Professional Documents
Culture Documents
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
ADVANCING CLOUD COMPUTING:
WHAT TO DO NOW?
PRIORITIES FOR INDUSTRY AND GOVERNMENTS
World Economic Forum
In partnership with Accenture 2011
About this Report
This World Economic Forum report was developed by the Forum's IT Industry Partnership in collaboration with Accenture, with input from a group of experts and a dedicated Steering Board.
World Economic Forum
The World Economic Forum is an independent international organization committed to improving the state of the
world by engaging business, political, academic and other leaders of society to shape global, regional and industry agendas.
Incorporated as a not-for-profit foundation in 1971, and headquartered in Geneva, Switzerland, the Forum is tied to no political, partisan or national interests. (www.weforum.org)
Accenture
Accenture is a global management consulting, technology services and outsourcing company, with more than 215,000 people serving clients in more than 120 countries. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world's most successful companies, Accenture collaborates with clients to
help them become high-performance businesses and governments. (www.accenture.com)
About the Forum's Information Technology Industry Partnership
The Information Technology Industry Partnership (IP) programme of the World Economic Forum provides chief executives and senior executives of the world's leading
IT companies with the opportunity to engage with peers to define and address critical industry issues throughout the year. Identifying, developing and acting on these industry issues is fundamental to the Forum's commitment to deliver sustainable social development founded on economic progress.
About the Project
Phase I of the World Economic Forum's Exploring the Future of Cloud Computing project culminated in a report on the benefits of cloud computing entitled Exploring the Future of Cloud Computing: Riding
the Next Wave of Technology-driven Transformation, published in the spring of 2010.
The objective of Phase II was to develop recommendations for actions that governments and industry can take to accelerate the deployment and adoption of public cloud technologies, which resulted in this publication.
The Future of Cloud Computing Steering Board
Guidance was provided by an actively involved steering board of experts, which included representatives from:
• Akamai Technologies (Paul Sagan, Chief Executive
Officer)
• BTGroup
• CA Technologies (Ajei Gopal, Executive Vice-President)
• Google (Nelson Mattos, Vice-President, Engineering, EMEA)
• Microsoft Corporation (Craig Mundie, Chief Research and Strategy Officer)
• Salesforce.com (Marc R. Benioff, Chairman and Chief Executive Officer; and JP Rangaswami, Chief SCientist)
Project Team Contributors From the World Economic Forum:
Joanna Gordon
Associate Director, Information Technology Industry
Chiemi Hayashi
Associate Director, Deputy Head of Risks in Depth, Risk Initiatives
Stephan Mergenthaler
Project Manager, Strategic Risk Foresight
From Accenture:
Dan Elron
Managing Partner, Strategy and Corporate Development
Amelia P. Schaffner
Manager, Strategy and Corporate Development
Bojana Bellamy
Director of Data Privacy
Many individuals contributed ideas to this report through surveys, workshops and interviews. The project team thanks all participants for so generously sharing their time, energy and insiqhts, Without their dedication, guidance and support we would not have been able to develop this report.
World Economic Forum 91-93 route de la Capite CH-1223 Cologny/Geneva Switzerland
Tel.: 41 (0)228691212
Fax: 41 (0)22 786 2744 E-mail: contact@weforum.org www.weforum.org
©2011 World Economic Forum ©2011 Accenture
All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying and recording, or by any information storage and retrieval system.
~LD
EC NOMIC F RUM
Contents
COMMI'ITED TO IMPROVING THE STATE OF THE WORLD
Executive Summary
The Clouds about the Cloud
5
A. Data Governance
B. Security
C. Business Environment
What to Do Now? Eight Action Areas
13
1. Explore and Facilitate the Realization of the Benefits of Cloud
2. Advance Understanding and Management of Cloud-related Risks
3. Promote Service Transparency
4. Clarify and Enhance Accountability across All Relevant Parties
5. Ensure Data Portability
6. Facilitate Interoperability
7. Accelerate Adaptation and Harmonization of Regulatory Frameworks Related to Cloud
8. Provide Sufficient Network Connectivity to Cloud Services
Project Outcomes: What Is Next?
19
About the Research
21
References
24
Executive summary
"Cloud is rapidly changing the world. It is enabling new business models and
The potential benefits of cloud computing include promoting economic growth, creating employment and enabling innovation and collaboration. These were described in
the project's first report, Exploring the Future of Cloud Computing: Riding the Next Wave of Technology-driven
Transformation, published in the spring of 201 O. While recognizing the many benefits of cloud, however, stakeholders also expressed serious concerns about its widespread adoption.
creating tension in the system."
Industry Participant, Washington DC Workshop, November 2010
In the second phase of the project, the Forum and its Partners investigated and prioritized these concerns in further detail. This report presents eight action areas for providers of cloud computing services and government agencies. It is intended to set the agenda for further engagement among all stakeholders, ensuring the healthy future development of the cloud computing industry.
Clouds about the Cloud
Many of the concerns about the public cloud, which are outlined on page 5 of this report, have long been discussed in relation to the Internet without satisfactory resolution. As cloud computing technologies significantly exacerbate these issues, the industry and government must address them at a relatively early
stage in the evolution of cloud services.
"All the infrastructure in the cloud is no
longer under your control: with cloud, there is a shift in
responsibility."
Government Participant, Brussels Workshop, May 2010
Project participants already feel that the current regulatory environment has slowed the progress of cloud technologies (in 2010). Further divergence and fragmentation in how the public cloud evolves could further delay potential benefits.
These issues include difficulties faced by customers in understanding who can access the data that they put in the cloud, how it is protected and how they can be sure
it has been deleted when they want it to be. They also include a growing desire by many national governments to direct the evolution of the digital realm within their physical borders, with major implications for where cloud providers can locate the servers that process data.
Figure 1. Cloud by the numbers
$55 billion (1)
forecasted worldwide revenue from public IT cloud services by 2014
330/0 (2)
of global companies have deployed or are piloting the more mature layer of clouds, SaaS. 23% of high performing IT companies have already deployed SaaS
250/0 (3)
of global companies will be deploying cloud computing for critical applications within 2 years
440/0 (3)
of executives from global companies who believe cloud computing can provide their company with a lasting competitive advantage
300/0 (1)
the rate at which cloud computing will grow in 2011, or more than 5 times the rate of IT industry as a whole
2 3 (4)
• million jobs
the net new jobs created by cloud on a cumulative basis over the period 2010 to 2015 across the top five EU economies
2.1 % (4)
the average improvement in efficiency of an average employee because of cloud
Source: 'IDC [Worldwide and Regional Public IT Cloud Services 2010 - 2014 Forecast, June 2010j.
