INTERNET GOVERNANCE FORUM 2010
16 SEPTEMBER 2010
IMPLICATIONS OF CLOUD COMPUTING
Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.
>> HERBERT HEITMANN: Good morning, good afternoon. I'm the Chair of the Commission for e-business IT and telecommunications of the ICC. And I'm pleased with the government of Kenya to be the host today for this workshop here. This is the official workshop on Cloud computing, I've seen and heard that many others touched this topic, which is just an indication that there is a lot of interest. Some people say a lot of hype.
I will try to structure the workshop in the following way. After I introduce my distinguished panelists here, I would like to provide one definition of Cloud computing, so that at least for this session here we all operate under the same definition and assumption here. Then focus on the differences between what is really different in Cloud computing compared to what we have experienced before. In business, on the governance side here.
Then look into the opportunities that this offers for businesses, for the developing countries. As well certainl also into the issues here.
The intent after we have done a round here with the panel to quickly open the floor to you here in the hall, or to those who follow us via remote participation. So please, this is meant to be highly interactive. With we here on the panel we had a last minute change, but I'm please that had Michael Katundu from the telecommunications Commission of Kenya is joining us here as a host for the workshop but most importantly for the IGF next year.
Also with me, I have Vikram Kumar on the very left here. He is the Chief Executive of international New Zealand and in this capacity has been an is an advisor to the New Zealand government here.
From the academic world, but closely in touch with business, since he has done this several times himself, created a business, but also worked as an editor, Pablo Molina. He is the CIO and the assistant Vice President and professor of Georgetown University.
And then to my two colleagues, Christiaan van der Valk, the CEO of TrustWeaver, and in his role is in the SEC, the co-chair on the tax force of security and authentication, and the co-chair of the IBBT Commission.
And Joseph Alhadeff is the Vice President for Global Public Policy and chief privacy for Oracle.
The gender is imbalanced, we apologize for this. But with that, let me try to share with you in the most simplistic terms what I think the best definition is for Cloud computing. It's an on demand network access to a shared pool of configurable resources, that refers to network, to service, to storage, application, services. That can be rapidly provisioned and released with a minimum effort for the service provider as well as for those who are managing this and consuming this.
There are three service models. The software as a service. The platform as a service and the infrastructure as a service. And certainly they are all applicable to a different extent here, and the deployment models, distinguished between the private Cloud, the community Cloud, the public Cloud, and a hybrid of all of this.
So, with this definition and in light of all that we have experienced here, maybe I bring the first Question to Joe to give us from a technical perspective an idea of what really is different with the included compared to before. And maybe you can indicate where you see evolutionary development here and where is it revolutionary.
>> JOSEPH ALHADEFF: Thank you, Herbert. Well, I think when we look at Cloud, we can start thinking about things like shared mainframe access that happened in the 1960 s as part of the way this model was thought of. And you can think of the evolution that went into client/server, that went into hosted service, that been into global sourcing. All of these are the building blocks of Cloud and Cloud becomes an a mall gum of these things. In that case, the Cloud is evolutionary, because it's the compendium of technology that has been existence for a while that is offered and used as a service in a different perhaps business model but not in a technologically revolutionary fashion. When you look at how Cloud is used, that is where the revolution does come in. While many opportunities were available to enterprise, at least in developed countries, they really were never available to individuals.
The concept of what you can do now as an individual in terms of renting a data centre for what is a diminimus cost for a period of time, the fact of how you can actually create content, distribute content, produce applications and share applications was possible in a minimum way previously, shareware and other things, for example, really has expanded in a way that is somewhat a revolutionary and part of the revolutionary aspect of Cloud really is its facilitation of consumer to consumer contact and the interactions in a way that they didn't happen before. So while a Cloud is a factor of complexity in terms of the scope and scale that it's now deployed when it comes to industry, it's more revolution in terms of the consumer interactive space and now we are beginning to see the innovation that can occur in that space.
Over time we will see that.
As you think about the evolution of censure based computing and the concept of ubiquitous or computer environments, the concept of how Cloud services will be deployed and used in those environments may change the nature and shape of the way that we consider Cloud. But in many ways, we are not dealing with new technology, but we are perhaps at the outset of a new era.
>> HERBERT HEITMANN: I remember that, I think it was you who said the one big difference is that the only thing we don't know these days with Cloud is where our data resides. The rest is more or less similar to what we had before.
>> JOSEPH ALHADEFF: Well, that's a quote out of context. What I think we have is that while we know where data centres are and we know where the data is in those data centre, the fact that information may be virtualized across a grid of computer, may mean that you know longer are saying that I know that my data is on that specific computer. You may virtual otherwise over multiple data centres and you may have to think that there are multiple places where your data is. Your back up may be a different location than your primary space. All of these add to the complexity of where data is. That being said in managed clouds, I don't think the problem is knowing that data exists in someplace or another, I think where you get into some of the applications where you may not have as much control over the application. So, if I'm using a Facebook application, I may not exactly know who is providing the application and perhaps where the data of that application may be, because I may have less information related to that.
So, the concept of how you identify and how you identify providers and how you evaluate providers is an evolving topic that the Cloud will post challenges on. I think we will see more and more new provider, or providers mediated by platform, where the platform may be known but the provider may not be known. And those are the places where we have to figure out ways in which people understand how and where their information is being hosted and what level of responsibility associated with that information and compliance may bring to bear. So I think there we may have some of those issues cropping up.
But there is occasionally this concept where someone says Cloud computing and you see the person looking up in the sky as somehow the data is there somewhere. And there is no concept where it is. And I think while that makes great cartoons, it's not a reflection of reality.
>> HERBERT HEITMANN: I'd like to move over to Michael Katundu to ask him when the Cloud showed up over Kenya. Is it a promising sign or was it an area that created concern? What is the difference for the government -- for the ICT Department of The government as a result of the occurrence of the Cloud?
>> MICHAEL KATUNDU: Thank you, Chair. My name is Michael, Michael Katundu, from Kenya.
Very good Question. Yes, there is a lot of talk of the Cloud as opposed to IT people being able to supervise the encryptments in their reach, being able to upgrade their software, and then the contracts within and they have control of their software and they inspect them every more than, and see whether the hardware is functioning, plus a look at the client/server, clients with the servers and so forth. But now with the occurrence of the new technologies of Cloud computing, we are look at a different perspective. We are starting to ask ourselves, our policies, our laws, our framework, does it accommodate Cloud computing or is there something that we need to do with this? Areas of security, privacy, and so forth.
There are areas which now we have to study and we are asking ourselves does that take into consideration the aspects of Cloud computing? And developing countries, of course, we know we are going to take up ICTs in a broad perspective. And here the Cloud computing, lack of computers at some levels in some areas, lack of connectivity and so forth, and here Cloud computing comes onboard. So how do we take up all of these technologies and in a phased approach be able to be in tandem with development. Thank you so much. I'll come back with more comments.
>> HERBERT HEITMANN: After we heard from Kenya, I want to turn to Vikram. In your capactiy of working with the New Zealand government, where do you see the opportunities, how do you segment the different elements to get the most of it for New Zealand?
>> VIKRAM KUMAR: I think like many of us here, we hear so much about Cloud computing and how there is so much marketing hype around it that you tend to go into it with a bit of a defensive, a little bit of a mindset that this is just too much hype, there is no substance here.
As Joe said, it was an evolution of trends that were occurring in any case. But when I had a look at this two or three years ago, the thing that struck me was that while it is evolutionary in terms of the concept, I came away with a strong impression that this will prove to be a very disruptive technology. And I'll go into a bit more detail of why I came to that conclusion.
But, like many, I'm sure like many of you here, I went into this with a little bit of: This is just marketing hype. Every vendor wants to demonstrate how they provide a Cloud offering. And what is really happened here in my mind, and these are examples that have been used quite well in the industry, and I think they are really valid.
Think about electricity and how in the early days a lot of factors and a lot of homes had their own source of electricity. They produced the power themselves.
And when it got to a point where the technology had advanced, where it had become mature enough, we had power stations. And the focus shifted from generation of electricity by individuals to consumption of electricity. But that was just a one to one substitution of who is producing the power in the first place. What was much more important was the impact that it had on how people started thinking about how they can use electricity and not having to worry about how they can consume electricity.
If you take an example of roads or transport, if you think about cars replacing, for example, horses, in the first instance you think of it as quicker, faster, cheaper transport. But, that is just a one to one substitution, what is far more important is that in the long-term, it allows society and people to do things with transportation that a horse would never allow.
