~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

ADVANCING CLOUD COMPUTING:

WHAT TO DO NOW?

PRIORITIES FOR INDUSTRY AND GOVERNMENTS

World Economic Forum

In partnership with Accenture 2011

About this Report

This World Economic Forum report was developed by the Forum's IT Industry Partnership in collaboration with Accenture, with input from a group of experts and a dedicated Steering Board.

World Economic Forum

The World Economic Forum is an independent international organization committed to improving the state of the

world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas.

Incorporated as a not-for-profit foundation in 1971, and headquartered in Geneva, Switzerland, the Forum is tied to no political, partisan or national interests. (www.weforum.org)

Accenture

Accenture is a global management consulting, technology services and outsourcing company, with more than 215,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to

help them become high-performance businesses and governments. (www.accenture.com)

About the Forum's Information Technology Industry Partnership

The Information Technology Industry Partnership (IP) programme of the World Economic Forum provides chief executives and senior executives of the world's leading

IT companies with the opportunity to engage with peers to define and address critical industry issues throughout the year. Identifying, developing and acting on these industry issues is fundamental to the Forum's commitment to deliver sustainable social development founded on economic progress.

About the Project

Phase I of the World Economic Forum's Exploring the Future of Cloud Computing project culminated in a report on the benefits of cloud computing entitled Exploring the Future of Cloud Computing: Riding

the Next Wave of Technology-driven Transformation, published in the spring of 2010.

The objective of Phase II was to develop recommendations for actions that governments and industry can take to accelerate the deployment and adoption of public cloud technologies, which resulted in this publication.

The Future of Cloud Computing Steering Board

Guidance was provided by an actively involved steering board of experts, which included representatives from:

• Akamai Technologies (Paul Sagan, Chief Executive

Officer)

• BTGroup

• CA Technologies (Ajei Gopal, Executive Vice-President)

• Google (Nelson Mattos, Vice-President, Engineering, EMEA)

• Microsoft Corporation (Craig Mundie, Chief Research and Strategy Officer)

• Salesforce.com (Marc R. Benioff, Chairman and Chief Executive Officer; and JP Rangaswami, Chief SCientist)

Project Team Contributors From the World Economic Forum:

Joanna Gordon

Associate Director, Information Technology Industry

Chiemi Hayashi

Associate Director, Deputy Head of Risks in Depth, Risk Initiatives

Stephan Mergenthaler

Project Manager, Strategic Risk Foresight

From Accenture:

Dan Elron

Managing Partner, Strategy and Corporate Development

Amelia P. Schaffner

Manager, Strategy and Corporate Development

Bojana Bellamy

Director of Data Privacy

Many individuals contributed ideas to this report through surveys, workshops and interviews. The project team thanks all participants for so generously sharing their time, energy and insiqhts, Without their dedication, guidance and support we would not have been able to develop this report.

World Economic Forum 91-93 route de la Capite CH-1223 Cologny/Geneva Switzerland

Tel.: 41 (0)228691212

Fax: 41 (0)22 786 2744 E-mail: contact@weforum.org www.weforum.org

©2011 World Economic Forum ©2011 Accenture

All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.

~LD

EC NOMIC F RUM

Contents

COMMI'ITED TO IMPROVING THE STATE OF THE WORLD

Executive Summary

The Clouds about the Cloud

5

A. Data Governance

B. Security

C. Business Environment

What to Do Now? Eight Action Areas

13

1. Explore and Facilitate the Realization of the Benefits of Cloud

2. Advance Understanding and Management of Cloud-related Risks

3. Promote Service Transparency

4. Clarify and Enhance Accountability across All Relevant Parties

5. Ensure Data Portability

6. Facilitate Interoperability

7. Accelerate Adaptation and Harmonization of Regulatory Frameworks Related to Cloud

8. Provide Sufficient Network Connectivity to Cloud Services

Project Outcomes: What Is Next?

19

About the Research

21

References

24

Executive summary

"Cloud is rapidly changing the world. It is enabling new business models and

The potential benefits of cloud computing include promoting economic growth, creating employment and enabling innovation and collaboration. These were described in

the project's first report, Exploring the Future of Cloud Computing: Riding the Next Wave of Technology-driven

Transformation, published in the spring of 201 O. While recognizing the many benefits of cloud, however, stakeholders also expressed serious concerns about its widespread adoption.

creating tension in the system."

Industry Participant, Washington DC Workshop, November 2010

In the second phase of the project, the Forum and its Partners investigated and prioritized these concerns in further detail. This report presents eight action areas for providers of cloud computing services and government agencies. It is intended to set the agenda for further engagement among all stakeholders, ensuring the healthy future development of the cloud computing industry.

Clouds about the Cloud

Many of the concerns about the public cloud, which are outlined on page 5 of this report, have long been discussed in relation to the Internet without satisfactory resolution. As cloud computing technologies significantly exacerbate these issues, the industry and government must address them at a relatively early

stage in the evolution of cloud services.

"All the infrastructure in the cloud is no

longer under your control: with cloud, there is a shift in

responsibility."

Government Participant, Brussels Workshop, May 2010

Project participants already feel that the current regulatory environment has slowed the progress of cloud technologies (in 2010). Further divergence and fragmentation in how the public cloud evolves could further delay potential benefits.

These issues include difficulties faced by customers in understanding who can access the data that they put in the cloud, how it is protected and how they can be sure

it has been deleted when they want it to be. They also include a growing desire by many national governments to direct the evolution of the digital realm within their physical borders, with major implications for where cloud providers can locate the servers that process data.

Figure 1. Cloud by the numbers

$55 billion (1)

forecasted worldwide revenue from public IT cloud services by 2014

330/0 (2)

of global companies have deployed or are piloting the more mature layer of clouds, SaaS. 23% of high performing IT companies have already deployed SaaS

250/0 (3)

of global companies will be deploying cloud computing for critical applications within 2 years

440/0 (3)

of executives from global companies who believe cloud computing can provide their company with a lasting competitive advantage

300/0 (1)

the rate at which cloud computing will grow in 2011, or more than 5 times the rate of IT industry as a whole

2 3 (4)

• million jobs

the net new jobs created by cloud on a cumulative basis over the period 2010 to 2015 across the top five EU economies

2.1 % (4)

the average improvement in efficiency of an average employee because of cloud

Source: 'IDC [Worldwide and Regional Public IT Cloud Services 2010 - 2014 Forecast, June 2010j.

2Accenture ["Mind the Gap - Insights from the 3rd global High Performance IT research study, Nov, 201 OJ. 3Accenture [Cloudrise:

Rewards and Risk at the Dawn of Cloud Computing" Nov, 201 OJ, 'Center for Economics and Business Research [The cloud dividend, Dec, 2010j

~LD

EC NOMIC F RUM

COMMI'ITED TO IMPROVING THE STATE OF THE WORLD

"The global community has come together before to address

key issues and policy considerations in other industries

such as banking, transportation, and telecommunications. We must now do

the same for cloud computing. The journey to cloud computing will not happen overnight, but in the months and years ahead we have the opportunity, as a global community, to shape the future of cloud computing and take the first steps together towards

a new, more interconnected world." Vivek Kundra, first Chief Information Officer (CIO)

of the United States of America, March 2011

Key Opportunities for Multistakeholder Collaboration

In response to these concerns, the Forum and its Partners

have prioritized a set of eight action areas to be addressed by industry and governments, either separately or collaboratively. Through extensive consultations in Europe, the United States

and Asia, the project has sought ways to reconcile the natural conflict between letting an innovative set of technologies mature and the need to protect users and citizens.

