Cloud Services
Project Outcomes: What Is Next?
About the Research
References

Executive summary

"Cloud is rapidly changing the world. It is enabling new business models and creating tension in the system."
Industry Participant, Washington DC Workshop, November 2010

The potential benefits of cloud computing include promoting economic growth, creating employment and enabling innovation and collaboration. These were described in the project's first report, Exploring the Future of Cloud Computing: Riding the Next Wave of Technology-driven Transformation, published in the spring of While recognizing the many benefits of cloud, however, stakeholders also expressed serious concerns about its widespread adoption. In the second phase of the project, the Forum and its Partners investigated and prioritized these concerns in further detail.

This report presents eight action areas for providers of cloud computing services and government agencies. It is intended to set the agenda for further engagement among all stakeholders, ensuring the healthy future development of the cloud computing industry.

Clouds about the Cloud
Many of the concerns about the public cloud, which are outlined on page 5 of this report, have long been discussed in relation to the Internet without satisfactory resolution. As cloud computing technologies significantly exacerbate these issues, the industry and government must address them at a relatively early stage in the evolution of cloud services.

"All the infrastructure in the cloud is no longer under your control: with cloud, there is a shift in responsibility."
Government Participant, Brussels Workshop, May 2010

Project participants already feel that the current regulatory environment has slowed the progress of cloud technologies (in 2010). Further divergence and fragmentation in how the public cloud evolves could further delay potential benefits.
These issues include difficulties faced by customers in understanding who can access the data that they put in the cloud, how it is protected and how they can be sure it has been deleted when they want it to be. They also include a growing desire by many national governments to direct the evolution of the digital realm within their physical borders, with major implications for where cloud providers can locate the servers that process data.

Figure 1. Cloud by the numbers
- 33% (2) of global companies have deployed or are piloting the more mature layer of clouds, SaaS
- 23% of high performing IT companies have already deployed SaaS
- 25% (3) of global companies will be deploying cloud computing for critical applications within 2 years
- 44% (3) of executives from global companies who believe cloud computing can provide their company with a lasting competitive advantage
- $55 billion (1) forecasted worldwide revenue from public IT cloud services by 2014
- 30% (1) the rate at which cloud computing will grow in 2011, or more than 5 times the rate of IT industry as a whole
- 2.3 million jobs (4) the net new jobs created by cloud on a cumulative basis over the period 2010 to 2015 across the top five EU economies
- 2.1% (4) the average improvement in efficiency of an average employee because of cloud
Source: (1) IDC [Worldwide and Regional Public IT Cloud Services Forecast, June 2010]; (2) Accenture [Mind the Gap Insights from the 3rd global High Performance IT research study, Nov, 2010]; (3) Accenture [Cloudrise: Rewards and Risk at the Dawn of Cloud Computing, Nov, 2010]; (4) Center for Economics and Business Research [The cloud dividend, Dec, 2010]

"The global community has come together before to address key issues and policy considerations in other industries such as banking, transportation, and telecommunications. We must now do the same for cloud computing. The journey to cloud computing will not happen overnight, but in the months and years ahead we have the opportunity, as a global community, to shape the future of cloud computing and take the first steps together towards a new, more interconnected world."
Vivek Kundra, first Chief Information Officer (CIO) of the United States of America, March 2011

Key Opportunities for Multistakeholder Collaboration
In response to these concerns, the Forum and its Partners have prioritized a set of eight action areas to be addressed by industry and governments, either separately or collaboratively. Through extensive consultations in Europe, the United States and Asia, the project has sought ways to reconcile the natural conflict between letting an innovative set of technologies mature and the need to protect users and citizens.
Presented on page 13, the action areas cover topics such as:
- Improving transparency on how services are provided, who has accountability for what, how data is protected and which legislative regimes apply; addressing these topics is seen as a critical step towards the broader need, identified by stakeholders, to build trust in the cloud
- Conducting further research to clarify and spread awareness of the benefits of cloud, and ensure a balanced understanding of the nature of the risks and our current abilities to manage them; this is seen as helpful for enabling informed decision-making by both potential users and regulators
- Facilitating system interoperability, enabling users to customize their own cloud solutions across multiple providers, and data portability to ease user fears of vendor lock-in and government fears about lack of competition
- Guaranteeing sufficient network connectivity so that users who entrust their data to the cloud can be confident of being able to access it on demand

While complex and sometimes contentious, the eight action areas set out in this report received strong and essentially unanimous support from the companies participating in the private session about cloud computing at the World Economic Forum Annual Meeting 2011 (including many of the largest cloud providers) and from several official representatives of governments and supranational organizations.

With the support of leading providers and governments, we encourage individual companies, governments and existing collaborative initiatives to move quickly to further define and implement the necessary actions that will accelerate the ability of cloud technologies to generate the economic and social benefits they promise. In today's turbulent world, these benefits are more critical than ever.

