Engendering confidence in the cloud - answering the questions of security and privacy



INTERNET GOVERNANCE FORUM 2010
VILNIUS, LITHUANIA
16 SEPTEMBER 2010
0900
ROOM 1
WORKSHOP NUMBER 136
TITLE:  ENGENDERING CONFIDENCE IN THE CLOUD-ADDRESSING QUESTIONS OF SECURITY AND PRIVACY IN DEVELOPED AND DEVELOPING COUNTRIES



********
Note: The following is the output of the real-time captioning taken during Fifth Meeting of the IGF, in Vilnius. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the session, but should not be treated as an authoritative record.

********


>> GAO XINMIN:  Good morning everyone.  
The workshop will begin.  Ladies and gentlemen, my name is Gao Xinmin, in charge of the Internet Society of China.  Today I will be the moderator.  
The remote moderator is Mr. Anders Halvorsen.  He is down here. He is the Director of Public Policy, the World Information Technology Services Alliance.  
Welcome on behalf of the three organizers of this workshop,

(Technical difficulty)


>> GAO XINMIN:  This could provide resources, IT resources, very rapidly deployed and easily scaled, and the service provision on demand.  But one of the major concerns is the security issues.  
So, our workshop will discuss all the security problems we are challenged with and facing in Cloud computing applications.  
We have for this morning three panelists -- six panelists.  They are Mr. John Morris, on my right side.  He is the General counsel and the Director of The Internet Standards Technology and Policy Project, Center for Democracy and Technology, based in the USA.  
Mr. Wilfried Grommen, he is the General Manager and Regional Technology Officer for Central and Eastern Europe, Microsoft.  
Mr. Waudo Siganga, he is the National Chairman of the Computer Society of Kenya.  
Next is Mr. Lu Jianfeng.  He is the vice Chairman of the Qihoo company.  It's a famous security company in China.  Mr. Lu.  
And then Ms. Coura Fall, from Senegal.  She is with the Senegalese Information Technology Association.  
And last is Mr. Jeff Breugemann, Vice President for Public Policy for AT&T.  
Now we will proceed with the workshop.  We discussed before this session we will proceed as follows.  First, we invite all the panelists to make presentations.  Afterward, we will open the floor for audience to make comments and impressions, as well as we open the floor to remote participants of the workshop.  
So, first of all, I would like to invite Mr. John Morris to present his speech.  Mr. Morris, you have the floor.  

>> JOHN MORRIS:  Thank you very much.  Thank you.  
And I do have some slides, I'm not sure if we can get them put up on the screen.  
Good.  Thank you.  
So we're going to talk a lot today about Cloud computing.  We will hear from industry.  We will hear from government.  We're going to start with a perspective from citizens, from the users, raising some questions about privacy and security, which I think we will then be able to have a good conversation answering today.  
So, you know, let me just start off with kind of my one slide overview, which is that while businesses and industry can certainly benefit very much from Cloud computing, citizens also really do see benefits, although it may not be as obvious to citizens, the benefits.  
But there are also risks that are posed by Cloud computing, risks for the providers of Cloud computing services, risks for users of Cloud computing services, and risks to privacy and some potential risks that I just want to flag even to free speech concerns.  
And, you know, as I think we will discuss today, you know, for Cloud computing to really work, it will be quite critical that countries respect the rule of law in dealing with Cloud computing and have appropriate legal systems to handle Cloud computing, so that users of Cloud services can be confident that their data will be appropriately dealt with and secure.  
And I think we will talk today, you know, looking for lessons for developed nations and looking for lessons for developing nations.  And my personal view is that many of the lessons, quite similar for, you know, whether you are a developed nation or developing nation, you need to develop appropriate legal protections to facilitate Cloud computing.  
So, but first, let me just ask the question and pose the question of, you know, what is Cloud computing?  There are a number of different definitions of Cloud computing.  The most narrow or simple definition is Cloud computing is moving a computing function or a storage function away from a locally controlled computer and on to someone else's servers in the Internet Cloud.  And so the -- the kind of one of the most well-known Cloud services in the United States is called Salesforce.com.  And it facilitates, you know, business to business interactions, but using an entirely Cloud based services, so that sales forces and business representatives can have their information available at all times.  
So, some definitions might exclude consumer facing services and would focus mainly on business to business services.  I would suggest that there is a broader definition can include consumer services.  
I consider the question of just the Flickr photo sharing service, you know, it's not -- it's not clear whether that is a Cloud service truly by a narrow definition, because Flickr itself may be running its own service or they may be distributing its services and storage around to other service providers.  So the consumer does not know if Flickr is a Cloud service.  But from the consumer's perspective, Flickr is a Cloud service.  They are taking their own photos, and they are storing them in the Cloud.  So it's important that we try to be clear as to what types of Cloud services we're talking about.  
So there is significant potential for Cloud services for businesses that can outsource data operations to Cloud providers.  They can save money and they can improve reliability if they don't have to run their own services, then there is a tremendous upside for businesses.  And there is a tremendous upside for businesses that want to provide services to other businesses or even to users.  There is great flexibility and technical models.  Cloud computing can enable new entrants to come in and create new services with very little investment.  So there is a great upside for businesses as well.  
But a question is from the citizen perspective, I work at a Civil Society organisation, and the question is what is the upside for citizens?  Why should users care about Cloud computing?
And my answer as to what is in it for the user, what is in it for the consumer.  An important way that consumers benefit from this is from computation.  It enables new startup companies to compete with much larger companies without having to make a very significant investment in servers and computers and networks around the world.  We have large players in the online space, such as Google, which has a huge infrastructure of servers and storage facilities.  But someone can break onto the scene and by contracting with Cloud service providers can also have a global infrastructure for storage and computing services.  
So from the user perspective, the consumer perspective, what Cloud computing really offers is innovation and the competition.  With Cloud computing, startups can really ramp up their services without having to make huge investments in servers.  
But there are significant risks to Cloud computing, risks to Cloud operators, risks to service providers that use Cloud services on the back end and risks to users.  
And let me spend just a few minutes talking about those risks.  The risks to Cloud operators, the people who actually run the Cloud services, is what laws apply, what data privacy laws apply, what data retention laws apply, what law enforcement requests do they have to comply with?  Their Cloud services are available globally.  Do they have to respond to law enforcement requests from any country where their services are available?
And then the very question of where is their data located?  Do they have to control where their data is located in order to minimize their risks?
Then there are risks to service providers that use Cloud services.  They have similar question, you know, where will my data be stored?  Will my data be stored in a country that allows me to make promises to my customers about the protection of that data?  So Cloud services introduces some significant questions about what privacy laws apply to the Cloud, what privacy laws apply to data as it moves in the Cloud, and how can I make promises to my customers?
But there also are risks to users themselves.  You know, also, similar, privacy.  You know, where is my data?  Who can have access to my data?  And then questions of access, you know.  Can I get my data back?  Can I get my data back from the Cloud whenever I want it or can I get my data back from the Cloud if there are problems with the service?  And there is a possible risk to free speech, because Cloud services, as they are distributed around the world, could become points of control for governments to attempt to control content, control access to content.  So there is a, beyond the privacy risks which is a very well-known risk of Cloud services, there is also a risk to free speech.  
So, partial solutions, let me just wrap up with a couple of slides of suggestions of solutions, is that governments, including my own government, the United States, needs to enact strong baseline privacy rules so that users around the world can have confidence that there are strong privacy rules governing Cloud services.  We need strong rule of law so that users around the world can have confidence that their data won't be accessed arbitrarily.  We also need strong countries with bankruptcy law, so that if a Cloud service provider goes bankrupt, they can have access to their data, so that it's not tied up or lost forever.  And we want to promote protections for intermediaries, so that the Cloud providers as intermediaries are not used to restrict access to content.
And then there are some technical solutions, including building encryption into the Cloud such that the users control access to their data.  
And then a final question that is very of concern to users is data portability.  You know, users don't want to be locked into one provider.  They want to take their data and move their data
So just to wrap up, there are very significant potentials for Cloud computing, but also significant risks.  Cross border cooperation will be essential to solve these risks, to give Cloud computing the confidence.  If countries want to use the Cloud, they have to be able to trust that cooperation and it would be a problem if they required local storage, because part of the Cloud benefit is to have distributed storage.  And if the country wants to host the Cloud, they need to build strong walls that respect privacy and free speech and due process.  
So thanks very much, and let's continue discussing these issues.  