Presented on page 13, the action areas cover topics such as:

• Improving transparency on how services are provided, who has accountability for what, how data is protected and which legislative regimes apply; addressing these topics is seen as a critical step towards the broader need, identified by stakeholders, to build trust in the cloud

• Conducting further research to clarify and spread awareness of the benefits of cloud, and ensure a balanced understanding of the nature of the risks and our current abilities to manage them; this is seen as helpful for enabling informed decision-making by both potential users and regulators

• Facilitating system interoperability, enabling users to customize their own cloud solutions across multiple providers, and data portability to ease user fears of vendor lock-in and government fears about lack of competition

• Guaranteeing sufficient network connectivity so that users who entrust their data to the cloud can be confident of being able to access it on demand

While complex and sometimes contentious, the eight action areas set out in this report received strong and essentially unanimous support from the companies participating in the private session about cloud computing at the World Economic Forum Annual Meeting 2011- including many of the largest cloud providers - and

from several official representatives of governments and supranational organizations.

With the support of leading providers and governments, we encourage individual companies, governments and existing collaborative initiatives to move quickly to further define and implement the necessary actions that will accelerate the ability of cloud technologies to generate the economic and social benefits they promise. In today's turbulent world, these benefits are more critical than ever.

Figure 2. Generating the action areas

Action areas

1 . Explore cloud benefits

2. Understand & manage cloud risks

3. Promote service transparency

4. Clarify & enhance accountability

5. Ensure data portability

6. Faciliate interoperability

7. Adapt & harmonize regulation

8. Provide sufficient connectivity

2

Cloud: The Upside

"People are used to scarce resources, and the idea of virtualization of resources is forcing a change from a paradigm of scarcity to one of abundance. It's like finding a substitute for oil." Industry Participant, Brussels Workshop,

May 2010

The ability to tap into computer applications and other software via the cloud frees organizations, ranging from companies to government institutions and universities, from having to build and manage their own technology infrastructure. The double-digit growth enjoyed by some cloud providers during the recent economic downturn demonstrates that many organizations find this attractive.

According to research conducted by the World Economic Forum and Accenture in 2009 and 2010, the benefits of cloud computing technologies go beyond reducing IT costs - most participants see facilitating innovation as an even more compelling benefit. In the long term, cloud is seen as a way to gain competitive advantage, not only for organizations but also for whole industries and economies.

While empirical evidence is still at an early stage, studies have associated cloud computing with many types of benefits, including:

• Dramatically accelerating the way companies create new products and services, through enabling innovative new business models, faster research, wider information sharing and more effective collaboration between product development professionals around the world

• Helping organizations serve their customers better through mining and analysing data to spot emerging trends, such as changing customer needs and competitors' market moves

• Lowering organizational expenditures on data centres, servers, software licenses and maintenance fees and replacing capital expenses with lower pay-for-use operating expenses

• Enabling innovation and job creation at a macro level, with the playing field between large and small companies being levelled as companies of all sizes gain access to information technology that previously was affordable for only the largest companies

• Helping emerging economies leapfrog to higher levels of technological development by providing more immediate and affordable access to next-generation applications, tools and infrastructure

• Empowering governments and citizens to more effectively address such socio-economic issues as delivering healthcare and education, improving access to financial services (insurance, bank accounts, micro-payments) in emerging economies and disaster management provision

• Reducing the environmental impact of computing as economies of scale lead to less consumption of energy Affirming the benefits described in the project's first report, most participants in the private session about cloud computing during the World Economic Forum Annual Meeting 2011 agreed that cloud computing is likely to have a noticeable impact on GNP growth during the coming five years. Many believe that the impact of cloud computing will equal or exceed the impact of mobile technologies.

3

4

The Clouds about the Cloud

Stakeholders' Issues and Priorities

With the pace of development of the cloud computing industry increasingly raising questions about regulation,

a group of high-level IT industry participants at the World Economic Forum Annual Meeting 2009 mandated the first phase of the Future of Cloud Computing project. Senior decision-makers in the public and private sectors explored the benefits that could be derived from the

use of cloud computing for society, the economy and individual businesses. They also identified barriers to the achievement of such benefits and mandated that the Forum pursue the identification of a series of collaborative actions that could steer the healthy development of cloud computing.'

In response to the output of the project's first phase, industry leaders at the Annual Meeting 2010 mandated the second phase of the project, to identify action areas

in further detail. The scope of the project remains focused on the use of public clouds primarily for businesses and governments, although many of the issues identified apply to the consumer domain as well.

Through a series of initial workshops, surveys, one-toone and group interviews and using a structured "issue tool", multiple issues of concern to key stakeholders from industry, government and academia were identified. They were grouped into three issue areas _ data governance, security and business environment _ and analysed in detail. Figure 3 illustrates the issues associated with each of these three areas.

A. Data Governance

Who owns data, who has the right to access it and under what circumstances? What rules apply to the

use and sharing of data? Such questions tend to be more complicated when

"Given the legal complexity created by cloud environments, industry players are forced to infringe laws all the time."

Industry Participant, London Workshop, December 2010

data is stored in a shared infrastructure managed by a third party. Stakeholders

expressed differing views about the appropriateness and feasibility of regulation alone - as opposed to industry self-regulation - to specify frameworks that govern data and its use in the cloud. The issues raised under the heading of data governance were:

Data location constraints

It is not always clear under which legal jurisdiction data in the cloud falls _ especially if, as many cloud architectures require, the data is split up and stored in multiple locations. In

some cases, it is impossible to determine where a particular piece of data is physically

at a particular moment. Even if this were possible, data often falls under more than one legal jurisdiction, and it is unclear how inconsistencies among those jurisdictions would be resolved.

Figure 3. Key categories of issues identified

1. Data Location constraints

2. Regulatory protection of privacy and confidentiality

3. Clarity about data ownership

4. Ensuring only authorized access (identity mgmt.)

5. Ensuring integrity and availability (& addressing data loss)

6. Ensuring data is destroyed as needed

7. Ensuring Interoperability

8. Ensuring Portability (& avoiding vendor lock-in)

9. Insufficient reliability of cloud

10. Insufficient commitments to service levels

11. Relative immaturity of the cloud ecosystem

5

1. http://www3.weforum.org/docsJWEF _ITTC_FutureCloudComputing_Report_201 O.pdf

~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

"No matter how much we invest, data is going to escape internationally; that is just a fact of the Internet."

Industry Participant, Washington DC Workshop, November 2010

Users are concerned about

the potential for foreign governments to demand access to their data. Governments worry about losing the legal ability to "oversee" data in the cloud and apply their laws to the cloud. These concerns can result

in data location constraints

being imposed - for example, requiring cloud providers to locate data within national borders, or subjecting transfers of data outside a given jurisdiction to additional legal hurdles and authorizations. Some stakeholders, however, see these concerns as thinly veiled excuses for protectionism.

