Comment: The EU, Cloud Computing and Security

Winter's words of wisdom: "Better protection is available for those who have the will and the decisiveness to acquire it"

At the World Economic Forum in Davos this past winter, European Commission vice-president Neelie Kroes asked businesses, the public sector, and the IT world to work toward a brave new world of cloud computing.

I think public and private sector partnerships are realistic, as long as organizations can accept that some of the information to be shared is sensitive or drawn from pools of sensitive information.

This simply means that there must be policies to define what kinds of information may be shared, with whom, and under what conditions. Longstanding examples of this kind exist. Intelligence agencies and militaries share information, but they do it within well-defined policy agreements on a need-to-know basis.

With policies to define what is to be shared, with whom, and how, it then becomes a matter of procedures, oversight, audit and execution. The issue is to clearly define the benefits to sharing, then work out the policies and procedures for executing it.

It’s important to get the technical details right to avoid sharing sensitive data by accident. The classes of information must be defined in such a way as to exclude operationally or technically sensitive data right from the start. The processes for extracting and packaging that data must be policy driven and automated so as to consistently and reliably exclude the sensitive data. This would include withholding certain kinds of personal data, but might also involve data about customers, operations or even network configurations that might constitute some kind of competitive advantage.

A pressing question is: Can the state stimulate private sector measures to improve security? There are multiple incentive levels that can be developed and implemented by the state; leverage can be both positive and negative. On the positive side, as awareness of the need for better protection grows, businesses will want to rely on service and technology providers’ ability to demonstrate more secure services and technologies. This process can be led by governments and driven by government standards, or by industry participation in codes. Other kinds of incentives include liability structures for CEOs that incorporate responsibilities to meet standards and certification for network and operational integrity. This is just as CEOs do for financial integrity under regimes like Basel II, for example.

Better network hygiene and meeting defined standards become positive incentives in the marketplace. After all, if a service provider can demonstrate that it operates its services and uses technologies that meet defined levels of assurance, it is in my interest as a customer or consumer of those services to protect my interests by using that provider. Many of the issues here are basic network management and enterprise administration. ‘Goodness’ in the form of information assurance can be defined in ways that will convey a market advantage.

Although attacks on financial institutions – or any other easily monetized data thefts – are big news, the longer-term damage is the loss of critical intellectual property that would otherwise create enterprise leaders. This is my view, and one also shared by many of those in government and industry who have studied the problem. It’s not just data theft; it’s the theft of technology plans, business models and processes.

"The issue comes down to establishing various kinds of trust anchors"

It is not in the long-term fiduciary interests of an enterprise to lose this kind of information to adversaries or competitors. It goes to the very economic strength and competitiveness of our industries and the ability of government agencies to execute their missions – to ensure our place of leadership in the world. The issue comes down to establishing various kinds of trust anchors in hardware, software and operational processes and metrics.

By developing these individual points of trust, and developing architectures that will ensure the development of ‘trusted stacks’ of technologies and services, it is possible today to realize much more robust networks that provide far greater levels of information assurance than we commonly enjoy in public access networks or most enterprise networks. Given some help with awareness and the kinds of market leverage I have outlined, many of these elements could start to emerge from research labs in the very near future. In the meantime, well-known and easily accessible network protection technologies and processes, linked together in auditable services, could begin to protect our enterprises much more effectively. Better protection is available for those who have the will and the decisiveness to acquire it.

Davos is probably too broad a forum for the kind of detailed discussions that are needed here, but it is interesting to note that the cyber threat made it into the list of top concerns for 2012 – it’s a serious, global issue that merits a serious industry and political response.


Dr Prescott Winter is the chief technology officer, Public Sector, for HP Enterprise Security Products. Winter is a national security and intelligence veteran with three decades of experience at the US National Security Agency (NSA) and Office of the Director of National Intelligence. He joined ArcSight, an HP company, in 2010.
