IGF 2010 - Day 3 - #IGF10 #WS136

I started my third day at the IGF with a workshop on cloud computing and security problems in cloud computing applications.

The debate started with an overall presentation of what cloud computing is and how it works. The definition given was that cloud computing means moving a computing or storage function away from locally controlled components onto someone else’s servers (that is, in the cloud).

Then the discussion moved to the benefits brought by cloud computing to the end users (be they companies, governments or individual users). For example, it was mentioned that the cloud provides resources very rapidly deployed and easily scaled. Another speaker mentioned that the cloud offers businesses the possibility of saving money while improving reliability of their stored data. Also, cloud computing allows start up companies to compete with much larger companies. Other reasons for choosing cloud computing services would be: reduce costs, faster deployment time, increased efficiency, increased flexibility and choice, enhanced security and

better customer services.

At the same time, it was outlined that, while users can benefit from the cloud computing, there are also risks (e.g. to privacy, to free speech) that have to be taken into account. Some questions were raised in this respect: What privacy laws apply to the cloud? Where is the users’ data located? Who can have access to such data? All these questions suggest that cloud computing is perceived as lowering security and that, in users’ view, the cloud computing provider is the most responsible for security.

Answering to a question on whether cloud computing resources are evaluated for security prior to deployment, one speaker pointed out that there are no standards for assessing security for cloud providers.

One solution to these privacy concerns would be for governments to enact strong(er) privacy rules, so that users can have confidence in cloud computing services, knowing that their data will not be accessed arbitrarily/unlawfully. But national/international regulation is hardly enough; public-private cooperation is needed for enhancing security in the cloud. As privacy and security practices of cloud computing services providers often are not transparent to the users, these providers should cooperate with other relevant stakeholders (consumer groups, data protection authorities) on how to educate users on privacy and security matters.

There was consensus among speakers on the fact that there is a need for a harmonized and coherent legal regime to govern the flow of data. Also, the sovereignty issues in the cloud must be resolved through common approaches to jurisdiction; thus, it was outlined that there is a need for a multilateral framework to deal with the

cloud sovereignty issues. Though I am having some difficulties in imagining how such a multilateral framework would be agreed upon, I think such a debate would be at least interesting (should it ever really start).

A great concept brought into discussion during the workshop was that of “data portability”: ensuring the fact that users do not have to be locked with one cloud computing provider, but be free to move their data to another provider, anytime they want, with minimum costs/implications.

Another issue raised was that many Internet users do not have a basic understanding of what cloud computing is. This reality was illustrated by one of the speakers with the example of Yahoo Mail and GMail: if you ask users whether they use these e-mail clients, they would most probably answer “yes”, but when you ask them what cloud computing is, they say they have no idea.

One interesting question coming from the audience was whether it is realistic to believe that governments would agree for their records to go into a cloud located outside the country. The answer was that when services are provided to governments, they expect that their data is to be located in the country. However, the problem would not reside in the location of the data stored, but rather in the services used for securing the data.

The conclusion was that the biggest challenges for cloud computing is ensuring the availability, integrity and confidentiality of data.

I kept for the final of this post two quotes from the speakers:

“If the mobile phone has succeeded, why wouldn’t cloud computing?”

“There is no reason why cloud computing is less secure and less private than other Internet services. Less secure compared to what?”