2Accenture ["Mind the Gap - Insights from the 3rd global High Performance IT research study, Nov, 201 OJ. 3Accenture [Cloudrise:
Rewards and Risk at the Dawn of Cloud Computing" Nov, 201 OJ, 'Center for Economics and Business Research [The cloud dividend, Dec, 2010j
~LD
EC NOMIC F RUM
COMMI'ITED TO IMPROVING THE STATE OF THE WORLD
"The global community has come together before to address
key issues and policy considerations in other industries
such as banking, transportation, and telecommunications. We must now do
the same for cloud computing. The journey to cloud computing will not happen overnight, but in the months and years ahead we have the opportunity, as a global community, to shape the future of cloud computing and take the first steps together towards
a new, more interconnected world." Vivek Kundra, first Chief Information Officer (CIO)
of the United States of America, March 2011
Key Opportunities for Multistakeholder Collaboration
In response to these concerns, the Forum and its Partners
have prioritized a set of eight action areas to be addressed by industry and governments, either separately or collaboratively. Through extensive consultations in Europe, the United States
and Asia, the project has sought ways to reconcile the natural conflict between letting an innovative set of technologies mature and the need to protect users and citizens.
Presented on page 13, the action areas cover topics such as:
• Improving transparency on how services are provided, who has accountability for what, how data is protected and which legislative regimes apply; addressing these topics is seen as a critical step towards the broader need, identified by stakeholders, to build trust in the cloud
• Conducting further research to clarify and spread awareness of the benefits of cloud, and ensure a balanced understanding of the nature of the risks and our current abilities to manage them; this is seen as helpful for enabling informed decision-making by both potential users and regulators
• Facilitating system interoperability, enabling users to customize their own cloud solutions across multiple providers, and data portability to ease user fears of vendor lock-in and government fears about lack of competition
• Guaranteeing sufficient network connectivity so that users who entrust their data to the cloud can be confident of being able to access it on demand
While complex and sometimes contentious, the eight action areas set out in this report received strong and essentially unanimous support from the companies participating in the private session about cloud computing at the World Economic Forum Annual Meeting 2011- including many of the largest cloud providers - and
from several official representatives of governments and supranational organizations.
With the support of leading providers and governments, we encourage individual companies, governments and existing collaborative initiatives to move quickly to further define and implement the necessary actions that will accelerate the ability of cloud technologies to generate the economic and social benefits they promise. In today's turbulent world, these benefits are more critical than ever.
Figure 2. Generating the action areas
Action areas
1 . Explore cloud benefits
2. Understand & manage cloud risks
3. Promote service transparency
4. Clarify & enhance accountability
5. Ensure data portability
6. Faciliate interoperability
7. Adapt & harmonize regulation
8. Provide sufficient connectivity
2
Cloud: The Upside
"People are used to scarce resources, and the idea of virtualization of resources is forcing a change from a paradigm of scarcity to one of abundance. It's like finding a substitute for oil." Industry Participant, Brussels Workshop,
May 2010
The ability to tap into computer applications and other software via the cloud frees organizations, ranging from companies to government institutions and universities, from having to build and manage their own technology infrastructure. The double-digit growth enjoyed by some cloud providers during the recent economic downturn demonstrates that many organizations find this attractive.
According to research conducted by the World Economic Forum and Accenture in 2009 and 2010, the benefits of cloud computing technologies go beyond reducing IT costs - most participants see facilitating innovation as an even more compelling benefit. In the long term, cloud is seen as a way to gain competitive advantage, not only for organizations but also for whole industries and economies.
While empirical evidence is still at an early stage, studies have associated cloud computing with many types of benefits, including:
• Dramatically accelerating the way companies create new products and services, through enabling innovative new business models, faster research, wider information sharing and more effective collaboration between product development professionals around the world
• Helping organizations serve their customers better through mining and analysing data to spot emerging trends, such as changing customer needs and competitors' market moves
• Lowering organizational expenditures on data centres, servers, software licenses and maintenance fees and replacing capital expenses with lower pay-for-use operating expenses
• Enabling innovation and job creation at a macro level, with the playing field between large and small companies being levelled as companies of all sizes gain access to information technology that previously was affordable for only the largest companies
• Helping emerging economies leapfrog to higher levels of technological development by providing more immediate and affordable access to next-generation applications, tools and infrastructure
• Empowering governments and citizens to more effectively address such socio-economic issues as delivering healthcare and education, improving access to financial services (insurance, bank accounts, micro-payments) in emerging economies and disaster management provision
• Reducing the environmental impact of computing as economies of scale lead to less consumption of energy Affirming the benefits described in the project's first report, most participants in the private session about cloud computing during the World Economic Forum Annual Meeting 2011 agreed that cloud computing is likely to have a noticeable impact on GNP growth during the coming five years. Many believe that the impact of cloud computing will equal or exceed the impact of mobile technologies.
3
4
The Clouds about the Cloud
Stakeholders' Issues and Priorities
With the pace of development of the cloud computing industry increasingly raising questions about regulation,
a group of high-level IT industry participants at the World Economic Forum Annual Meeting 2009 mandated the first phase of the Future of Cloud Computing project. Senior decision-makers in the public and private sectors explored the benefits that could be derived from the
use of cloud computing for society, the economy and individual businesses. They also identified barriers to the achievement of such benefits and mandated that the Forum pursue the identification of a series of collaborative actions that could steer the healthy development of cloud computing.'
In response to the output of the project's first phase, industry leaders at the Annual Meeting 2010 mandated the second phase of the project, to identify action areas
in further detail. The scope of the project remains focused on the use of public clouds primarily for businesses and governments, although many of the issues identified apply to the consumer domain as well.
Through a series of initial workshops, surveys, one-toone and group interviews and using a structured "issue tool", multiple issues of concern to key stakeholders from industry, government and academia were identified. They were grouped into three issue areas _ data governance, security and business environment _ and analysed in detail. Figure 3 illustrates the issues associated with each of these three areas.
A. Data Governance
Who owns data, who has the right to access it and under what circumstances? What rules apply to the
use and sharing of data? Such questions tend to be more complicated when
"Given the legal complexity created by cloud environments, industry players are forced to infringe laws all the time."
Industry Participant, London Workshop, December 2010
data is stored in a shared infrastructure managed by a third party. Stakeholders
expressed differing views about the appropriateness and feasibility of regulation alone - as opposed to industry self-regulation - to specify frameworks that govern data and its use in the cloud. The issues raised under the heading of data governance were:
Data location constraints
It is not always clear under which legal jurisdiction data in the cloud falls _ especially if, as many cloud architectures require, the data is split up and stored in multiple locations. In
some cases, it is impossible to determine where a particular piece of data is physically
at a particular moment. Even if this were possible, data often falls under more than one legal jurisdiction, and it is unclear how inconsistencies among those jurisdictions would be resolved.
Figure 3. Key categories of issues identified
1. Data Location constraints
2. Regulatory protection of privacy and confidentiality
3. Clarity about data ownership
4. Ensuring only authorized access (identity mgmt.)
5. Ensuring integrity and availability (& addressing data loss)
6. Ensuring data is destroyed as needed
7. Ensuring Interoperability
8. Ensuring Portability (& avoiding vendor lock-in)
9. Insufficient reliability of cloud
10. Insufficient commitments to service levels
11. Relative immaturity of the cloud ecosystem
5
1. http://www3.weforum.org/docsJWEF _ITTC_FutureCloudComputing_Report_201 O.pdf
~LD
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
"No matter how much we invest, data is going to escape internationally; that is just a fact of the Internet."