For their part, some cloud providers indicate that, if countries insist on data being stored within national boundaries, they will be unwilling to build new data centres in smaller markets. They point out that the freedom to move data across borders helps to achieve the economies of scale that are a key benefit of cloud computing, as there is a significant cost involved in using architectures that keep a customer's data in a particular country or geographical block, potentially giving the largest providers an unfair advantage.

Data Privacy and Confidentiality

Many users say that concerns about data privacy and confidentiality restrict their willingness to use cloud services for sensitive data. In the cloud, data is stored on remote machines that are shared with other users. This makes many users concerned about the potential for business competitors or government authorities to access their data in the cloud without their awareness or consent.

Governments would like to mandate and apply national legal requirements for data stored in the cloud, and many already have. Given the cross-border nature of the cloud, though, national measures to protect data privacy and confidentiality have only limited capacity to reassure users.

There is a desire for greater global consistency in

data privacy requirements applying to the cloud -

but government stakeholders note that fundamental differences in their approaches make comprehensive international agreements less likely. For example,

the United States has a stricter regulatory regime for specific sectors, such as healthcare, where privacy and confidentiality issues are especially sensitive, while the European Union has blanket data privacy laws covering all data.

Some stakeholders feel that, given these regulatory challenges, users concerned about data privacy and confidentiality will ultimately have to rely on market mechanisms to assess the trustworthiness of providers in the cloud. Nonetheless, there is no guarantee that adequate market mechanisms will emerge in a timely fashion.

Clarity about Data Ownership

When a user moves data to the cloud, it is not always clear what rights the cloud service provider gains to access, modify or distribute that data. Some users are concerned that certain types of legal protection associated with data they entrust to the cloud will be compromised if data is moved through the cloud to other jurisdictions - for example, they may be exposed to insufficient or conflicting regimes with regard to their intellectual property.

Ownership of meta-data is often raised as a concern. Meta-data is created from connections between separate individual items of data, or from the context of when and how those individual items of data were provided. Metadata can be extremely sensitive and valuable, even when the individual items of data are not. Who should have what rights to use meta-data and capture the value that arises?

There is a lack of agreement on these issues, and regulation is not always conclusive. EU data privacy laws, for example, distinguish between data controllers and data processors - but, in the cloud, it is not always obvious what the respective roles and responsibilities are. There are scenarios in which users and providers could find themselves in a legal limbo, where the law provides no clear answer as to who is responsible for the data if, for example, security is breached or a provider fails.

While regulators say they would like to improve both regulations and user awareness of the issues surrounding data ownership, industry stakeholders express concern that over-regulation of data ownership at this point in the cloud's evolution could prevent them from meeting user needs and improving services.

6

Building a Secure Cloud without Undue Points of Control

By Jonathan L. Zittrain, Professor of Law and Professor of Computer Science at Harvard University and Member of the Project Working Group

In 2010, cloud provider Amazon.com elected to shut down its hosted version of the WikiLeaks website. Amazon,

like many such vendors, offers hosting to all comers but under terms of service that give it broad latitude in deciding ultimately whom to serve. Given the public controversy over WikiLeaks, Amazon's action crystallized something already known about cloud computing: when one's data or software is hosted far away and under the care of a third party, there are new risks and complications that can offset the ways such hosting can make life simpler and safer.

Some of these risks can be managed: businesses can shop carefully for an enterprise-level cloud provider, and

pay more for those that can persuasively claim more reliable service, or for contracts that penalize unanticipated or unjustified takedowns or interruptions. (For consumers, who plan and bargain less, the equation can be particularly dangerous: a lifetime's worth of e-mail or photos, or a social network comprising hundreds or thousands of hard-won relationships, can have its rules changed, or even evaporate, in an instant.)

However, not all risks can be easily mitigated. For example, network trouble or government-mandated filtering can come between a business and its cloud processes. And, as events in Egypt and Libya demonstrated, there are occasions in which an entire nation's Internet access can be threatened. The solution is not likely to involve retreat to one's own basement servers. Basements aren't fail-safe either, and another marker thrown down by the WikiLeaks episode is the prevalence and power of denial of service attacks: all but the most bunkerized homes for data and code are vulnerable to compromise or attack.

We do not want to see the move to cloud computing, which can offer so many benefits, slowed if the fears brought into focus by the WikiLeaks episode remain unaddressed. Yet we also do not want to find ourselves continuing a march to cloud computing that entails clustering under only a handful of powerful umbrella service providers, leading to limited competition and a handful of points of control.

Solutions may lie not as much in centralization as in its opposite: creating protocols and processes by which data

is voluntarily mirrored among otherwise-independent sites. Then if one is disrupted, other copies remain. And at the network's physical layer, we may see projects such as mesh networking -- creating connectivity without relying upon Internet service providers -- move from the interesting to the downright vital. While the approaches and examples can vary, answers to these very new problems may be inspired from the oldest of human instincts and political organization: mutual aid.

As cloud computing accelerates, our creativity and sociability will be tested as we seek to realize its gains without creating undue vulnerabilities.

7

~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

B. Security

"No-one will unequivocally declare that cloud is 100% safe - just as no one will declare airplanes are 100% safe. Let not security become the bogey that'll stop the whole thing - be pragmatic, solve the problems as they come along, and be open."

Academia Participant, New Delhi Workshop, November 2010

Users want to be confident that their services and data are secure in the cloud - that is, always available to them and never available

to unauthorized others. They also demand recourse mechanisms if something goes wrong. Industry stakeholders point out that greater security involves trade-ofts with cost and usability, and that technical solutions can never fully

protect against security breaches originating from users themselves.

Security-related issues raised by stakeholders include:

Ensuring Only Authorized Access

Users are concerned that data in the cloud is more susceptible to cyber-attacks, as aggregating multiple users' data and services

on a single platform makes

it a more attractive target. Providers point out that no security mechanisms are foolproof, and all come with trade-offs: using encryption can be expensive, and using "hypervisors" to virtually isolate a user's applications and data can still leave vulnerabilities.

More broadly, both industry and government stakeholders expressed concern that technical security mechanisms such as encryption could give users a false sense of security. Encryption is only as effective as the user's control of who has the key, and does not solve the problems of a "malicious insider" or of users being manipulated into giving access. These concerns are bound up with wider questions of how to manage and verify identities.

Ensuring Integrity and Availability (and Addressing Data Loss)

When users store their data on their premises, it is clear who is accountable if the data is corrupted, lost or temporarily inaccessible. This is not necessarily the case when the data is stored in the cloud. When it is unclear whether a problem lies with the cloud provider or with

the networks the user is using to access the cloud, users are concerned that they will be unable to establish who is liable, and to seek redress.

As many users' data may be shared on one machine, users are concerned about the possibility of problems with one user's services affecting another's. Government stakeholders express concern about the resilience of cloud providers to distributed denial-of-service (OOoS) attacks, and note there is an inherent disincentive for providers to report on breaches and problems. Some industry stakeholders, however, believe they are already being transparent enough, especially given that a great majority of client agreements require the service provider to notify the client of any breaches or data loss.