Figure 2. Generating the action areas

Benefits: Accelerate innovation; Better serve customers; Lower organizational expenses; Improve IT efficiency & flexibility; Bring socio-economic improvements; Level the playing field

Issue areas:
- Data governance issues: Data location and jurisdiction; Privacy & confidentiality; Data ownership
- Security issues: Authorized access; Integrity & availability; Data loss; Data destruction
- Business environment issues: Interoperability & portability; Reliability; Service level commitment; Ecosystem maturity

Action areas:
1. Explore cloud benefits
2. Understand & manage cloud risks
3. Promote service transparency
4. Clarify & enhance accountability
5. Ensure data portability
6. Facilitate interoperability
7. Adapt & harmonize regulation
8. Provide sufficient connectivity

Cloud: The Upside

"People are used to scarce resources, and the idea of virtualization of resources is forcing a change from a paradigm of scarcity to one of abundance. It's like finding a substitute for oil."
Industry Participant, Brussels Workshop, May 2010

The ability to tap into computer applications and other software via the cloud frees organizations, ranging from companies to government institutions and universities, from having to build and manage their own technology infrastructure. The double-digit growth enjoyed by some cloud providers during the recent economic downturn demonstrates that many organizations find this attractive.

According to research conducted by the World Economic Forum and Accenture in 2009 and 2010, the benefits of cloud computing technologies go beyond reducing IT costs: most participants see facilitating innovation as an even more compelling benefit. In the long term, cloud is seen as a way to gain competitive advantage, not only for organizations but also for whole industries and economies.
While empirical evidence is still at an early stage, studies have associated cloud computing with many types of benefits, including:
- Dramatically accelerating the way companies create new products and services, through enabling innovative new business models, faster research, wider information sharing and more effective collaboration between product development professionals around the world
- Helping organizations serve their customers better through mining and analysing data to spot emerging trends, such as changing customer needs and competitors' market moves
- Lowering organizational expenditures on data centres, servers, software licenses and maintenance fees and replacing capital expenses with lower pay-for-use operating expenses
- Enabling innovation and job creation at a macro level, with the playing field between large and small companies being levelled as companies of all sizes gain access to information technology that previously was affordable for only the largest companies
- Helping emerging economies leapfrog to higher levels of technological development by providing more immediate and affordable access to next-generation applications, tools and infrastructure
- Empowering governments and citizens to more effectively address such socio-economic issues as delivering healthcare and education, improving access to financial services (insurance, bank accounts, micro-payments) in emerging economies and disaster management provision
- Reducing the environmental impact of computing as economies of scale lead to less consumption of energy

Affirming the benefits described in the project's first report, most participants in the private session about cloud computing during the World Economic Forum Annual Meeting 2011 agreed that cloud computing is likely to have a noticeable impact on GNP growth during the coming five years. Many believe that the impact of cloud computing will equal or exceed the impact of mobile technologies.

The Clouds about the Cloud
Stakeholders' Issues and Priorities

With the pace of development of the cloud computing industry increasingly raising questions about regulation, a group of high-level IT industry participants at the World Economic Forum Annual Meeting 2009 mandated the first phase of the Future of Cloud Computing project. Senior decision-makers in the public and private sectors explored the benefits that could be derived from the use of cloud computing for society, the economy and individual businesses. They also identified barriers to the achievement of such benefits and mandated that the Forum pursue the identification of a series of collaborative actions that could steer the healthy development of cloud computing.

In response to the output of the project's first phase, industry leaders at the Annual Meeting 2010 mandated the second phase of the project, to identify action areas in further detail. The scope of the project remains focused on the use of public clouds primarily for businesses and governments, although many of the issues identified apply to the consumer domain as well.

Through a series of initial workshops, surveys, one-to-one and group interviews and using a structured issue tool, multiple issues of concern to key stakeholders from industry, government and academia were identified. They were grouped into three issue areas (data governance, security and business environment) and analysed in detail. Figure 3 illustrates the issues associated with each of these three areas.

A. Data Governance

"Given the legal complexity created by cloud environments, industry players are forced to infringe laws all the time."
Industry Participant, London Workshop, December 2010

Who owns data, who has the right to access it and under what circumstances? What rules apply to the use and sharing of data? Such questions tend to be more complicated when data is stored in a shared infrastructure managed by a third party.

Stakeholders expressed differing views about the appropriateness and feasibility of regulation alone, as opposed to industry self-regulation, to specify frameworks that govern data and its use in the cloud. The issues raised under the heading of data governance were:

Data location constraints
It is not always clear under which legal jurisdiction data in the cloud falls, especially if, as many cloud architectures require, the data is split up and stored in multiple locations. In some cases, it is impossible to determine where a particular piece of data is physically at a particular moment. Even if this were possible, data often falls under more than one legal jurisdiction, and it is unclear how inconsistencies among those jurisdictions would be resolved.