Industry Participant, Washington DC Workshop, November 2010
Users are concerned about
the potential for foreign governments to demand access to their data. Governments worry about losing the legal ability to "oversee" data in the cloud and apply their laws to the cloud. These concerns can result
in data location constraints
being imposed - for example, requiring cloud providers to locate data within national borders, or subjecting transfers of data outside a given jurisdiction to additional legal hurdles and authorizations. Some stakeholders, however, see these concerns as thinly veiled excuses for protectionism.
For their part, some cloud providers indicate that, if countries insist on data being stored within national boundaries, they will be unwilling to build new data centres in smaller markets. They point out that the freedom to move data across borders helps to achieve the economies of scale that are a key benefit of cloud computing, as there is a significant cost involved in using architectures that keep a customer's data in a particular country or geographical block, potentially giving the largest providers an unfair advantage.
Data Privacy and Confidentiality
Many users say that concerns about data privacy and confidentiality restrict their willingness to use cloud services for sensitive data. In the cloud, data is stored on remote machines that are shared with other users. This makes many users concerned about the potential for business competitors or government authorities to access their data in the cloud without their awareness or consent.
Governments would like to mandate and apply national legal requirements for data stored in the cloud, and many already have. Given the cross-border nature of the cloud, though, national measures to protect data privacy and confidentiality have only limited capacity to reassure users.
There is a desire for greater global consistency in
data privacy requirements applying to the cloud -
but government stakeholders note that fundamental differences in their approaches make comprehensive international agreements less likely. For example,
the United States has a stricter regulatory regime for specific sectors, such as healthcare, where privacy and confidentiality issues are especially sensitive, while the European Union has blanket data privacy laws covering all data.
Some stakeholders feel that, given these regulatory challenges, users concerned about data privacy and confidentiality will ultimately have to rely on market mechanisms to assess the trustworthiness of providers in the cloud. Nonetheless, there is no guarantee that adequate market mechanisms will emerge in a timely fashion.
Clarity about Data Ownership
When a user moves data to the cloud, it is not always clear what rights the cloud service provider gains to access, modify or distribute that data. Some users are concerned that certain types of legal protection associated with data they entrust to the cloud will be compromised if data is moved through the cloud to other jurisdictions - for example, they may be exposed to insufficient or conflicting regimes with regard to their intellectual property.
Ownership of meta-data is often raised as a concern. Meta-data is created from connections between separate individual items of data, or from the context of when and how those individual items of data were provided. Metadata can be extremely sensitive and valuable, even when the individual items of data are not. Who should have what rights to use meta-data and capture the value that arises?
There is a lack of agreement on these issues, and regulation is not always conclusive. EU data privacy laws, for example, distinguish between data controllers and data processors - but, in the cloud, it is not always obvious what the respective roles and responsibilities are. There are scenarios in which users and providers could find themselves in a legal limbo, where the law provides no clear answer as to who is responsible for the data if, for example, security is breached or a provider fails.
While regulators say they would like to improve both regulations and user awareness of the issues surrounding data ownership, industry stakeholders express concern that over-regulation of data ownership at this point in the cloud's evolution could prevent them from meeting user needs and improving services.
6
Building a Secure Cloud without Undue Points of Control
By Jonathan L. Zittrain, Professor of Law and Professor of Computer Science at Harvard University and Member of the Project Working Group
In 2010, cloud provider Amazon.com elected to shut down its hosted version of the WikiLeaks website. Amazon,
like many such vendors, offers hosting to all comers but under terms of service that give it broad latitude in deciding ultimately whom to serve. Given the public controversy over WikiLeaks, Amazon's action crystallized something already known about cloud computing: when one's data or software is hosted far away and under the care of a third party, there are new risks and complications that can offset the ways such hosting can make life simpler and safer.
Some of these risks can be managed: businesses can shop carefully for an enterprise-level cloud provider, and
pay more for those that can persuasively claim more reliable service, or for contracts that penalize unanticipated or unjustified takedowns or interruptions. (For consumers, who plan and bargain less, the equation can be particularly dangerous: a lifetime's worth of e-mail or photos, or a social network comprising hundreds or thousands of hard-won relationships, can have its rules changed, or even evaporate, in an instant.)
However, not all risks can be easily mitigated. For example, network trouble or government-mandated filtering can come between a business and its cloud processes. And, as events in Egypt and Libya demonstrated, there are occasions in which an entire nation's Internet access can be threatened. The solution is not likely to involve retreat to one's own basement servers. Basements aren't fail-safe either, and another marker thrown down by the WikiLeaks episode is the prevalence and power of denial of service attacks: all but the most bunkerized homes for data and code are vulnerable to compromise or attack.
We do not want to see the move to cloud computing, which can offer so many benefits, slowed if the fears brought into focus by the WikiLeaks episode remain unaddressed. Yet we also do not want to find ourselves continuing a march to cloud computing that entails clustering under only a handful of powerful umbrella service providers, leading to limited competition and a handful of points of control.
Solutions may lie not as much in centralization as in its opposite: creating protocols and processes by which data
is voluntarily mirrored among otherwise-independent sites. Then if one is disrupted, other copies remain. And at the network's physical layer, we may see projects such as mesh networking -- creating connectivity without relying upon Internet service providers -- move from the interesting to the downright vital. While the approaches and examples can vary, answers to these very new problems may be inspired from the oldest of human instincts and political organization: mutual aid.
As cloud computing accelerates, our creativity and sociability will be tested as we seek to realize its gains without creating undue vulnerabilities.
7
~LD
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
B. Security
"No-one will unequivocally declare that cloud is 100% safe - just as no one will declare airplanes are 100% safe. Let not security become the bogey that'll stop the whole thing - be pragmatic, solve the problems as they come along, and be open."
Academia Participant, New Delhi Workshop, November 2010
Users want to be confident that their services and data are secure in the cloud - that is, always available to them and never available
to unauthorized others. They also demand recourse mechanisms if something goes wrong. Industry stakeholders point out that greater security involves trade-ofts with cost and usability, and that technical solutions can never fully
protect against security breaches originating from users themselves.
Security-related issues raised by stakeholders include:
Ensuring Only Authorized Access
Users are concerned that data in the cloud is more susceptible to cyber-attacks, as aggregating multiple users' data and services
on a single platform makes
it a more attractive target. Providers point out that no security mechanisms are foolproof, and all come with trade-offs: using encryption can be expensive, and using "hypervisors" to virtually isolate a user's applications and data can still leave vulnerabilities.
More broadly, both industry and government stakeholders expressed concern that technical security mechanisms such as encryption could give users a false sense of security. Encryption is only as effective as the user's control of who has the key, and does not solve the problems of a "malicious insider" or of users being manipulated into giving access. These concerns are bound up with wider questions of how to manage and verify identities.
Ensuring Integrity and Availability (and Addressing Data Loss)
When users store their data on their premises, it is clear who is accountable if the data is corrupted, lost or temporarily inaccessible. This is not necessarily the case when the data is stored in the cloud. When it is unclear whether a problem lies with the cloud provider or with
the networks the user is using to access the cloud, users are concerned that they will be unable to establish who is liable, and to seek redress.
As many users' data may be shared on one machine, users are concerned about the possibility of problems with one user's services affecting another's. Government stakeholders express concern about the resilience of cloud providers to distributed denial-of-service (OOoS) attacks, and note there is an inherent disincentive for providers to report on breaches and problems. Some industry stakeholders, however, believe they are already being transparent enough, especially given that a great majority of client agreements require the service provider to notify the client of any breaches or data loss.
