Udo Helmbrecht will be speaking at
the Cloud World Forum, taking place on 17-18 June 2014 in London. The Cloud
World Forum is EMEA's leading Cloud event welcoming 8000+ attendees and 250+
exhibitors over the two days. Visit http://www.cloudwf.com/ for your free delegate ticket. The 6th annual show features 12 theatres
led by Cloud end-users: more than 300 speakers from multinationals, SMEs,
public sector organisations, online players, regulators, telcos and analysts
take the floor in engaging, thought-provoking keynotes, hands-on labs,
brainstorming sessions and live demos over two days.
As we approach Cloud World Forum in London this June, Business Cloud News
had the opportunity to get a few minutes with one of the conference speakers,
Udo Helmbrecht, Executive Director, ENISA.

Q. Can you give me a sense of some of the unique attributes of your business
or vertical, and how they shape or impact your IT estate?

ENISA works with a
range of stakeholders, from citizens and small businesses to large corporates
and member states. We are constantly interacting with our stakeholders across
the EU, through social media, video conferencing, group calls, collaborative
real-time document editing, mailing lists, et cetera.
Although ENISA
doesn't handle secret documents, we do manage a lot of information which is
sensitive. So security of our services, and this includes both confidentiality
of data and business continuity, is paramount. At the same time ENISA is small,
it is actually one of the smallest EU agencies and we have limited budget
and resources. Balancing the increasing information technology needs with the
high information security requirements and the hard budget limitations is
challenging. In practice we are constantly looking at ways to make our ICT
operations more efficient and more effective. This means we are buying more
standard off-the-shelf products, and, where possible, we look at outsourcing
and cloud computing for the delivery of our ICT resources. For example, our
website and collaboration portals are based on open source products, which are
customized, run and maintained by web-development and web-hosting companies.
The development of an innovative and competitive EU cloud market will be vital
also for us as customers.

Q. What do you think the most disruptive elements of cloud computing and
enterprise IT are currently?

Cloud computing
continues to change the way customers use information technology. With its
Cloud computing strategy, the European Union has placed cloud computing at the
center of its Digital Agenda. Cloud computing has the potential to increase
innovation and competition, to boost jobs and economic growth, and to reduce
the time and money needed for new ICT solutions. At ENISA we focus on cloud
security and cloud security has been a hot topic for several years - and even
more so in the last months. Because cloud computing is a kind of outsourcing,
customers may lose some control over how their ICT is implemented. Many of the
security risks associated with cloud computing are related to this potential
loss of control. Over the years cloud providers, together with the customers,
have developed ways to give customers more control. Many cloud providers now
offer dashboards, with monitoring data and controls, service level agreements,
detailed contracts specifying the responsibilities of the provider, preferences
on data location, and more. This trend will continue.
The recent
revelations by Edward Snowden about the NSA's surveillance activities put the
media spotlight on another aspect of cloud security. If customers place all
their data in remote datacenters, then how can they know for certain that
nobody looks into their files? If datacenters are in foreign countries or
operated by foreign providers, how can customers trust that access requests by
law enforcement are handled in a way acceptable for them?
At the same time,
it is easy to see that cloud computing offers important security opportunities
for customers. Imagine the costs of a state-of-the-art datacenter, with 24/7
monitoring and incident response functions, with highly skilled ICT and IT
security staff, robust power supply and redundant data connections. For most
customers such investments would be far out of reach. Now imagine several of
these datacenters, spread across a region, to prevent outages even in the face
of natural disasters. The catastrophic earthquake and tsunami at Fukushima
Japan of 2011 provided a good practical example of the robustness of cloud
computing. In the disaster areas, most legacy ICT failed but the large cloud
datacenters were unaffected despite the large scale power cuts. In the direct
aftermath of the earthquake, cloud computing was used to coordinate
communications between survivors and rescue teams. And in the weeks after the
disaster the affected legacy ICT of businesses was migrated to cloud computing
datacenters. In the following year the Japanese government made migration to
cloud computing a top priority, as a crucial step to improve the resilience of
Japan's society and economy.

Q. In five years, what do you think your organisation will look like and what
kinds of technologies do you think will be needed to support this vision?

In five years
certainly ENISA will have much greater ICT needs. In particular we foresee
doing more and more with online interaction tools, more with video material,
online tutorials and trainings, and virtual face-to-face meetings. At the same
time our employees will be even more mobile and become even more 'road
warriors'. In practical terms this means:
- The core of our organisation travels
extensively. To become more effective we will need to complete the transition
to full web-based systems to allow a fully hybrid architecture where our
employees can work from a desk, from a laptop, or a smartphone, seamlessly.
- Mobility is key for ENISA, because we
need to be in contact with the security community. This means we will need to
better integrate the different mobile devices with our internal security
requirements. We are looking forward to developments in the mobile app market
for this. Currently it is still costly for us to develop good interfaces and
authentication methods for allowing smartphone use of our intranet
applications.
- To be more effective in the current
media landscape our content will have become more interactive and it will
involve more video material. We are finding out that small and short videos are
creating a lot of impact, for example. This inevitably means we will be looking
at large datacenters, which are well-connected to the EU's backbone, to allow
all our customers quick and easy access to our content.

Q. What do you think are some of the biggest challenges involved with moving
your IT estate over to the cloud?

Cloud computing is
a kind of outsourcing. As we all know from the past, in outsourcing, and in ICT
outsourcing in particular, the main risk is a lack of governance and control.
It requires a different mindset for ICT departments as they are switching from running
servers and installing software to managing contracts and monitoring outsourced
services. Over the past years, ENISA has focussed most of its work on this
aspect: How do you do due diligence before procuring a cloud service? What
are your security requirements? Which are key service levels to guarantee
security of the services? How do you measure and monitor these service levels?
Another important
challenge for cloud computing customers is compliance with laws and governance
standards, and how to show compliance to third parties. Often laws and
governance standards lag behind the uptake of cloud technology, and customers
find it hard to adopt cloud computing, because of legal limitations, or because
they have difficulty showing compliance to these laws.

Q. What are you most looking forward to at Cloud World Forum this year?

For ENISA it is
very important to keep in close contact with the industry. We see ourselves as
a bridge between the public and the private sector. Often in our work we try to
translate legislation and more high-level policy goals to more practical
cost-efficient and cost-effective security solutions. The Cloud World Forum
offers an excellent opportunity to engage with industry experts and understand
their views on the current issues in cloud computing and their views on the
future of cloud security.
In particular, we
are looking forward to understanding better the pros and cons of information
security certification: How can certification speed up procurement? What can be
expected from certification, and what not? How can we reconcile the dynamics of
cloud systems, which change every week, with the requirements of the static
once-per-year compliance checks? What are the needs of cloud providers with
regards to certification? How can we incorporate continuous monitoring in the
existing information security frameworks?