Cloud-based Public Administration

Submitted by michele on Thu, 2012-04-19 12:06

Can we aim at the creation of a shared EU public administration hosted in the Cloud?
While the economic benefits could be evident in terms of cost saving and less bureaucracy, how can we estimate, if any, the security risks of a Cloud-based Public Administration?

Interesting!
1 user has voted.

Comments

Submitted by prokopas on Thu, 2012-04-19 14:13

Unfortunately, the security risks are there and for many constitute the main disadvantage of such a transition.
The basic key security and privacy issues that must be addressed are Trust, Identity and Access Management, Data Protection - Privacy, Availability and last but not least Incident Response.

National Institute of Standards and Technology (US Department of Commerce) has already published a set of guidelines on Security and Privacy in Public Cloud Computing.

It would be interesting and enlightening to get the perspective from industry regarding security risks.

Interesting!
1 user has voted.

Submitted by miguel.gonzalez... on Fri, 2012-04-20 23:02

I'm no expert on this but guess that the risks are similar to those of any organisation putting data in the cloud: data being lost or stolen. Then, I don't know about existing estimations and if the cases where things go wrong are reported or rather hidden. It would be interesting if one of such cases had gone public and the impact and implications had been analysed. I ignore it.

Interesting!
1 user has voted.

Submitted by tsterg on Sat, 2012-04-21 20:14

Good evening to everybody. This is quite an interesting idea, though we will have to define the "service offering" before we start talking about security.
Let me explain myself: as I see it, Michele may be proposing an extension of what is currently known as governmental cloud; this will be something for all EU citizens, where information will be provided for almost everything; jobs, public insurance, and so on, much like the europa website (?). Then, in this cloud, apart from the service of presenting information, will EU offer advanced services in terms of personal information being used (for example, password renewals, an expatriate requiring legal documentation from the country of his/her origin, etc)? If so, the model completely changes, as is the risk. As Miguel proposed, the risks would be similar to those presented in public clouds; however, in this case, we will need to assess risks posed by personal information being used and the adoption of controls for preserving their C.I.A. according to the EU data protection directive, and so on...the list could go on as we all understand.
Nevertheless, I believe that the benefits of such an idea merit strong consideration, appropriate strategy, design, risk assessment and the willingness to set the proper basis for its materialization.
To also enhance prokopas's comment, ENISA and the Cloud Security Alliance are very active in defining aspects of cloud infrastructure risks and controls; and, if memory serves well, the latter has already been engaged with ISO in developing a new standard.
I am sorry for the long comment, though I particularly like Michele's idea.

Interesting!
2 users have voted.

Submitted by miguel.gonzalez... on Sun, 2012-04-22 22:28

Layered security approach, i.e. adapt protection to the sensitivity of the information to be secured. That's what I understand from your comment and it makes all sense to me. I guess it would be useful for (public) organisations that consider or start putting info on the cloud to have some guidance on what the security options are for their particular needs.

Interesting!
1 user has voted.

Submitted by michele on Mon, 2012-04-23 17:55

Thank you all for your comments and important pieces of information.
I believe that an EU Cloud where Public Administration works on an EU level would be a powerful tool of integration that can also be easily perceived by citizens: easily moving my residence, my health coverage, renewing my driving license, showing my academic records to a university abroad, paying the same taxes in each of the EU countries. These are all concrete examples where data stored in an EU Cloud and easily accessible from any PA, University, Police Station, Tax Office will help citizens to feel at home everywhere in the Union.
And when it comes to security, Cloud is already much safer than bureaucratic and dusty warehouses.
Moreover, as mentioned by Theodoros in one of the comments above, both ENISA and the Cloud Security Alliance are working on risks and controls on cloud. I just want to conclude this comment with a mention of the Cloud Trust Protocol as presented by the Cloud Security Alliance. This protocol aims at generating evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described. From that on, they start to define the concept of digital trust, which is probably still missing in the public audience. More info can be found on their site.

Interesting!
1 user has voted.

Submitted by AxelS on Tue, 2012-04-24 17:59

Great question Michele
1) Research says that over 60-80% of security threats come from inside and as such the cloud may be even more secure.
2) We won't post our Social Security Number or the Banking PIN on Facebook and as such we won't put any critical data in an area we are not comfortable with, whether this is Cloud or anything else.
3) Most administrative processes, requests, complaints or anything like that start today on Twitter already and simply need to get a response there - no security issue.
4) I guess if we create a very carefully scaled and gradual development plan to move processes piece by piece into the social web (cloud) we may get the most out of it.