Ensuring that Data Is Destroyed as Needed
Most computer users are aware that even when they delete data, it can still be recovered from their hard drives - additional steps are needed to make sure data can never be retrieved. True data deletion is more challenging in the cloud, because cloud providers are the only ones with access to the physical infrastructure on which users' data is stored, and often data may be mirrored on multiple machines. Without any way of verifying if their data has been destroyed, users have no option but to trust the provider.
Government stakeholders are especially concerned that sensitive data, such as healthcare records, should not
be recoverable once deleted. Industry stakeholders note, however, the significant technical difficulties involved in guaranteeing data deletion.
Overall, many cloud providers are keen to stress that the above concerns about security in the cloud should not be overstated. By their nature, cloud solutions aggregate the security requirements of many clients, often to the highest standard, and they are frequently monitored and stringently audited. As a result, security protections in the cloud are more extensive than in many, perhaps most, private data centres.
8
Cloud Computing in India and Emerging Markets
"The change created by the cloud ecosystem will be manifested 20% in the realm of technology and the remainder through social change."
The World Economic Forum held a workshop in New Delhi on 23 November 2010, convening over 30 leading Indian decision-makers, including service providers, users, government representatives and academia. The goals of the workshop were to
identify the potential benefits and opportunities of cloud computing in India and other emerging economies; address the unique challenges to its implementation in emerging markets; and explore in which areas emerging markets could take the lead in cloud development.
Market Potential
Small and medium-sized companies with limited resources and access to IT are expected to be the greatest beneficiaries in India from the efficiency gains promised by cloud computing. For these companies, participants expect cloud to facilitate more efficient delivery of services to "bottom of the pyramid" consumers - one of the key future market potentials in emerging economies.
Industry Participant, New Delhi Workshop, November 2010
Similar efficiency gains could also improve public services in India. Some government representatives argued that cloud service models could, in fact, be the only means of delivering certain essential services (such as microtransaction banking, micro-insurance and healthcare) given the vastness of the country, with large remote and poor populations. Other areas of public service that could benefit from the cloud include disaster management and the agricultural sector.
More broadly, providing access to data and computing power to people who would normally be deprived of such resources could unleash significant new innovation.
Specific Challenges in India
The lack of economic returns represents one of the key challenges for the development of the domestic cloud market in India. While many IT companies are engaged in the cloud business, they feel that currently there are insufficient incentives to offer economically sensible cloud models and services to the domestic market, particularly those targeting micro, small and medium-sized enterprises. Hurdles to the adoption of cloud include the limited availability of digitized data and the need to deal with requirements of 28 different states.
In addition, limited and/or unreliable wired and wireless broadband infrastructure hinders access to, and hence development of, cloud services in India. This calls for greater engagement from the government to provide a fertile environment for domestic cloud markets and to engage in public-private partnerships on cloud development.
In terms of regulation, while privacy and personal data protection are not widely established in Indian law, IT companies that export services are keen to have Indian regulation align with European and US data protection frameworks. The development of such a framework in India would assist the industry in competing on an international scale.
Additional implications for Emerging Markets
Overcoming connectivity challenges is critical. The development of mobile-based access in India and other emerging markets will drive the adoption and growth of cloud computing.
Access management is another area in which India is developing promising initiatives. Given the large population base and the huge number of potential cloud users, identification and access management poses unique challenges. India's Unique Identification Card (UID Card) project, which relies on cloud technologies, could be seen as a model case.
9
~LD
EC NOMIC F RUM
C. Business Environment
COMMITTED TO IMPROVING THE STATE OF THE WORLD
Cloud services and business models are still at an early stage of development, but several areas have been identified that are of concern to key stakeholders. They include:
Ensuring Interoperability Interoperability is the ability
of different systems to seamlessly communicate
with each other. Users favour greater interoperability as it allows them to customise their
own solutions by purchasing "best of breed" services from multiple cloud providers and
to move more easily between providers. Governments also favour interoperability as a way of driving competition and increasing the resilience of the cloud system as a whole, especially where the market consists of only a few providers.
However, industry stakeholders are concerned that a premature focus on standardization to promote interoperability could hold back innovation and the evolution of better solutions.
Ensuring Data Portability
Closely related to interoperability is the question of data portability - that is, users being able to move data (or
even complete application stacks) easily among cloud providers. Many users express the fear of being "locked
in" to a single cloud provider if it turns out to be inefficient, time consuming, expensive or impossible to transfer data to a different cloud, or back to their premises. Government stakeholders are also concerned about portability from
the perspective of encouraging competition and building systemic resilience.
However, as with interoperability, industry stakeholders are concerned that an excessive focus on ensuring data portability will limit their incentive to innovate by making it harder for them to differentiate themselves through different architectures and offerings. Concerns about meta-data also complicate efforts to ensure data portability.
Insufficient Reliability of Cloud
Many users perceive that the reliability of cloud solutions
is not yet sufficient for them to trust the cloud with their mission-critical needs. They are concerned about being alerted to planned downtime and having accurate reports about unplanned downtime; having access to their
data slowed by other users creating contention for the provider's resources; and the need for backup strategies in the event of unanticipated crises or a provider going out of business.
Industry stakeholders generally feel that, as the cloud matures, market mechanisms will evolve that allow users to assess providers' reputation and reliability. Nonetheless, there is no consensus among cloud providers on how much information about their reliability they are willing to disclose, and government agencies are not satisfied with the status quo.
Insufficient Commitments to Service Levels
Related to reliability concerns, users note that the kind
of SLAs (service level agreements) they rely on from providers of their on-premises IT solutions do not tend
to be offered by cloud providers, or that what is offered
is insufficient for important applications. Potential users of cloud computing are held back by the lack of clear commitments from providers on such issues as uptime, response times, bandwidth, reliability and security - or by the lack of stipulated penalties if these commitments are not met.
Users also note that the lack of standardized SLAs makes it difficult for them to compare competing services. There were, however, mixed views among industry stakeholders on the feasibility of working towards standardized SLAs, given the great diversity of architectures and users' needs and circumstances.
Relative Maturity of the Cloud Ecosystem
While cloud services are evolving rapidly, many stakeholders express concern about the speed at which other necessary aspects of the ecosystem in which public clouds operate are evolving. Common concerns include:
• The still-widespread lack of understanding about cloud, as potential users do not feel sufficiently informed about the risks and benefits and are nervous about committing to relatively new business models such as pay-as-you-go access to IT
• Future speed, reliability and global availability of the network access required to use public clouds
• Availability of expertise, as there are still relatively few IT professionals globally who are trained to architect cloud solutions
• Current underdevelopment of insurance solutions, which could protect users against problems with the cloud
• Threats to intellectual property from using cloud solutions outside a firewall, as more information and approaches to running a business are externally exposed
10
The Cloud in Context: Geopolitics and Economics
Some of the fundamental issues identified by the project illustrate how sensitive and complex cloud technologies have become at this relatively early stage in their development.
Many stakeholders are concerned by the current dominance of cloud providers based in the United States, because of the potential loss of competitiveness and decreased ability to influence how the cloud operates. This may explain the development of individual clouds in countries such as China.