Ensuring that Data Is Destroyed as Needed

Most computer users are aware that even when they delete data, it can still be recovered from their hard drives - additional steps are needed to make sure data can never be retrieved. True data deletion is more challenging in the cloud, because cloud providers are the only ones with access to the physical infrastructure on which users' data is stored, and often data may be mirrored on multiple machines. Without any way of verifying if their data has been destroyed, users have no option but to trust the provider.

Government stakeholders are especially concerned that sensitive data, such as healthcare records, should not

be recoverable once deleted. Industry stakeholders note, however, the significant technical difficulties involved in guaranteeing data deletion.

Overall, many cloud providers are keen to stress that the above concerns about security in the cloud should not be overstated. By their nature, cloud solutions aggregate the security requirements of many clients, often to the highest standard, and they are frequently monitored and stringently audited. As a result, security protections in the cloud are more extensive than in many, perhaps most, private data centres.

8

Cloud Computing in India and Emerging Markets

"The change created by the cloud ecosystem will be manifested 20% in the realm of technology and the remainder through social change."

The World Economic Forum held a workshop in New Delhi on 23 November 2010, convening over 30 leading Indian decision-makers, including service providers, users, government representatives and academia. The goals of the workshop were to

identify the potential benefits and opportunities of cloud computing in India and other emerging economies; address the unique challenges to its implementation in emerging markets; and explore in which areas emerging markets could take the lead in cloud development.

Market Potential

Small and medium-sized companies with limited resources and access to IT are expected to be the greatest beneficiaries in India from the efficiency gains promised by cloud computing. For these companies, participants expect cloud to facilitate more efficient delivery of services to "bottom of the pyramid" consumers - one of the key future market potentials in emerging economies.

Industry Participant, New Delhi Workshop, November 2010

Similar efficiency gains could also improve public services in India. Some government representatives argued that cloud service models could, in fact, be the only means of delivering certain essential services (such as microtransaction banking, micro-insurance and healthcare) given the vastness of the country, with large remote and poor populations. Other areas of public service that could benefit from the cloud include disaster management and the agricultural sector.

More broadly, providing access to data and computing power to people who would normally be deprived of such resources could unleash significant new innovation.

Specific Challenges in India

The lack of economic returns represents one of the key challenges for the development of the domestic cloud market in India. While many IT companies are engaged in the cloud business, they feel that currently there are insufficient incentives to offer economically sensible cloud models and services to the domestic market, particularly those targeting micro, small and medium-sized enterprises. Hurdles to the adoption of cloud include the limited availability of digitized data and the need to deal with requirements of 28 different states.

In addition, limited and/or unreliable wired and wireless broadband infrastructure hinders access to, and hence development of, cloud services in India. This calls for greater engagement from the government to provide a fertile environment for domestic cloud markets and to engage in public-private partnerships on cloud development.

In terms of regulation, while privacy and personal data protection are not widely established in Indian law, IT companies that export services are keen to have Indian regulation align with European and US data protection frameworks. The development of such a framework in India would assist the industry in competing on an international scale.

Additional implications for Emerging Markets

Overcoming connectivity challenges is critical. The development of mobile-based access in India and other emerging markets will drive the adoption and growth of cloud computing.

Access management is another area in which India is developing promising initiatives. Given the large population base and the huge number of potential cloud users, identification and access management poses unique challenges. India's Unique Identification Card (UID Card) project, which relies on cloud technologies, could be seen as a model case.

9

~LD

EC NOMIC F RUM

C. Business Environment

COMMITTED TO IMPROVING THE STATE OF THE WORLD

Cloud services and business models are still at an early stage of development, but several areas have been identified that are of concern to key stakeholders. They include:

Ensuring Interoperability Interoperability is the ability

of different systems to seamlessly communicate

with each other. Users favour greater interoperability as it allows them to customise their

own solutions by purchasing "best of breed" services from multiple cloud providers and

to move more easily between providers. Governments also favour interoperability as a way of driving competition and increasing the resilience of the cloud system as a whole, especially where the market consists of only a few providers.

However, industry stakeholders are concerned that a premature focus on standardization to promote interoperability could hold back innovation and the evolution of better solutions.

Ensuring Data Portability

Closely related to interoperability is the question of data portability - that is, users being able to move data (or

even complete application stacks) easily among cloud providers. Many users express the fear of being "locked

in" to a single cloud provider if it turns out to be inefficient, time consuming, expensive or impossible to transfer data to a different cloud, or back to their premises. Government stakeholders are also concerned about portability from

the perspective of encouraging competition and building systemic resilience.

However, as with interoperability, industry stakeholders are concerned that an excessive focus on ensuring data portability will limit their incentive to innovate by making it harder for them to differentiate themselves through different architectures and offerings. Concerns about meta-data also complicate efforts to ensure data portability.

Insufficient Reliability of Cloud

Many users perceive that the reliability of cloud solutions

is not yet sufficient for them to trust the cloud with their mission-critical needs. They are concerned about being alerted to planned downtime and having accurate reports about unplanned downtime; having access to their

data slowed by other users creating contention for the provider's resources; and the need for backup strategies in the event of unanticipated crises or a provider going out of business.

Industry stakeholders generally feel that, as the cloud matures, market mechanisms will evolve that allow users to assess providers' reputation and reliability. Nonetheless, there is no consensus among cloud providers on how much information about their reliability they are willing to disclose, and government agencies are not satisfied with the status quo.

Insufficient Commitments to Service Levels

Related to reliability concerns, users note that the kind

of SLAs (service level agreements) they rely on from providers of their on-premises IT solutions do not tend

to be offered by cloud providers, or that what is offered

is insufficient for important applications. Potential users of cloud computing are held back by the lack of clear commitments from providers on such issues as uptime, response times, bandwidth, reliability and security - or by the lack of stipulated penalties if these commitments are not met.

Users also note that the lack of standardized SLAs makes it difficult for them to compare competing services. There were, however, mixed views among industry stakeholders on the feasibility of working towards standardized SLAs, given the great diversity of architectures and users' needs and circumstances.

Relative Maturity of the Cloud Ecosystem

While cloud services are evolving rapidly, many stakeholders express concern about the speed at which other necessary aspects of the ecosystem in which public clouds operate are evolving. Common concerns include:

• The still-widespread lack of understanding about cloud, as potential users do not feel sufficiently informed about the risks and benefits and are nervous about committing to relatively new business models such as pay-as-you-go access to IT

• Future speed, reliability and global availability of the network access required to use public clouds

• Availability of expertise, as there are still relatively few IT professionals globally who are trained to architect cloud solutions

• Current underdevelopment of insurance solutions, which could protect users against problems with the cloud

• Threats to intellectual property from using cloud solutions outside a firewall, as more information and approaches to running a business are externally exposed

10

The Cloud in Context: Geopolitics and Economics

Some of the fundamental issues identified by the project illustrate how sensitive and complex cloud technologies have become at this relatively early stage in their development.

Many stakeholders are concerned by the current dominance of cloud providers based in the United States, because of the potential loss of competitiveness and decreased ability to influence how the cloud operates. This may explain the development of individual clouds in countries such as China.