And that is the kind of disruption I think that the Cloud will provide in the long-term. However, in the short-term, I don't think that the Cloud at the moment is ready for prime time use by large corporations or large governments for core business operations or for mission critical operations.
I think that it is certainly ready for use in areas which is noncritical or noncore at the moment. And just like many disruptive technologies, I think we under estimate the long-term impact of Cloud computing, but over estimate its short-term impact.
I'll just leave it at that.
>> HERBERT HEITMANN: That's an interesting point, under estimating the long-term and over estimating the short-term and I would like to use this to hand the mic over to Pablo, I wonder if this kind of quicker, faster, cheaper deployment and utilization is something that universities, which are often not known for having the biggest budgets, that you can take advantage of as of today. But more from the academic side here is when you look at the hype that is paraded around Cloud computing, that means it includes a lot of promises for what will come next, what the future of this will be. From an academic angle, do you see where the next step is? Where are the sobering effects and then where will some substance shine through?
>> PABLO MOLINA: I can say that the weather forecast for Vilnius today is Cloudy.
And the forecast for the Internet in the next ten years is Cloudy as well. When it comes to new technology, it's not clear what the uses of those technologies are in the near future, as Vikram mentioned and Joe brought up. To quote the words of of a United States Judge, who issued an appeal in 2006, regarding a case regarding misuse of computers. He wrote that no invention in humankind can get you faster into problems than computers. With a notable exception of Tequila and handguns. We don't understand what the implications of Cloud computing are. But many of us are betting heavily on these, on account of the efficiency, on cost reductions and economies of scale that are promised to us bye-bye Cloud computing. It makes millions for every University, college, worldwide, to run their own e-mail systems. It requires people, server, data centre, electricity, upgrades, software licenses, and here comes Google, for example, or Micosoft and tells you I'll give you e-mail for free. Not only that, I'll not send advertisements to the people who use these e-mail services until they graduate from your schools. And become members of the workforce. With these propositions, it's a no brainier. All of the CIOs in higher education are jumping into this Cloud computing platforms. Many of us consider the enterprise planning systems. This requires corporation, nonprofits, governments to spend millions of dollars with great companies like Oracle or SAP for example, or others. Well, some of us are switching into Cloud computing for those applications.
For example, instead of running our own financial system, we are relying on a company in San Jose who will run all of our financial transactions. For this, we believe that the Cloud offers wonderful business opportunities, but also some challenges that need to be ads dressed. As was mentioned, this may not be an evolution, yet there is a paradigm shift for users and organisations in the way that we acquire and we use technology services practice.
>> HERBERT HEITMANN: Thank you very much. I'll not ask Christian about his business. I assume that TrustWeaver can take advantage out of the uncertainty that is a sole technology. Maybe you can share with us what are the opportunities for businesses, like the one that you own and manage in the context, and what kind of special offerings that you can bring to the table here. And then that could be a segue to the second phase, and we will highlight the issues of Cloud computing and we have heard a few of them.
>> CHRISTIAAN van der VALK: That's a couple of questions in one, I suppose.
When I -- when we started our business as a company, I'll not talk about TrustWeaver, it's obviously not a product or a service pitch. But I remember as an innocence lawyer signature around the table with engineer, in long sessions obviously as one does when creating a company. And I remember from that -- I guess in the engineering circle, the Cloud has always been an analogy for the Internet. They were drawing picture, and wherever the Internet was somewhere they would draw a Cloud. And I guess engineers have been doing this for decades. However, in my time of course, my short time in working with Internet technology, I've seen those pictures evolve. The thing that used to be behind the Cloud picture was a screen, somebody might access a corporate system and using a browser.
And over time you saw more and more pieces developing sort of getting behind the Cloud. And the picture ended up in our company being entirely behind that Cloud. And so one day I woke up and I was the CEO of a Cloud provider. I didn't know that. But that's what we do. So the logical thing to do for startup companies who provide any kind of IT functionality, whether it's for businesses or consumers. So that is interesting. That's what we do now.
And what we do is we focus on the compliance aspects of IT, of business processes, and in particular when business processes are facilitate business information technologies. And we try to look at what needs might arise in that environment. People who are associated with the ICC for a long time, within the international business community and working with the UN, for instance, we have been talking about legal concepts in the Internet age for a long, long-time. As long ago -- 20 years ago, we talked about EDI and then the Internet.
For instance, concepts like what is an original document? We have, in our minds, and unfortunately also in our legislation all over the world concepts of a paper, of document, of information existing in a single iteration. And of course very often also on some kind of physical support. Whereas we heard previously, if you work with smart engineers who take advantage of this Cloud technology, information will by definition be everywhere, because data centres, storage facilities are replicated, that is the whole point of being more robust, of providing more reliable services in the Cloud. How do you then deal with that, if you're in, let's just name one country, Germany, and you're supposed to keep your accounting material in original form?
And it has to be in Germany? Can you leverage these technologies? Simple answer is, of course, everything is possible. And our company, just like many other companies who provide Cloud storage services, will be able to identify where information is. The problem is, it is everywhere. So, it will also be in Germany but most likely also in Argentina and somewhere else that we don't know of for good reasons. How do you deal with that? It's challenging for companies to try to address. And so I can go very far into the theory of all of this, but it's my conviction that companies who live of course nowadays under probably much more control in terms of audit and the control frameworks than ever before in the history of the economy, and companies actually have to extend a lot of these concepts into the Cloud and work with that.
And as I said, I think it is my firm belief that control technologies will increasingly focus on the individual data, rather than the surrounding environment. There is a lot of tension there and we try to provide services around that.
And I want to say one more thing about entrepreneurship related to the Cloud. This is based on the of course the same private experience, it's very interesting. We have as a company been able to connect large amounts of very large multinational companies and business to business service providers through a simple Internet connection, and in many cases without any face-to-face meetings.
Now, we're talking a bit about the opportunities for development and developing countries. Our company happens to be in Sweden. But it could have been in Kenya or it could have been anywhere else. It's a couple of phone calls. It's a simple well-defined Web services interface and people tapped into their core businesses over the Internet, not just for a period, for all things, putting on a stam, no, this is core business to business vital time critical communication, and the connection goes to a startup company in Sweden, over the Internet, made without any fist physical relationship with the company at all. That leads to a lot of opportunities. Any smaller company anywhere in the world can achieve that, and the cost of sales is very, very low compared to of course any other T-Mobile providing software.
The flip side of that and I'll leave it at that, the business models, we don't talk about this much, but the business models for startup companies providing these types of services are different. The capital investment needed for a company that provides Cloud service is much greater and it will take much longer than for a software company. A software company can start selling licenses right away. For the Cloud, you sell it day by day and people will give you a sense when they will use your functionality. And that's something that the developing world should look for. We want people to develop Internet company, I think also the investment side, the investors in this world and the people who invest in development need to realise that this business model takes a long time before you get any return investments.
When it starts working, it's a tremendous powerful business model. But it takes a lot longer and I think a lot of people haven't realized that.
>> JOSEPH ALHADEFF: I just wanted to add something to Christiaan, while I think he is accurate for someone who is a Cloud technical service provider as he is, there are ways to leverage Cloud services which are the ways that you lower barriers to entree. so if you use a Cloud platform to help sell something using Cloud to help streamline some of the logistics and other things, you can get a lot of advantages without that same kind of investment, because you are not selling the metered service, you are using the platform over which your business model operates. So we have to think about Cloud in a couple of ways. There is the yes I want to become a Cloud service provider. And then Christiaan's analysis is exactly correct. But yes, I want to use the Cloud to provide service, that is a different story in which you do actually significantly lower the threshold and barriers to entry and you significantly lower the competitive playing field related to who can compete and how.
>> HERBERT HEITMANN: Lowering the threshold is the segue for me to move into the issues. I want to share a personal experience. A couple years ago, I had my e-mail, Microsoft outlook on my physical laptop, and the chief legal officer came and said would you sign here, you know, that you stay away from the German privacy law because we want to use your laptop and turn it over to the U.S. I said I don't have anything to hide. And for the first time I realised that we have -- we all appreciate privacy, but we have a significantly different understanding of to what extent and -- now I'm wondering, if I would use Google mail and have my e-mail in the Cloud. Is it at all somebody asking me at any point? How is privacy, that obviously has a different origin, in the Cloud protected or guaranteed or is it something that is indeed very Cloudy?