Some officials are worried that jobs may be lost in private data centres as companies move to the cloud, although most stakeholders agree that, in the longer term, the cloud's net effect on jobs is likely to be positive. The skills issue also comes into play - a country's capacity for innovation could be compromised if its citizens are not sufficiently aware of how to utilize cloud technologies, especially if no local cloud providers exist and if local R&D is limited.
There are also questions about whether national identities, autonomy and sovereignty could be compromised if firms increasingly rely on the same few foreign cloud providers. This reliance is seen by some as potentially a new form of "colonization" .
Finally, it is still far from clear how principles of free trade should be applied in the cloud - whether countries that host cloud data centres have an obligation to provide open access to these centres to customers from other countries, under what terms and with what protections.
Figure 4. Key topics that emerged at the 2010 workshops
Brussels
• Economic and social impacts of cloud
• Interoperability and vendor lock-in
• 3rd party validation & certification
• Secure access & network security
• Industry-led standardization
• Growth-enhancing initiatives
• Clarify (roles, relationships, data location and ownership of data)
• Clarification on application of regulation
• Data privacy & confidentiality
Wahsington, DC
• Education & awareness raising
• Government access to data
• Interoperability & portability
• "Privacy by Design"
• R&D needs
• Quantifying ROI
• Harmonization & Transparency
• Addressing risk
India
• Economically sensible cloud models
• Government-Industry partnersbip
• Government incentive
• Enabling cost (e.g. Infrastructure, utility) of delivery in
emerging markets
• Compliance with int'l regulations on data
• Social change
• India's youth
• Lower concerns about data sensitivity
• Focus on small, micro businesses
11
,
U.K.
• Macro-regulatory framework
• Transparency & trust
• Co-regulation model
• Integrity & reliability
• Accountability
• Concrete security measures
• Interoperability & portability
• Number of actors
What to Do Now? Eight Action Areas
Working from the major issues described in the previous section, the project set out to develop recommendations and identify actions that governments and industry can undertake to accelerate the deployment and adoption of public cloud technologies. While the underlying issues are complex and contentious, eight critical action areas were selected by government representatives and companies - including many of the largest cloud providers and regulators from Europe and North America - and then confirmed in the private session about cloud computing held during the World Economic Forum Annual Meeting 2011 .
1. Explore and facilitate the realization of the benefits of cloud
2. Advance understanding and management of cloudrelated risks
3. Promote service transparency
4. Clarify and enhance accountability across all relevant
parties
6. Ensure data portability
6. Facilitate interoperability
7. Accelerate adaptation and harmonization of regulatory frameworks related to cloud
8. Provide sufficient network connectivity to cloud services As described below, these action areas are put forward as a charter for further engagement among key stakeholders. They are intended to form a cohesive agenda, bringing together several areas in which there are existing but disparate initiatives. We hope this step will lead to industry and government collaboration to further define and implement the necessary actions to move the agenda forward and accelerate the uptake of cloud technologies.
13
1. Explore and Facilitate the Realization of the Benefits of Cloud
Cloud ecosystem participants should dedicate additional resources to understanding the benefits of cloud and accelerating the adoption of innovative applications of cloud technology. Topics include product and process innovation and job creation, collaboration, broad delivery of IP, government effectiveness and efficiency, and other economic benefits.
Underlying many of the issues discussed in the previous section is a sense that the benefits of cloud computing
- beyond those related to
IT efficiencies - are not well understood. This manifests itself as a problem in two
main ways. First, users may be held back from moving to the cloud if they perceive the risks more clearly than the benefits. Second, regulators find it hard to make balanced decisions that are in line with the European legal principle of proportionality if they lack a clear sense of how their decisions could potentially impact the macroeconomic and societal benefits of the cloud as well as the risks. The principle of proportionality argues, among other provisions, that regulation should detract as little as possible from the benefits of what is being regulated.
It is normal enough for any new technology that independent, objective research on its benefits is difficult to find. However, a balanced view of the potential benefits is especially necessary for cloud, given the unique concerns it raises. It would be useful, for example, to have independent and objective research into the potential for cloud computing to facilitate collaboration among multiple and diverse participants in industries such as healthcare, education and complex supply chains, or to deliver cross-border protection of intellectual property rights. In particular, it has been expected for some time that cloud would significantly advance healthcare and education,
and it is important to understand why this has not yet happened.
During the past decade, there has been extensive research on the benefits of broadband, particularly its ability to accelerate GNP growth. This may provide
a model for similar research into the cloud, given its complementarity with broadband access. Such research should focus on the potential for job creation (and loss), looking especially at how small and medium-sized businesses could benefit from access to "best in class" computing solutions.
2. Advance Understanding and Management of Cloud-related Risks
Relevant stakeholders (providers and government) should encourage research into the unique risk drivers in cloud computing and identify potential solutions.
The flipside of clearly understanding the potential benefits of cloud is ensuring that perceptions of risk are also grounded in reality. It
is arguable that several of the stakeholder concerns described in the previous
section apply just as much to the public Internet as to the cloud, where data centres may be protected by security mechanisms that are so sophisticated they actually reduce risk rather than exacerbate it. If concerns are indeed overstated, the development of the cloud would be needlessly held back.
"For the moment, there is very little information on what is going on behind
the scenes in terms of
However, authoritative research is lacking on how serious the risks are for different types of applications and data; how well they
can be managed; and how
security management they relate to broader global
in the cloud." risks such as political issues affecting the movement of information across borders. Collaboration among industry
and regulators on conducting and publicizing such research could educate and reassure users, and help to ensure that government regulation is appropriately targeted.
Industry Participant, London Workshop, December 2010
Risk mitigation strategies need to address the different risk profiles of different types of data, such as personal data and trade secrets. Innovative approaches to managing
risk could include industry players developing codes
of conduct and mutual assistance schemes whereby providers agree to assume responsibility for each other's service commitments in the event of outages or breaches. A better understanding of risks would also facilitate the development of nascent cloud insurance models to offer compensation to customers in the event of losses caused by the cloud.
3. Promote Service Transparency
Providers of cloud services should make available to customers information about how their services are provided and how they perform. This includes letting customers know how data is secured, where data
is stored and/or what jurisdictional provisions apply, how and by whom it can be accessed, and how it can be deleted.
In addition to further research into the benefits and risks, greater transparency (Le. public disclosure) about cloud computing would go a long way towards addressing many of the stakeholder issues detailed above - notably
privacy and confidentiality,
data ownership, security, liability and reliability. Clearer and more easily accessible information about cloud service delivery models and
offers would accelerate the development of the market by improving levels of user trust and facilitating the creation of aggregated services provided by multiple providers.
Greater transparency should
also reduce the risk of excessive regulation that could hinder the industry's evolution. Government stakeholders indicate that as more consistent and comparable information on cloud performance and security becomes available to customers, the less they will
be concerned about the need
to protect less-sophisticated customers through regulation.