Figure 3. Key categories of issues identified

A. Data Governance
1. Data location constraints
2. Regulatory protection of privacy and confidentiality
3. Clarity about data ownership

B. Security
4. Ensuring only authorized access (identity mgmt.)
5. Ensuring integrity and availability (& addressing data loss)
6. Ensuring data is destroyed as needed

C. Business Environment
7. Ensuring interoperability
8. Ensuring portability (& avoiding vendor lock-in)
9. Insufficient reliability of cloud
10. Insufficient commitments to service levels
11. Relative immaturity of the cloud ecosystem

"No matter how much we invest, data is going to escape internationally; that is just a fact of the Internet."
Industry Participant, Washington DC Workshop, November 2010

Users are concerned about the potential for foreign governments to demand access to their data. Governments worry about losing the legal ability to oversee data in the cloud and apply their laws to the cloud. These concerns can result in data location constraints being imposed: for example, requiring cloud providers to locate data within national borders, or subjecting transfers of data outside a given jurisdiction to additional legal hurdles and authorizations. Some stakeholders, however, see these concerns as thinly veiled excuses for protectionism.

For their part, some cloud providers indicate that, if countries insist on data being stored within national boundaries, they will be unwilling to build new data centres in smaller markets. They point out that the freedom to move data across borders helps to achieve the economies of scale that are a key benefit of cloud computing, as there is a significant cost involved in using architectures that keep a customer's data in a particular country or geographical block, potentially giving the largest providers an unfair advantage.

Data Privacy and Confidentiality
Many users say that concerns about data privacy and confidentiality restrict their willingness to use cloud services for sensitive data. In the cloud, data is stored on remote machines that are shared with other users. This makes many users concerned about the potential for business competitors or government authorities to access their data in the cloud without their awareness or consent.

Governments would like to mandate and apply national legal requirements for data stored in the cloud, and many already have. Given the cross-border nature of the cloud, though, national measures to protect data privacy and confidentiality have only limited capacity to reassure users.
Some stakeholders feel that, given these regulatory challenges, users concerned about data privacy and confidentiality will ultimately have to rely on market mechanisms to assess the trustworthiness of providers in the cloud. Nonetheless, there is no guarantee that adequate market mechanisms will emerge in a timely fashion.

Clarity about Data Ownership
When a user moves data to the cloud, it is not always clear what rights the cloud service provider gains to access, modify or distribute that data. Some users are concerned that certain types of legal protection associated with data they entrust to the cloud will be compromised if data is moved through the cloud to other jurisdictions; for example, they may be exposed to insufficient or conflicting regimes with regard to their intellectual property.

Ownership of meta-data is often raised as a concern. Meta-data is created from connections between separate individual items of data, or from the context of when and how those individual items of data were provided. Meta-data can be extremely sensitive and valuable, even when the individual items of data are not. Who should have what rights to use meta-data and capture the value that arises?

There is a lack of agreement on these issues, and regulation is not always conclusive. EU data privacy laws, for example, distinguish between data controllers and data processors but, in the cloud, it is not always obvious what the respective roles and responsibilities are. There are scenarios in which users and providers could find themselves in a legal limbo, where the law provides no clear answer as to who is responsible for the data if, for example, security is breached or a provider fails.
While regulators say they would like to improve both regulations and user awareness of the issues surrounding data ownership, industry stakeholders express concern that over-regulation of data ownership at this point in the cloud's evolution could prevent them from meeting user needs and improving services.

There is a desire for greater global consistency in data privacy requirements applying to the cloud, but government stakeholders note that fundamental differences in their approaches make comprehensive international agreements less likely. For example, the United States has a stricter regulatory regime for specific sectors, such as healthcare, where privacy and confidentiality issues are especially sensitive, while the European Union has blanket data privacy laws covering all data.

Building a Secure Cloud without Undue Points of Control
By Jonathan L. Zittrain, Professor of Law and Professor of Computer Science at Harvard University and Member of the Project Working Group

In 2010, cloud provider Amazon.com elected to shut down its hosted version of the WikiLeaks website. Amazon, like many such vendors, offers hosting to all comers but under terms of service that give it broad latitude in deciding ultimately whom to serve. Given the public controversy over WikiLeaks, Amazon's action crystallized something already known about cloud computing: when one's data or software is hosted far away and under the care of a third party, there are new risks and complications that can offset the ways such hosting can make life simpler and safer.

Some of these risks can be managed: businesses can shop carefully for an enterprise-level cloud provider, and pay more for those that can persuasively claim more reliable service, or for contracts that penalize unanticipated or unjustified takedowns or interruptions. (For consumers, who plan and bargain less, the equation can be particularly dangerous: a lifetime's worth of or photos, or a social network comprising hundreds or thousands of hard-won relationships, can have its rules changed, or even evaporate, in an instant.)

However, not all risks can be easily mitigated. For example, network trouble or government-mandated filtering can come between a business and its cloud processes. And, as events in Egypt and Libya demonstrated, there are occasions in which an entire nation's Internet access can be threatened.

The solution is not likely to involve retreat to one's own basement servers. Basements aren't fail-safe either, and another marker thrown down by the WikiLeaks episode is the prevalence and power of denial of service attacks: all but the most bunkerized homes for data and code are vulnerable to compromise or attack.
We do not want to see the move to cloud computing, which can offer so many benefits, slowed if the fears brought into focus by the WikiLeaks episode remain unaddressed. Yet we also do not want to find ourselves continuing a march to cloud computing that entails clustering under only a handful of powerful umbrella service providers, leading to limited competition and a handful of points of control.