>> PABLO MOLINA: I'd like to take this Question, which is fascinating. One of my hobbies is being on the board of the electronic privacy and information centre. One of those organisations concerned with privacy worldwide for Internet users as well as the public in general. Basically, think that Cloud computing is the best and the worst that has happened to privacy on the Internet. Let me tell you why I think it's the best. When it comings to nonprofits running and storing information for their constituents, you know, the members of your organisation, the students in your schools and everything else. There are two types of organisation, there are those who have lost personally identifiable information of their constituents. That information has been leaked or misplaced. And they have not -- and they have reported it. And there are those who lost the information and they have not reported it. Basically, these organisations with limited technology and resources are not very good at keeping information confidential. So in this regard Cloud computing could be good. Because the companies could devote the necessary resources and it's in their best interest to do so in order to compete in the market, to have good privacy and information security guidelines.
On the other hand, the problem with Cloud computing is that it's still an area that we don't understand very well. We understand some of it uses. We don't understand some of the future uses, for example, things that Christiaan and Herbert were referring to, or Joe, by which several parties are working toed together to provide a service in which case one may provide an application layer, the other is providing DB services, the other is providing storage services. Who guarantees that all of those companies are fulfilling the obligations necessary to enforce those privacy guidelines of the different countries and regions where the people live and what happens when the information travels across borders? In other words, I think we need more clarity and one thing that we will see here, first, the technologies come up with the idea. Then the business people find a way to profit from it. And to market it. And then here comes the lawyers and the regulators to try to ensure that those technologies are providing the best possible good for humanity.
>> HERBERT HEITMANN: I got the indication that there are the first questions coming from the Web. Heather, correct? And if so, how do I get the questions?
>> HERBERT HEITMANN: We will fix that little technology prob prom. That has nothing to do with Cloud computing.
>> HERBERT HEITMANN: The data privacy is one element. And there are other areas that can, from a corporate perspective become critical. The data security. Your role in advising the New Zealand government, what was your approach here? What was your recommendation? How can you ensure that, especially sensitive data, are treated with the necessary care?
>> VIKRAM KUMAR: I think when we look at Cloud computing and the issues that are challenging us today, a lot of them will be solved by vendors and the industry simply through market dynamics. And a lot of the well-known problems around privacy and security are issues that Cloud computing has made worse, but exist in any case.
One of the things that concerns me most is from the aspect of a large corporation or a government Department is the control over data, particularly where that is residing in multiple countries, and what that raises essentially is jurisdiction issues.
And this makes it really complex. So, for example, if you are a tax Department or a large multinational corporation, and you have a database with fairly sensitive and personal information or confidential information, and if you have that database on the Cloud, it will typically be in a number of data centres in a number of different countries. And what you looz lose essentially is control. Because the laws of the country in which the data centre resides, the laws of the country in which the headquarters of the particular provider is, and the laws of the country of the organisation that has the data or owns the data, they can all conflict quite badly. And I think that jurisdiction issues is the one area which is going to be of significant problem for the Cloud computing industry to solve. And that is not something that the industry will be able to solve through market dynamics.
So at the moment, certainly my view is that any corporation or organisation or government Department which has sensitive data, don't put it on the Cloud.
>> HERBERT HEITMANN: That's a very clear statement. Christiaan?
>> CHRISTIAAN van der VALK: In the business world, I think it's not only to keep your data in a controlled way, away from the general public when that is necessary, but it's also to make sure that the data don't get corrupted, that the compliance of certain information is guaranteed.
As a nontechnical expert I'm asking myself, it sounds a bit like in the product world these days, we have to air carry in addition to the information related to the product, a lot of context information. Where it comes from, what kind of temperature it has been stored through the supply chain and what have you. Is this --
>> HERBERT HEITMANN: Is this going to happen with information and data, that this context to provide better understanding, wherein particular does this data come from, will it be managed in the future and you understand where the information comes from and what kind of legal environment needs to be applied here as well as what else can be made with that?
>> CHRISTIAAN van der VALK: In my world, there is alively and extremely controversial debate between those two extremes, in a sense. What model are we going to? And this probably is mostly a business to business, or corporate issue. I don't think it affects consumers as much, but it might.
And as I said, one important message for me here is that I don't think regulators have any idea as to how many different types of requirements and control frameworks apply to companies and information systems, infrastructure, and processes, to meet all those rules and regulations and requirement, which have multiple dimension, by the way.
They might be private, quasi private. Maybe some international law. But most likely they are international and therefore you have to deal with, if you're an international company, as many different laws and requirements as you share markets. In that debate of course, countries are taking varied approaches. And you see those two extremes come back in legislation now. One is the audit trail approach. People say, basically, in order to prove that this information was created or real and is still not tampered with 50 or 30 years ago, we wanted content information and you would have to store that store that information.
Other side of the spectrum is to try to address those issues, as I said previously, on the data level. Both have advantages. And I don't think the world started that debate. I think, unfortunately, in place like these, that debate needs to be had a lot more. Because there are real architectural and serious business issues related to it and policy issues. Right now both models are practiced and you see this come back in various types of business legislation. If I look at the world you can divide it into two pieces. If I look at Latin American and Europe, there are more attempts to put it in the business data level. If I look at the UK and Australia you see the other model and various forms in between.
>> HERBERT HEITMANN: Thank you. The first Question from the floor.
>> I'm Lamber, I'm a member of the European Parliament, coming from the Netherlands. Europe has 27 countries. We have data regulation of 1995, we will revise it next year.
How can we cope with this new development if you again, make it, like we say, European oriented, geographically new regulation? This is something -- this is governance. How can we cope with this new thing? We are willing to be open to support it, but we are still working on our own legislation. And this is something I should like to put on the table.
The second thing is, just a question. This Cloud computing thing, will it be something that will be dominated by some big companies that are -- that make their investments and that -- is it open or is it, in fact, not open because it's a business case for some?
>> HERBERT HEITMANN: Big companies.
>> JOSEPH ALHADEFF: I'll answer both Question, how is that. I think when you look at the fact that you have a directive that Harmonizes to a certain extent member state law, because the directive acts as a floor and not a ceiling, so member state laws can be above that. You still have a range of complexity and compliance even today as information moves across the various countries. Within the European Union that is stronger. Outside, you have to qualifier, a delegation to get the information. But I think the concept of how we look at this going towards the future is I think commissioner Redding spoke about the concept of accountability or the idea that obligation flows with information. I think that we see that this is the underpinning concept, which is one of the mechanisms by which the European community looked at how do global companies perhaps deal with this issue? Because a binding corporate rule may have a more global application and less complexity than a model contract.
So we are starting to see concepts evolving in this fashion. I think another important concept is the consultation that is going on in the EU is the consultation is predicated on the notion of effective regulation. So one of the things being looked at in the regulatory review is the outcomes based nature of the regulation and how to minimize some of the bureaucratic burdens that might go with the regulation. Not to limit the effectiveness, but to limit the burden that comes not at expense of effectiveness. I think we're seeing positive development, but we're on a learning curve as to how to do this. And I think the other beneficial fashion is that we're seeing these developments in both the EUAPEC. So two large regions are moving in similar directions, thinking about these issues.
When it comes to large company, the the greatest advantage that large companies have, apart from being able to spend greater amounts of money in the protocols and networks that they use, is that they have brand reputation. And that's one of the major advantages that they may have over smaller companies who are less known. And it's difficult for individuals or SMEs to evaluate the quality of a provider they haven't heard of. And so how do you actually get that information out in a way that other providers can actually demonstrate the value of their services if they can't rely on their brand? And that's how you make that information usable and comparable, when you look at provider, so that you can make informed choices about which provider you want to use and the kinds of services that they offer.
There will always be advantages that a larger corporation has, if they also are very large corporation, because they may be looking for the level of assurance, the level of responsibility and the level of essentially asset and backing that can only be provided by the largest players. But there is a huge opportunity in the market that is not limited by that. The very top end of the market is probably limited by that as a segment, but that has been a historical fact and I don't think that changes and that still leaves a level competitive playing field for much of the industry to work on these issues.
>> PABLO MOLINA: If I may piggyback on that. I think that there is a policy vacuum when it comes to Cloud computing. Because we don't know how Cloud computing will be used, how much adoption will happen and how will it happen? Existing guidelines, soft laws and hard laws are not probably adequate to help us understand and manage this new technology environment.