Interesting!
0 users have voted.

Submitted by aserocarmela on Thu, 2012-05-10 00:09

Nice discussion.
My two cents with a fresh article on Public-sector cloud
http://www.networkworld.com/news/2012/050912-public-sector-cloud-computi...

So, it seems that the Cloud moderator has to pay a visit to the neighbour topic to find further food for thought and discussion... Is that Converged Cloud? :-D

Michele and Theodoros, we welcome your interesting ideas and comments on the next door group as well!

Interesting!
2 users have voted.

Submitted by michele on Thu, 2012-05-10 14:13

Hi Carmela,
thanks for paying a visit to the Security group and for your comment. Indeed, I am sure there are many discussions which could be developed under the security and cloud groups together.
I already paid a visit to the cloud group this morning with a comment.

Interesting!
0 users have voted.

Submitted by Engberg on Sat, 2012-05-26 22:10

All this discussion is fine - one thing is systemically ignored - you cannot secure cloud in cloud as we are building on untrustworthy ground. You can never have any reasonable expectation that keys and data in cloud are safe and therefore have to design assuming they are not.

No "standard" or marketing rhetoric can change this - and we get a lot of that - also in the above.

Cloud security depends on logical isolation of transactions OUTSIDE cloud.

Interesting!
1 user has voted.

Submitted by michele on Thu, 2012-05-31 09:53

I tend to disagree with the comment above that we have a lot of marketing rhetoric in the discussion. Although I am aware that no data will ever be 100% safe, this does not stop the discussion from considering how to be safer.
Data protection was important before we got to the cloud, it was important when it was paper documents stored in a safe.
Cloud gives us a brand new approach on how to manage our information, and the idea of a cloud-based public administration wanted to bring to the attention what the benefits of it can be.
Security is always an issue and it is important to bring it up here and discuss how to minimize the risk.

Interesting!
1 user has voted.

Submitted by Engberg on Sat, 2012-06-09 08:57

You cannot make data safer in cloud - that is marketing rhetoric.

You can however make applications safer so you can utilise cloud - that is reality.

But the cloud providers don't want to wait, because profits are bigger if you move and concentrate unsafe applications into unsafe environments, thereby dramatically escalating risks, service provider access to data and lock-ins (as the applications are not cloud-ready in any way).

And the long list of supporters wanting to profit are eager to talk problems away instead of dealing with them.

It is somewhat like considering the use of nuclear power plants in former Eastern Europe. The bigger the problems, the more likely necessary precautions are ignored - the consequences are not potential risks but deterministic effects.

Cloud represents a massive threat to critical infrastructure protection and the economy as such but is sold as an easy solution.

Interesting!
0 users have voted.

Submitted by hepterida on Wed, 2012-06-20 15:08

Hello all,
I have read all of the discussion above. Thank you, Michele, for opening an interesting topic.
Well, if man could not make a decision, let's use comparisons. You can see a kind of "cloud" even if you do not use digital data. I mean, there are big commercial storage farms and silos maintaining the internal documentation of companies which do not have enough space to keep it in-house for a long time. And financial (12 years in my country), personal (forever) or customer-needs based (years) information needs to be stored for a long time.
So, companies are using a "physical cloud" to store their paper data. They rely on the provider's claims of security. It is ok, it is business, it is about offer, needs and acceptable conditions. Fine. Clear.
If we are talking about public cloud in today's terms, it is about the same. The difference is that you can use less space and more air-conditioning to keep customers' data out of the house.
But government and the matters around it are a bit different. Why? Because there is a doubt about management. In the commercial sphere, there is a clear target - to make business and thus money. Everyone involved is highly motivated to do his best to earn a valuable reward. That's why the business works. And that's why governmental institutes don't.
The topic so far did not reflect the whole life cycle of this matter. Security is not only about safe infrastructure and the responsibility of the personnel managing the service, but also about how the data are processed. Who will maintain it? A private company for a rent or a governmental IT department? It is much easier to steal electronic data than paper in general. So ask the recruitment specialists if the government (an employer) could motivate their cloud managers enough against fraud. Against fraud of ALL THAT information. It is about one big data set covered by one big scaled service.
On the other hand, I saw how the data are processed in governmental institutes nowadays and I believe that if the EU will do anything, it would be better than the chaos today :-).
EU, show me the methodology of your risk management. Compare the risks to benefits and losses and say if the risks are acceptable and manageable enough.
And do not let yourself be confused by the fashion of cloud too easily!

I can participate.

Interesting!
1 user has voted.

Digital Agenda Assembly engagement