Solutions may lie not as much in centralization as in its opposite: creating protocols and processes by which data is voluntarily mirrored among otherwise-independent sites. Then if one is disrupted, other copies remain. And at the network's physical layer, we may see projects such as mesh networking -- creating connectivity without relying upon Internet service providers -- move from the interesting to the downright vital.

While the approaches and examples can vary, answers to these very new problems may be inspired from the oldest of human instincts and political organization: mutual aid. As cloud computing accelerates, our creativity and sociability will be tested as we seek to realize its gains without creating undue vulnerabilities.

B. Security

"No-one will unequivocally declare that cloud is 100% safe, just as no one will declare airplanes are 100% safe. Let not security become the bogey that'll stop the whole thing; be pragmatic, solve the problems as they come along, and be open."
Academia Participant, New Delhi Workshop, November 2010

Users want to be confident that their services and data are secure in the cloud, that is, always available to them and never available to unauthorized others. They also demand recourse mechanisms if something goes wrong. Industry stakeholders point out that greater security involves trade-offs with cost and usability, and that technical solutions can never fully protect against security breaches originating from users themselves. Security-related issues raised by stakeholders include:

Ensuring Only Authorized Access
Users are concerned that data in the cloud is more susceptible to cyber-attacks, as aggregating multiple users' data and services on a single platform makes it a more attractive target. Providers point out that no security mechanisms are foolproof, and all come with trade-offs: using encryption can be expensive, and using hypervisors to virtually isolate a user's applications and data can still leave vulnerabilities.

More broadly, both industry and government stakeholders expressed concern that technical security mechanisms such as encryption could give users a false sense of security. Encryption is only as effective as the user's control of who has the key, and does not solve the problems of a malicious insider or of users being manipulated into giving access. These concerns are bound up with wider questions of how to manage and verify identities.

Ensuring Integrity and Availability (and Addressing Data Loss)
When users store their data on their premises, it is clear who is accountable if the data is corrupted, lost or temporarily inaccessible. This is not necessarily the case when the data is stored in the cloud.
When it is unclear whether a problem lies with the cloud provider or with the networks the user is using to access the cloud, users are concerned that they will be unable to establish who is liable, and to seek redress. As many users' data may be shared on one machine, users are concerned about the possibility of problems with one user's services affecting another's.

Government stakeholders express concern about the resilience of cloud providers to distributed denial-of-service (DDoS) attacks, and note there is an inherent disincentive for providers to report on breaches and problems. Some industry stakeholders, however, believe they are already being transparent enough, especially given that a great majority of client agreements require the service provider to notify the client of any breaches or data loss.

Ensuring that Data Is Destroyed as Needed
Most computer users are aware that even when they delete data, it can still be recovered from their hard drives; additional steps are needed to make sure data can never be retrieved. True data deletion is more challenging in the cloud, because cloud providers are the only ones with access to the physical infrastructure on which users' data is stored, and often data may be mirrored on multiple machines. Without any way of verifying if their data has been destroyed, users have no option but to trust the provider.

Government stakeholders are especially concerned that sensitive data, such as healthcare records, should not be recoverable once deleted. Industry stakeholders note, however, the significant technical difficulties involved in guaranteeing data deletion.

Overall, many cloud providers are keen to stress that the above concerns about security in the cloud should not be overstated. By their nature, cloud solutions aggregate the security requirements of many clients, often to the highest standard, and they are frequently monitored and stringently audited.
As a result, security protections in the cloud are more extensive than in many, perhaps most, private data centres.

Cloud Computing in India and Emerging Markets

"The change created by the cloud ecosystem will be manifested 20% in the realm of technology and the remainder through social change."
Industry Participant, New Delhi Workshop, November 2010

The World Economic Forum held a workshop in New Delhi on 23 November 2010, convening over 30 leading Indian decision-makers, including service providers, users, government representatives and academia. The goals of the workshop were to identify the potential benefits and opportunities of cloud computing in India and other emerging economies; address the unique challenges to its implementation in emerging markets; and explore in which areas emerging markets could take the lead in cloud development.

Market Potential
Small and medium-sized companies with limited resources and access to IT are expected to be the greatest beneficiaries in India from the efficiency gains promised by cloud computing. For these companies, participants expect cloud to facilitate more efficient delivery of services to bottom of the pyramid consumers, one of the key future market potentials in emerging economies.

Similar efficiency gains could also improve public services in India. Some government representatives argued that cloud service models could, in fact, be the only means of delivering certain essential services (such as microtransaction banking, micro-insurance and healthcare) given the vastness of the country, with large remote and poor populations. Other areas of public service that could benefit from the cloud include disaster management and the agricultural sector. More broadly, providing access to data and computing power to people who would normally be deprived of such resources could unleash significant new innovation.

