The Eurosceptic guide to cloud

Opinion Davey Winder Nov 20, 2013

European initiatives on cloud will come to nothing - security is not to be sorted out by bureaucrats

When politicians and techies got together last week in Berlin to talk about the future of some kind of European cloud strategy, there was little doubting that security would be at the top of the agenda. Where the S-word appears the T-word surely follows, and hot on the tails of 'trust' in any cloudy-political conversation you will find talk of standardisation and regulation.

It's not that I'm anti-regulation when it comes to the cloud per se, but you can stand me in the Euroscepticism camp as far as where the enterprise focus should be in matters of data privacy and security; and it sure ain't Brussels, or Berlin for that matter.

During the Cloud for Europe Conference (and the meeting of the European Cloud Partnership Steering Board), a whole bunch of politicians and techies got together and asked the question "how can we provide security and build trust in cloud technologies in the face of the current spying scandals?" Unsurprisingly, the consensus was anti-centralisation and pro-federalist, with local, national and regional initiatives being pushed.

Neelie Kroes, Vice President of the European Commission, insisted that we "need trust if we want to build an open cloud market that does not stop at regional or national borders", while the chair of the European Cloud Partnership Steering Board (and President of Estonia) Toomas Hendrik Ilves argued EU member states need to "ensure a safe system for the citizen that can fend off any kind of malevolent attacks, protect everyone's online identity and ensure data integrity." The usual mix of political rhetoric and some buzzwords thrown in by special advisors who may actually know something about IT (or may not). You may think: nothing to worry about here, it's more of the same old same old. Which it was, and which is precisely why it *is* a cause for concern in my never humble opinion. In fact, my concern can be summed up after listening to the words of State Secretary Cornelia Rogall-Grothe, IT commissioner of the German Federal Government, who banged the 'internationally accepted and agreed cloud security standards' drum again.

At the start of the year, Cloud Pro explained how cloud service providers are pretty happy with the status quo, considering themselves to be primarily what the tin says they are: providers of access to the cloud along with application processing and storage functionality. Security is part of this package, which should really go without saying, as should the fact that this alone does not make your average CSP a data security specialist any more than selling books makes Mr Bookshop Owner an accomplished author, or being briefed by a pen-pusher makes a Euro-MP an IT security guru.

If you re-read Adrian Bridgewater's excellent article Cloud security: Are we living the certification dream?, the muddled message of Euro-standardisation is as true now as it was then. EU-wide certification schemes for trustworthy cloud computing remain fragmented, with what the European Telecommunications Standards Institute (ETSI) has described as a jungle of standards to navigate through. Bridgewater concluded that "there is a real sense that things are getting crowded with no visible signs of accord and solidarity", and I see neither any reason to argue with him nor any reason to think this is anything that will lead to a mass nervous breakdown amongst CIOs and CISOs.

I also made my position regarding cross-border cloud regulation pretty clear. I unhappily admit that the hotch-potch of national legal frameworks that undoubtedly exists is equally undoubtedly confusing, and I might even go as far as to say it is more aptly described as slightly suffocating rather than healthily embracing as far as the cloud is concerned. Here comes the but you were all waiting for: but this same lack of an international, cross-border, one-for-all approach to regulation has hardly failed when applied to the Internet business model. Am I wrong? Has e-commerce really been held back to the point of stagnation over the last two decades? It's OK, you don't need to embarrass yourself with an answer, the question is clearly rhetorical. As is, of course, 'so will it really kibosh the cloud?'

Here's the thing, the elephant in this particular room if you will: certification, standards and regulation are not the key to trustworthy cloud computing. They are doors that probably need unlocking if we are to move further down the corridor of cloud dominance, but the key to trust is an acceptance within the enterprise, at all levels, that security is your own responsibility. Be that through a Bring Your Own Security provider or internally; for those with an already well-established operation, a Bring Your Own Key policy will do just nicely. Whatever the security solution, the basic need to encrypt remains, as does the need to separate keys from data.

Key security and management, I would argue, is therefore at the very heart of the cloud trust issue. Worry more about getting that right, whilst remaining sceptical about the ongoing Euro-regulatory policy political positioning, and you, your data and the cloud should do just fine. Trust me...

The writer has a lot more trust in the NSA and their poodle GCHQ than I have. Surreptitious eavesdropping for years. Bring on a European cloud - they have experienced state spying with the Gestapo and Stasi. It is suffocating.

Davey Winder

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.