Session description: This main-room session was aimed at introducing an overview of cloud computing from both the policy and the technical perspectives of the area in order to identify its possible Internet governance implications. Panelists introduced three sub-themes, and after each there was a discussion led by participants from earlier feeder workshops and open to other comments from all participants interested in contributing ideas. Subthemes included: What is ‘cloud’ and why is it emerging Infrastructure, hardware, and environment. Privacy, integrity, confidence in the cloud, public policy, regulation. Moderators were Patick Faltstrom and Katitza Rodriguez.
Defining "the cloud" and
September 17, 2010 - Frank-Charles Osafo, founder of Vericloud, introduced the contrasting views of cloud computing. “To some people, cloud is a new computing paradigm,” he noted. ”Some believe it's more of the same old same old. To some people Yahoo!, Hotmail, Gmail and others like them are cloud computing services. Others disagree strongly. And vehemently.
“The cloud characteristics I’m going to give you: information technology - from infrastructure to applications - is delivered and consumed as a service over the network. Services operate consistently, regardless of the underlying systems. A good cloud should operate almost like a black box. It should work.”
He pointed out that the IGF is using Cisco’s WebEx – a cloud-based service for teleconferencing – to allow people in remote locations to participate in the forum.
Luis Magalhaes of the Ministry of Science, Technology and Higher Education in Portugal, talked about the benefits, challenges and enabling framework of cloud computing. “Cloud computing decreases the barrier to entry for new businesses, so it can speed innovation and enable innovative enterprise in locations where there is an insufficient supply of human resources with the necessary qualifications – IF there is sufficient and reliable broadband,” he said.
He added that cloud computing reduces IT costs. He used the power company analogy – a century ago electricity began to be offered as a utility, so each enterprise did not have to build its own power plant to operate. “The idea is you can just plug into a utility and be provided with services without having to have to run them in your own enterprise,” he explained.
He said positives must always be balanced with negatives: “Like any enabling technology, this one brings new problems, and in this case with a considerable complexity due to the global nature of the Internet.” He presented the challenges introduced by the adoption of cloud computing as a series of questions.
• Does cloud computing’s offer of IT services as a utility offer opportunities for innovation as it favors large-scale services with some sort of standardization?
• Will cloud computing contribute to the generic nature of the Internet which together with the computer was responsible for incredibly dynamic user-driven innovation in the past 30 years? Or will it actually reduce Internet activity?
• What are the facts of cloud computing regarding digital divide questions? As cloud computing services require broadband of considerable speed, will we move to a situation where the main factor of digital divide will become the lack of high-speed broadband infrastructure? What would be the consequences for developing countries and other deprived regions? What policies could mitigate the negative effects? What policies can foster broadband infrastructure and cloud computing capacity in developing countries and the most deprived regions?
Magalhaes said there is also a need for appropriate policy and security frameworks. “Requirements of data and applications portability between different providers and the consumer needs in case of bankruptcy or other reasons for the business to stop providing services,” he listed. ”Assurance of confidentiality and secrecy and the associated needs of encryption; the capacity of control over data by its owners, including transfer and deletion of data; and, finally, the one thing without which none of the above could be assured: efficient, independent auditing systems.”
Mobile devices are driving applications to cloud-only format
Susana Sargento of the University of Aveiro in Portugal noted that the mobile revolution is a primary driving force behind the quick ascent of cloud computing. Billions of people own one or more such devices, from smartphones to iPads and other mobile terminals and devices, thus mobile cloud computing – anywhere, anytime secure data access, access to applications and services – is taking center stage.
“Security and privacy issues are even more challenging than they were before,” she said. “How do we reach a balance in security and usability?”
Sargento noted that the telephone industry in now more active in the cloud world. “It didn’t start with them, but they are trying to enter this world,” she said. “And they are trying to provide new services and business models … The problems of network as a service or even communication as a service are just the extension of a well-proven model in the telecoms area. Telcos could go even further. They could extend the data centers from the core to the operator networks. For example, to the access networks that are closer to the users, with the most-accessed services and data.
“This could greatly increase the speeds to access the service, and this could move toward the vision of distributed clouds and computer clouds. This could be a good step to take the cloud closer to the users. This could be used to move developing countries into?the cloud world and decrease this gap that we have nowadays in the developing world.”
Osafo said that because of the mobile revolution most applications being developed today are only available through the cloud.
“Ladies and gentlemen,” he said, “welcome to the world of the cloud. In the future, you'll have no choice because the cloud, like application development, is in the hands of the application developers. If the application is one-of-a-kind and is only developed and delivered through the cloud environment, if it is the only way you can use that service, you will have to find a way to connect to the cloud. So the application developers, ladies and gentlemen, will be the drivers of what goes to the cloud. If you want the application, you have to get access to it.”