Specific Challenges in India
The lack of economic returns represents one of the key challenges for the development of the domestic cloud market in India.
While many IT companies are engaged in the cloud business, they feel that currently there are insufficient incentives to offer economically sensible cloud models and services to the domestic market, particularly those targeting micro, small and medium-sized enterprises. Hurdles to the adoption of cloud include the limited availability of digitized data and the need to deal with requirements of 28 different states. In addition, limited and/or unreliable wired and wireless broadband infrastructure hinders access to, and hence development of, cloud services in India. This calls for greater engagement from the government to provide a fertile environment for domestic cloud markets and to engage in public-private partnerships on cloud development.

In terms of regulation, while privacy and personal data protection are not widely established in Indian law, IT companies that export services are keen to have Indian regulation align with European and US data protection frameworks. The development of such a framework in India would assist the industry in competing on an international scale.

Additional implications for Emerging Markets
Overcoming connectivity challenges is critical. The development of mobile-based access in India and other emerging markets will drive the adoption and growth of cloud computing.

Access management is another area in which India is developing promising initiatives. Given the large population base and the huge number of potential cloud users, identification and access management poses unique challenges. India's Unique Identification Card (UID Card) project, which relies on cloud technologies, could be seen as a model case.
C. Business Environment

Cloud services and business models are still at an early stage of development, but several areas have been identified that are of concern to key stakeholders. They include:

Ensuring Interoperability

Interoperability is the ability of different systems to seamlessly communicate with each other. Users favour greater interoperability as it allows them to customise their own solutions by purchasing best of breed services from multiple cloud providers and to move more easily between providers. Governments also favour interoperability as a way of driving competition and increasing the resilience of the cloud system as a whole, especially where the market consists of only a few providers. However, industry stakeholders are concerned that a premature focus on standardization to promote interoperability could hold back innovation and the evolution of better solutions.

Ensuring Data Portability

Closely related to interoperability is the question of data portability, that is, users being able to move data (or even complete application stacks) easily among cloud providers. Many users express the fear of being locked in to a single cloud provider if it turns out to be inefficient, time consuming, expensive or impossible to transfer data to a different cloud, or back to their premises. Government stakeholders are also concerned about portability from the perspective of encouraging competition and building systemic resilience. However, as with interoperability, industry stakeholders are concerned that an excessive focus on ensuring data portability will limit their incentive to innovate by making it harder for them to differentiate themselves through different architectures and offerings. Concerns about meta-data also complicate efforts to ensure data portability.

Insufficient Reliability of Cloud

Many users perceive that the reliability of cloud solutions is not yet sufficient for them to trust the cloud with their mission-critical needs.
They are concerned about being alerted to planned downtime and having accurate reports about unplanned downtime; having access to their data slowed by other users creating contention for the provider's resources; and the need for backup strategies in the event of unanticipated crises or a provider going out of business. Industry stakeholders generally feel that, as the cloud matures, market mechanisms will evolve that allow users to assess providers' reputation and reliability. Nonetheless, there is no consensus among cloud providers on how much information about their reliability they are willing to disclose, and government agencies are not satisfied with the status quo.

Insufficient Commitments to Service Levels

Related to reliability concerns, users note that the kind of SLAs (service level agreements) they rely on from providers of their on-premises IT solutions do not tend to be offered by cloud providers, or that what is offered is insufficient for important applications. Potential users of cloud computing are held back by the lack of clear commitments from providers on such issues as uptime, response times, bandwidth, reliability and security, or by the lack of stipulated penalties if these commitments are not met. Users also note that the lack of standardized SLAs makes it difficult for them to compare competing services. There were, however, mixed views among industry stakeholders on the feasibility of working towards standardized SLAs, given the great diversity of architectures and users' needs and circumstances.

Relative Maturity of the Cloud Ecosystem

While cloud services are evolving rapidly, many stakeholders express concern about the speed at which other necessary aspects of the ecosystem in which public clouds operate are evolving.
Common concerns include:

- The still-widespread lack of understanding about cloud, as potential users do not feel sufficiently informed about the risks and benefits and are nervous about committing to relatively new business models such as pay-as-you-go access to IT
- Future speed, reliability and global availability of the network access required to use public clouds
- Availability of expertise, as there are still relatively few IT professionals globally who are trained to architect cloud solutions
- Current underdevelopment of insurance solutions, which could protect users against problems with the cloud
- Threats to intellectual property from using cloud solutions outside a firewall, as more information and approaches to running a business are externally exposed
The Cloud in Context: Geopolitics and Economics

Some of the fundamental issues identified by the project illustrate how sensitive and complex cloud technologies have become at this relatively early stage in their development. Many stakeholders are concerned by the current dominance of cloud providers based in the United States, because of the potential loss of competitiveness and decreased ability to influence how the cloud operates. This may explain the development of individual clouds in countries such as China. Some officials are worried that jobs may be lost in private data centres as companies move to the cloud, although most stakeholders agree that, in the longer term, the cloud's net effect on jobs is likely to be positive. The skills issue also comes into play: a country's capacity for innovation could be compromised if its citizens are not sufficiently aware of how to utilize cloud technologies, especially if no local cloud providers exist and if local R&D is limited.

