European Cloud Computing Strategy

Dr Ken Ducatel DG CONNECT

What is at stake?
Cloud as a growth engine
Business creation: Boosts productivity and efficiency:

Boost GDP :

940 bn cumulative impact for 2015-2020 250bn in 2020

400.000 new SMEs

2/4/2014

Up to 90% of cost savings for public administrations and private companies

Potential for job creation:

3.8 million cloud-related jobs

Almost all users see cost savings peaking at 10-20%

30% 25%

Cost Savings

20%
15% 10% 5%

0%

1% to 4%

5% to 9%

2/4/2014

10% to 20% to 30% to 50% or We have Too 19% 29% 49% more seen (or early to expect tell to see) a cost increase

Don't know
3

But.... Need for Trust, Regulatory Certainty and Openness

Legal jurisdiction Security and data protection Trust Data Acces and Portability

4 2/4/2014

Barriers Analysis: Clustering

Indicator 1 - Assessment of cloud relevance
Data Jurisdiction /location Security/ Trust

Average Impact Indicator*

0.72 0.58 0.70 0.70

Legal Jurisdiction Data location Security& data protection Trust

1.00 0.71 0.93 0.86

Interoperability and Tech Transparency

Data Access and Portability Change control Ownership of customisation

Local support

0.79 0.45
0.36 0.54 0.27 0.09 0.18 0.00

0.66 0.33
0.61 0.42 0.84 0.45 0.17 0.22
5

Business

Evaluation of Usefulness Local language

Industrial policy
IDC 2012
IDC

Slow Internet Connection Tax incentives on capital spending

* Average Impact Indicator: Average of Indicators 2, 3, 5, 6. Indicator 4 included in indicator 5.Feb-14

Cloud computing services: public sector drivers and draggers

New demands: Mobility, BYOD, etc Cost caps Scalability Technology Standards

Budgeting & costs

Capital caps Audit

Drivers Draggers

Interoperability Reversability

Security worries
Data location

Contracts Legacy apps, etc

Legal compliance

The Cloud Computing Strategy

Cloud strategy's key actions

Groups working on implementing the strategy

ETSI: Cloud Standards Coordination
Launched on 4-5/12/2012

The European Commission's strategy 'Unleashing the potential of cloud computing in Europe'
Adopted on 27 September 2012, it is designed to speed up and increase the use of cloud computing across the economy

Cutting through the jungle of technical standards

The Cloud Select Industry Group on Certification Schemes Launched on

21/02/2013

Development of model 'safe and fair' contract terms and conditions A European Cloud Partnership to drive innovation and growth from the public sector.

The Cloud Select Industry Group on Launched on Code of Conduct

10/04/2013

The Cloud Select Industry Group on Service Level Agreements Launched on

21/02/2013

The Cloud Computing Contract Group

Steering Board

Launched on 19/11/2013

Launched on 19/11/2012

The European Cloud Partnership

Cloud for Europe
To be launched In 11/ 2013

Progress

Key action 1: Standards mapping by ETSI Cloud Standards Coordination Conference Brussels 11/12/2013 List of certification schemes ENISA list and meta-framework mid 2014 Pilots 2014 Key action 2: Cloud Service Level Agreements - Draft Templates mid 2014 Code of conduct (data protection) Stable draft Feb 2014, to Art 29 WP, endorsement during this Commission Cloud Contract Group first results mid 2014 Key action 3 Cloud 4 Europe project Official launch 14 November 2013 Pre-notice April, tender early summer 2014 2/4/2014

Cloud Standards Mapping

Launched in December 2012 Workshop in Cannes, co-organized by EC, 200+ participants Definition of work structure: 3 TGs, a coordination group (reference) TG1 for definition of Roles and TG2 for collection of Use Cases TG3 in charge of Use Case Analysis and Production of the Report

ETSI Support: Laurent Vreck

ETSI @ CSC Workshop 10/12/12013

Identified EXISTING Certification schemes

Cloud Security Alliance Open Certification Schema

Initial Evaluation
Data security: recognized standards/schemes, but only few fit for cloud purpose Data protection: no recognized standards/schemes yet Lack of transparency about some schemes (recognition, scope, added value, etc.) No one-stop shop in EU

SOC / ISAE 3402 / SSAE16

ISO 27001 LeetSecurity Rating ISACA - COBIT Europrise Eurocloud Star Audit TV Rheinland ISO 20000 / ITIL PCI-C

Cloud Industry Forum Code of Practice

Fisma

Solutions
Listing certification schemes
Anything can get on the list Characteristics that can be objectively assessed/discussed Who governs the scheme, who audits, what is the standard A process for adding/updating schemes
Meta-framework to be developed by ENISA Part of ENISAs WP for 2014 High level security objectives Detailed auditable security measures Security measures divided in levels Mapping to existing schemes Close collaboration with CERT-SIG First draft due mid 2014 Pilots ECP?