>> GAO XINMIN:  Thank you, Mr. Morris.  His speech gave us the risks of the Cloud computing and some partial solutions.  Thank you very much.  
The next speaker I want to invite is Mr. Wilfried Grommen to make his presentation.  Mr.  Grommen comes from Microsoft.  He is the general manager and a regional technology officer for Central and Eastern Europe.  He is based in Belgium.  I think he is very experienced on this Cloud computing issues.  
His presentation will give us some initiative from Microsoft and other uses regarding the privacy protection and security for customers in Cloud services.  
Now, Mr. Grommen, you have the floor.  

>> WILFRIED GROMMEN:  Thanks, Mr. Chairperson.  Thank you for the audience being here and having this opportunity.  John, I didn't know that we had in fact exactly the same kind of presentation.  So, I'll try to say additional points from Microsoft's perspective.  
In fact, I conceived a presentation from a Cloud provider perspective in what we think should be the kind of handing and discussion with a multi-stakeholder audience being governments, being NGOs.  So that is the position I take from the presentation.  
Because as a summary, how to really get this confidence in the Cloud, in fact we are listing four major issues.  First of all, there is a need for creating this digital market, because applications data is going to go across boundaries.  And so there must be coherence in the legal framework connected to the -- to the connected world.  And this is going beyond the boundaries in a country.  
The second important point is that on everything related to privacy and security and the practices we, Google, Facebook, Yahoo, apply, there should be much bigger transparency and clarity.  And we give you some suggestions as a way forward.  
How to really enhance security in the Cloud.  I'll describe some problems and how to combat digital crime and how can you reorganize in that defense.  And then at the end, I think, in this conference it shows it very clearly, how do you really resolve the sovereignty issues in getting a kind of common approach to jurisdiction.  
These are the four important points that I want to briefly cover.  Just creating a market for businesses, consumers, using this digital infrastructure, we try to really -- and that was also the suggestion from Brad Smith, our general counsel in the dialog with the EU, can we have this?  We need this legal regime.  It covers the flow, access, and protection.  John mentioned from our perspective, if you look at the data retention directive for the telecommunication service provider, you know, we are confronted with countries where this varies from six months to two years.  So if you have a concrete class, look in our instances, what do you have to do to really deal with these kinds of uncertainties.  
It goes further.  In every country, the definition of an ECS is different on consistency regarding eGovernance, eNetwork, eSecurity, eCommunications.  So for every country we have to look at these rules and see if we can meet the local national regulations?  And for that reason we were strongly behind the letter of digital Europe where there was a call for this coherent data.  So we look at legal entities to create this harmonized legal regimes.  
The second one you can look and say Microsoft you have to clean up your own mess.  I'm not saying this was a mess, but we all have these issues.  I was in a panel around privacy and social networks.  We admitted that everybody has 20 pages of privacy regulations.  No consumer at all understands finally what are the security and privacy practices of the Cloud providers.  And as Microsoft we would like to come into a dialog with a number of data protection regulators, you know, multi-stakeholders, to clearly define what we call the transparency in Cloud computing principles.  We are really favorable to have this transparency that consumers can compare the services and the regulations that they get there.  
There are interesting initiatives.  We are really, as you know, part of and we received the ISO 2700 series.  There is an interesting framework released on this, on the information assurance, and in every country we really are, with our legal team, discussing with the data protection regulators, can their regulation comply with I think the new challenges of Cloud applications?
Can we enhance security in the Cloud?  The position today is clearly that you can only combat digital crime if these three other conditions are met.  
First of all, there must be strong deterrents to criminal and civil enforcement with meaningful penalties and remedies.  In a bad world, you only change a bad world with this kind of pressures.  There is no other way.  Today the world is much too, let's say, open, relaxed, cannot really deal with it.  
The second thing is that we really think that there must -- it cannot be done by governments alone.  You know, this is such a complex matter that we really believe that there must be a kind of framework where there is information share, structured and organised, between the public and private sector, especially on sharing the technical expertise.  
We have, say, peer-to-peer kind of relations with the Interpol and all these organisations and just recently also on privacy with the European Council, where we really try to educate and collaborate.  I think there must be more legal framework that encourages this.  And I think there must be the ability for law enforcement in different jurisdictions to team up and exchange the information globally.  We have just this kind of very small thing that today as an example, if somebody gets intruded or attacked or spammed as one of our consumers, we as Microsoft cannot request, you know, to really open that case.  So the request for a third-party rights claims is something which we as an example propose that some legislations are changed.
And we realise that within this challenge, you know, how can we have and avoid these conflicting jurisdictions on data from nation to nation?  There are procedures established, the mutual legal assistance treaties, but they are very slow.  There is a kind that the Council of Europe had an idea like the cybercrime, where you had the 24-hour contacts.  There is the Global Network Initiative on the openness of speech and so on.  But our general counsel is really looking I think to have political entities to nations to have the need for a multinational framework in the form of a treaty or international instrument to deal with this I think Cloud sovereignty issues.  
Just let me conclude with two other elements, because as a Cloud provider, one of the very most important things is that, from our perspective, we are confronted to provide businesses and consumers with the assurance that their data and their lists are secured, for which we use a very strong information security programme.  We really have an online process of getting our security controls updated and maintained.  And the most important thing today is also in the complexities of regulations is that how to deal and how compliant you are, the question about compliance from our perspective.  So we determined internally a framework that allows you to check for every country and for every state.  Requirements around compliance can be built into the processes, the action, the changes, so that we in a certain way, not an automated way, but anyway in a systemic way can deal with the compliance requirements.
As you know, we achieved the ISO 27,000 and more on the reporting side, the SES stations for our infrastructure.  
The last, a quick comment, because from a technical perspective we don't go into technicalities.  I just show you what it means to do the overall say security or in-depth defense.  A new proposition which we made a month ago is the last, the application security.  An application is as good as the code it is written in, if it runs on a platform of a Cloud or it runs in your own premises.  And so we as Microsoft four or five years ago, when Gates announced his Trustworthy Computing initiative, we really had developed what we called a security development lifecycle.  It's a process in the development, how to secure code.  We just decided to make this specification and process available under the Creative Commons, so that anyone in the industry can, in fact, apply these principles to write secure code when that will be deployed on Cloud platforms.  
Thank you.  