There are also questions about whether national identities, autonomy and sovereignty could be compromised if firms increasingly rely on the same few foreign cloud providers. This reliance is seen by some as potentially a new form of colonization. Finally, it is still far from clear how principles of free trade should be applied in the cloud: whether countries that host cloud data centres have an obligation to provide open access to these centres to customers from other countries, under what terms and with what protections.

Figure 4. Key topics that emerged at the 2010 workshops (legend: number of actors)

- Brussels: Economic and social impacts of cloud; Interoperability and vendor lock-in; 3rd party validation & certification; Secure access & network security; Industry-led standardization; Growth-enhancing initiatives; Clarify (roles, relationships, data location and ownership of data); Clarification on application of regulation; Data privacy & confidentiality
- Washington, DC: Education & awareness raising; Government access to data; Interoperability & portability; "Privacy by Design"; R&D needs; Quantifying ROI; Harmonization & Transparency; Addressing risk
- India: Economically sensible cloud models; Government-Industry partnership; Government incentive; Enabling cost (e.g. Infrastructure, utility) of delivery in emerging markets; Compliance with int'l regulations on data; Social change; India's youth; Lower concerns about data sensitivity; Focus on small, micro businesses
- U.K.: Macro-regulatory framework; Transparency & trust; Co-regulation model; Integrity & reliability; Accountability; Concrete security measures; Interoperability & portability
What to Do Now? Eight Action Areas

Working from the major issues described in the previous section, the project set out to develop recommendations and identify actions that governments and industry can undertake to accelerate the deployment and adoption of public cloud technologies. While the underlying issues are complex and contentious, eight critical action areas were selected by government representatives and companies, including many of the largest cloud providers and regulators from Europe and North America, and then confirmed in the private session about cloud computing held during the World Economic Forum Annual Meeting:

1. Explore and facilitate the realization of the benefits of cloud
2. Advance understanding and management of cloud-related risks
3. Promote service transparency
4. Clarify and enhance accountability across all relevant parties
5. Ensure data portability
6. Facilitate interoperability
7. Accelerate adaptation and harmonization of regulatory frameworks related to cloud
8. Provide sufficient network connectivity to cloud services

As described below, these action areas are put forward as a charter for further engagement among key stakeholders. They are intended to form a cohesive agenda, bringing together several areas in which there are existing but disparate initiatives. We hope this step will lead to industry and government collaboration to further define and implement the necessary actions to move the agenda forward and accelerate the uptake of cloud technologies.

1. Explore and Facilitate the Realization of the Benefits of Cloud

Cloud ecosystem participants should dedicate additional resources to understanding the benefits of cloud and accelerating the adoption of innovative applications of cloud technology. Topics include product and process innovation and job creation, collaboration, broad delivery of IP, government effectiveness and efficiency, and other economic benefits.
Underlying many of the issues discussed in the previous section is a sense that the benefits of cloud computing, beyond those related to IT efficiencies, are not well understood. This manifests itself as a problem in two main ways. First, users may be held back from moving to the cloud if they perceive the risks more clearly than the benefits. Second, regulators find it hard to make balanced decisions that are in line with the European legal principle of proportionality if they lack a clear sense of how their decisions could potentially impact the macroeconomic and societal benefits of the cloud as well as the risks. The principle of proportionality argues, among other provisions, that regulation should detract as little as possible from the benefits of what is being regulated.

It is normal enough for any new technology that independent, objective research on its benefits is difficult to find. However, a balanced view of the potential benefits is especially necessary for cloud, given the unique concerns it raises. It would be useful, for example, to have independent and objective research into the potential for cloud computing to facilitate collaboration among multiple and diverse participants in industries such as healthcare, education and complex supply chains, or to deliver cross-border protection of intellectual property rights. In particular, it has been expected for some time that cloud would significantly advance healthcare and education, and it is important to understand why this has not yet happened.

During the past decade, there has been extensive research on the benefits of broadband, particularly its ability to accelerate GNP growth. This may provide a model for similar research into the cloud, given its complementarity with broadband access. Such research should focus on the potential for job creation (and loss), looking especially at how small and medium-sized businesses could benefit from access to "best in class" computing solutions.
2. Advance Understanding and Management of Cloud-related Risks

Relevant stakeholders (providers and government) should encourage research into the unique risk drivers in cloud computing and identify potential solutions.

The flipside of clearly understanding the potential benefits of cloud is ensuring that perceptions of risk are also grounded in reality. It is arguable that several of the stakeholder concerns described in the previous section apply just as much to the public Internet as to the cloud, where data centres may be protected by security mechanisms that are so sophisticated they actually reduce risk rather than exacerbate it. If concerns are indeed overstated, the development of the cloud would be needlessly held back.