Some officials are worried that jobs may be lost in private data centres as companies move to the cloud, although most stakeholders agree that, in the longer term, the cloud's net effect on jobs is likely to be positive. The skills issue also comes into play - a country's capacity for innovation could be compromised if its citizens are not sufficiently aware of how to utilize cloud technologies, especially if no local cloud providers exist and if local R&D is limited.

There are also questions about whether national identities, autonomy and sovereignty could be compromised if firms increasingly rely on the same few foreign cloud providers. This reliance is seen by some as potentially a new form of "colonization" .

Finally, it is still far from clear how principles of free trade should be applied in the cloud - whether countries that host cloud data centres have an obligation to provide open access to these centres to customers from other countries, under what terms and with what protections.

Figure 4. Key topics that emerged at the 2010 workshops

Brussels

• Economic and social impacts of cloud

• Interoperability and vendor lock-in

• 3rd party validation & certification

• Secure access & network security

• Industry-led standardization

• Growth-enhancing initiatives

• Clarify (roles, relationships, data location and ownership of data)

• Clarification on application of regulation

• Data privacy & confidentiality

Wahsington, DC

• Education & awareness raising

• Government access to data

• Interoperability & portability

• "Privacy by Design"

• R&D needs

• Quantifying ROI

• Harmonization & Transparency

• Addressing risk

India

• Economically sensible cloud models

• Government-Industry partnersbip

• Government incentive

• Enabling cost (e.g. Infrastructure, utility) of delivery in

emerging markets

• Compliance with int'l regulations on data

• Social change

• India's youth

• Lower concerns about data sensitivity

• Focus on small, micro businesses

11

,

U.K.

• Macro-regulatory framework

• Transparency & trust

• Co-regulation model

• Integrity & reliability

• Accountability

• Concrete security measures

• Interoperability & portability

• Number of actors

What to Do Now? Eight Action Areas

Working from the major issues described in the previous section, the project set out to develop recommendations and identify actions that governments and industry can undertake to accelerate the deployment and adoption of public cloud technologies. While the underlying issues are complex and contentious, eight critical action areas were selected by government representatives and companies - including many of the largest cloud providers and regulators from Europe and North America - and then confirmed in the private session about cloud computing held during the World Economic Forum Annual Meeting 2011 .

1. Explore and facilitate the realization of the benefits of cloud

2. Advance understanding and management of cloudrelated risks

3. Promote service transparency

4. Clarify and enhance accountability across all relevant

parties

6. Ensure data portability

6. Facilitate interoperability

7. Accelerate adaptation and harmonization of regulatory frameworks related to cloud

8. Provide sufficient network connectivity to cloud services As described below, these action areas are put forward as a charter for further engagement among key stakeholders. They are intended to form a cohesive agenda, bringing together several areas in which there are existing but disparate initiatives. We hope this step will lead to industry and government collaboration to further define and implement the necessary actions to move the agenda forward and accelerate the uptake of cloud technologies.

13

1. Explore and Facilitate the Realization of the Benefits of Cloud

Cloud ecosystem participants should dedicate additional resources to understanding the benefits of cloud and accelerating the adoption of innovative applications of cloud technology. Topics include product and process innovation and job creation, collaboration, broad delivery of IP, government effectiveness and efficiency, and other economic benefits.

Underlying many of the issues discussed in the previous section is a sense that the benefits of cloud computing

- beyond those related to

IT efficiencies - are not well understood. This manifests itself as a problem in two

main ways. First, users may be held back from moving to the cloud if they perceive the risks more clearly than the benefits. Second, regulators find it hard to make balanced decisions that are in line with the European legal principle of proportionality if they lack a clear sense of how their decisions could potentially impact the macroeconomic and societal benefits of the cloud as well as the risks. The principle of proportionality argues, among other provisions, that regulation should detract as little as possible from the benefits of what is being regulated.

It is normal enough for any new technology that independent, objective research on its benefits is difficult to find. However, a balanced view of the potential benefits is especially necessary for cloud, given the unique concerns it raises. It would be useful, for example, to have independent and objective research into the potential for cloud computing to facilitate collaboration among multiple and diverse participants in industries such as healthcare, education and complex supply chains, or to deliver cross-border protection of intellectual property rights. In particular, it has been expected for some time that cloud would significantly advance healthcare and education,

and it is important to understand why this has not yet happened.

During the past decade, there has been extensive research on the benefits of broadband, particularly its ability to accelerate GNP growth. This may provide

a model for similar research into the cloud, given its complementarity with broadband access. Such research should focus on the potential for job creation (and loss), looking especially at how small and medium-sized businesses could benefit from access to "best in class" computing solutions.

2. Advance Understanding and Management of Cloud-related Risks

Relevant stakeholders (providers and government) should encourage research into the unique risk drivers in cloud computing and identify potential solutions.

The flipside of clearly understanding the potential benefits of cloud is ensuring that perceptions of risk are also grounded in reality. It

is arguable that several of the stakeholder concerns described in the previous

section apply just as much to the public Internet as to the cloud, where data centres may be protected by security mechanisms that are so sophisticated they actually reduce risk rather than exacerbate it. If concerns are indeed overstated, the development of the cloud would be needlessly held back.

"For the moment, there is very little information on what is going on behind

the scenes in terms of

However, authoritative research is lacking on how serious the risks are for different types of applications and data; how well they

can be managed; and how

security management they relate to broader global

in the cloud." risks such as political issues affecting the movement of information across borders. Collaboration among industry

and regulators on conducting and publicizing such research could educate and reassure users, and help to ensure that government regulation is appropriately targeted.

Industry Participant, London Workshop, December 2010

Risk mitigation strategies need to address the different risk profiles of different types of data, such as personal data and trade secrets. Innovative approaches to managing

risk could include industry players developing codes

of conduct and mutual assistance schemes whereby providers agree to assume responsibility for each other's service commitments in the event of outages or breaches. A better understanding of risks would also facilitate the development of nascent cloud insurance models to offer compensation to customers in the event of losses caused by the cloud.

3. Promote Service Transparency

Providers of cloud services should make available to customers information about how their services are provided and how they perform. This includes letting customers know how data is secured, where data

is stored and/or what jurisdictional provisions apply, how and by whom it can be accessed, and how it can be deleted.

In addition to further research into the benefits and risks, greater transparency (Le. public disclosure) about cloud computing would go a long way towards addressing many of the stakeholder issues detailed above - notably

privacy and confidentiality,

data ownership, security, liability and reliability. Clearer and more easily accessible information about cloud service delivery models and

offers would accelerate the development of the market by improving levels of user trust and facilitating the creation of aggregated services provided by multiple providers.

Greater transparency should

also reduce the risk of excessive regulation that could hinder the industry's evolution. Government stakeholders indicate that as more consistent and comparable information on cloud performance and security becomes available to customers, the less they will

be concerned about the need

to protect less-sophisticated customers through regulation.

"There is a need

to be transparent with regard to roles, relationships, locations and ownership of data." Industry Participant, Brussels Workshop, May 2010

There is an opportunity for cloud providers to take the lead on transparency through developing codes based on shared good practices. Efforts to improve

and standardize reporting are underway, and there is scope

for them to be consolidated. Voluntary certification schemes could also playa role, with cloud

providers asking a third party agency to audit, certify or rate them. Such a move could help to build trust in the cloud and reduce the need for further regulation.