"There is a need
to be transparent with regard to roles, relationships, locations and ownership of data." Industry Participant, Brussels Workshop, May 2010
There is an opportunity for cloud providers to take the lead on transparency through developing codes based on shared good practices. Efforts to improve
and standardize reporting are underway, and there is scope
for them to be consolidated. Voluntary certification schemes could also playa role, with cloud
providers asking a third party agency to audit, certify or rate them. Such a move could help to build trust in the cloud and reduce the need for further regulation.
"Transparency is
one of the key requirements: we need to learn to trust cloud services." Industry Participant, London Workshop, December 2010
14
4. Clarify and Enhance Accountability across All Relevant Parties
Industry, regulatory bodies and third parties should collaborate to create and implement more consistent and comprehensive approaches to accountability for how cloud services are provided.
Complementing greater transparency, greater clarity about accountability would accelerate uptake of cloud computing among potential users, who are currently reluctant to entrust mission-
critical services to the cloud. Users want to know who is accountable if service levels are unsatisfactory, if they
are unable to access data they put in the cloud or if it
is accessed by unauthorized persons or government agencies. In particular, users want clarity about accountability for service delivery in situations where providers leverage sub-contractors, get acquired or go out of business.
Efforts to clarify accountability for legal compliance -
such as the development of data privacy and security compliance programmes by cloud users or providers
- are hindered by unclear and sometimes inconsistent regulation. It is therefore important to achieve clarity on whether cloud providers are considered data processors or data controllers, what the respective obligations of both parties are, and which country's laws apply to data when a cloud provider has data centres in multiple jurisdictions. Possible technology approaches to the third point include tagging data with a specific jurisdiction code or encrypting all data before it moves to the cloud (although this is expensive and not foolproof),
As with transparency, government stakeholders indicate that voluntary industry moves to clarify accountability
and establish corporate compliance programmes could reduce the need for regulatory intervention. There is
an opportunity for third-party certification schemes to play an important role, and potential for further industry involvement in existing initiatives such as the Data Privacy Accountability Model, Privacy-by-Design and Binding Corporate Rules. Industry players and government stakeholders need to agree on the extent to which it
is possible to establish general principles regarding accountability, as some cloud providers expressed the view that accountability needs to be negotiated only with individual clients.
15
5. Ensure Data Portability
Cloud service providers should provide ways for users to easily retrieve data they have input to clouds, without an onerous fee and in a timely manner.
The fear of vendor lock-in holds
back many potential users of cloud, while many government stakeholders are concerned about maintaining competitiveness in the cloud market. These concerns are lessened if
it becomes quicker, easier and cheaper for users to move data,
and perhaps applications, between different cloud providers and between user premises and the cloud. Users should be aware, however, that due
to economies of scale in the cloud and particular cloud architectures, it may be economically infeasible to roll back from the cloud to an on-premises solution.
There is potential to achieve greater consistency
and rationalization in the data portability standards currently being advanced by multiple bodies, including the Distributed Management Task Force; over time,
the ambition could be to develop minimum portability standards and common approaches for all cloud providers. Governments have a role in minimizing any regulatory barriers that are faced by efforts to standardize portability.
Work on facilitating data portability also needs to be aligned with work on common approaches to data ownership and protection, law enforcement access and liability. Providing meta-data and context information,
in addition to the actual data entered, can significantly increase the options available to customers.
~LD
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
Additional Action Areas
In addition to the eight action areas detailed in this report, several additional actions were discussed but did not receive sufficiently widespread support to be included in the final list of action areas. These are:
Foster education for cloud users
Governments, the cloud computing industry (and other industries that can benefit from cloud), academia and institutions of higher education, and small businesses share an interest in fostering education and awareness among potential users of cloud services on ways to leverage cloud technologies. "Use cases" could illustrate more complex scenarios. Familiarizing labour pools with cloud technologies should enhance national economic competitiveness by ensuring that industries that stand to benefit from the cloud do not fall behind in taking advantage of it.
Promote R&D for privacy and security enhancing technologies
Providers of cloud services should collaborate with each other and with government stakeholders to invest in research to advance the protection of privacy for users through the reinforcement of existing procedures and creation of new architectures and systems. This applies in particular to identity and access management, data encryption, data deletion, and addressing causes of failure and security loopholes.
Improve SLAs
By working to evolve clearer and more standardized service level agreements, industry players can address user concerns about being unable to make informed decisions. As governments are also concerned that users of cloud should be able to understand and take responsibility for their choices, industry action could pre-empt regulatory intervention. More stringent SLAs will also allay user concerns about entrusting mission-critical solutions to the cloud.
Adopt Cloud
Governments can continue to support the use of public cloud and playa significant role in the general adoption of cloud by driving the need for industry to create government-ready solutions. The adoption of cloud by governments also increases user confidence and may facilitate regulatory processes and harmonization. For example, US Federal Chief Information Officer Vivek Kundra has released the Federal Cloud Computing Strategy in 2011 , which calls for about one-quarter of federal IT spending, or US$ 20 billion, to be committed to cloud systems. Additionally, under the US Cloud First programme, agencies will be required to move three services to the cloud within 18 months; adopt a cloud model wherever feasible; and evaluate cloud options before making investments.
Pursue new approaches to regulatory harmonization
Additional suggestions mentioned in this context that did not achieve broad agreement, included:
• Adapt WTO frameworks to create a cloud "trade body" to address data policies and help stakeholders formulate and agree upon policies needed for digital services
• Create a broader, voluntary "safe harbour" programme with the understanding that, once a company commits to it, the commitment will be legally binding
• Create a "Cyberpol" or world court that would act as a central, global body to pursue non-compliant providers, criminals and, possibly, rogue states
16
6. Facilitate Interoperability
Industry players should pursue the evolution of cloud offerings with the goal of facilitating interoperability among multiple (private and public) clouds. This
will accelerate the growth of the overall cloud ecosystem.
There has been notable progress recently in developing offerings that allow users
to customize their own solutions by simultaneously using services from multiple cloud providers. As with data portability, every step towards greater interoperability helps to address stakeholder concerns about competitiveness and
lock-in. It may also accelerate innovation and help address challenges related to data privacy and security.
As the cloud industry matures over the coming years, interoperability will need to be accompanied by the evolution of clear accountability frameworks, commitments to commonly defined service levels and broad adoption
of standards. Large industry players, including savvy and demanding customers such as governments, can help accelerate this maturation process - for example, through encouraging visible research and pilot projects.
Fostering cloud interoperability will also likely extend to a broad range of ecosystem players, including providers of connectivity and application developers, who will need to adopt relevant architectures and provide enabling services such as highly reliable cross-cloud connectivity.
17
7. Accelerate Adaptation and Harmonization of Regulatory Frameworks Related to Cloud
Governments worldwide should adapt and harmonize regulations relevant to cloud with the aim of improving their applicability and reducing divergence across jurisdictions, while considering the maturity of the overall industry.
There is widespread frustration among stakeholders about the regulatory environment for cloud computing, especially in the areas of data privacy and security. Regulations are often inconsistent, conflicting and difficult to apply for users and providers operating
globally. This holds back users from moving to the cloud, as they fear regulatory provisions are insufficient to protect their data from being unduly accessed by law enforcement or retained by providers. And when regulations effectively force data to remain within national borders - either directly by imposing restrictions on data transfers outside the jurisdiction,
or indirectly through a lack of cross-jurisdictional
alignment - they hold back cloud providers from realizing improvements that come from achieving scale through multiple locations.