>> GAO XINMIN:  Thank you Wilfried.  You gave a really clear picture about the complexity of the Cloud computing and security issues.  
The next speaker will be Mr. Waudo Siganga, from Kenya.  Please.  

>> WAUDO SIGANGA:  Thank you, Chairman.  I think after those very formative presentations by very expert presenters, John and Wilfried before me, I think it's useful to add on to that some perspective from the developing world on this issue of security and privacy on the Cloud.  
So first of all, I have to say that just like is happening in the developed world, in the developing world, the uptake of Cloud computing is proceeding inevitably.  But of course the lingering questions about the security and privacy that we're discussing here.  And these continued concerns are reflected in what I would call a cautious approach to the adoption of the technology.  And I'm going to refer to recent research that was done by an organisation in the United States called the Institute funded by the (Off microphone.) In which 643 IT executives from the US and 283 IT executives from Europe, Middle East and Africa were surveyed on their opinions about security and privacy within the Cloud.  So I'll be referring to a few of those results of that survey as I proceed, because I think they give out a good picture about what is happening or what is thought about security and privacy in the Cloud, not just in the developed countries but also within the developing world.
The first thing I would like to mention is that Cloud computing, first of all, when we try to justify it, to give the reason for Cloud computing, most of the time the answer is the cost element.  The cost is one issue that really goes down.  And when the -- this survey was done, the IT executives also posed these questions for their motivation for Cloud computing, and I have the results there on the screen.  As you can see, as usual, the main reasons are shown there, reduction of cost, faster deployment time, increasing efficiency, increasing flexibility and so on and so forth.  
Now the key thing that I wanted to point out on this slide is that it's very uncommon when people are asked why they think they should deploy to Cloud computing, for them to give the answer as improved security.  And you can see that here.  
Improved security, only 14 percent of the respondents said they would deploy to the Cloud because of improved security.  In fact, many businesses and IT executives perceive the Cloud to lower rather than improve security.  And this is because of a number of reasons that I enumerate here.  
First of all, aggregation of data in the Cloud is seen as a vulnerability that can be easily exploited, much more easily exploited by potential hackers.  And so that is a difference between the Cloud and in-house IT Departments.  
Secondly, it is difficult to assist Cloud providers for security.  For one thing, the companies themselves, the companies that like to put their information and data on the Cloud, most times they are not ready.  They do not have the human capacity to be able to assess the Cloud service providers for security.  
The second thing, the second reason is that at the moment, maybe I stand to be corrected by Wilfried here, but it looks like for the moment there are no standards.  Standards are lacking for this security -- for assisting -- for assessing security, for assessing security for the Cloud service providers.  
The other thing that is missing at the moment with regard to, from the perspective of the users, is third-party verifiers of the security from Cloud service providers.  For example, if we -- if you think of the role played by certification agencies, which we are talking about the secure communications on the Internet, we lack that kind of role when you are talking about the security and privacy verification of the Cloud service providers.  
The other reason why many business and IT executives perceive the Cloud to lower perceived securities is that companies are not sure, and this was mentioned by the previous speakers, is they are not sure about the legal status of their data.  
For example, the data in many cases is housed outside of the geographic and legal jurisdictions, and this poses a lot of questions.  What happens, for example, if my Cloud service provider has a problem or goes out of business or I have some legal problem with my Cloud service provider if my information or data is outside the jurisdiction in which I'm operating.  Or even the Cloud service provider himself could be outside my jurisdiction.  
So, this uncertainty about the legal status is one handicap to the uptake of the technology.  
A final reason why these companies are cautious in the uptake is that companies perceive an increased risk from communication breaks, and this is true in my country, Kenya, and many other developing countries where we are connected to the outside world by communication lines that are vulnerable to all kinds of risks.  And this can break many of our countries and we have problems with things like power outages.  And this puts a perception in the mind of many decision makers that if they outsource some of their critical service, some of their critical data, they may not be in a position to manage these kind of problems.  
And these problems of course compound themselves in a developing country, where you expect, for example, the government to be one of the main clients for Cloud computing by putting a little government information on the Cloud.  Most of the government decision makers would be a little bit cautious and perhaps a little reluctant faced with some of these issues that I've just mentioned.  
So what this boils down to is that many companies --  while looking at Cloud computing, are unwilling to put most of their sensitive data on the Cloud.  And if I go back to the Institute research, we can see that they were asked what type of information was too sensitive to put on the Cloud.  And you can see there some of the answers.  Intellectual property was thought to be too sensitive, financial business information, health information.  When you talk about health information, we are talking about government as a client to the Cloud computing.  And nonfinancial information, credit card information.  All useful information that is too sensitive to put on the Cloud.  
So this begs a question, the organisations that are putting the information on the Cloud, what kind of information are they putting?  Perhaps they are putting useless information there, because the useful information is too sensitive to be on the Cloud.
And this just goes to reinforce that, and it's broken down, for example, you can see the European middle eastern, Africa countries, and the US, the kind of Cloud  deployments that they think -- percentage of business critical applications or services in the Cloud.  You can see that the business applications are low for the infrastructure, the software, the platforms.  They are very, very low because of some of the issues that I just mentioned.  
Added to this confusion is a fact brought out maybe in this next slide.  This is a problem with knowing exactly who is responsible for security within the organisations that put their information on the Cloud.  So for this -- this research that was done, they were requested whether the Cloud computing provider is responsible for security, and these are just some of the answers.  It goes to show that a lot of the organisations within themselves is not clear who, between the organisation and the Cloud service provider, is responsible for security.  
And even within organisations themselves that were surveyed, it was not clear within the organisation.  Is it possible for security within the Cloud?  And one thing that I can point out in this particular slide is the information technology, you can see there 59 percent.  Traditionally IT within organisations, within the company, have been responsible for security and privacy.  But, in the new era of Cloud computing, it's still not quite clear to many IT executives exactly who is responsible, even within the organisations, for security.  
There was also a question that was posed whether Cloud computing resources evaluated for security prior to deployment?  And you can see that there are no standards.  We don't have a proper capacity within organisations that are able to do the evaluation, and so on and so forth.  
So what are the suggested solutions?  My objective is to get organisations, both the companies, business organisations, and very important for developing countries, even the governments, to put more of the information in the Cloud, to utilize the Cloud much more, as Wilfried was saying, to create a market for the Cloud.  The suggestion I have is first of all global standards for Cloud security and privacy need to be established.  I think that is very important.  I mentioned that there are absolutely no standards, and IGF, well we are right now, perhaps could be a facilitator for this.  
There is also a need for third-party validators.  Organisations don't have the capacity within themselves to evaluate the security preparedness or the guarantees of the Cloud service providers.  There needs to be some global coordination regarding international and national laws.  I think Wilfried put that nicely.  A coordination in the legal framework.  
In our country, perhaps we had a law that came into place about a year ago, and this law puts -- puts the issue of people hacking into others' information.  It's a crime.  But that is a law that is only applicable within my country.  So how do we map that kind of law on to the Cloud, where there is cross jurisdictional operations going on?  So there needs to be some global coordination and some coordination of the international and perhaps international laws and national laws.  And this adherence and coordination goes a bit farther.  
I'll just give you one example.  Within Europe, there is a definition of privacy or private information private data.  And that definition is different from the definition of private data in the United States of America.  So, all this kind of things that are impinging on global coordination, I think they need to be brought together.  
Then, the organisations using the Cloud need to have qualified secure tools.  The tools exist, the tools to make sure that security within the Cloud is deployed and existing.  But this awareness and training needs to be brought to the personnel within organisations.  And then also management has to be aware of the tools and the security environment within the clouds, so they can tell the technicians about what to deploy in the Cloud.  
And, finally, organizations need to assign responsibility.  We saw that within organisations themselves, it's not clear who is responsible for security.  And apart from that, between the client organizations and the Cloud service providers, there is a bit of unsurety as to who is responsible for what.  
So as a conclusion, I can just say that adoption of the Cloud is expanding.  But emphasis on nonsensitive data and application at the moment and we should find a way of making sure that we bring more data that is what I will call sensitive, but all kinds of data onto the Cloud by improving on the security and improving on the confidence that the client organisations have.  
Efforts need to be put in place to increase the levels of all types of data on the Cloud by enhancing the security environments and by education.  Security tools and methods need to be better known between the service providers and the clients.  