"Transparency is

one of the key requirements: we need to learn to trust cloud services." Industry Participant, London Workshop, December 2010

14

4. Clarify and Enhance Accountability across All Relevant Parties

Industry, regulatory bodies and third parties should collaborate to create and implement more consistent and comprehensive approaches to accountability for how cloud services are provided.

Complementing greater transparency, greater clarity about accountability would accelerate uptake of cloud computing among potential users, who are currently reluctant to entrust mission-

critical services to the cloud. Users want to know who is accountable if service levels are unsatisfactory, if they

are unable to access data they put in the cloud or if it

is accessed by unauthorized persons or government agencies. In particular, users want clarity about accountability for service delivery in situations where providers leverage sub-contractors, get acquired or go out of business.

Efforts to clarify accountability for legal compliance -

such as the development of data privacy and security compliance programmes by cloud users or providers

- are hindered by unclear and sometimes inconsistent regulation. It is therefore important to achieve clarity on whether cloud providers are considered data processors or data controllers, what the respective obligations of both parties are, and which country's laws apply to data when a cloud provider has data centres in multiple jurisdictions. Possible technology approaches to the third point include tagging data with a specific jurisdiction code or encrypting all data before it moves to the cloud (although this is expensive and not foolproof),

As with transparency, government stakeholders indicate that voluntary industry moves to clarify accountability

and establish corporate compliance programmes could reduce the need for regulatory intervention. There is

an opportunity for third-party certification schemes to play an important role, and potential for further industry involvement in existing initiatives such as the Data Privacy Accountability Model, Privacy-by-Design and Binding Corporate Rules. Industry players and government stakeholders need to agree on the extent to which it

is possible to establish general principles regarding accountability, as some cloud providers expressed the view that accountability needs to be negotiated only with individual clients.

15

5. Ensure Data Portability

Cloud service providers should provide ways for users to easily retrieve data they have input to clouds, without an onerous fee and in a timely manner.

The fear of vendor lock-in holds

back many potential users of cloud, while many government stakeholders are concerned about maintaining competitiveness in the cloud market. These concerns are lessened if

it becomes quicker, easier and cheaper for users to move data,

and perhaps applications, between different cloud providers and between user premises and the cloud. Users should be aware, however, that due

to economies of scale in the cloud and particular cloud architectures, it may be economically infeasible to roll back from the cloud to an on-premises solution.

There is potential to achieve greater consistency

and rationalization in the data portability standards currently being advanced by multiple bodies, including the Distributed Management Task Force; over time,

the ambition could be to develop minimum portability standards and common approaches for all cloud providers. Governments have a role in minimizing any regulatory barriers that are faced by efforts to standardize portability.

Work on facilitating data portability also needs to be aligned with work on common approaches to data ownership and protection, law enforcement access and liability. Providing meta-data and context information,

in addition to the actual data entered, can significantly increase the options available to customers.

~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

Additional Action Areas

In addition to the eight action areas detailed in this report, several additional actions were discussed but did not receive sufficiently widespread support to be included in the final list of action areas. These are:

Foster education for cloud users

Governments, the cloud computing industry (and other industries that can benefit from cloud), academia and institutions of higher education, and small businesses share an interest in fostering education and awareness among potential users of cloud services on ways to leverage cloud technologies. "Use cases" could illustrate more complex scenarios. Familiarizing labour pools with cloud technologies should enhance national economic competitiveness by ensuring that industries that stand to benefit from the cloud do not fall behind in taking advantage of it.

Promote R&D for privacy and security enhancing technologies

Providers of cloud services should collaborate with each other and with government stakeholders to invest in research to advance the protection of privacy for users through the reinforcement of existing procedures and creation of new architectures and systems. This applies in particular to identity and access management, data encryption, data deletion, and addressing causes of failure and security loopholes.

Improve SLAs

By working to evolve clearer and more standardized service level agreements, industry players can address user concerns about being unable to make informed decisions. As governments are also concerned that users of cloud should be able to understand and take responsibility for their choices, industry action could pre-empt regulatory intervention. More stringent SLAs will also allay user concerns about entrusting mission-critical solutions to the cloud.

Adopt Cloud

Governments can continue to support the use of public cloud and playa significant role in the general adoption of cloud by driving the need for industry to create government-ready solutions. The adoption of cloud by governments also increases user confidence and may facilitate regulatory processes and harmonization. For example, US Federal Chief Information Officer Vivek Kundra has released the Federal Cloud Computing Strategy in 2011 , which calls for about one-quarter of federal IT spending, or US$ 20 billion, to be committed to cloud systems. Additionally, under the US Cloud First programme, agencies will be required to move three services to the cloud within 18 months; adopt a cloud model wherever feasible; and evaluate cloud options before making investments.

Pursue new approaches to regulatory harmonization

Additional suggestions mentioned in this context that did not achieve broad agreement, included:

• Adapt WTO frameworks to create a cloud "trade body" to address data policies and help stakeholders formulate and agree upon policies needed for digital services

• Create a broader, voluntary "safe harbour" programme with the understanding that, once a company commits to it, the commitment will be legally binding

• Create a "Cyberpol" or world court that would act as a central, global body to pursue non-compliant providers, criminals and, possibly, rogue states

16

6. Facilitate Interoperability

Industry players should pursue the evolution of cloud offerings with the goal of facilitating interoperability among multiple (private and public) clouds. This

will accelerate the growth of the overall cloud ecosystem.

There has been notable progress recently in developing offerings that allow users

to customize their own solutions by simultaneously using services from multiple cloud providers. As with data portability, every step towards greater interoperability helps to address stakeholder concerns about competitiveness and

lock-in. It may also accelerate innovation and help address challenges related to data privacy and security.

As the cloud industry matures over the coming years, interoperability will need to be accompanied by the evolution of clear accountability frameworks, commitments to commonly defined service levels and broad adoption

of standards. Large industry players, including savvy and demanding customers such as governments, can help accelerate this maturation process - for example, through encouraging visible research and pilot projects.

Fostering cloud interoperability will also likely extend to a broad range of ecosystem players, including providers of connectivity and application developers, who will need to adopt relevant architectures and provide enabling services such as highly reliable cross-cloud connectivity.

17

7. Accelerate Adaptation and Harmonization of Regulatory Frameworks Related to Cloud

Governments worldwide should adapt and harmonize regulations relevant to cloud with the aim of improving their applicability and reducing divergence across jurisdictions, while considering the maturity of the overall industry.

There is widespread frustration among stakeholders about the regulatory environment for cloud computing, especially in the areas of data privacy and security. Regulations are often inconsistent, conflicting and difficult to apply for users and providers operating

globally. This holds back users from moving to the cloud, as they fear regulatory provisions are insufficient to protect their data from being unduly accessed by law enforcement or retained by providers. And when regulations effectively force data to remain within national borders - either directly by imposing restrictions on data transfers outside the jurisdiction,

or indirectly through a lack of cross-jurisdictional

alignment - they hold back cloud providers from realizing improvements that come from achieving scale through multiple locations.