As a long-term goal, governments "Industry could
may wish to explore a "macro- take the initiative
regulatory framework" that will
be more adept at keeping pace with rapid technological change. Options include a "co-regulation" approach, whereby industry takes the lead in identifying necessary provisions and governments
take a policy and oversight role. This would imply achieving a harmonized approach to the
underlying principles that guide regulation, which currently differ among jurisdictions - notably through the US's sectoral approach to data privacy regulation and the EU's more universal one. Minimum regulatory standards are not a solution - they are often not sufficient to reduce complexity, as they do not stop countries from introducing additional provisions.
for a cloud 'code
of conduct' and regulators could then review it."
Government
Representative,
World Economic Forum Annual Meeting 2011
As a step in this direction, governments should continue to dialogue with providers to better understand the impact of regulatory interventions. Data protection authorities
can play an important role in interpreting and harmonizing legal frameworks to more effectively meet user and provider needs for clearly understandable and authoritative guidance about their respective responsibilities, the protections accorded to them, and the recourse available in the event of breaches.
~LD
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
8. Provide Sufficient Network Connectivity to Cloud Services
Industry, government and relevant agencies should identify connectivity requirements for cloud services (wired and wireless) and promote the commensurate deployment of networks across the world.
To be able to use
cloud computing with confidence, users
need easy access to the cloud. They need guarantees about the speed, reliability and robustness of networks, both fixed and mobile. In particular, in an
environment where market needs maybe moving faster than the technology, users need to be confident that current telecom investments will be sufficient to support future services.
Governments have a role in promoting better connectivity in all markets, especially in emerging and developing countries where the issue may be more acute. Policy initiatives that could serve as examples include the Europe 2020 broadband targets and the European Commission's Digital Agenda pillar on ultra-fast broadband.
"Large businesses
do not have a
strong grasp of
their dependence
on Internet-based services, which will increase with cloud. Many of the issues around access to
the cloud relate to maintaining continuity of the network." Industry Participant, Washington DC Workshop, November 2010
Given that cloud computing uses data centres that need
to be able to handle massive amounts of traffic, the planning of networks and data centres needs to be coordinated. Developing a framework describing what services can be provided with various levels of connectivity could also help national governments promote and prioritize investments
that will sustain future growth opportunities. Not much research currently exists on this topic.
18
Project Outcomes: What Is Next?
Cloud computing is at a
pivotal point of development. As it becomes a critical element of the IT landscape, there is much expectation
that its potential economic
and social benefits could
rival those of the Internet or mobile technologies, but also much uncertainty. Experience of previous waves of technological change suggests that now is the window of opportunity for industry and policy-makers to collaborate, encourage business adoption and find ways to reconcile
the natural conflict between letting an innovative set of technologies mature and protecting users and citizens.
This report set out to identify the issues that need
to be addressed to move the agenda forward and
areas of action that all agree could enable the healthy development of cloud technologies. While valuable
work is underway on many of these issues (such as standards and security) the project aims to address
more cohesively the bigger picture and the possibility
for a broader common agenda. To do this, the project
has brought together key stakeholders from industry, governments, international organizations and academia to prioritize their concerns and explore potential solutions.
"After two years of intensive work on cloud issues, the World Economic Forum has done
a great job in bringing together a lot of expertise and experience. And it is a timely exercise indeed."
Neelie Kroes, VicePresident of the European Commission responsible for the Digital Agenda Towards a European
Cloud Computing Strategy, World Economic Forum Annual Meeting 2011
"Stakeholders' willingness to overcome the barriers depends on their assessment of cloud-
The eight action areas described in this report encompass broadening awareness and understanding of the benefits and risks of cloud, promoting service transparency, harmonizing regulatory frameworks, clarifying accountability, facilitating system interoperability
and data portability, and ensuring sufficient network connectivity. They received broad support from industry and government leaders taking part in a private session on cloud computing at the World Economic Forum Annual Meeting 2011 .
related benefits."
Industry Participant, London Workshop, December 2010
Figure 5. Action areas
1. Explore cloud benefits
2. Understand & manage cloud risks
3. Promote service transparency
4. Clarify & enhance accountability
5. Ensure data portability
6. Faciliate interoperability
7. Adapt & harmonize regulation
8. Provide sufficient connectivity The aim of these action areas is not to offer prescriptive solutions, but to suggest a charter for further engagement among industry and governments. The eight action areas are already being used as the basis for multistakeholder collaboration in multiple contexts, such as feeding into a series of meetings between industry leaders and EU Commissioner for the Digital Agenda Neelie Kroes on cloud regulation and harmonization, announced at the Forum's Annual Meeting.2
An especially promising avenue for government-industry collaboration could be the initiation of experimental
pilot deployment programmes to generate and document empirical evidence on the positive social and economic impacts of the cloud. Such studies could
help counterbalance concerns about cloud computing, which are magnified by their overlap with broader contemporary worries such as national sovereignty, cybersecurity and the health of the Internet.
Other potential collaborative actions could include: • Industry investing in research into systemic security risks and costs and how to
collaborate on areas such as encryption
• Service providers reaching agreement on common best practices for transparency
• Telecoms providers working to identify connectivity requirements and investment needs by geography
Cloud computing is set for rapid acceleration around
the world. We hope that the framework described in this report has provided a common language and a shared set of priorities for industry and governments to continue to address common issues in a constructive way, leading to a wider and more effective uptake of cloud solutions.
19
2. http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/50
About the Research
Project Background
This report is part of the World Economic Forum's research study, Exploring the Future of Cloud Computing. It was mandated by the IT Governors at the World Economic Forum Annual Meeting 2009 in Davos-Klosters, Switzerland.
Two objectives for the research were defined:
• Develop an understanding of what is needed to steer the healthy development of both public and private cloud computing environments
• Develop a set of industry and public policy action areas that could help mitigate the uncertainties and accelerate the benefits of cloud computing
Consequently, the project was divided into two phases:
I. The first phase focused on consulting with a wide range of relevant stakeholders (IT industry, corporate buyers
of IT, government regulators, investors, academics, journalists and others) through workshops, surveys and interviews to obtain their views on the potential impacts of cloud computing - on business, society and the global economy. A key research tool was an extensive survey that Accenture designed and developed on cloud computing. Collecting a wide range of highly informed views enabled us to identify the key drivers, enablers and barriers in cloud computing.
Phase I outcomes:
Report: http://tinyurl.com/wef-2010report Video: http://tinyurl.com/wef-201Ovideo
II. Based on the findings of the phase I report, phase
II focused on developing action areas and identifying actions that governments and industry can undertake to accelerate the deployment and adoption of public cloud technologies (this report).
