EuroCloud Europe. Key success factors for trustworthy Cloud Adoption in the EU. 16-JUNE-2015 Riga Andreas Weiss. Trust in Cloud

Transcription

1 EuroCloud Europe a.s.b.l EuroCloud Deutschland_eco e.v. EuroCloud Europe Key success factors for trustworthy Cloud Adoption in the EU 16-JUNE-2015 Riga Andreas Weiss

2 European Activities Expert Groups in EuroCloud countries Special local law and regulation per country Quality Assessment (ECSA) Digital Agenda Cloud Select Industry Group SLA Code of Conduct Certification Cloud Certification Cloud Risk assessments Cloud Security Guide for SMEs Cloud Resilience Cloud Standards Interoperability SLA

3 How to meet expectations? Targeting the SME market Transparency of Cloud Services (Security, Data Privacy and Compliance) Assessment of trustworthy Cloud Services

4 Luise / pixelio.de SarahC. / pixelio.de The impact of Cloud Computing Cloud Computing is a game changer Cloud Computing addresses a global market A huge shift from on premise to outsourced services Key expectations... and affects all business lines in terms of: application portfolio IT resourcing IT and Service Management Mobile workforces delivery channels customer interaction new opportunities massive international outreach connects digital markets incubates innovation in various sectors dominated by global players with large investments for infrastructure development and applications business processes analytics modernisation business process optimisation cost reduction being competitive new markets flexible workplaces

5 What is the real Cloud adoption rate? We see a great variety of adoption rates. The key questions is: who, how many and what we are asking! Using mail services in the cloud is not a real indicator.to get insight in digital readyness, we have to establish a maturity model! (Nov 2014)

6 The Cloud Status Quo in Europe Major concerns about data privacy and data security in cloud based services No single digital market (data privacy, tax, ) In fact we are talking about the next level of digital enterprises but the base concept is not understood yet! EU initiatives not harmonized with national initiatives The majority of European SMEs needs support to define their go to cloud and go to market strategy

7 Digital Single Market Strategy 3.4 Reinforcing trust and security in digital services and in the handling of personal data 2.5. Reducing VAT related burdens and obstacles when selling across borders 4.1 Building a data economy 5.Delivering the digital single market 4. Maximising the growth potential of the digital economy

8 Gerhard Giebener / pixelio.de The SME market SMEs are concerned to keep control of their business and their data They do not see sufficient evidence on the effectiveness of Cloud Computing in their business Demand: No trust due to lack of transparency; the terminology is unclear and not understood. Supply: They have to comply with local regulation, whereas global suppliers have various options to pass by.

9 Five key issues EU providers are bound to local regulations whereas global players can pass by Lack of transparency Adequate data privacy and data protection and overall security Vendor Lock In same rules for everybody in the European Market vendor listings with appropriate assessment of the full service chain certification for cloud services with appropriate scope portability strategies and standardisation 5 Legal compliance clear rules for a digital single European market

10 Establish Trust» Despite the obvious advantages of Cloud Computing technology, many companies and institutions retain a wait and see attitude as potential customers and users» If people as a result of too much complexity are no longer capable of making a real verification, they fall back on symbolic implications like certification, success stories, reputation,

11 A joined European approach Form a group of stakeholders to establish appropriate trust mechanism Define requirements to be awarded as Trusted Cloud Service Provider Rise awareness and provide show cases and best practices Build an eco system of Consultants and Trainers to educate and support the market with tools and services.

12 The German approach as a sample Trusted Cloud Initiative by the Federal Ministry of Economic Affairs and Energy Trusted Cloud Competence Network as joined force build by associations (provider and user), governmental organisations and interested parties Trusted Cloud requirements (Legal, DPA, Security, ) Control Framework (based on EuroCloud Star Audit) National specific requirements I am using cloud to be agile be competitive be attractive I want to scope on my core business access new markets reach new clients Train supply and demand side on relevant aspects of cloud computing and provide ongoing guidance

13 The seal Trusted Cloud will promote the use of cloud services Promoting the use of cloud services with focus on SME sector through transparency and legal certainty Improving the competitive position of cloud service providers Starting in Germany but considering existing initiatives in other countries in order to build a blueprint for a pan-european seal

14 Draft Trusted Cloud Seal Management Cloud- Service User Cloud Services Catalogue Information to sealed services Management of Seals Application processing Approval processing Self-test Online Application Seal Approval Cloud- Service Provider Help, FAQ Sealed Cloud Services Seal Trusted Cloud Criteria Knowledge Base Help, FAQ Process of Accreditation Accreditation Accredited Control Orgs Application processing Application brokerage Cloud-Service Control organizations