Michael Nelson, a visiting professor at Georgetown University in Washington, D.C., was a remote participant who shared some comments that were read aloud during the session. He pointed out that access to reliable broadband is necessary for people to function in the cloud environment, and that is not always the case, even in most-developed countries.
“That’s why we need ubiquitous broadband,” Cisco global policy leader Bob Pepper said, “because without that you won't have access, if you're a small-business owner or individuals or schools, to the services, the applications, the software that are going to be available over the Internet from data centers in what we're calling cloud service. It's the reason we absolutely need ubiquitous broadband, because without that you're not going to be able to participate.”
Concerns were raised about the cost of cloud-based services, to users and to the environment.
Data fragmentation and expansion of divide are concerns
Pepper spoke about ways in which governments can use cloud-based services to control IT costs and operating costs to share information and operate more efficiently. He noted that this can also allow open access to information for citizens, to enable better governance and transparency. He added that the per-user energy costs are generally decreased by this use of computing power on demand. Another earlier workshop hosted a discussion of “leaner and greener data centers,” with panelists sharing ideas about reducing the environmental impact of data centers.
“If we're going to add the billions of people we want to be added to the Net, we need to do it in a smart way, we need to do it in a very efficient way,” he said. “One of the challenges - there's good news, bad news, is that data centers are seen as the next generation entry into the IT business and investment by every country, province and city.
Everybody wants to attract their own data center. The problem is, if you do that, you fragment the data, the opportunities and the efficiencies of scale of data centers. You don't get the efficiencies. You increase the monetary cost and you increase, for?example, the energy cost…
“We need scale. We need the efficiency. But we also still want?diversity, we want competition, we want the distribution of these new resources globally so that they close the digital divide, not expand it. These are difficult questions. And that's what the discussion's going to be about. But it's not either/or. It has to be a balance, and we have to do this in a very smart way.”
Nelson noted that cloud computing is important to the Internet of Things – billions of sensors and other devices on the network, and said, “If we end up disconnected with separate national clouds we will not realize the full benefit of cloud computing.”
Users’ rights are still being negotiated; there are territorial issues
Kristina Irion of Central European University in Germany noted that cloud computing is a “disruptive technology” that is challenging existing legal paradigms as it changes the way we process information.
“Records stored in the clouds require adequate, effective and enforceable protection in order to generate the confidence for users to take up these services,” she urged. ”Cloud service providers have to be transparent?and accountable for their services, including modification requirements?and independent data security audits.
“Regulation or no regulation? This has been very controversial in the workshops. The answer to this question is do something as a minimum about security, privacy, interoperability, openness and competition.
“An important security concern relates to the lower threshold of protection for undisclosed personal data in the cloud against, for example, access [to private data in the cloud] by law enforcement, which pervades in a number of European countries and in the United States. Because the data is stored by a third party, law enforcement has the means to access it. It is important to change this paradigm because data in the cloud should be protected by the same safeguards against public and private interference as is data today on our desktops or on our hard drive.”
Irion also pointed out that data portability and interoperability for users who wish to move from one cloud services provider to another are key issues. She said unfair commercial practices include cloud services providers’ alteration of terms and conditions of contracts and said liability should not simply be waived for the service provider.
She pointed out that some popular services automatically assume consumer consent to secondary use of their personal data and the remote hosting of the files is not available on a stand-alone basis, without the consumer’s commitment to share data.
“Indeed, regulation and common standards for these important issues will be needed,” she said.
Irion noted that – in order to have success – the cloud providers must locate their data centers, also referred to as “server farms,” in regions of the world that are politically stable. Security is important, as is a positive regulatory atmosphere. So “countries that are doing good have a competitive advantage.”
What recourse is there for lost data?
Michael Katundu, the communications commissioner for Kenya, summed up an earlier workshop, “Implications of Cloud Computing,” that assessed positives and negatives. Workshop participants had discussed a number of the issues already raised in this main session.
Katundu said there’s a question as to what recourse people have when their data is “lost” in the cloud. “Where do you go?” he asked. “Do you go to your local laws or international laws for litigation? How do you choose a cloud computing provider? Issues of trust again were related. How do you change from one cloud to another? How do you trust a company with your data?
“In conclusion, it was felt that there's a need for continuous?sharing of best practices on cloud computing issues, and IGF is very good for this.”
He said one idea proposed in the workshop was that “countries interested in the cloud services of others could negotiate a bilateral memo of understanding.” He added that it was the general consensus of participants in the workshop that lawmakers should not presume the need for new laws because “cloud” is a new phrase.