However, authoritative research is lacking on how serious the risks are for different types of applications and data; how well they can be managed; and how they relate to broader global risks such as political issues affecting the movement of information across borders. Collaboration among industry and regulators on conducting and publicizing such research could educate and reassure users, and help to ensure that government regulation is appropriately targeted.

"For the moment, there is very little information on what is going on behind the scenes in terms of security management in the cloud." (Industry Participant, London Workshop, December 2010)

Risk mitigation strategies need to address the different risk profiles of different types of data, such as personal data and trade secrets. Innovative approaches to managing risk could include industry players developing codes of conduct and mutual assistance schemes whereby providers agree to assume responsibility for each other's service commitments in the event of outages or breaches. A better understanding of risks would also facilitate the development of nascent cloud insurance models to offer compensation to customers in the event of losses caused by the cloud.

3. Promote Service Transparency

Providers of cloud services should make available to customers information about how their services are provided and how they perform. This includes letting customers know how data is secured, where data is stored and/or what jurisdictional provisions apply, how and by whom it can be accessed, and how it can be deleted.

In addition to further research into the benefits and risks, greater transparency (i.e. public disclosure) about cloud computing would go a long way towards addressing many of the stakeholder issues detailed above, notably privacy and confidentiality, data ownership, security, liability and reliability. Clearer and more easily accessible information about cloud service delivery models and offers would accelerate the development of the market by improving levels of user trust and facilitating the creation of aggregated services provided by multiple providers.

Greater transparency should also reduce the risk of excessive regulation that could hinder the industry's evolution. Government stakeholders indicate that as more consistent and comparable information on cloud performance and security becomes available to customers, the less they will be concerned about the need to protect less-sophisticated customers through regulation.

There is an opportunity for cloud providers to take the lead on transparency through developing codes based on shared good practices. Efforts to improve and standardize reporting are underway, and there is scope for them to be consolidated. Voluntary certification schemes could also play a role, with cloud providers asking a third party agency to audit, certify or rate them. Such a move could help to build trust in the cloud and reduce the need for further regulation.

"There is a need to be transparent with regard to roles, relationships, locations and ownership of data." (Industry Participant, Brussels Workshop, May 2010)

"Transparency is one of the key requirements: we need to learn to trust cloud services." (Industry Participant, London Workshop, December 2010)
4. Clarify and Enhance Accountability across All Relevant Parties

Industry, regulatory bodies and third parties should collaborate to create and implement more consistent and comprehensive approaches to accountability for how cloud services are provided.

Complementing greater transparency, greater clarity about accountability would accelerate uptake of cloud computing among potential users, who are currently reluctant to entrust mission-critical services to the cloud. Users want to know who is accountable if service levels are unsatisfactory, if they are unable to access data they put in the cloud or if it is accessed by unauthorized persons or government agencies. In particular, users want clarity about accountability for service delivery in situations where providers leverage sub-contractors, get acquired or go out of business.

Efforts to clarify accountability for legal compliance (such as the development of data privacy and security compliance programmes by cloud users or providers) are hindered by unclear and sometimes inconsistent regulation. It is therefore important to achieve clarity on whether cloud providers are considered data processors or data controllers, what the respective obligations of both parties are, and which country's laws apply to data when a cloud provider has data centres in multiple jurisdictions. Possible technology approaches to the third point include tagging data with a specific jurisdiction code or encrypting all data before it moves to the cloud (although this is expensive and not foolproof).

As with transparency, government stakeholders indicate that voluntary industry moves to clarify accountability and establish corporate compliance programmes could reduce the need for regulatory intervention.
There is an opportunity for third-party certification schemes to play an important role, and potential for further industry involvement in existing initiatives such as the Data Privacy Accountability Model, Privacy-by-Design and Binding Corporate Rules. Industry players and government stakeholders need to agree on the extent to which it is possible to establish general principles regarding accountability, as some cloud providers expressed the view that accountability needs to be negotiated only with individual clients.

5. Ensure Data Portability

Cloud service providers should provide ways for users to easily retrieve data they have input to clouds, without an onerous fee and in a timely manner.

The fear of vendor lock-in holds back many potential users of cloud, while many government stakeholders are concerned about maintaining competitiveness in the cloud market. These concerns are lessened if it becomes quicker, easier and cheaper for users to move data, and perhaps applications, between different cloud providers and between user premises and the cloud. Users should be aware, however, that due to economies of scale in the cloud and particular cloud architectures, it may be economically infeasible to roll back from the cloud to an on-premises solution.

There is potential to achieve greater consistency and rationalization in the data portability standards currently being advanced by multiple bodies, including the Distributed Management Task Force; over time, the ambition could be to develop minimum portability standards and common approaches for all cloud providers. Governments have a role in minimizing any regulatory barriers that are faced by efforts to standardize portability. Work on facilitating data portability also needs to be aligned with work on common approaches to data ownership and protection, law enforcement access and liability.
Providing meta-data and context information, in addition to the actual data entered, can significantly increase the options available to customers.
Additional Action Areas

In addition to the eight action areas detailed in this report, several additional actions were discussed but did not receive sufficiently widespread support to be included in the final list of action areas. These are:

Foster education for cloud users

Governments, the cloud computing industry (and other industries that can benefit from cloud), academia and institutions of higher education, and small businesses share an interest in fostering education and awareness among potential users of cloud services on ways to leverage cloud technologies. Use cases could illustrate more complex scenarios. Familiarizing labour pools with cloud technologies should enhance national economic competitiveness by ensuring that industries that stand to benefit from the cloud do not fall behind in taking advantage of it.