Now, that doesn't mean that we have to rush to write new legislation and appoint new regulators. But it probably means that we should first look at all the existing mechanisms that we have and engage an interdisciplinary body of experts, technologies, economists, business people, even philosophers and certainly politicians to discuss the issues. And then on a case-by-case basis, they can start developing the rules of the game. When it comes to whether or not there is going to be much competition, well, one part of that depends on the regulation in place, whether we favor competition through market regulation, through technology development, which is a wonderful Question.
But I would agree with Joe, because of brand name reputation, which is critical on the Internet, and maybe resources. We may find top notch, highly respected expensive providers at the top, and we will find others at the bottom of the pool who are also providing creative content to the Internet. It's very conceivable that, you know, for example, educational institutions will get together to do their own Cloud of educational services. And also anybody who is interested in AV production, you know, they may rely on exclusively on YouTube, but they may open their own independent film and documentary Cloud to promote the publication of those materials by people all over the world.
>> VIKRAM KUMAR: I just wanted to address part of the second Question. To some extent I disagree that there will be too much domination. Because for me, if you look at it from the perspective of an individual, they don't particularly care about Cloud computing. What they care about is the services that they are getting delivered to them. Many of the services, today we think of them being delivered by the browser. That is probably not going to be true a few years from now. Now we have many desktop applications or we have applications on a mobile phone. Many of them have Cloud computing as a back end. But it doesn't really make a difference whether you have Cloud computing or not, or you have a traditional data center or a mainframe. It doesn't matter. What matters to people is the service, is it good, reliable, possibly free?
So, my opinion is that in the consumer space, we are going to see an explosion of many, many online services, most of which will fail. And that's the nature of the Internet. And some of them will succeed. And a lot of innovative and new applications will come along.
That is quite different from what will happen in the business space and the large government space, where there is a far more sophisticated understanding of, for example, risk management. And I think in that case, we will see a different market emerging where you'll have a consumer market and a business market or large organisation market. But I do believe that in the consumer market Cloud computing or whatever else we choose to call it will actually not make a difference at all. It will just be the services that are delivered, some of them will be on the Cloud and some won't.
>> HERBERT HEITMANN: I confirm what you said. For a while, I said that I go into my Facebook, Twitter, YouTube account, and sometimes stick there. Since quite sometime I'm not going this anymore, because there are other service providers who aggregate all of this information into a more entertaining fashion. And I realise that the big names don't need to remain big names because there are others with business oriented service approaches that make a difference from a consumer perspective. Behind my back, where my eyes are not so well working, I get Questions from all over the world.
Heather, will you read them?
>> HEATHER SHAW: I can read them if you'd like. We have two questions from the Kenyan hub. The first Question, in your view, what is the impact of (reading the first Question)
The second Question following on that from the hub in Kenya. Would you advise developing countries to invest in local data centre, considering the complexity brought about by legality, security and data protection for information stored in unknown geographical Cloud computing platforms?
>> HERBERT HEITMANN: We turn this into a marketing or I ask Michael to explain to Joe whether they should put their data centre -- they have another choice to turn this into a marketing event and Michael to convince Joe to put data centres into Kenya. Or we turn it the other way around and ask Joe what he thinks needs to happen in developing countries. I prefer to do it the other way around. Michael, you can start with asking the Question from the Kenyan hub about what you think needs to happen in developing countries. And then Joe, you talk about or whoever else wants, to contribute to this, what are the perfect markets for the physical expression of Cloud computing from a business perspective, which is my interpretation of that Question.
>> MICHAEL KATUNDU: Thank you moderator. Very good questions coming from Kenya, from the Kenya hub.
I would like to start by appreciating, yes, this kind of technology is basically a paradigm. It requires a paradigm shift. The private sector, government, Civil Society Information, and every other use of the Internet. One thing I would like to appreciate it that governments are quite conservative all over the world about their data. And governments are known to be mega users of Internet and other services of ICT.
Having said so, yes, within developing countries, as I did, we are trying to take up ICT applications in a big way. But particularly in areas of eGovernment, eEducation and so forth. And we are in the process of building a local and data centres within the country. But we will be able to secure our data and be able to do this in the near future.
I agree with the previous speakers that Cloud computing is happening in a way. When we got the Internet, when you post information on the wall of Facebook, you don't really know where the back end service are taking place. If you go back to your wall, you would not be able to delete anything. It's going through an Administrator located somewhere, and we don't know. And that is the sense of the Internet governance. People are trying to appreciate where and what is happen, and who is validating which information whatever. Specifically talking about Kenya, Kenya at the moment we are in the process of running certain services in the government. We are privileged to be at least three, and we are in the process of building our digital infrastructure within the country. And this connects various governments and institutions in the country, and also at the same time we will be able to have government online.
It's like a chicken and an egg. Where do we start? Do we stop what we are doing, building our local data centre, and jump to the Cloud? The Cloud has several different advantages. You'll be able to take advantage of issues of an expensive hardware and software applications. You don't have to invest in them. At the moment if you've not done that so far, you can take advantage of what is already done. You'll be able to take advantage of an expensive label and building has been a challenge, capacity building. In this case you don't have to worry maintaining your data centres and servers and so forth. Issues of also building and operating successful recovery plans and business continuing to plan in the event that your sites, your data centres are down, you don't have to worry about that. If you invest in Cloud computing, again, issues of contracts, annual contracts and so forth. There are several other challenges, which as developing countries we are likely to be faced with. Among them, we are looking at various jurisdictions. What if your data goes across a Cloud? Where is that data likely to be duplicated? There are several interests among certain countries. Certain countries would want to see your data and how do we get over this? Trust. How do we trust that organisation? Tomorrow, if that contract is breeched, where do you go for litigation and so forth? Do you go to the international court? Do you go to your local court and be able to get a court for this kind of breech.
So we are looking at different contracts here which we have to take into consideration or ideas coming from the floor. So this is an area that we really need to focus on. If today you breech my contract, as a country or as an organisation, and I want to change to another supplier or provider, how will I be assured that data has been migrated to another Cloud?
I really need to feel that Cloud is where I wanted my data to be located to. So these are some of the various concerns.
Cybersecurity is an area which is new and emerging in a big way. As a developing country, we are getting frustrated lately. How do I be sure that my data, whatever it is in the back end, is not being cyberattacked, is not exposed to hacking, is not exposed to phishing and so forth? That confidence is a challenge and it requires that we do a lot of confidence within -- with potential users, potential likely users in the developing countries and so forth. For them to be able to appreciate this kind of new paradigm shift.
Issues of certification authority. When data is going across various network, you need to be assured that this data is digitally signed, various countries and developing countries have rules for certification. You have to also encrypt your data. How do you sure that that data going across the Cloud, nobody is deciphering that date and reading it and passing it to another Cloud. Now we have hot issues with Blackberries and a number of you are following. So developing countries want to have say over this country, even though it's likely to be out there in the Cloud. So as we move forward, there are various issues and we really need to build confidence, trust, come up with best practices, and I would like to believe this is one of the beginning of this kind of forums. We come up with best practices of how best do we venture into this new area. It's a business area for the private sector. A business area for the government sector and developing countries. It's a benefit in ICT and investments at beginning, but also as a care and concern in areas of when this data goes, how do I get it back and so forth. Thank you very much.
>> HERBERT HEITMANN: The Question for you is what criterias do countries need to offer or to provide to be attractive places for the physical part of the Cloud to be located on it?
>> JOSEPH ALHADEFF: Well, the first thing is to go back and differentiate the benefits you can get by using the Cloud versus the benefits you get by being a Cloud provider. And the huge amount of leverage in the Cloud is the services that you can run on the Cloud without having to be a Cloud provider yourself. But if you want to go to the concept of the Cloud provider, the first thing we have to quell as a concept is the Cloud ceases to function as any competitive advantage for anyone if the design of the Cloud is that you want a data centre in every country. Because then you don't have the Cloud you have today.
So, and today we have been moving away from data centres in every country, to concepts of centralized data centres, where people put more resources into protecting the data, into managing the data as well as possible. So we have to think about how you manage data, and the fact that data will not stay in every country. So you have to then start thinking about how you assure security and other rights related to that data as that data may change locations.
I think just base Question of do you want to be a data centre provider, a number of the Nordic countries spoke about the cool winds that will cool your data centre by opening the window without having to worry about all of the air conditioning. So, in some cases, that is a technical benefit for you, if your climate happens to be that way. But, the workforce may not want to live in that same country for some of those same reasons.