15 TiC (trustincloud.org) Web and print Campaign Use cases and best practices

16 ECSA (eurocloud-staraudit.eu) Training package Control catalogue Further guidance Academy for consultants and trainers Self assessment service, 3rd party audit certification

17 Key areas to be addressed Provider Service description Juridical contractor and ownership structure Owner and locations of the data centers Contract Applicable law Transparency about all contracts Data protection requirements Data Control Regulations in case of service interruption or insolvency Subcontractor involvement

18 ... selection of cloud services and their providers Privacy and Security Implementation of the technical and organizational measures for data protection Implementation of security against unauthorized data access Protection against cyber attacks Datacenter Security of supplies Area Security and access control Emergency plans Operational Processes Service quality Capability for SLA fullfilment Services specific checks IaaS,PaaS, SaaS Isolation of services and data Support services Portability

19 What next for cloud security? Audit & Certification? Audit? Audit Years

20 Dynamic Certification of Cloud Services Hypotheses: It is possible to evaluate critical requirements of a certificate automatically. A completely automatic certification for dedicated test steps is possible. Automatic test steps can help to prove fulfilling requirements regarding quality, data protection and data security ensuring legal compliance. Certificate requirements (checklist) Results & Reports (e.g. Dashboard) Checklists (requirements of all certificates) Automatically verifiable technical requirements Detection rule set Analyse & Validate (e.g. CEP) Metric 1 (with threshold) Metric N Monitoring System Technical requirements but not automatically verifiable User, Auditor

21 Security in the cloud age a perimeter security concept does not help anymore cyber threads are growing very fast BYODevice and BYOService are introducing unknown risks IT Security must be pro active, not reactive Hybrid IT and dynamic audit each critical system and data storage has to be secured individually ongoing large investments against attacks like malware, DDoS, establish policies and measurements to identify risks ongoing monitoring and detection of abnormal behavior integrated monitoring of On Premise and Cloud IT

22 Security in and by cloud Professional Cloud Services are much more secure than the majority of On Premise IT Raising security effectiveness due to cloud services Security in the cloud: It is the key business of a cloud service provider to secure the systems and the data. Security by Cloud: The prevention against DDOS and Malware is most effective by cumulated cloud based intelligence and IT/communication ressources.

23 Conclusion Establish Trust is the key challenge and it will not happen without a clear action plan The establishment of joined trusted stakeholder groups who are capable of taking care of all the complex questions is highly relevant Transparency and comparability We all have to work towards a European Digital single market with respect to the European values, data privacy is a fundamental right and not protectionism of cloud provisioning is a primary goal

24 Thanks for your attention! Andreas Weiss Managing Director EuroCloud Europe Director EuroCloud Deutschland_eco e.v Wir gestalten das Internet

25 About EuroCloud 21 Countries +various Candidates Network of cloud specialist More than 1000 members companies throughout Europe Targeting the entire Cloud eco System (Cloud Service Provider and Customer) Areas of activities for Users Standards and Interoperability Single European digital market Link the European Cloud Industry Research and Innovation Start Up incubation and ISV transformation

26 Key areas to be addressed Area Control Goal Provider Contract Service description Juridical contractor and ownership structure Owner and locations of the data centers Applicable law Transparency of all contracts Data protection requirements Data Control Regulations with service interruption or insolvency Subcontractor Clarify the functional requirements related to the company's needs Examination of the possible influence by controlling shareholders Clarification of data locations and involved subcontractors Examination of location as legal entity in case of possible dispute Contracts are available in full in advance and changes in the current contract are subjects to approval Compliance with the prescribed by the BDSG formal requirements Utilisation rights of data are held exclusively by the customer. There are clear rules that guarantee an adequate repatriation of data at any time Naming all the subcontractors and agreements at change during the term involved in the service provision and their commitment to the privacy regulations

27 ... Selection of cloud services and their providers Area Control Goal Privacy and Security Implementation of the technical and organizational measures for data protection Implementation of security against unauthorized data access Protection against cyber attacks The specifications according to local DPA contractually regulated and implemented proven Safety recommendations according to ECSA, CSA, ISO Safety recommendations according to ECSA and ENISA Datacenter Security of supply Areal Security Redundancy for power, cooling, network connectivity Adequate controls against unauthorized system access Operational processes Service quality Services specific tests IaaS, PaaS, SaaS Isolation Proven implementation of service-related business processes (ITIL) and SLA compliance Measures to delimitation of areas for clients dedicated technical infrastructure and data areas