As a long-term goal, governments "Industry could

may wish to explore a "macro- take the initiative

regulatory framework" that will

be more adept at keeping pace with rapid technological change. Options include a "co-regulation" approach, whereby industry takes the lead in identifying necessary provisions and governments

take a policy and oversight role. This would imply achieving a harmonized approach to the

underlying principles that guide regulation, which currently differ among jurisdictions - notably through the US's sectoral approach to data privacy regulation and the EU's more universal one. Minimum regulatory standards are not a solution - they are often not sufficient to reduce complexity, as they do not stop countries from introducing additional provisions.

for a cloud 'code

of conduct' and regulators could then review it."

Government

Representative,

World Economic Forum Annual Meeting 2011

As a step in this direction, governments should continue to dialogue with providers to better understand the impact of regulatory interventions. Data protection authorities

can play an important role in interpreting and harmonizing legal frameworks to more effectively meet user and provider needs for clearly understandable and authoritative guidance about their respective responsibilities, the protections accorded to them, and the recourse available in the event of breaches.

~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

8. Provide Sufficient Network Connectivity to Cloud Services

Industry, government and relevant agencies should identify connectivity requirements for cloud services (wired and wireless) and promote the commensurate deployment of networks across the world.

To be able to use

cloud computing with confidence, users

need easy access to the cloud. They need guarantees about the speed, reliability and robustness of networks, both fixed and mobile. In particular, in an

environment where market needs maybe moving faster than the technology, users need to be confident that current telecom investments will be sufficient to support future services.

Governments have a role in promoting better connectivity in all markets, especially in emerging and developing countries where the issue may be more acute. Policy initiatives that could serve as examples include the Europe 2020 broadband targets and the European Commission's Digital Agenda pillar on ultra-fast broadband.

"Large businesses

do not have a

strong grasp of

their dependence

on Internet-based services, which will increase with cloud. Many of the issues around access to

the cloud relate to maintaining continuity of the network." Industry Participant, Washington DC Workshop, November 2010

Given that cloud computing uses data centres that need

to be able to handle massive amounts of traffic, the planning of networks and data centres needs to be coordinated. Developing a framework describing what services can be provided with various levels of connectivity could also help national governments promote and prioritize investments

that will sustain future growth opportunities. Not much research currently exists on this topic.

18

Project Outcomes: What Is Next?

Cloud computing is at a

pivotal point of development. As it becomes a critical element of the IT landscape, there is much expectation

that its potential economic

and social benefits could

rival those of the Internet or mobile technologies, but also much uncertainty. Experience of previous waves of technological change suggests that now is the window of opportunity for industry and policy-makers to collaborate, encourage business adoption and find ways to reconcile

the natural conflict between letting an innovative set of technologies mature and protecting users and citizens.

This report set out to identify the issues that need

to be addressed to move the agenda forward and

areas of action that all agree could enable the healthy development of cloud technologies. While valuable

work is underway on many of these issues (such as standards and security) the project aims to address

more cohesively the bigger picture and the possibility

for a broader common agenda. To do this, the project

has brought together key stakeholders from industry, governments, international organizations and academia to prioritize their concerns and explore potential solutions.

"After two years of intensive work on cloud issues, the World Economic Forum has done

a great job in bringing together a lot of expertise and experience. And it is a timely exercise indeed."

Neelie Kroes, VicePresident of the European Commission responsible for the Digital Agenda Towards a European

Cloud Computing Strategy, World Economic Forum Annual Meeting 2011

"Stakeholders' willingness to overcome the barriers depends on their assessment of cloud-

The eight action areas described in this report encompass broadening awareness and understanding of the benefits and risks of cloud, promoting service transparency, harmonizing regulatory frameworks, clarifying accountability, facilitating system interoperability

and data portability, and ensuring sufficient network connectivity. They received broad support from industry and government leaders taking part in a private session on cloud computing at the World Economic Forum Annual Meeting 2011 .

related benefits."

Industry Participant, London Workshop, December 2010

Figure 5. Action areas

1. Explore cloud benefits
2. Understand & manage cloud risks
3. Promote service transparency
4. Clarify & enhance accountability
5. Ensure data portability
6. Faciliate interoperability
7. Adapt & harmonize regulation
8. Provide sufficient connectivity The aim of these action areas is not to offer prescriptive solutions, but to suggest a charter for further engagement among industry and governments. The eight action areas are already being used as the basis for multistakeholder collaboration in multiple contexts, such as feeding into a series of meetings between industry leaders and EU Commissioner for the Digital Agenda Neelie Kroes on cloud regulation and harmonization, announced at the Forum's Annual Meeting.2

An especially promising avenue for government-industry collaboration could be the initiation of experimental

pilot deployment programmes to generate and document empirical evidence on the positive social and economic impacts of the cloud. Such studies could

help counterbalance concerns about cloud computing, which are magnified by their overlap with broader contemporary worries such as national sovereignty, cybersecurity and the health of the Internet.

Other potential collaborative actions could include: • Industry investing in research into systemic security risks and costs and how to

collaborate on areas such as encryption

• Service providers reaching agreement on common best practices for transparency

• Telecoms providers working to identify connectivity requirements and investment needs by geography

Cloud computing is set for rapid acceleration around

the world. We hope that the framework described in this report has provided a common language and a shared set of priorities for industry and governments to continue to address common issues in a constructive way, leading to a wider and more effective uptake of cloud solutions.

19

2. http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/50

About the Research

Project Background

This report is part of the World Economic Forum's research study, Exploring the Future of Cloud Computing. It was mandated by the IT Governors at the World Economic Forum Annual Meeting 2009 in Davos-Klosters, Switzerland.

Two objectives for the research were defined:

• Develop an understanding of what is needed to steer the healthy development of both public and private cloud computing environments

• Develop a set of industry and public policy action areas that could help mitigate the uncertainties and accelerate the benefits of cloud computing

Consequently, the project was divided into two phases:

I. The first phase focused on consulting with a wide range of relevant stakeholders (IT industry, corporate buyers

of IT, government regulators, investors, academics, journalists and others) through workshops, surveys and interviews to obtain their views on the potential impacts of cloud computing - on business, society and the global economy. A key research tool was an extensive survey that Accenture designed and developed on cloud computing. Collecting a wide range of highly informed views enabled us to identify the key drivers, enablers and barriers in cloud computing.

Phase I outcomes:

Report: http://tinyurl.com/wef-2010report Video: http://tinyurl.com/wef-201Ovideo

II. Based on the findings of the phase I report, phase

II focused on developing action areas and identifying actions that governments and industry can undertake to accelerate the deployment and adoption of public cloud technologies (this report).