>> GAO XINMIN:  Thank you, Mr. Waudo Siganga.  Your presentation is interesting and you've done a survey on the Cloud computing applications and some concern about the security issues.  And you also gave us some very useful thoughtful suggestions.  I think it's good.  
Next speaker will be Mr. Lu Jianfeng.  He comes from China.  He is the vice Chairman of the Qihoo Company, a famous security company in China.  As Vice President, he is really an international business developer for companies and also responsible for security technology development for 360 Cloud security platform service.  Previously, Mr. Lu was the head of the Trend Micro company in China, responsible for R&D work for nine years.  
So, now in China, the 360 Cloud security service platform is very famous and this is a very big one.  So I would like to invite Mr. Lu, to give us his speech.  Please.  

>> LU JIANFENG:  Thanks.  First, I think I'll first give you an introduction of the Cloud computing and the situation in China.  Then I will give you some introduction about our Cloud security system, followed by how we protect privacy and what is our practices.  And then the last one is some suggestions here.
So, first let's look at the Cloud computing in China.  Actually, essential market research in China was done this year and they have data so I'd like to share this data with you guys.
In the next two years, actually, the Cloud computing will increase from the current like 43 percent usage to be like 88 percent.  That is a very big increase.  And the experience here will be like, you know, 34 percent of like the service providers will increase, more than 100 percent in the spending.  And about like a 47 percent will increase less than like 100 percent.  But it will be about like 20 percent.  So the spending for Cloud computing in China I think it's definitely significant growth here.
The main concern for Cloud computing in China is the end prices, like the users are concerned about data security, privacy, as well as confidentiality.  So actually today's topic is very, very interesting and mostly like, you know, relating with our day-to-day business activities.  
So the next one, I would like to give you guys a brief introduction about like what our system is.  In 360, we founded it in the year 2005, and you know the reason why we are doing security is because we saw the threat grows very, very fast.  And within our own data centre we see the growth rate is like ten times every year.  So, for example, in the year 2010, we expect to see about like a 1.5 or like a 1.6 -- no.  150 million new Trojan samples will be emerging in the year 2010.  So, this is a very, very, you know, dramatic growth for those threats.  
So how we can deal with it, so that is a very big issue.  You know, the traditional antivirus technology, it's like signature based, and for each new Trojan found, there will add a new rule or add a new signature into their signature database.  And every user needs to download a very big signature file, like 20 megabytes or even like for some vendors it would be like more than a 100 megabytes file.  So that would make their computer jam.  They lost too much computing resources, too much memory.
And the second thing is it's pretty slow in scanning.  Like you need to go through all of those like signatures.  And the last one is very ineffective.  You need to have the new sample before you can detect the Trojan.
So what we are doing is we just changed the traditional way.  We built our Cloud security system in China.  It's -- as far as I know, it's the largest Cloud security system in the world.  It's bigger than like McCarthy, because there are other security vendors.  And every day what we are doing is like, you know, we need to handle more than 50 billion queries from all of those users in China.  The users in China, it's like 300 million per month and every day we have like 100 million users connecting to our Cloud system to do the query.  And within this user community, we actually found more than 10 million new executable files, or 10 million new, you know, all these files, with like ten million new files.  Actually, there are 3 million new viruses. So that is a very big number.  I think this is the first time we release this kind of data to the public.  It's -- within our own lab we are very impressed by such a new number.  3 million new Trojans, new viruses every day.  Think of how you can handle this in the signature file in the traditional antivirus way.  So the Cloud -- the Cloud security is the only solution for this.
And we have like more than 10,000 servers at the back end, dealing with two parts of things.  One is dealing like with 50 billion queries every day and the second thing is for like those 10 million executables, we have to classify them as malicious or not.  And this is processing within like 30 seconds.  That is very fast.  Faster than every other security companies.  Really they are dealing with the update area every one hour or every four hours.
So that is our Cloud security system in 360 right now, in China.  It's like 80 percent of the Internet users, they are using our technology, using our system.  
So, with this system, actually, like for users, they feel like this is very low. They only have like a very small client footprint.  And also like fast.  Our scanning speed is ten times faster than like the other antivirus or other security solutions.  And also, it's very effective.  Every day we catch like about like 100 million incidents, infection incidents or intrusion incidents.
We have used like this technology, like a prevention system.  And in our security browser, to protect, you know, the download security as well as the -- you know, every user visiting a Web site, we will tell them like this is good or not.  Is this like a phishing or like a children's objective Web site?  And we also have our own like a 360 antivirus product, which is like a dual engine.  One engine was the traditional signature based.  And so there is an engine for better protection and performance by scanning.  
So this is why we say this is the world's largest Cloud security system.  We have 300 million users, and every day we collect more than like 10 million new executable same hosts.  And we handle those like a URL filter or a URL.  Every day, more than 20 million.
I think those -- yes, excess.  And with our file database, that is the key to the security system.  Right now it's 800 million and it's growing very fast and we expect to see like a 1.6 billion at the end of this year.  And like -- and we cover like 96 percent of all of it in the world.  
We have some practices here for privacy.  The first is we stated our privacy policy clearly on our Web site as well as on the products.  And the second thing is when we need to submit some executables for inspection or for like our analysis, we will let a user know what kind of information we have submitted, and we will ask them for permission for this.  
And the third one is what we are doing, we are only like submitting those executable files.  We don't touch any like document files or other, like privacy related information.  
And the first one is we actually, in February of this year, we actually found like a trustee in China.  Like every month or every quarter, we will submit our latest source code to them.  So if anyone has some questions about like our privacy or if there is anyone, you know, who wants to do some like review about what we are doing, they are open to go to their trustee to inspect or review our source code.  
And the last one is after we joined the IAPP, the privacy protection association in the world.  So with all of these activities, actually, we see a fast growth in, you know, for user -- a recommendation of our products, you know, in the -- in the beginning of this year, like you can see like a 360 antivirus.  We have a very big growth.  Right now it's like more than 80 percent of the Internet users in China.  And for the product 360, it's going to exceed 100 million users every day.  So that is like what we see, like a privacy protection helps our user acquisition.
So the conclusion and the suggestion for privacy protection is actually I think firstly we need to have some laws and regulations.  You know, if any organisation or any vendors violate privacy, they need to get punished.  So that is a first suggestion.  
And then the second suggestion is I think we need like some industry standards and best practices for privacy protection.  Just like -- well, what we did, I think, it's very good suggestions for the industry standards.  You know, maybe some like a de facto has standards there.  
The third one is self discipline for those like service providers.  
The last one I think is most important.  It's the user feedback to like security or privacy protection vendors.  So anyone finding any privacy violation, they need to be, you know, have exposure to the public, so it helps the user to vote by feet to this kind of like a violation.  
So thanks.
(Applause)