Promote R&D for privacy and security enhancing technologies

Providers of cloud services should collaborate with each other and with government stakeholders to invest in research to advance the protection of privacy for users through the reinforcement of existing procedures and creation of new architectures and systems. This applies in particular to identity and access management, data encryption, data deletion, and addressing causes of failure and security loopholes.

Improve SLAs

By working to evolve clearer and more standardized service level agreements, industry players can address user concerns about being unable to make informed decisions. As governments are also concerned that users of cloud should be able to understand and take responsibility for their choices, industry action could pre-empt regulatory intervention. More stringent SLAs will also allay user concerns about entrusting mission-critical solutions to the cloud.

Adopt Cloud

Governments can continue to support the use of public cloud and play a significant role in the general adoption of cloud by driving the need for industry to create government-ready solutions.
The adoption of cloud by governments also increases user confidence and may facilitate regulatory processes and harmonization. For example, US Federal Chief Information Officer Vivek Kundra released the Federal Cloud Computing Strategy in 2011, which calls for about one-quarter of federal IT spending, or US$ 20 billion, to be committed to cloud systems. Additionally, under the US Cloud First programme, agencies will be required to move three services to the cloud within 18 months; adopt a cloud model wherever feasible; and evaluate cloud options before making investments.

Pursue new approaches to regulatory harmonization

Additional suggestions mentioned in this context that did not achieve broad agreement included:

- Adapt WTO frameworks to create a cloud trade body to address data policies and help stakeholders formulate and agree upon policies needed for digital services
- Create a broader, voluntary safe harbour programme with the understanding that, once a company commits to it, the commitment will be legally binding
- Create a Cyberpol or world court that would act as a central, global body to pursue non-compliant providers, criminals and, possibly, rogue states
6. Facilitate Interoperability

Industry players should pursue the evolution of cloud offerings with the goal of facilitating interoperability among multiple (private and public) clouds. This will accelerate the growth of the overall cloud ecosystem.

There has been notable progress recently in developing offerings that allow users to customize their own solutions by simultaneously using services from multiple cloud providers. As with data portability, every step towards greater interoperability helps to address stakeholder concerns about competitiveness and lock-in. It may also accelerate innovation and help address challenges related to data privacy and security.

As the cloud industry matures over the coming years, interoperability will need to be accompanied by the evolution of clear accountability frameworks, commitments to commonly defined service levels and broad adoption of standards. Large industry players, including savvy and demanding customers such as governments, can help accelerate this maturation process, for example, through encouraging visible research and pilot projects.

Fostering cloud interoperability will also likely extend to a broad range of ecosystem players, including providers of connectivity and application developers, who will need to adopt relevant architectures and provide enabling services such as highly reliable cross-cloud connectivity.

7. Accelerate Adaptation and Harmonization of Regulatory Frameworks Related to Cloud

Governments worldwide should adapt and harmonize regulations relevant to cloud with the aim of improving their applicability and reducing divergence across jurisdictions, while considering the maturity of the overall industry.

There is widespread frustration among stakeholders about the regulatory environment for cloud computing, especially in the areas of data privacy and security. Regulations are often inconsistent, conflicting and difficult to apply for users and providers operating globally.
This holds back users from moving to the cloud, as they fear regulatory provisions are insufficient to protect their data from being unduly accessed by law enforcement or retained by providers. And when regulations effectively force data to remain within national borders (either directly by imposing restrictions on data transfers outside the jurisdiction, or indirectly through a lack of cross-jurisdictional alignment), they hold back cloud providers from realizing improvements that come from achieving scale through multiple locations.

As a long-term goal, governments may wish to explore a macro-regulatory framework that will be more adept at keeping pace with rapid technological change. Options include a co-regulation approach, whereby industry takes the lead in identifying necessary provisions and governments take a policy and oversight role. This would imply achieving a harmonized approach to the underlying principles that guide regulation, which currently differ among jurisdictions, notably through the US's sectoral approach to data privacy regulation and the EU's more universal one. Minimum regulatory standards are not a solution: they are often not sufficient to reduce complexity, as they do not stop countries from introducing additional provisions.

"Industry could take the initiative for a cloud code of conduct and regulators could then review it." (Government Representative, World Economic Forum Annual Meeting 2011)

As a step in this direction, governments should continue to dialogue with providers to better understand the impact of regulatory interventions. Data protection authorities can play an important role in interpreting and harmonizing legal frameworks to more effectively meet user and provider needs for clearly understandable and authoritative guidance about their respective responsibilities, the protections accorded to them, and the recourse available in the event of breaches.