Figure 6. Project timeline

2011 Annual Meeting, Davos

Industry/ government consultation

Slough (UK) workshop

Washington DC workshop

New Delhi workshop

Industry! government consultation & issue tool

Europe Summit, Brussels workshop

2010 Annual Meeting, Davos

Cross-government call

~o

EC NOMIC F RUM

Brussels workshop

EXPLORING 111E FUTlJRE OF CLOUD COMPUTING:

RIDING nlE NEXT WAVE OF TECHNOLOGY·DRIVEN TRANSFORMATION

IES New Delhi workshop

AMNC Dalian workshop

Tokyo workshop

San Francisco workshop

2009 Annual Meeting, Davos

21

Phase 1 - Phase 2 -

~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

Figure 7. Project process and outcome

Input

Phase I Input and Report, Cloud Constraints and Barriers

Initial Prioritization Issues That Affect Cloud Deployment In The Next 3 Years

Issue Tool Collation of Skateholder Priority Issues

Analysis & Solution Development Draft Action Areas

Davos Governors Gession

Output

Action Areas and World Economic Forum Report

Definition of Cloud Computing

There are probably as many definitions of cloud computing as there are opinions about its future. To date, there is

no definition that is agreed upon in most quarters. The definition we used in this project came from the University of California at Berkeley: "Cloud computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the data centres that provide those services."

Clarifications: Access to the cloud can be provided via multiple technologies (Internet or other) and services can include processing, storage, access to applications and business processes.

Deployment models relevant to this project:

• Public cloud - sold to the public, mega-scale infrastructure (e.g. Amazon, Google)

• Hybrid cloud - composition of two or more clouds where one might abstract applications or services through a combination of in-house infrastructure and/or reaching out to multiple clouds

• Community cloud - a shared infrastructure for a specific community (e.g. healthcare)

Note: Private clouds (ones that an enterprise owns or leases) are not included in the scope of phase II of our project

Examples of types of cloud cornputinq:"

• Process/Industry clouds

• Application clouds (SaaS)

• Platform clouds (PaaS)

• Infrastructure clouds (laaS)

Figure 8. A possible hierarchy of cloudbased offerings

..

..

..

..

..

..

..

..

Characteristics of Cloud Computing

In the absence of a commonly accepted definition of cloud computing, enumerating some characterlstlcs' often associated with cloud computing may help to clarify how the term is commonly used and understood:

• On-demand self-service

• Broad network access

• Resource pooling

• Rapid elasticity

• Measured service

• Massive scale

• Virtualization

• Resilient computing

• Low-cost software

• Geographic distribution covering multiple jurisdictions

• Multiple accountabilities

• Service orientation

• Advanced security technologies

3. "Cloudrise: Rewards and Risks at the Dawn of Cloud Computing", Accenture, Jeanne G. Harris and Allan E. Alter, November 2011

4. "The NIST Definition of Cloud Computing", Peter Mell and Tim Grance, October 2009

22

Acknowledgments: Partners and Contributing Organizations

Industry Accenture

Akamai Alcatel Lucent

Telefonica Tibco Wipro

EMC

Governments and Agencies European Commission

European Data Protection Supervisor (EDPS) European Network and Information

Security Agency (ENISA)

Confederation of Indian Industry (CII)

French Data Protection Authority (CNIL) German Ministry of Economics and Technology German Ministry of the Interior

Indian Department of Information Technology Indian Department of Micro, Small

and Medium Enterprises

NASSCOM India

Japan Ministry of Internal Affairs and Communications Organisation for Economic Co-operation

and Development (OECD)

UK Cabinet Office

UK Department for Business, Innovation and Skills (BIS) UK Office of Cyber Security and Information Assurance US Department of Commerce

US Federal Communications Commission US Federal Trade Commission

US General Service Administration

US Office of Management and Budget

AT&T

Bitcurrent BMC Software BTGroup

CA Technologies Capgemini Cisco

Colt

ComScore

CSC

Cyber Risk Partners Dell

Deutsche Telekom

Forrester Fujitsu Google

HCL Technologies HP

Huawei Technologies Infosys Technologies Intel

Juniper

Kudelski

Lenovo

Lockheed Martin McAfee

Mahindra Satyam Microsoft

Academia

Berkman Center for Internet and Society, Harvard University, USA

Brookings Institution, USA

Centre for Commercial Law Studies, Queen Mary, University of London

Centre of Excellence in Information and Communication Technologies, Belgium

Complutense University of Madrid, Spain Georgetown University, USA

International Institute of Information Technology Bangalore Rand Europe

Research Center on IT and Law, FUNDP Namur, Belgium An additional thank you goes to the Accenture Australia creative services team, to the Forum editing team and to the writer, Andrew Wright.

Nasdaq NCR Corp. Nivio

Orange Business Services Polycom

Salesforce.com

SAP SAS

23

References

~LD

EC NOMIC F RUM

COMMITTED TO IMPROVING THE STATE OF THE WORLD

1. "Above the Clouds: A Berkeley View of Cloud Computing", authored by 11 members of UC Berkeley's division of Electrical Engineering and Computer Sciences, February 2009

2. "Exploring the Future of Cloud Computing", World Economic Forum, May 2010

3. "Worldwide and Regional Public IT Cloud Services, 2010-2014 Forecast", IDC, June 2010

4. "Mind the Gap - Insights from Accenture's Third Global High Performance IT Research Study, November 2010

5. "Cloud rise: Rewards and Risks at the Dawn of Cloud Computing", Accenture, Jeanne G. Harris and Allan E. Alter, November 2011

6. "Where the Cloud Meets Reality: Operationally Enabling the Growth of New Business Models", Accenture, March 2011

7. "The Cloud Dividend", Center for Economics and Business Research, December 2010

8. "Information Assurance Framework", ENISA, November 2009

9. "Cloud Computing Security Risk Assessment", ENISA, November 2009

10. "Towards a European Cloud Computing Strategy", Neelie Kroes, Vice-President and Commissioner for the Digital Agenda of the European Commission, speaking at the World Economic Forum Annual Meeting 2011 , January 2011

11 . "Federal Cloud Computing Strategy", Vivek Kundra, February 2011

12. "The Terms They Are A-Changin' ... Watching Cloud Contracts Take Shape", Simon Bradshaw, Christopher Millard and Ian Walden, The Brookings Institution, March 2011

13. "A Digital Agenda for Europe", European Commission, May 2010

14. EU Data Protection Directive 95/46/EC, October 1995

15. Article 29 Data Protection Working Party of the EU Directive

16. Unique Identification Authority of India (UIDAI) Volunteer Guidelines, 2009

17. "Digital Japan Creation Project (ICT Hatoyama Pian)", Ministry of Internal Affairs and Communications of Japan, March 2009

18. "Privacy and Security in Cloud Computing", Allan A.

Friedman and Darrell M. West, Center for Technology Innovation at Brookings, October 2010

19. "The Economic Impact of Cloud Computing on Business Creation, Employment and Output in Europe", Prof. Federico Etro, Review of Business and Economics, June 2009, Vol. 54, 2, pp. 179-208.

20. "The Economics of Cloud Computing", IUP Journal of Managerial Economics, February 2011, Vol. IX, 2, pp. 1-16

21. "The NIST Definition of Cloud Computing", Peter Mell and Tim Grance, October 2009

24

COMMITTED TO IMPROVING THE STATE OF THE WORLD

The World Economic Forum is an independent international organization committed to improving the state of the world by engaging leaders in partnerships to shape global, regional and industry agendas.

Incorporated as a foundation in 1971, and based in Geneva, Switzerland, the World Economic Forum is impartial and not-for-profit; it is tied to no political, partisan or national interests. (www.weforum.org)