The issue, though, is an issue of a consistent power supply, an issue of an environment that is fairly fixed and stable, an issue of a workforce that is technically competent, a logistics infrastructure that is easy to get supplies in and out of, airports, railroad connections that make sense, if you need to move things in terms of equipment coming in or people to service the equipment. And if your business is associated with a call centre you have to look at linguistic capacity language skills. All factors that people will look at when they consider whether to sign a data centre. And the competitive cost nature of that centre, the cost of real estate, facility and the cost of personnel. So those are all factors that you would consider.
The one other thing I would mention is that there is a fear -- not a fear. But it's a concept that there is a new paradigm and we entered the brave new world. We entered a world with increasing complexity. But these are the same issues that people talked about when global sourcing contracts came into effect. These issues have been around for five to seven years already, and they are being dealt with in ways that are imperfect, I admit, but they are already being dealt with in many ways. And you're starting to discuss the fact that many governments outsource some of their information, they choose which information to outsource, based on the national requirements related to that information. And then they choose what conditions to put in contracts, including where the jurisdiction of that contract will be resolved, what the rights related to that contract are, what the obligations related to the information is, who may access the information and from where and for what reasons. These are complex contracts, they are not easy negotiations. They are north the kind of negotiations that you would expect consumers to be able to engage in. But at the business to business and business to government level, these are negotiations that are ongoing with precedents that already exist. How we start dealing with these in the consumer realm will be much more difficult. That's an unacceptable level of complexity for a consumer to have to figure out.
>> HERBERT HEITMANN: With regards to the energy concern, there are energy providers around that can also supply with you clean energy. I never could sell him software when I worked before. But now that I work for Shell, maybe there is a business opportunity.
>> CHRISTIAAN van der VALK: In the last half hour I heard regulatory vacuum and I heard people repeat various concerns about not knowing where the data is. And it takes me back to the early 90, where we had the same discussion, and a good number of us lived through what happened then. Regulators, you know, making it into a matter of prestige as to who would have the first law about something that was actually not even practiced yet, like digital signature, one of my pet topics, people started enacting laws before anyone ever issued a certificate or almost, this is of course, a very, very good example of excessively bad legislative practice. And let's please try to avoid that this time. Just because somebody coined a term that happens to work well with an emerging reality, it doesn't mean that we should try to regulate it right away.
I believe firmly that we cannot regulate it right away. And I believe firm lee, but this is a reality that I live in and perhaps people in the audience don't see every day, that the way the change of service delivery that are being built-up and that in the end consumers will tap into, are change of business to business agreements, where basically, things like Sarbanes-Oxley, various other types of corporate governance frameworks but also internally developed frameworks that people need to comply with, in the end boil down to such an incredible normative overload that even the smallest companies have to comply with huge amounts of very often conflicting requirements. And the Cloud is not some kind of unchartered unregulated no man's land. It's the opposite. It's over regulated today.
Those changes, if you look at the kinds of contractual requirements that are put on you if you're a provider in that chain, even if you provide the most innocuous piece of data transfer information, it's unbelievable. Don't come away with the idea that the companies who provide these service are not regulated. They have to live with many, many different framework, normative frameworks and audits on a daily basis that they have to come plea with. And stringent contracts that basically come from higher level corporate governments and over types of requirements.
Rather than putting another layer of regulation on top of that, let's go back and look at whether the businesses have to comply already. Let's take the inefficiencies out of that process so we meet the functional objectives, which have to do with understanding control, transparency and accountability. We're not there yet, and putting on another layer is not going to help.
>> HERBERT HEITMANN: Those who submit Questions, I hope you sit in comfortable Chairs. I'll give the mic to the gentleman on the floor.
>> Andrew Cushon, I'm one of the ISO C Ambassadors this year. And I work on policy for Vodafone. But the questions and comments are my own. I find this enthusing. I'm excited by the prospect of Cloud computing and the opportunity to hear from you all. It seems that it solves two challenges in running a software business. The challenge of distributing the product and the end-user hardware requirement, in a sense. You know, consumers can perhaps rely upon lower grade technology, because more of the power is required in the Cloud, and the core. But nevertheless, that will be traded off against the need forever more ubiquitous, capable and reliable networks to provide the consumer with those connections. So there are interesting challenges there.
However, more in the sense of Question, the amateur philosopher in me is interested in what I think I caught call the civil liberty style concerns that I can see from Cloud computing. I find it very interesting that we're also optimistic about this when we consider that the risk of Big Brother style intervention in this, can the centralization of so much personal and corporate information, and I wonder whether or not that will relate to some kind of consumer backlash against products such as this, as people realise just how much of their lives are stored in synchronized masses of databases.
But with regard to the to regulation, governments around the world are concerned about quasi Cloud like services. And we only need to look to the experiences that Blackberry has had in India and other countries in the Middle East as to how those concerns can manifest. How do we manage government's concerns around security and sovereignty, if you'd like, to ensure that that doesn't become a barrier to allowing those markets to develop. Thank you.
>> PABLO MOLINA: I love philosophy. I teach ethics and technology management at Georgetown. So that brings up an interesting point, which is part of the policy vacuum that we discussed. And we are dealing with new values that we were not considering before in light of the new technology, things such as account act, control, usability, autonomy, control of the information, ownership of the information.
For example, yesterday I believe an employee from Google was fired because he was using his MHA rights to check people's email. It's great that Google fired this person. But if that person happened to violate my privacy by looking at my e-mail, I'm not happy about it. I would rather see a mechanism by which this would not happen. There are a number of organisations in the United States, in the government of the United States, that have great surveillance powers, technology powers to exercise and to tap into these clouds would be terrific for them. Let's say you are trying to thwart terrorism, one way to do that is to follow the money. The more of the financials services up on the Cloud, the more you can tap into this information. And this is where I think that you need some multilevel agreements, but you need the development of system policies and guidelines to make sure that while you provide these service, while you take advantage of the economic and technical opportunity, that also, you're preserving the privacy of the users. And part of that is an interesting concept discussed here before, it's the concept of transparency. A big part of this is to be able to communicate in an easy to understand way to the users of those Cloud services what is it that they're getting into. There is another interesting point, which is how much of capture relationship it becomes once you start using one of the big providers? How is -- how easy is it to switch from one provider to another. How easy is it to move your data, if you live in the UK, and you want to reside in the US, how is it to switch? How easy to is to switch?
>> VIKRAM KUMAR: The first part of your Question, around network, I wanted to address. Cloud computing requires a shift of focus from some of hardware at the end to the transmission networks. It's more complex than that. Because, the nature of the network is important, first of all. So, a lot of countries, including New Zealand, we have asymmetric upload and download speeds. Cloud computing requires substantially higher upload speeds than we have today. So getting out fiber is important. IDSN doesn't cut it. It's the same challenge that mobile phones will face until 4G comes along. Until some of the speeds in practice become fast enough. But it's not only the network, it's also what about the international gateways? Because if the Cloud is global and you're sending lots of data back and forth, you have to think about the cost and reliability of the international gateways that are out there.
And finally, I think it's just worth also reflecting that you can't look at Cloud computing on its own. It's a part of online services. And what we're looking at the moment is a shift for the consumer market into online services being delivered more and more as products.
And that is now happening in the business market, because the business market and the government market was essentially buying hardware or software and they were look at it as individual products. And what we now are seeing is these products are being offered as services, but the service are being offered in a way where you can buy them in chunks. And so they retain their product quality. So we have got this change that is happen, and a lot of it is very hard to ascribe to Cloud computing on its own. It's a part of the change of services being offered online. And sometimes it becomes really important to distinguish general issues of the Internet, general issues of online services from Cloud computing, which is one way in which those services may or may not be delivered.
>> HERBERT HEITMANN: Thank you. Now I'd like to ask for the next Question from the Web.
>> HEATHER SHAW: The Question from Paul in Kenya, would the current cybercrime legislation be sufficient to tackle cybercrime on the Cloud or should there be a new legislation targeted towards Cloud computing?
>> MICHAEL KATUNDU: It's a general Question on the existing cyberlaws. They address the likely event of cybersecurity challenges within the Cloud computing. The answer is yes and no. Basically, what we are encouraging, if I can talk from the perspective of developing countries, is that the various developing countries to have their own cybersecurity management frameworks in place, so that they can be able to nationally have a way of responding both reactive and a proactive manner on cybercrime attacks. We appreciate that cybercrime is here with us, it's not likely to go. So it's best to cover a part of it to make sure that in the event that there is a cyberattack, then there is a national point of conduct, where you're going to report. And then within that national point of conduct, there is a sector within the country.
