Using the cloud to build computer infrastructures has tremendous advantages that have already been seized on by leading U.S. companies like Amazon, Microsoft and Google. Financial analysts at UBS describe Amazon’s cloud business as a unit with high profit margins, and add that cloud computing revenue growth will outpace Amazon’s total e-retail sales growth.
But European companies still seem to struggle to gain a global market position in this lucrative sector. How to remedy this? Some say it’s all about trust, but what exactly is trust for citizens, for businesses and for public agencies?
Citizens and businesses will trust cloud providers that have a proven track record, that they’ve had experience with, or that come recommended. In the public sector, there are also formal requirements that have to be met. Is it totally unthinkable, though, to store public data in the cloud? Citizens and public agency managers are concerned about cloud security, and it’s important to remember that data security entails more than confidentiality. Data integrity and authenticity (which essentially means that data should be correct at all times) and, above all, data availability are just as important, not to say crucial at times. Imagine being involved in a serious car accident. The medics desperately need information about your blood type, allergies and so on to save your life. They must get it there and then. The cloud is a perfect solution, offering instant access to correct data in a secure manner, which means that the medics have proper authorisation to get your data and that it shouldn’t “leak” to anybody else.
How can we ensure this? Risk assessment is key, because there’s no such thing as complete security. We get the security we pay for, and in practical terms that means keeping the risk of something going wrong at a level you or a responsible manager can live with. Risk assessment is embedded in many European countries’ legislation, so it shouldn’t be all that difficult for public agencies to purchase cloud services that can offer the level of security required by risk assessment.
That, in turn, raises the question of how we can evaluate that. Using certification schemes might be a good idea, but we have to make sure we don’t put up barriers to market entry for smaller cloud service providers. Certification schemes have the added benefit of serving as information and as a guarantee for citizens and businesses, thus lowering the threshold for choosing the cloud.
A somewhat simpler solution is a list of standard requirements that service providers should comply with. The requirements should be based as far as possible on internationally recognised standards. Nordic countries’ experience when discussing cloud computing is that data protection laws and regulations, although quite similar, are interpreted differently. We have tried to work out a common legal guide to procuring cloud services. That isn’t a list of standard requirements – for that we lacked sufficient synergies between the various ways of applying the law. The guide does, however, promote a risk-based approach: different types of personal data require different levels of security.
Even though the Nordic countries have found it difficult to create common guidelines, there is nevertheless a need for a common European approach. We need to clarify the law and remove unnecessary legal barriers, and to stimulate and support standardisation. We also need to raise awareness; educated choices by citizens sometimes work better than legislative precautions that are not properly implemented.
The market for cloud services is global, and users, whether they be SMEs, large enterprises or public entities, will want stable, secure and cost-effective services. The consumer market for cloud computing may already be lost for European cloud service suppliers, but there are still huge opportunities in the corporate markets and in the public sector.