Trust and sovereignty issues loom large
Wilfred Gromen, general manager in central and eastern Europe for Microsoft, shared notes from the workshop on “Engendering Confidence in the Cloud,” a look at trust issues and impacts of cloud computing adoption in the developing world. “There are regulatory issues to cope with and the biggest one is solving the sovereignty discussion around cloud computing - which jurisdiction will rule in cases of disputes or digital crime?” he asked.
He said panelists discussed strong deterrents and civil enforcement with meaningful penalties and remedies and a legal framework that supports information sharing between public and private sectors. One stumbling block is the inability of law enforcement in different jurisdictions to team up and exchange information globally.
Workshop participants noted that there are and will probably continue to be inconsistent rules governing access to and jurisdiction over user data and data from nation to nation.
”How to solve that?” he asked. “Maybe an international trade agreement, a treaty of some sort that maybe only focuses on the cloud computing issue and not on data privacy in general - so this was a concrete take away, panelists for the IGF may be facilitating this framework … Can governments show the necessary political will to reach international agreements like on this jurisdiction? And will governments allow their sensitive data to be stored outside their countries?”
He noted that industry could possibly self-regulate after consulting with various stakeholders. “From a user's perspective, you could summarize the call for transparency and security and privacy,” he said. “Privacy and security practices of cloud providers often are not transparent. Ensure that users get better information about how their data will be stored, processed and made available. Cloud providers should engage with other relevant stakeholders such as consumer groups and data-protection regulators about how to educate users on privacy and security.”
Bertrand de La Chapelle, French diplomat and longtime Internet governance leader, noted that the same issues being discussed about the challenges raised by social networks are shared in the discussion of cloud computing – rights related to private data, transparent terms of service, control over data, control over access to data and data portability.
"What I sense here is the emergence of the notion of virtual territories,” he said “What is happening is that if you are a cloud service provider, you have data centers in very different places, and if we try to address the problem of transported data flows from the territorial base, we have a problem. If we go at it the other way around and start with the cloud operator then it becomes a virtual territory and you define the framework in this way.”
Pepper said many cloud issues tie into the tension between sovereignty and interoperability and conformity.
“There's an existing framework that does not necessarily map to a world where things are online,” he said of the agreements already in place in regard to privacy and other issues. “That's the challenge. There's a framework and a process, and it may not be that we need something radically new, but we just need to be aware of where the differences are and then try to make these more consistent.”
Open standards and interoperability urged by panel
Pranesh Prakash of the Centre for Internet and Society in India introduced participants in the main session to a few of the concepts that were covered in an earlier workshop titled “Data in the Cloud: Where Do Open Standards Fit In?”
“The core function of standards is to ensure interoperability,” he said. “Open standards ensure that they are developed through a participatory process and that they're openly available to everyone to implement, without discrimination. Cloud platforms should offer developers choice in software development tools, languages and run times.
“This is what we must move towards, but such standards start as protocols from the ground up, and that's a reality we must face, and before we move towards standards, we still need to work our way through many difficult issues … Clouds should be able to talk to one another. This is a place where open standards become crucial.”
“Additionally one has to also deal with questions while thinking about this, about what my data really are. While my own profile information and status posts et cetera clearly are my data, what about the data about my friends that I have been granted access to? We have to keep in mind, while clouds allow for distributed storage and computing, we have software now that allows for peer-to-peer distribution of the storage and computing as well. Having standards encourages increased user and developer control over data.”
He said present-day cloud models guarantee users very little control or freedom. “And we have to address questions of distributed computing and the need for redundancy and the continuity of societal memory in a sense, without compromising on privacy and end user control,” he added. ”And that is the challenge that we currently face.”
The discussion moved back to the definition of and evolution of cloud computing. Jonathan Zuck of the Association for Competitive Technology said, “It’s the pairing of data with processing power on servers that is really the critical aspect of these discussions,” he said. “And it's the storage of this data and the distributed storage of that data that raises nearly all of the public policy questions surrounding cloud computing.
“Cloud computing is a marketing term. Technically speaking, the real issue from a public policy standpoint stands in the storage of personal and corporate encrypted data.”
Pepper noted that the reasons for the trend to storing and processing data in large data centers is driven by need, and he listed the primary motivations.
“The ability for individual users and small business to share resources on a pay-for-it-as-you-use-it basis, avoiding high startup costs, there's a whole set of reasons why there's this trend to having large, shared facilities for computing and storage,” he said. ”There are business models being developed around this, including for example in the entertainment industry to bring movies and other ?entertainment content, sports, et cetera, closer to end users.
“So in the context of the Internet Governance Forum, what we're here for, it is balancing these benefits that are huge. That's the trend, and then as policy issues arise, let's think about them in a smart way and address them going forward, not after the fact.”
The UN's official transcript of the CIR event can be found at this link:
- Video recorded from a remote location, captured