You report to various sectors in the country.
And collaboration is encouraged for us to be effective in dealing with cybercrime.
And you have the responses within the various country, and they can collaborate on the national level. Then we can say that we have better ways of mitigating these new and challenging areas of cybercrime. It's not really changing the laws drastically. It's an issue of having best practices and being able to collaborate as required.
I wanted to make a comment on the issue of Cloud computing as far -- from the perspective of access. We appreciate that in developing country, access has been a challenge, and hence a reason why during the IGF forums we have been having this access topic, which is controversial to some extent. When you exflor the aspect of having Internet exchange points in various country, basically, it's to keep your local traffic local and be able to avoid paying a lot of money.
We appreciate (Off microphone.) It's developing countries are yet to be able to take up these. They can market, sell, create awareness, but the back end services are likely to be (inaudible) this is likely to revise traffic strategically. The traffic from developing countries is likely now to turn around and are supposed to be kept local, to be distant, which we know are charges that are quite high. And we are in the process of negotiating. And we want to keep the international (Off microphone.) Rising cheaper. So this is a way to develop as we build best practices in this area. We have to explore the likely market for the clouds, for the back end server, and the systems. How are you likely -- and this goes to my colleagues here on the podium. How are we likely to be able to also try and bring down the cost of the international circuits, so you can debate on any current years?
We can deploy these services now. Thank you.
>> HERBERT HEITMANN: Thank you.
>> JOSEPH ALHADEFF: Apart from the valuable information provided. And the information across CERTS and across Departments, there is the Council of Europe Cybercrime Convention which creates an international framework related to how the issues are cried. And it's written at a high level and should be applicable for quite a while. But as exploits change and the threat matrix develops, we will have to go back and reconsider the application of those principles. The principles will stand, we have to make sure that the methods are in keeping with the best way to address the threats. But that framework is a useful framework going forward and should be considered as well.
>> PABLO MOLINA: It's not only that the great corporations or the computer scientists and engineers are great in innovating. It's just that the bad guys are innovating the crimes. let's look at privacy laws for many different countries or the rules for electronic evidence for any legal proceedings. In many country, they are based in the fact that the information is contained in a mobile phone or laptop. Have the police get control of the laptop? Then have a forensics expert go through the laptop and find out the information. What is the information is not to be found here you and your property. Unless the laws and procedures are changed, they will not be very effective for law enforcement.
>> AUDIENCE: I'm working for the Icelandic government. Elva. And I would like to ask a question from a government perspective. We see that I come from one of the countries that you were mentioning, where you can open the window, so it's going to be quite cold. And we see that there is -- that governments see emerging business models in this, to have favorable legal frameworks dealing with security, privacy issue, and so forth, that can provide green energy and so forth. And from that perspective, from our side, we have been thinking quite a lot about what is then going to happen in this world if a vast or extensive chunks of data are being lost, for example, in a territory of a country. So, could you elaborate a bit? Do you see this as being like a shared responsibility?
I mean, you don't know what can happen, it could be a cyberattack. It could be whatever. But, data is being lost. Could you elaborate a bit on that? Thank you.
>> HERBERT HEITMANN: You mean when an S Cloud occurs in the Internet Cloud? Christiaan?
>> CHRISTIAAN van der VALK: I think that -- I'm not sure I fully grasp the context of the Question. But from my experience in working with people who really do know the technology, and the risks of data getting lost once it is stored in this kind of environment is extremely low. Precisely because of the replication across many different sites and databases. So, I think sometimes we're losing a bit of the perspective that many of the developments that we're talking about here actually deliver such massive improvements also to security, availability and performance that many of the questions we're asking start to become a little academic. Yes, they may be lost, but of course the risk of it being lost is being drastically reduced at the same time. So we should not lose that part of the equation.
>> HERBERT HEITMANN: I think --
>> JOSEPH ALHADEFF: I think one clarification is lost would mean compromised in the way that your Question is being asked. So I would modify Christiaan's statement and take the word "Is" out and replace it with the word "Can be." Because that goes back to the Question of who is your provider, what is their security and what is their level of having managed risk appropriately?
And so the Question goes back again, I think, to how -- it's one thing for enterprises to perhaps be able to go Judge the quality of a Cloud provider. I think it's more difficult for individuals to make that same judgment. I think for the most part, in the initial case, if they are concerned about privacy and security, they will rely on brand. If they are concerned about what service they are getting, as Vikram said, they will just be concerned about how good the server seems to operate and they will not worry about the back end until a problem happens.
But I think understanding how to better understanding what your provider is offering, which is talked about as transparency, and understanding how to evaluate those things, whether by brand or other feature, is going to be the differentiation. Because a lot of information is stored on computers that are sitting underneath someone's desks or laptops on their desk. And the statistics in a lot of countries are that 25 percent of those computers are infected by Bot Nets. That's not a wonderful place to leave your information.
There are a lot of enterprises that look at the computers every morning and have no idea what the flashing lights mean. Because you are in physical control of the device doesn't mean that you have secured the device in any way. So that's one of the ways in which the Cloud may enhance security. But if the network isn't secured, then you can compromise information in transition. If the data centre isn't properly secured, you can have a potential breech of the data centre.
The Question of data being lost as in misplaced, becomes more and more remote, I grae agree with Christiaan, becomes more remote as time goes on. The last factor you have to look at when you think about this management is also the type of service you're asking for. So, for instance, if you're asking for someone to manage your information it's more difficult for you to enci79 it and give it to them, because it's harder to manage the information that is encrypted. So these are factors that you have to consider. And that's the part that we may look at and say perhaps now this is the brave new world portion, because these are multiple factors that you have to think about, and perhaps we weren't thinking about these enough before.
>> PABLO MOLINA: To follow up on this, about a year ago, at the annual meeting of privacy commissioner, worldwide, which took place in Madrid, last October, basically, there was an interesting session pointed at the possibility that you brought up, the session's title was you know your data is in the Cloud, what if it rains? And the interesting take away from that is the following, that we ought to identify, particularly for the services, the accountability, in order, to is responsibility for that? And are you exercising due diligence in preserving, storing, delivering that information? And it's interesting. The government contracts (off microphone) and what happens if the information is leaked? Who is responsible? We are trying to determine this in the United States after the British petroleum platform, you know they had a problem and oil spilled everywhere, who is responsible for that.
And then on top we need the regulation that goes with that, to find out legally, who is liable, which may be a different Question to answer. But in the end, the number one penalty for organizations that are losing their data and most of us have at one point in time or another, it's basically the brand reputation damage that can be bad but in the past has not been terrible, not for the government of the UK, not for any of the other egregious data breeches that were reported worldwide.
>> HERBERT HEITMANN: Yes?
>> VIKRAM KUMAR: I wanted to add that not with standing everything that you heard, it's still worth being sensible. So, it might well be that the chances are remote. It might well be that an organisation is to be held accountable and liable. Yet whether a consumer or business, you always need to plan that you still may lose the data. And have back ups in place, et cetera.
So, for example, if I buy into an advertisement online and store my whole -- all my digital pictures online, and they get lost, and let's not say it can't happen, because we had, for example, Microsoft side kick they say lost all of their data. It does happen. It's remote, but it's not of comfort to me to know who is liable for that. I just lost all of my photographers forever. So you have to be sensible and have backups.
>> HERBERT HEITMANN: Our colleague, Peter is trying to get his questions through the firewall, he can text it on my cell or Heather's cell phone.
>> The microphone seems to be missing on that stand.
>> AUDIENCE: Thank you very much. I'm also a member of the European Parliament. I'm Cally Kalatva.
I want to go back to the research in the field of civil security. The legislation, this is not enough. This is still a very important theological problem. And we have to decide in the future for the programme.
So, yesterday I was in another workshop and we were discussing about that field, and what I got from that workshop is that new ideas are needed and also there was a sentence that came to me that was at least to stimulate it. And that was that one of the colleagues said do not put more walls. It's a question of moving faster. My Question is, does it make technological sense? How far we are from setting the logical solution to all of the problems that we mentioned on security and how we are progressing on that, what we have to do in the future on that field, what we have to support. Thank you very much.