Figure 6. Project timeline
2011 Annual Meeting, Davos
Industry/ government consultation
Slough (UK) workshop
Washington DC workshop
New Delhi workshop
Industry! government consultation & issue tool
Europe Summit, Brussels workshop
2010 Annual Meeting, Davos
Cross-government call
~o
EC NOMIC F RUM
Brussels workshop
EXPLORING 111E FUTlJRE OF CLOUD COMPUTING:
RIDING nlE NEXT WAVE OF TECHNOLOGY·DRIVEN TRANSFORMATION
IES New Delhi workshop
AMNC Dalian workshop
Tokyo workshop
San Francisco workshop
2009 Annual Meeting, Davos
21
Phase 1 - Phase 2 -
~LD
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
Figure 7. Project process and outcome
Input
Phase I Input and Report, Cloud Constraints and Barriers
Initial Prioritization Issues That Affect Cloud Deployment In The Next 3 Years
Issue Tool Collation of Skateholder Priority Issues
Analysis & Solution Development Draft Action Areas
Davos Governors Gession
Output
Action Areas and World Economic Forum Report
Definition of Cloud Computing
There are probably as many definitions of cloud computing as there are opinions about its future. To date, there is
no definition that is agreed upon in most quarters. The definition we used in this project came from the University of California at Berkeley: "Cloud computing refers to both the applications delivered as services over the Internet and the hardware and systems software in the data centres that provide those services."
Clarifications: Access to the cloud can be provided via multiple technologies (Internet or other) and services can include processing, storage, access to applications and business processes.
Deployment models relevant to this project:
• Public cloud - sold to the public, mega-scale infrastructure (e.g. Amazon, Google)
• Hybrid cloud - composition of two or more clouds where one might abstract applications or services through a combination of in-house infrastructure and/or reaching out to multiple clouds
• Community cloud - a shared infrastructure for a specific community (e.g. healthcare)
Note: Private clouds (ones that an enterprise owns or leases) are not included in the scope of phase II of our project
Examples of types of cloud cornputinq:"
• Process/Industry clouds
• Application clouds (SaaS)
• Platform clouds (PaaS)
• Infrastructure clouds (laaS)
Figure 8. A possible hierarchy of cloudbased offerings
..
..
..
..
..
..
..
..
Characteristics of Cloud Computing
In the absence of a commonly accepted definition of cloud computing, enumerating some characterlstlcs' often associated with cloud computing may help to clarify how the term is commonly used and understood:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
• Massive scale
• Virtualization
• Resilient computing
• Low-cost software
• Geographic distribution covering multiple jurisdictions
• Multiple accountabilities
• Service orientation
• Advanced security technologies
3. "Cloudrise: Rewards and Risks at the Dawn of Cloud Computing", Accenture, Jeanne G. Harris and Allan E. Alter, November 2011
4. "The NIST Definition of Cloud Computing", Peter Mell and Tim Grance, October 2009
22
Acknowledgments: Partners and Contributing Organizations
Industry Accenture
Akamai Alcatel Lucent
Telefonica Tibco Wipro
EMC
Governments and Agencies European Commission
European Data Protection Supervisor (EDPS) European Network and Information
Security Agency (ENISA)
Confederation of Indian Industry (CII)
French Data Protection Authority (CNIL) German Ministry of Economics and Technology German Ministry of the Interior
Indian Department of Information Technology Indian Department of Micro, Small
and Medium Enterprises
NASSCOM India
Japan Ministry of Internal Affairs and Communications Organisation for Economic Co-operation
and Development (OECD)
UK Cabinet Office
UK Department for Business, Innovation and Skills (BIS) UK Office of Cyber Security and Information Assurance US Department of Commerce
US Federal Communications Commission US Federal Trade Commission
US General Service Administration
US Office of Management and Budget
AT&T
Bitcurrent BMC Software BTGroup
CA Technologies Capgemini Cisco
Colt
ComScore
CSC
Cyber Risk Partners Dell
Deutsche Telekom
Forrester Fujitsu Google
HCL Technologies HP
Huawei Technologies Infosys Technologies Intel
Juniper
Kudelski
Lenovo
Lockheed Martin McAfee
Mahindra Satyam Microsoft
Academia
Berkman Center for Internet and Society, Harvard University, USA
Brookings Institution, USA
Centre for Commercial Law Studies, Queen Mary, University of London
Centre of Excellence in Information and Communication Technologies, Belgium
Complutense University of Madrid, Spain Georgetown University, USA
International Institute of Information Technology Bangalore Rand Europe
Research Center on IT and Law, FUNDP Namur, Belgium An additional thank you goes to the Accenture Australia creative services team, to the Forum editing team and to the writer, Andrew Wright.
Nasdaq NCR Corp. Nivio
Orange Business Services Polycom
Salesforce.com
SAP SAS
23
References
~LD
EC NOMIC F RUM
COMMITTED TO IMPROVING THE STATE OF THE WORLD
1. "Above the Clouds: A Berkeley View of Cloud Computing", authored by 11 members of UC Berkeley's division of Electrical Engineering and Computer Sciences, February 2009
2. "Exploring the Future of Cloud Computing", World Economic Forum, May 2010
3. "Worldwide and Regional Public IT Cloud Services, 2010-2014 Forecast", IDC, June 2010
4. "Mind the Gap - Insights from Accenture's Third Global High Performance IT Research Study, November 2010
5. "Cloud rise: Rewards and Risks at the Dawn of Cloud Computing", Accenture, Jeanne G. Harris and Allan E. Alter, November 2011
6. "Where the Cloud Meets Reality: Operationally Enabling the Growth of New Business Models", Accenture, March 2011
7. "The Cloud Dividend", Center for Economics and Business Research, December 2010
8. "Information Assurance Framework", ENISA, November 2009
9. "Cloud Computing Security Risk Assessment", ENISA, November 2009
10. "Towards a European Cloud Computing Strategy", Neelie Kroes, Vice-President and Commissioner for the Digital Agenda of the European Commission, speaking at the World Economic Forum Annual Meeting 2011 , January 2011
11 . "Federal Cloud Computing Strategy", Vivek Kundra, February 2011
12. "The Terms They Are A-Changin' ... Watching Cloud Contracts Take Shape", Simon Bradshaw, Christopher Millard and Ian Walden, The Brookings Institution, March 2011
13. "A Digital Agenda for Europe", European Commission, May 2010
14. EU Data Protection Directive 95/46/EC, October 1995
15. Article 29 Data Protection Working Party of the EU Directive
16. Unique Identification Authority of India (UIDAI) Volunteer Guidelines, 2009
17. "Digital Japan Creation Project (ICT Hatoyama Pian)", Ministry of Internal Affairs and Communications of Japan, March 2009
18. "Privacy and Security in Cloud Computing", Allan A.
Friedman and Darrell M. West, Center for Technology Innovation at Brookings, October 2010
19. "The Economic Impact of Cloud Computing on Business Creation, Employment and Output in Europe", Prof. Federico Etro, Review of Business and Economics, June 2009, Vol. 54, 2, pp. 179-208.
20. "The Economics of Cloud Computing", IUP Journal of Managerial Economics, February 2011, Vol. IX, 2, pp. 1-16
21. "The NIST Definition of Cloud Computing", Peter Mell and Tim Grance, October 2009
24
COMMITTED TO IMPROVING THE STATE OF THE WORLD
The World Economic Forum is an independent international organization committed to improving the state of the world by engaging leaders in partnerships to shape global, regional and industry agendas.
Incorporated as a foundation in 1971, and based in Geneva, Switzerland, the World Economic Forum is impartial and not-for-profit; it is tied to no political, partisan or national interests. (www.weforum.org)