Conclusions from the Cyber Security and Cloud Computing Conference in Vienna: Better together
For many years I have held various roles at EU level, such as in the working group on a “Candidate European Cloud Security Certification Scheme”, the decision-making body for the “EU Cloud Code of Conduct”, and the European Telecommunications Standards Institute (ETSI). The primary aim of all these initiatives is the establishment of a European digital single market – an ambitious enterprise, but for us Europeans, an essential strategy for survival.
In early December 2018, the “Cyber Security and Cloud Computing Conference” of the two working groups Cloud Security Certification (CSPCert) and SWIPO (Self-regulatory Codes of Conduct for Switching Cloud Service Providers) was held in Vienna, at the initiative of Fabasoft. It offered further insight into the importance of cloud computing for the European single market and into the progress made by both groups.
A choice between working together or a rigid set of regulations
Talking about the latest regulatory initiatives towards the free flow of non-personal data in Europe, Pearse O’Donohue, EC Director for Future Networks, emphasised the role of the current self-regulation measures in creating a secure and open cloud environment. “Since all companies have the same technical expertise, they also all face the same problems where data security is concerned, or when customers want a smooth transfer of their data when changing providers,” explained O’Donohue. “So European cloud companies now need to pool their resources, to devise a solution that works right across the industry and which will become an industry standard. This will also ensure there is no unfair competition.” The unattractive option is a set of rules laid down by the authorities.
Dynamic purchasing system assesses new proposals
Javier Cáceres, Cloud Program Manager at DG DIGIT, spoke on the public tender process by the European Commission to set up a legally binding instrument for access to cloud services (“Cloud II: Phase II”). He explained that, to allow for the changing needs of cloud businesses, a Dynamic Purchasing System (DPS) is being integrated into the new procedure, which allows the registration of providers and ongoing assessment of new services. Cáceres also spoke about GovSEC, a risk assessment process based on an adaptive framework that allows system owners to consider the following key questions: What dangers and threats are we facing, where and how should the process be used and managed, and against whom is defence needed? This then enables the best available security tools to be selected for specifically identified circumstances.
Europe targets the “golden mean”
If we can manage to find a “golden mean”, with digital infrastructures that reflect distinctively European values, we can become a global player. In summary, we must firstly ensure that online platforms can operate in fair market conditions to contribute to the growth of our economy and societies. Secondly, Europe must exploit the full potential of the data economy. And thirdly, European assets must be protected with appropriate cybersecurity measures.
Uniform cloud service standards are therefore urgently needed for the digital single market! Small and medium-sized European businesses in particular cannot afford to deal with a patchwork of various different certifications. In view of the findings of the cloud working groups on CSPCert and SWIPO, as presented at the Cyber Security and Cloud Computing Conference, I can assure you that we have already made pleasing progress towards the goal of a shared market.
Helmut Fallmann is a member of the Managing Board at Fabasoft AG. Amongst other things he is Co-Chair of the Working Group on a Candidate Cloud Security Certification Scheme, and a member of the Steering Board for the EU Cloud Code of Conduct.