>> PABLO MOLINA: How many members of the European Parliament are in the room, out of curiosity? I know that there were at least three. I could recognize them.
So the fact that you're here speaks volumes about your concern, precisely for these interesting topics. My own prediction as an observer of the technical industry is that I don't see any time in the near future. And the reason why I don't see it is that there are other aspects of human activity, crime, misbehavior are endemic to human nature. For all the technology that we have, people will find a way to use it for the wrong purposes. This is great, because we will all have jobs for many years to come.
>> JOSEPH ALHADEFF: I think the do not put more walls is usually less an attribute of security and more a question of access to information that people are thinking about. But, even from a security perspective, there used to be the concept that security was created by having a big castle and a Moat and a nice big draw bridge and that represented the concept that you had a firewall. And that was the way in which you did security. And that's still one of the ways that you do security. But you have the concept that next to the data you put a body guard. So if someone gets through the firewall there are still ways to defend. Now you have layered security. And more and more of that layered security concept is being implemented, you have the actual places that data is stored being more resilient against external threats.
Well, the threat of the hack, you have to worry about social engineering and others that bypass those defenses and go in through other ways. Those attacks are being things that companies are paying more attention to and there is more research done on how to deal with those. The last thing is that you have to work on the culture of security and privacy within the actual business, so that you understand the value of those things and that it is a value of all of the employee, not just a value of the technical community or the privacy compliance office. So that is an evolving, I believe, area of progress within companies that we're seeing. And so I think that is also important.
And, you know, to Pablo's Question about what if it rain, part of the solution from the security side is that we have umbrellas.
>> HERBERT HEITMANN: From the European Parliament to the American government, former --
>> AUDIENCE: No longer US government, I have to be clear otherwise -- I'm David Gross. Is this working? Okay. I have to get closer. Sorry.
I'm David Gross from Washington, D.C. with Wiley Ryan. I was struck by some of the earlier comments which I of course heard before, which is the problem of access by governments who have legitimate interests in having access to data that is stored somewhere. And there is concern that is often well publicized about having timely access to such data when it's stored overseas.
It seems to me that one potential solution that has a couple of practical implementation problem, but could be a path forward is I've been struck by the number of countries around the world that would be very -- are very active in seeking to host large data farms for a variety of reasons.
It's been alluded to before. If I were such a government, I might say that in order to attract such a large data form fo to my country, that I'd be willing to sign an MOU or a treaty with any other country that would be willing to send data to my -- the data farm being located by a private enterprise, not by government, and therefore basically have an analogous situation to having embassies on my territory, which I allow to consider sovereign on that host government. As I say I as the host government will step out and allow the normal processes to take place in order to encourage companies to come to my shores and employ my people and create new enterprises in my country and allow for that sort of access from overseas.
Any comments, I realise there may be practical problems. But it seems that you need to come up with some new technical and innovative solutions to solve these problems. Otherwise, we will just be chasing our tails on a continuous basis.
I also don't think that having a global treaty works very well in this area, because that will take much too long to implement.
But a country could unilaterally say they would be willing to agree to this type of reciprocal agreement in very short order. Thank you.
>> HERBERT HEITMANN: Interesting idea. It reminds me of a discussion we had in preparing, we looked to analogies for free trade zones. I'll ask the colleagues on the panel to comment on this proposal or this idea.
>> VIKRAM KUMAR: There are a couple issues that need to be thought through. If you look at Cloud computing in general, the bigger the included, the more scale and cheaper the commodity. And that's important to recognize. So, you have to have enough countries signing up so that it becomes viable. It's very difficult for one or two or three countries to sign up, and you don't get the scalem. But you could get some scale. So it's certainly something worth looking at. But it's worth keeping in mind, that the bigger the Cloud, the better, the cheaper it is. And if it's not big enough, you don't get the scale to make it worthwhile. So there is a bit of a trade-off that happens.
The second thing is that it's a bit of a technical challenge sometimes to be able to restrict where data is held when it's at the moment it's quite arbitrary. So at the moment if there is a database in one particular data centre, it is -- it's quite common that it isn't only in one data centre, but it is held in a number of different data centres in different slices and dieses. So I think what you need to do to get that kind of an idea going is to have enough scale and have enough countries sign up quickly enough. But I certainly think it's an idea worth looking at.
>> PABLO MOLINA: I think that's a fantastic and very creative idea and one that deserving closer examination. Certainly, there is a reason why people bank in the Caymen Islands or in Switzerland and certainly the legal framework and the reward proposition. I think this could give a competitive advantage to some countries. It will make many of us unhappy in the Civil Society Information, we know what is happening, then at least we will be able to exercise our choice.
>> HERBERT HEITMANN: Next Question.
>> AUDIENCE: Thank you very much. My name is Moinda from the Communications Commission of Kenya. I just wanted to reiterate Michael's Question, which we have not gotten an answer to, that developing countries such as Kenya have taken significant efforts and investments in trying to build capacity within the country and -- in terms of access, and also international sub marine cables to be able to interconnect with the rest of the world. However, now I believe Michael's Question was that we now have all this access available in developing countries. However, Cloud computing will reverse the traffic trends. One of the presenters did say that data centres are not really -- have competitive advantage, because of the requirements in terms of reliability and stability of the electricity, for example,
Infrastructure requirement, such as roads, airports, the equipment. So, in essence, the competition is with regards to the services that you provide from those data centres.
So, we are currently building lots of infrastructure, but at the end of the day it's not a competitive advantage. What will be the competitive advantage is the applications and the services that you are able to offer on the basis of that infrastructure, which is their data centre.
So, how then can developing countries benefit from Cloud computing? I remember in the last session that just concluded, one of the participants asked: Does really Cloud computing at the end of the day facilitate the narrowing of the digital divide? Maybe not. I would like to hear your views about that. Thank you.
>> CHRISTIAAN van der VALK: Just a brief, one of the things that I said at the beginning of the session, I'd like to repeat, I think these new models of delivering service, developing applications and delivering them instantaneously, without having to invest in infrastructure, et cetera, are huge opportunities for people who have perhaps not the financial resources, but certainly the gray matter in the country to develop smart applications. And I think the example that I mentioned of the company I work for, it should really be taken into account. The cost of sales of bringing an application to corporations worldwide has been almost zero. Just the cost of a Skype call, just the cost of a conference call to actually set up very, very serious, robust, redundant Cloud connections with people who use them right into the heart of their business operation, without any problems.
And you can do it from Kenya or China or Sweden. This is frictionless commerce. So these opportunities are the ones that developing countries should focus on. Providing applications through these new services is just a fabulous opportunity and the cost is very, very low.
>> HERBERT HEITMANN: The infrastructure that I refer to is guaranteeing the access which is crucial for all of these things. So, I think -- my read on this was that we're very much these days in discussion on the Cloud focusing on the physical expression. And that leads to the Question of where is the data centre? And the way I read Joe's comment, don't lose sight of the big advantages that the application of services that are delivered and developed through the Cloud after as an opportunity for those who want to contribute as well as for the consumers who are using This.
>> JOSEPH ALHADEFF: I think the sub text, and it wasn't ignored, it's just that I'm not an expert to connectivity or the costs of infrastructure in terms of network infrastructure, which is why I didn't try to address it.
If in your region the cost of tapping into the network is significantly high, then that is a threshold barrier to the value of this frictionless commerce, because it's not frictionless at that point.
And I don't want to ignore the Question, I just don't know how to answer it, because it's not my specialty.
>> HERBERT HEITMANN: Your recipe is to increase competition. I don't know whether that works here. I see service providers in the room, in they want to have a question, they are invited to do so.
>> HEATHER SHAW: We have a question from Jerry George in St. Lucia. Is it reasonable to assume that most the Cloud storage providers will exist in the more developed countries with respect to cyberlaws relating to access to data? What is there to protect smaller countries being bullied into submission by the more powerful countries in accepting certain rules which favor them and their interests and to the disadvantage and those interests of the smaller states.
>> PABLO MOLINA: I think it goes back to the same Question. Thanks to globalization, globalization theory, tell us that when you have the opportunity to locate your operations in different parts of the world, then you will end up following the economic maximization models. In other words, you'll look at risks and rewards, and you'll place your factories and your operations. And there are centres are going to be the same. So there are all of these questions, what is the economic environment of the country? Can you get access to power and access to the technology, do you have an educated workforce. Are those people in the workforce speak can the language that I want them to speak so you can interact with them. When the executives of your company or organisation are going there to the site seeing trip?
