Published 17. Nov. 2021
What Does the Future of Cloud in Europe Look Like?
The cloud computing landscape in Europe is transforming at a rapid pace. Daniel Melin, Strategist at Skatteverket, and Kaj Kjellgren, Senior Network Architect at Netnod Internet Exchange, share their expert insights.
Cloud technologies have been catalysts for growth, innovation and agility for data-driven organizations across Europe. How do IT leaders ensure that their organizational cloud-based environments are scalable, effective and compliant with relevant data privacy regulations and laws?
Daniel Melin, Strategist at Skatteverket, and Kaj Kjellgren*, Senior Network Architect at Netnod Internet Exchange, help us navigate the current volatile cloud landscape and provide answers to important questions on cloud security, compliance and challenges. In addition, we hear about the roles they play in the highly anticipated and talked-about cloud project, Gaia-X.
How can businesses ensure effective cloud data protection?
Daniel: Customers need to choose cloud services that are sufficiently secure for their information. When evaluating security, the customer needs to take the whole spectrum of security into account: physical, IT, information, legal and political. Security is like a chain and every link has to be evaluated.
The Swedish Tax Agency has established a cloud center of excellence consisting of experts in IT security, legal, data protection, document and archiving, physical security, procurement, and architecture to make sure that all aspects are looked at before a new cloud service is enabled for users.
Kaj: Protection of data must be based on an initial categorization of the data itself, and identification of requirements on each data element. Not every piece of data requires the same protection. Of course, legislation and traditional security requirements have to be followed.
For information security, this normally comprises availability, correctness and confidentiality. If you start from zero, orchestrated microservices are the easiest way of ensuring adequate protection using the zero trust concept to isolate the various containers touching the data. Once again, this has to be according to the defined requirements for each data element. This orchestration, often called cloud, can be self-hosted or hosted by third parties, just like any service an organization needs.
What are the biggest challenges concerning compliance with cloud data protection regulations and laws?
Daniel: There are direct challenges with laws like the Swedish Public Access to Information and Secrecy Act (offentlighets- och sekretesslagen) and the GDPR. Both are challenges for Swedish public sector customers today. However, the Protective Security Act will be the hardest law to comply with, especially when a non-Swedish cloud provider has access to huge amounts of aggregated information.
Kaj: The main legal challenge for any IT-related issue since 1990 is that legislation is different in different jurisdictions. The market economy pushes for large specialized organizations, services and products that are bigger than any jurisdiction. This has hurt the flow of money and created tax havens for a number of years. A similar situation now exists for services.
Those rules made by politicians with imaginary borders do not comply with the foundation of the Internet, which was made by technicians and engineers to be open, free and unlimited by country borders between jurisdictions. On top of that, no single economy today is large enough to produce services for that economy alone without having to scale impact price for production.
Tell us about your role in the Gaia-X project.
Daniel: The Swedish Tax Agency currently has an assignment from the Swedish government to monitor Gaia-X. That work includes talking to all relevant stakeholders, gathering information, presenting at conferences and taking part in the Swedish hub. We are positive about Gaia-X and what it brings to the table.
Kaj: Netnod is one of the founding members of Gaia-X in Sweden and, together with similar organizations, helps with basic services like transport, which are needed for players higher up in the value chain. We are currently most active in the Sub-working group Interconnection & Networking, which lies under the Architecture Workgroup within the Technical Committee under Gaia-X AISBL.
What role does the human factor play in cloud security and vulnerability?
Daniel: The human factor is as relevant as always; I don’t see that cloud services create any particular new challenges. However, a successful breach of a hyperscaler yields an extreme effect due to its size and storage of aggregated information.
Kaj: When implementing any kind of service, there are many different kinds of threats where insider actions, both mistaken and intentional, are included. This is where a proper orchestration of microservices using zero trust comes into play. The integrity of a pod managing certain data is important so that it is self-contained and secure regardless of how an attack against the data is designed. One never knows the goal of the attacker, so second-guessing detailed attack scenarios is always doomed to failure. There are always unknown unknowns.
Most cloud services are provided as unmanaged components, pieces of a bigger puzzle, regardless of whether the cloud is self-hosted or not. The engineers at a company have to create a functional workflow that creates, configures and secures solutions based on these pieces. This is both a big risk and a safety net, since a lot of people don’t fully understand the complexity of said services and tools, and don’t understand what needs to be secured or how. That being said, those tools are built to be robust and not expose users to dangerous or even impossible configurations.
What areas should organizations consider when choosing a cloud service provider?
Daniel: One of the biggest concerns today is that cloud service providers have to adapt better to customer needs. Currently, there are a handful of providers offering a one-size-fits-all model. It is certainly a cost-effective model, but the price tag on the invoice does not tell the whole story. The legal implications when using cloud services based in countries with extraterritorial legislation will be an ongoing issue.
Kaj: Categorization of information must take place, followed by an analysis of what requirements there are in each category. The requirements have to take both legal and security (availability, confidentiality and correctness) aspects into account. In some cases, there is a balance between goals where the so-called risk appetite is to be decided upon. Be aware of benefits and risks, and make sure you avoid creating solutions where there are too many unknown unknowns.
What are your predictions for cloud trends in the next five years?
Daniel: We will see a market with more cloud providers, from small to hyperscalers, which will provide cloud services that fit different customers. The American hyperscalers will continue to license their technology to other cloud providers. Laws and regulations related to national security will be broader and will affect both cloud providers and customers more and more. The effects of geopolitics will be worse over time and the EU will follow China and the USA in being more protectionist.
Kaj: We see more legislation, specifically in the EU, that isolates the EU from the rest of the world. This will create more borders that force us to use different solutions for different jurisdictions. What we instead need to do is harmonize the laws and regulations in different jurisdictions with each other so the market for IT-related services will not be as fragmented. We are close to a situation where we have serverless environments, with only pods managing information. Everything is orchestrated by mechanisms that understand both information and the policies applied to the information.
The answers have been edited for length and clarity.
*Parts of Kaj Kjellgren’s answers were contributed by his colleagues at Netnod: Mattias Ahnberg, Head of Architecture & Development; Patrik Fältström, Technical Director & Head of Security; and Christian Lindholm, Head of Sales and Marketing & Senior Product Manager.