SLAs: Creating A Common Vocabulary of Understanding

Purchasers Dilemma Cloud Contracts are not comparable and use different definitions I dont know which Cloud Delivery Options are right for my specific need I dont know if I have considered the most important aspects for this contract SIG SLA Support Template SLAs and Terms and Conditions Cloud Decision Flowchart

Cloud Contract Checklist

Code of Conduct on DP: Background

Directive 95/46/EC art 27 encourages adoption of codes of conduct and their endorsement by art 29 Working Party

EC Cloud Computing Strategy of 29-09-2012

Work with industry to agree a code of conduct for cloud computing providers to support a uniform application of data protection rules which may be submitted to the Article 29 Working Party for endorsement in order to ensure legal certainty and coherence between the code of conduct and EU law.
14 Oct 2013 CSIG Plenary

Data Protection Code of Conduct

Code of Conduct Working Group 1st meeting 10 April 2013 Under DG Connects Cloud Select Industry Group Continuous drafting until end of August Work progress WP29 Technology subgroup presentation on Sept 5th, Observation of WP29 TS on Sept on principles for the CoC on Sept 17th Cloud-Select Industry Group plenary on Oct 14th CoC group plenary session on Oct 21st Set up drafting team to produce second draft by end of year Stable draft for February 2014 for presentation to WP29 in March Aim for endorsement before end of this Commission
CSIG Plenary

14 Oct 2013

 Key action 3 European Cloud Partnership

European Cloud Partnership Steering Board Cloud 4 Europe project

2/4/2014

15

EU approaches to Public sector cloud adoption: 3 main emerging Models

Country Procurement and marketplace Model Resource Pooling Model Standalone applications Model Yes Yes Yes (marginal) Yes Yes

UK Italy Germany Denmark France Netherlands Portugal Spain Belgium Austria

Yes

Abandoned
Yes (but limited) Yes Yes Yes (project) Yes Yes Yes (long-term future)

Yes (future) Yes Abandoned

Yes (future)
16

Public sector & policy barriers

Privacy and security are common barriers addressed but stressed at different levels Other: Regulatory issues (e.g. requirements for sharing data between administration in Italy - rigidity in EU procurement law (G-cloud)) Technical issues (e.g. lack of maturity of technologies) Financial issues (e.g. assessing real costs of cloud deployment) Adapting SLAs to cloud and public sector Changes in process and ways of working are, if not a barrier, a main challenge in implementing cloud initiative in the public sector: Cloud requires adjustment in ICT management processes, automation of tasks and changes in skills requirements for staff, pulling resources together between administrations used to manage their own bespoke ICT solutions, etc.
17

2/4/2014

ECP Steering Board Membership

Toomas Hendrik Ilves, Chair of Steering Board, President of Estonia Lo Apotheker, former CEO of SAP AG and HP Werner Vogels, Vice President and Chief Technology Officer of Amazon.com Katarina de Brisis, Norwegian Ministry of Government Administration and Reform, Deputy Director General of the Department of ICT policy and public sector reform

Thierry Breton, Chairman and CEO of ATOS

Bernard Charls, President and CEO of Dassault Systmes Aitor Cubo Contreras, Deputy Director General of Programs, Studies and Promotion of Electronic Administration, Spanish Kate Craig-Wood, Managing Director of Memset Ministry of Finance and Public Administrations Christian Fredrikson, President and CEO of F-Secure Jacques Marzin, ICT Corporate Director for France, Direction Corporation interministrielle des systmes d'information et de communication de ltat Michael Gorriz, CIO of Daimler AG and President of EuroCIO Michael Hange, President of the German Federal Office for Information Security Jim Hagemann-Snabe, Co-CEO of SAP AG Vivek Dev, CEO Digital Services, Telefonica Digital Pierre Nanterme, CEO of Accenture Karl-Heinz Streibich, CEO, Chairman of the Management Board and Group Executive Board of Software AG Hans Vestberg, President and CEO of Ericsson Maarten Hillenaar, Government CIO and Director of the central government ICT-policy department, Dutch Ministry of the Interior and Kingdom Relations Reinhard Posch, CIO and Chair of the Austrian e-Government DIGITAL:AUSTRIA, Austrian Federal Government Andrzej Rgowski, Vice-Minister, Polish Ministry of Administration and Digital Affairs 18

Cloud-for-Europe main characteristics PREPARE

RELIABLE, COST-EFFECTIVE CC SERVICES, AND AVOIDING LOCK-IN.
PUBLIC SECTOR FOR PROCURING SECURE,

Funded thru RTD programme. Umbrella initiative: adding to and building on national initiatives best of breed. Inclusive: vehicle for getting a wide range of interested countries on-board through consultation, dissemination, awareness raising and training. Cooperation public sector-industry through precommercial procurement.
2/4/2014 19