Do they like the food and people? So, these are all of the concepts in globalization that determine where the data locations will be located. As David mentioned and some of the people and the panelists mentioned, the legal framework is critical. This gives you an advantage when decided where those data centres are going to be. And the countries or the regions that succeed in finding the optimal legal framework will have an incredible advantage over everybody else.
>> CHRISTIAAN van der VALK: I'm not a technologist, but I'm -- I worked with a lot of technology people. One of the things that I learned in doing so is that I think there is a notion here that in a data centre is in your country, you can more easily access the data than if it's in another country. And I think that that is slightly wrong. Most applications and systems are not designed or operated in such a way as to make it easy for people in the data centre to access the data. Quite the opposite. These are designed for remote access. I don't think that the data being physically present on your server in your country gives you a benefit with regard to industrial espionage at all. The access to the data is some kind of programmatic interface which you need credentials for or a graphical interface, which you can access from pretty much anywhere.
It's complete -- I wouldn't say it's not relevant where the data centre is, but it's certainly not the thing that determines whether or not you're going to be able to exploit that regulatory advantage. So the Question is based on an assumption that is slightly off from the actual use of the technology.
>> HERBERT HEITMANN: The experience has shown that the value add generation usually happens much more in the creative space of the applications, than in the much more commodity kind of provision. This is just from a scaling effect and the economic effects.
I don't know why we have no microphone on the one side.
>> It's the virtual mic on the left side.
>> AUDIENCE: Thank you for giving me the opportunity to ask this Question. I've just arrived, and I'm somewhat late in this technology. But I'm taking a look at this in a different fashion. It will not necessitate the need for many countries to sign up. I'm looking at it as a slot being assigned to every country, a satellite orbital slot where you're assigned a country, you assign a country a space. It has to be generous of memory assigned to that country. And service providers can say look, you want me to give you a slot, then you say yes, then you go to another country and so on and so on.
So every service provider from every part of the world can do business in any of these Clouds. That's the way I look at it. Thank you.
>> MICHAEL KATUNDU: From a point of view coming from the developing country, where ICT investment is not that much. We are in the process of looking at which application to put online and so forth. This is an area which we can start thinking of migrating into. But generally, knowing that within developing countries, we have a major investment in mobile telephony and the extent of use of these services is quite high, as opposed to countries like the US where the (Off microphone.) Is quite extensive. And when you think of mobile application on the mobile smartphones, they are not likely to have a lot of capacity to keep your data and so forth. So if you want to have Cloud computing in the next number of years, I can see the mobile, the smartphones, mobile technology being the way forward in accessing and locating your data and responding and getting access to your applications. So it's something that we need to think as a way forward and venturing into. Within developing countries, we are challenged with the concept of E west. We have dumping of equipments out there, coming to us and then we end up replacing them. And we need to dispose them. And we don't have the relevant regulations. And this is a way to have investments in equipment and be able to replace basic equipment, like the mobile phone, laptops, with no major investment in terms of servers and backend systems.
Again, within developing countries, we appreciate that. We are in the process of looking our best. We have our data in one location so you can continue with business and have recovery plans. We may not have experienced a number of disasters, but in the event of one, we may be having these. Suppose it's attacked, again you are required to have backups. So probably we can avoid that by investing in the Cloud, as we are calling it, and be able to have the data duplicated across world. This is happening in root servers, and so forth. So it's not a new technology. It's something which is already used. It's just a hard thing to change from the way of doing things traditionally to the new thing.
Again, we are investing in bandwidth, lately, in a number of countries. This is okay. Of course you needed high bandwidth. Basically, it's a way forward. And for us, I challenge developing countries if you need to, to locate our policies, the legal framework, and so forth, and particularly, the -- most of our countries is technology neutral. I don't see any challenges. But it's for governments to explore further and to look at how do you mean to venture into this, given that data is the most crucial item to have these days, because if your data is accessed, then you never know what next and what somebody can do to you. Data is accessed every day. But again, you really don't want to get into (off microphone) so we have to start rethinking in this new area and see whether it could be the next formal wise, being able to invest in the ICT applications with the less investment and costs.
>> JOSEPH ALHADEFF: One commend, there are a lot of people who were talking about some of the fundamental concepts and a lot of people talking about what are the business motivators. The OECD did a fine background paper on Cloud computing, which is available online and is continuing to do work in this space, look at emerging topics and practices and issues related to Cloud. So that would be one area of resource that one may consider. When it comes to the business facilitator, business factor side, there is a work product that comes out of APEC, which is called the digital prosperity checklist. And the it takes a look at what are the factors that make an economy competitive in relation to the information society and the digital economy? And both of those organisations have documents that are useful in look at these issue, and should be considered as you evaluate the concepts and better understand the issues.
>> HERBERT HEITMANN: Next Question from the Web.
>> HEATHER SHAW: Question from Charles in Ghana regarding Internet access. It seems not a feasible option for most developing countries to invest in clouds when there is no Internet connectivity. What do the panels have to say about this?
>> HERBERT HEITMANN: Well, if there is no Internet connectivity.
>> HERBERT HEITMANN: We are at the very beginning. And it's interesting to see where are the places with no Internet activity. I'm traving a lot, and sometimes I'm annoyed by the fees I have to pay. But where there is no access -- so the Telcos here in the room will know this best. It's their future growth opportunity. But I'm afraid that the panel doesn't -- isn't able to solve that.
>> PABLO MOLINA: I've been to a small village in Ghana, the name of the village is Chiwi and there was not electricity. So first I would want electricity, water and power and then Internet connectivity. Some of the problems are basic. And without those requirements being met, no person can take advantage of Cloud computings.
>> ALDAHEFF: While the promise won't be met in a place where you don't have Internet connectivity, there should be the concept, though, that some concepts from the Cloud are also useful and can be used in low tech phones that are accessible. And there are amazing things that can be done through connection through SMS messaging. And that's not high end PDA, that is basic standard phones. So maybe the Cloud infrastructure is not available, but maybe there are services that you can deploy across existing infrastructure. They may not have the promise of what the Cloud can deliver, but there may be significant improvement on the way things are done.
>> HERBERT HEITMANN: Not all innovations happen in the Cloud. What can be done is simple. Just SMS enabled cell phones in the space of microe-business is very impressive and again should not provide limitations to access.
Further Question? Heather, further questions from the Web? That's not the case.
You have a question or comment?
>> MICHAEL KATUNDU: Thank you, Mr. Moderator.
One of the areas which we, as we -- as a way forward and going forward in this aspect of Cloud computing, is for the investors to look at the aspects of cost. What kind of costs are likely to be involved in this venture? And the challenge from developing countries is probably -- the costs could also be kept as low as possible. One of the ways of doing this or achieving this is probably rather than investing heavily in the proprietary software, the investors in this area can explore aspects of using open source, software so that probably can keep the cost of licenses and so forth down. And by extension then the services are likely to be cheaper. Thank you.
>> HERBERT HEITMANN: And if there are no further comments or questions here in the hall or via the Web, then that gives me and that's the case, that gives me the opportunity to thank you all for contributing to this workshop here. Thank you to the host government of Kenya.
I also learned that in the meantime, The Honorable James and The Honorable Philp joined us here. Thank you for your tension. We look forward to continuing the conversation later in the year when Kenya is the host country for the whole IGF. We look forward to this. I'm not trying to summarize, but I have just a few comments in reviewing what the last two hours we have discussed and heard here about. At the begin, it was you Pablo who said a short-term Cloud it's under estimated (Off microphone.)
I heard clearly and called for the regulator to harmonize what is existing and comply with the challenges in this truly global demonstration of the Cloud and then think about the adjustments here. But adjustments are necessary. I think this also came across clearly.
We had the debate about where are the nuggets, what is the attractive part being a Cloud provider or taking advantage of the provision of the cloud. Everybody can make up his or her own mind on this. But it's good to look at it from the two aspects. And we had proposals to apply new models on both sides on the data centre.
I liked the example of the embassy kind of places was in the physical deployment of a data centre. And I'm sure that many who think about this will take this as inspiration to move further on. As an example, I think conversations where this dialog is necessary and important and why we, the ICC, strongly believes that the IGF needs to be continued in this fashion.
The topics will change, next year we will have other topics to debate about, but we all depend on this exchange to understand where the concern comes from. But also where the opportunities come by. Big business, small businesses, it doesn't make a difference.
Thank you all.