We had the opportunity to take part in the “Privacy in Cloud Computing” workshop, as part of the 5th International Meeting on Information Security that took place in the city of León, Spain.
I shared the workshop with a number of very relevant representatives of the legal side of Cloud Computing, including the Spanish Data Protection Agency, university law professors, the Cloud Security Alliance and members of the Spanish Privacy Professional Association. The different approaches to cloud computing security and privacy risks were stated, offering a lively discussion to the audience. After getting a more accurate overview of the current legislation applying to security and privacy, and explaining the technical solutions that currently exist to comply with it, at both the Spanish and European levels (Spain has one of the most restrictive bodies of data protection legislation in the European Union), we all realized that we agreed on more than one aspect:
- Security concerns are more related to contractual issues and awareness of Cloud concepts than to technical constraints. The fact that there is no major ISP providing a European public cloud service doesn’t help any of us build confidence around a well-known reference, meaning a company whose message integrates technical, business and legal aspects and which is able to provide real success cases covering all of them.
- We have all failed to communicate all aspects of Cloud Computing appropriately to end users and customers. They are either aware of the legal obligations and do not know how they can be met, or they are concerned about the business impact of cloud computing without exactly knowing all the implications in terms of security or privacy. Either way, it affects the decision-making process and prevents cloud computing from being massively adopted for core business processes.
- Public Administration has been a very important driver in Cloud Computing adoption in countries like the U.S., with the cloud first policy pushed by the Obama administration through the Federal Cloud Computing Strategy. The impact of this mandate has not only affected the budgets of the different public administrations but has also helped companies and service providers understand the importance of prioritizing their cloud offerings and cloud-oriented developments, as well as improving their security and privacy controls, taking cloud computing to a different competitive level with respect to traditional IT. Europe simply does not have the mechanisms in place to promote or impose any global cloud computing strategy in such an efficient way.
- In order to have a smooth, risk-free migration to the cloud, a company needs to have a safe starting point: a clean IT architecture and all the security, continuity, availability, capacity, disaster recovery and auditing procedures in place. This is not the most common of cases. It is essential to do some prior work to get a company cloud-ready, and that means an extra investment that weighs on the cloud yes/no equation.
So with all these areas of common ground identified, it was easy to create a shared wishlist for the near future:
- All the efforts to understand what cloud computing can bring to European competitiveness need to turn practical. It is public administration where our politicians can perform. Private industry will eventually join. It does not have to do with unifying legislation or promoting any research and development in the area, which we already do. We need our Cloud First initiative in Europe and we need milestones to be set and deadlines to meet. We have a large and complex public administration structure. The larger it is, the bigger the impact.
- IT history has a long track record of company consolidations in all sectors, through mergers, acquisitions or bad business decisions that reduced the relevance of some promising players. As a result, relevant competition is usually reduced to a few big players. This is the case for hardware providers, operating system providers, internet players and management software companies. How many of those companies are European? I expect similar consolidation to happen also in the cloud providers arena, where Europe does not have any global relevance today. If we want to have a relevant European presence in the coming years, we need to start building clouds our way now.
- We, as cloud providers, should take advantage of the restrictive legislation we need to comply with. We have been blaming the legislators for preventing cloud computing from being adopted, and we should have made these restraints part of our offerings from the start. There is a long way to go in cloud audit and cloud security systems, and the fact that we, in the many different European countries, have these hard-to-meet legal obligations is a big advantage when it comes to defining and promoting the standards in these fields.
It is time for Europe to get really cloudy.