>> GAO XINMIN:  Thank you, Mr. Lu.  I think the 360 security service platform is one of the good examples for applying the Cloud computing in secure service sectors.  And also the 360 platform very carefully deals with privacy problems.  And also Mr. Lu suggests to call for some Public Policy makers to still continue to improve the legal environment and to guarantee some privacy concerns.  So I think his presentation will be very, very useful and interesting for all audience.  Thank you again, Mr. Lu.  
So the next speaker will be Miss Coura Fall, from Senegal.  Miss Coura Fall is one of the founders of the Senegalese Information Technology Association.  She is a data provision specialist and also quite a broad experience in management.  And she is very famous in Africa.  So I want to invite Coura Fall to give the speech.  

>> COURA FALL:  Thank you.  It's Fall.  We are a French speaking country, so I'll not have good English.  
But after very useful presentations from China and other colleagues about the Cloud computing, I would like to give a perspective from Africa.  The situation is different, and we have some challenges and maybe some suggestion to have a safe Cloud in Africa.  
During our last national IGF in Senegal, where I was running a session on Cloud computing, I asked two questions to the participants.  The first one was how many of them have a Yahoo or Google or Hotmail address?  Most of the people and probably all of them raised their hands up.  But when I asked the second question, which is what was Cloud computing, less than 5 percent raised their hand.  Just to show that Cloud computing has been widely used in Africa for a long time, but only at the consumer level.
At the professional levels, large corporations, company, government, and SMEs hesitated to join the new concept in Africa.  Therefore, before addressing the issue of security and privacy, I would like to talk about the Cloud computing concept in Africa.  Is it an opportunity for us or another new technology that will widen the digital divide?  Africa, you need to understand more of this concept to develop the digital market that was talking about my colleague from Microsoft.  The Cloud is a new innovative and complex concept for Africa.  And it is also a very big step ahead of conventional computing in the continent, where most of the people cannot yet take full advantage of the existing system they are using, because of the lack of expertise, the lack of capacities, and the lack of standards.  
The fact that the Cloud enables to deliver individual and business services from remote centralized servers that share all computing resources and bandwidth to any device and anywhere is a good opportunity in the continent.  
For example, from an Internet cafe in a rural area in Senegal, for example, someone can use a simple device, like a mobile phone, to draw a required application from the Internet.  And this is great and innovative.  I think that always the users in Africa understand the Cloud concept.  We should start talking about the way companies providing Cloud have to address questions of privacy and security.  
However there are challenges in our developing country, especially Africa.  The Cloud can make sense when the users have devices that can browse the Internet in a fast and affordable way.  So the Cloud requires high bandwidth, good and stable connectivity, and everyone here knows the issue of access in our country and this problem of access is going to block our countries from using the Cloud.  
Internet connectivity is still problematic.  For example, we have a penetration rate in Africa of about 4 percent.  
The other issue is the cost of the device.  But if Cloud facilitated the deployment in Africa, it raises questions with regard to security and privacy.  And the security will depend on how it is deployed.  We have the issue about the data.  And organisations and companies need to think about how to protect their data.  I think my colleague talked about that.  The services or application, with more security there is a question of who owns the data and application, the backup of the data, and this raises three points.  
So the problem of availability, the data must be available as soon as needed.  So how can we struggle with the issue of access?  The problem of integrity and confidentiality.  Cloud necessarily implies the presence of a third-party.  And so the responsibility is clear.  How can we get this confidence?  How Africa, we can have a safe Cloud?
Cloud service users in Africa need to be careful and understand the risk of data safety.  For example, the way passwords are assigned, protected change has to be precise.  
In regard to integrity and confidentiality of data, contracts with providers may include some clause like an external audit, like closed to oversee the traceability, and unauthorized access for personal data.  Also about the host of the data, the sensitive data.  But we have some system that I think that we have to share and learn lessons, like the one, the 360 one, the system from China.  But I think also in Africa, in our developing country, we need to go slowly.  One step at a time.  As an Article of balancing act about the Cloud advice.
And we should maybe start with messaging the SMS messaging in the Cloud and start to have already some addresses like Yahoo.SN for Senegal or dot CA for other 40 countries in Africa.  And our IT African specialist like developers need to use software tools to develop software to offer some kind of services for the Cloud.
The Cloud is complex, and therefore a contractual framework is necessary to prevent risk and allow the company and user to get most of the application on the Cloud in Africa.  
I can conclude by saying that the security and privacy within the Cloud is our responsibility.  We have a multistakeholder approach.  It involves the private sector, the government to define the rules of privacy, like John suggested in the first presentation.  The Civil Society Information and the Internet community also have to be involved in this approach of the Cloud in Africa by giving their needs and having a perspective from the population.
In Africa, we have to do things differently to address the issue of the Cloud.  And we have to learn about the lesson we had with addressing the issue of access for that, so the solution for us is to initiate it.  In China or other countries, they have that.  But we need in Africa to initiate a baseline study or research on Cloud, assessing the specific issues, the problem of cost, to have a real and good picture of Cloud in Africa.  
The other solution that I have also to provide is to create a task force that will develop a strategy for the use of the Cloud, to define local policy and regulatory framework, to define the implementation monitoring and evaluation mechanism of the defined strategy.  And also, and it is very important to address the issue of RNS of tools and technology.  The Cloud cannot be created in Africa if there is a problem with connectivity.  But I believe it would be an opportunity between our countries if we have more confidence and solve the problem of security and privacy.  Where the mobile phone has succeeded, why not the Cloud in Africa?  I believe in it.  
Thank you for your attention.
(Applause)

>> GAO XINMIN:  Thank you, Miss Coura Fall.  She is very, very good and stressed the specific challenge the developing country is facing in the Cloud computing application field.  
So, in China, I think in eastern developed areas in China, the infrastructure is enough to support Cloud computing services.  But in the remote areas, in the western areas, it's the same situation like Africa.  We are still facing a lot of challenges to improve the supporting infrastructure and other issues using the Cloud services.  So I think it's a very important issue that we have to deal with.  
Thank you very much, Miss Coura Fall.  
We have the last speaker is Mr. Jeff Breugemann, from AT&T.  He is the vice president for Public Policy of AT&T.  Mr. Jeff Breugemann is responsible for developing and coordinating AT&T's Public Policy position on Internet, technology and the broadband use.  
So he has brought working experience on the Internet governance, broad deployment, and cybersecurity views.  
Now we are pleased to invite Jeff.  

>> JEFF BREUGEMANN:  Well, I'm going last and I have a challenge to present different things.  I want to go back to what John said, defining Cloud computing.  It's helpful to think about the difference between the core architecture of Cloud computing as a new model of infrastructure as a service or software as a service, and then the broader context where I think we're often talking about Cloud computing as any service that is posted or capability that is hosted on the Internet or delivered over the Internet or on the network.  And I think a lot of the concerns that we're seeing about Cloud computing really are just the same function of a lot of the things that we talk about at IGF in terms of privacy and security on the Internet, and they are becoming magnified as Cloud computing is enabling this proliferation of new types of services to be delivered and consumers in particular to store an enormous amount of their personal information online and manage it that way.
But if we take a step back, I think architecturally, there is no reason why Cloud computing is less secure, less private.  In fact, our chief security officer at AT&T, Ed Amaroso, makes the opposite point.  He said if you look at it, less secure than what?  Things are ugly today when you have consumers and businesses trying to manage data at the edge, and manage their own security and manage their own infrastructure.  If you compare that to what can be a great benefit of using Cloud computing, a company like AT&T can put enormous resources into securing the physical infrastructure.  We have a large security staff that is much like 360 communications.  We are constantly proactively looking for ways to address security and proactively respond to threats.  You can get a great synergy by being part of that larger Cloud infrastructure.
And I think on the business side, while I think you have -- Waudo I think you identify the concerns.  But in the US, we see the government moving rapidly and embracing Cloud computing.  I think business, increasingly getting more comfortable that their security concerns can be addressed and that they can take advantage of the enormous cost benefits that come from moving to Cloud computing.  
And then when you move down to SMEs, I think there is -- you know, that is probably an area where there is the biggest gap between their current level of security and the improvements that can come from Cloud computing.  Now we offer services like online backup and storage that really can help provide a greater level of security than these companies can offer on their own.  
And then we move down to the consumer, and I think the issue there is not so much the architecture of the Cloud computing service, but really just a function of consumers going from a world where they had -- they can manage their own information on their computer and it was pretty limited to now having a much greater exposure by being able to share, produce and create information online.  But I think from an architecture standpoint, technical standpoint, these issues can be addressed.  
On the privacy front I actually also see an opportunity for the Cloud to enhance privacy, not just be -- to be viewed as weakening or threatening privacy.  For example, we actually partner with Microsoft to offer a secure electronic health records network in the State of Tennessee, which uses an innovative approach.  Instead of creating new databases and more copies of electronic health records, it allows doctors using a very secure authenticated system to view records in different hospitals on the Cloud, but yet not creating new security risks and new privacy risks by duplicating the information.  And I think if you apply that concept to consumers, you can think about a Cloud architecture where you could store your information safely online and maybe have much more effective control over who gets to view that information, whether it's another person or a business or a service that you want to use on the Internet. So I think there is a lot to be said for the Cloud as actually an enhancement to security and privacy.  
With all of that said, I completely agree with what the other panelists are saying.  From a consumer standpoint in particular, the Cloud, it gives you many more options, whether it's e-mail providers or service providers or new ways to get functionality that you enjoy.  But that also brings with it all of the challenges of a lack of consistency in the types of contracts and agreements that are presented to the consumer, the clarity with which they understand the implication of their data being hosted in the Cloud, the concerns that, with companies being so easily able to enter the market, as John said, that brings with it the security risks of how do you know that you're protected?
Ultimately, though, I think the biggest issue is what Wilfried talked about is the sovereignty issue.  I think it's very possible to update both the agreements for the consumers and the laws to reflect the evolution of Cloud computing.  It's, as I said, I think it's really a function of the larger evolution of Internet based services that we can adapt to.  But I think this idea that we now have a Cloud architecture globally that doesn't respect sovereign boundaries is a large and growing problem that countries are dealing with.  And I think that there is a big risk that the reaction is to pull back against that by trying to make sure that data is kept within the country, so that they can have more control over whether it's government access to the information or protecting the users.  And so I think there is a real risk of greater barriers to data flows that will weaken the benefits of Cloud computing and lead to more maybe regulatory barriers that try to keep data within the sovereign boundaries of countries.
And I think that would be particularly unfortunate in the developing world, where I think Cloud computing can be a very efficient mechanism both to deliver service, particularly over mobile -- you know, Cloud computing is a great asset to help efficiently deliver new services.  But also as a way to allow new market developments in developing countries to take advantage of infrastructure that is out there much more cheaply to be able to enter the market with new services and applications themselves.  So I think the IGF is a great opportunity to talk about some of those international challenges that we have and how can we address very legitimate concerns that countries have with protecting the privacy of their citizens and protecting the security of the data without resorting to new types of limitations on the development of Cloud computing.
Thank you.  

>> GAO XINMIN:  Thanks, Jeff.  Okay.  With all the six speakers finishing their presentation, now it's the interactive section.  We would open the floor for the audience and all the remote participants for discussions.
Do you have any question, comments, or both, please raise your hands.  And state your name and the companies or organisations.  Then we will ask the panelists to answer your questions or your comments.  
And also, I suppose the panelists could raise your questions and comments for each other.  So, maybe we will start it.  Who is first?  Okay.

>> AUDIENCE:  Yes.  Hi.  My name is (off microphone.) I'm from Bulgaria.  I work for a company which does work based on Microsoft .NET technologies.  Most of our clients tried and used Windows (Off microphone,) which is a Cloud computing service.
And I would like to give another view on how actually Cloud computing can be used and some of the implications that it has on small business, especially in Europe.  
Most of our clients, having tried Windows Azure, actually are concerned that their IP, not only the data that is stored, but everything, the whole application that they plan to upload to the Cloud and use the Cloud for its computing power can actually be used by the service provider, the Cloud service provider, be it Microsoft 360 or (Off microphone.)  It doesn't matter.  And they raised their concerns in front of us.  They use our tools and our applications.  We really don't know how to handle this case.  And you guys, Cloud service computing, how do you feel about the intellectual properties especially in Europe, where there is no clear legislation about this?

>> WILFRIED GROMMEN:  I can give some answers on your question.  So, first of all, as a company dealing with software licenses and so on, I understand more than your concern.  So we as a company ourselves are extremely supportive of any kind of action and respect for the IP which has been created for you like a company.  In reality, I think there are only two ways of doing this.  One is the copyright kind of thing, which I don't believe in a certain way where it is deployed changes anything from the copyright as such.  And on the other hand, there is the patenting, which we also believe is an important element.  And I see you nodding, because we all realise how scattered the, as an example, the European patent law is and the need for a unified European patent directive.  
So, what you are stating is I don't think that from the principles, the underlying legal principles, anything has changed.  What you are referring to is that maybe the broader visibility, accessibility makes these questions even more relevant.  And I think there you're right.  Yes.

>> GAO XINMIN: Any other questions or do you want to add something?  No?
Well, next question?  

>> AUDIENCE:  Yes.  Hello.  My name is Jonathan Zucker.  There seems to be a lot of agreement on the panel about the need for coming up with some sort of harmonized framework for privacy and data protection internationally in order to really realise the benefits of Cloud computing, on which we mostly all agree as well.  You mentioned the community patent in Europe, and just achieving a level of harmonization even between Member States in Europe, much less around the world, and to some extent even in the US harmonization between states.  How on earth will we get the political will necessary to bring about international harmonization on privacy and data security laws necessary to create a legitimate single market for Cloud computing?

>> GAO XINMIN:  Yes?  Maybe John?  John?  

>> JOHN MORRIS:  Well, my answer to that question is that I think you're right.  I think that if the goal is an agreed upon harmonization so that they are precisely the same privacy rules in every jurisdiction, that seems like a very big challenge.  But, you know, I think that -- for every jurisdiction, that seems like a very big challenge.  But the European countries don't think that the US has the right privacy protections and I think there are things that the US can do to move closer to a globally accepted level of privacy protection.  So I think that we could move toward harmonization more easily than we can achieve, you know, a specific agreement.  But I think Wilfried suggested a global treaty and maybe there is some potential there, just for Cloud computing.  That may be more plausible to focus on harmonization just for Cloud computing than kind of broad harmonization of national privacy laws across the world.  

>> GAO XINMIN: Mr. Wilfried?  

>> WILFRIED GROMMEN:  If you look at it from a privacy perspective and for the rest of the world, if you look at the EU and the Article 29 working group, you know, their propositions where they deal on the privacy regulations in Europe, it's a very strong guiding principles and directives, even, which the countries tried to implement in the local data protection authorities.  What you do see is that everybody is taken by the speed of the uptake of the Cloud.  The whole data protection agencies in a certain way are suddenly confronted with challenges which will go far beyond what they expected would happen.  So, on that issue, I think we ourselves are in, say, in daily national discussions with the data protection authorities to have as much alignment around the guiding principles from the EU.  The proposition which we and our senior counsel made in January, Brad Smith, is the pure jurisdictional challenge on law investigations.  What kind of proof can you get and how are they done?  What is done now is much too cumbersome, too slow, and even sometimes I think -- I'm looking for the word -- ad hoc in a sort of way.  And from that perspective, it's the only -- there is this idea to really have a kind of diplomatic initiative and to have a treaty announced around this specific issue.  

>> JEFF BREUGEMANN:  I think there are elements of a trade agreement to the way the Cloud computings are going.  Maybe that is good or bad.  Maybe we want more bilateral and multilateral agreement to foster use of the Cloud.  Other countries may view Cloud as a competitive threat and use privacy as a way to erect barriers.  To me, it will also be viewed as part of a trade thinking.

>> GAO XINMIN:  Okay.  Yes, there?  Please

>> AUDIENCE:  Thank you, my name is -- can you hear me?
Kristos Valinscso.  I have a question for the panel.  Last year, there was the -- during the privacy and data protection conference, they came up with international standards with regards to the protection of privacy and the confidentiality of information.  So I would really like to hear from this panel whether that international standard could be or should be applicable to the Cloud computing environment and under what premises.  
Well, that's pretty much the question.  Thank you.  

>> WILFRIED GROMMEN:  The only thing I can answer is, as it has been referred to here, around security there is much more, as I said, structured information.  And I'm referring to the ISO 27000 specifications which clearly states what are the kind of security framework measurements, you know, control points and processes that you have to follow.  So as a company, you know, this kind of big international respected standards, we try to implement and for which our Cloud platform has been, in fact, got the attestation.  I also referred to the other one for the standard accountancy one for the U.S. There are others, you know, the playing cards, there is the HIPAA.  And I started on the compliance discussion, if you go vertical, you know, you have a lot of business associations which have very specific security and privacy regulations.  And as a Cloud provider, you have to match them and try to cover them.  Step by step, we have this process.  Let's not reinvent the wheel.  These things do exist.
I'm confused by you saying that there is an international privacy standard.  I'm confused.  Maybe I'm ignorant about it.  But I'm not aware of an international privacy standard.  We know in some of the -- you know, there is a privacy regulation in the US, privacy regulations in the EU, privacy regulations in specific countries, and that's what we try to adhere to, and there we do see a lot of uncertainties.  So I'm confused about the standards on privacy.  

>> GAO XINMIN:  Okay.  Please.

>> AUDIENCE:  Good morning.  I'm Christina from the University of Budapest.  I would like to know how realistic it is that government records will move in the Cloud abroad.  They go in another country, basically, for the US or Europe.  And if it is the case that you find that this is at the moment not realistic, why it should be more realistic for consumers and businesses?  
And the other question I have is more to the Civil Society Information side and on consumers and consumer protection.  I would like to know how it can be avoided that the business model of social networking, where personal data is used for profiling for behavior and targeting, as a side, basically as a side business model to the hosting of this information, how this can be avoided when moved to the Cloud.  And this data will be used for analytical purposes in order to have secondary or have trade-in data.  So I would like to know what safeguards are possible here.  

>> JEFF BREUGEMANN:  Whether we provide Cloud services to government, they do expect that it will stay within the national borders.  And I think you see more hybrid models developing.  Some companies don't want to go to a completely shared architecture, but they may be willing to do some of it.  
I think, really, it comes down to the cost savings for a business that operates in multiple countries or a consumer who may not care where the data is located, may outweigh those concerns.  
On your second point, I think that goes back to what I was trying to say.  I don't think the fact that the data is in the Cloud is the issue.  It really is the service that you're using online.  So we have some services where you can back up all of your data online, it's completely under your control, no one is looking at it.  No one is targeting based on it.  But, with social networking, you're engaging in an agreement to use the service where they get access to the data.  And I think your point is well taken, that there should be clear notice to you about what are the terms under which your data may be used for targeting, and that you have ability to control and decide whether or not you want to do that.  
But I don't, you know, so I think that is a function of all of the new types of services that are developing on the Internet.  Oftentimes advertising supported that, you know, where there is a trade-off with the user that may impact your privacy and you should be in full control of that decision about whether you want to do that or not.  I'm sure John has thoughts on that as well.  

>> GAO XINMIN:  John.  

>> JOHN MORRIS:  No.  I think on the second question, you raise a very, very good question.  And I agree with the answer that Jeff has put forward, that at the end of the day, the consumer, the user, has no idea whether Facebook is using a Cloud infrastructure or whether all the data is stored on a single server in California or something like that.  But, the protections that should be available to the users should apply no matter what.  And so, so I certainly agree there needs to be, you know, clear notice and the ability for users to control their information.  
Facebook itself, if it decides to use a Cloud architecture, if it decides to place data outside of its home country, then it really does start encountering some of the cross border issues that we have discussed here, where it really needs to be Facebook's responsibility to make sure that it can comply with whatever privacy promises it makes to its users, wherever its data is.
And I think that is part of the risk that services that use Cloud platforms face, because they need to make sure that in fact the data, you know, will not be subject to arbitrary disclosure just because it's in the Cloud environment.  

>> GAO XINMIN:  Okay.  Yes.  Do you want to --

>> WAUDO SIGANGA:  Maybe just an addition to that question about the governments being willing or not willing to have their records stored abroad.  I think in the developing world, the answer that Jeff gave would actually be accentuated.  There would be a bit of resistance and reluctance if it was known that government records, which in many cases are considered to be sensitive information, actually, not being outside of the jurisdiction.  
But the whole concept, the idea, it will also have an impact on the willingness of governments, particularly from the developing world, to participate.  The things that we are talking about, setting up treaty, trying to set up coherence in the framework, legal framework, and so on.  The bottom line, if they are not willing to have their information out in the Cloud in a location perhaps that they are not sure of, if the US government is not willing, which other governments in the world would be willing?
So I think it's a much bigger problem than even just the data.  The willingness to participate in the whole process that we have been discussing here, about the treaties and legal framework, international legal framework.  

>> GAO XINMIN:  Okay.  There is --

>> WILFRIED GROMMEN:  Clearly, governments have a strong will and they have government data this that they really want to own within country.  But there is also not unique data.  And there is not unique government data.  I mean that by that is correct we believe in the hybrid idea that you'll have public and private clouds and they can find an offering to their citizens or to their servants, where they say the e-mailing system, we have all of the cost advantage of the public Cloud, but these registries are coordinated for the country and they reside in country.  So I think there is a kind of very well made architectural mesh to be found to exploit the advantages of the scale of Cloud, because that's what it's all about.  It's a question about scale and costs, and taking care of your, say, national and privacy and data security issues.

>> GAO XINMIN: Yes, please.

>> AUDIENCE:  Good morning.  Good morning panelists, member of the audience.  My name is Carline Francis and I am representing the organisation of Eastern Caribbean states.  I'm actually the project manager for the regional eGovernment project, which is funded by the World Bank.  And the project promotes the use of Cloud computing.  So, I'm very, very happy to be here and to have learned so much about Cloud computing from the panel.  
I just wanted to follow up on what was said about a government private cloud, and in particular perhaps a private Cloud for a regional -- a specific region, say like the OECS, where the government data would reside within that location.  In terms of your research, is that economically feasible for a Cloud provider?  Has research been done in terms of providing such a service to small island states, and whether or not those services would be affordable and beneficial to us?  Thank you.  

>> GAO XINMIN:  Concerning the private Cloud, who can answer?  

>> WILFRIED GROMMEN:  So definitely private clouds are going to pick up and are, I'd say, a new wave of deployment or infrastructure for geopolitical entities and so on.  We are pretty convinced it's part of our intrinsic strategy as Microsoft to offer these private clouds.  But I want to really address that there is -- these are physics.  There is a boundary between cost and scale.  And saying that when we talk about clouds, we are talking about infrastructure that offer 400 million users with 155 petabytes and storage.  So this is so low, the costs.  And then when you decide for other reasons to do it, there is going to be this kind of difference in the exportation cost.  But still on its own for a government private Cloud or within some region, I can tell you honestly for us, you know, looking even at an entity like the EU, it's much more advantage that we create a data centre in Dublin to really respect the European concerns about data residing in Europe.  You know, it's consistent with the regulatory frameworks from the European Union.
So it does make sense to do that on, say, entities or geographical entities.  

>> GAO XINMIN:  Please.

>> AUDIENCE:  Good morning to you all. I'm Monique George.  I'm representing the Southwest Community College.  In terms of deployment and implementation of Cloud computing for an entity or an institution within a developing state, what are the best practices in terms of do we have case studies, models, the country who has successfully implemented that, that the developing countries can in turn emulate?
And my other question is to Mr. Lu Jianfeng.  You have a very impressive product on your hands.  And when are you going to now globalize it?  Because I noticed that it is still Chinese based in terms of the language and your platform as well.  And in terms of when are you going to open it up to the English speaking world?  Thank you.  

>> GAO XINMIN:  Mr. Lu?  

>> LU JIANFENG:  Right now we are still focusing in the Chinese speaking world.  But if you guys are willing to cooperate with us about like releasing some, you know, the secure solution to other countries or to the other languages, we are very willing to, you know, find some partners to do this.  

>> GAO XINMIN:  Yes.  Miss Fall?  

>> COURA FALL:  Just a quick comment on the first question.  I don't know if there is best practices on the Internet.  That's why I suggested to initiate some research and study about the implementation of the Cloud.  But, I think that we will have to learn about China, the China for addressing the security.  But in the implementation I think in Africa, we need to have more information about the Cloud, the private Cloud, for our government especially.  

>> WILFRIED GROMMEN:  The first criteria I believe you started with is the communications infrastructure.  Cloud lives and falls by the communications infrastructure.  And so we can talk long about Cloud and the Microsofts and the Yahoos and everybody.  It starts by -- and I must say every nation -- and I think they all do that, is to deploy and see what is the level of deployment.  And the word access has been mentioned clearly here.  So that is one.  
Certainly an early process, we are in the early process, we are now in government and private clouds.  There are consumer clouds that was mentioned.  I liked your comment, the G mails and Hotmail, and the user clouds.  But clouds, what is this?  I just give you one example.  We have service in central and Eastern Europe around the Danube River, Hungary, Poland, Romania, a number of countries, where specific providers called CEE online only focus on delivering private Cloud services.  So their whole business model is based upon that.  I just adore it.  It's cross national.  It's done by a private company.  Just go to them, CE online I think it is.  It's a good example which I just quoted now.  

>> GAO XINMIN:  Okay.

>> AUDIENCE:  I'm from Botswana, representing Africa and ICT service providers.  
My question is on the gap between the technological development and the legal framework, the panelists have been propounding for proper legal structures to address the issues of private protection and security.  But I don't know how far the governments are represented even here.  The panelists, I think, most of them are techies, and there is no government.  How do we then intend to engage them?  I saw the gap widening.  

>> GAO XINMIN:  Yes.  Maybe Jeff?  

>> JEFF BREUGEMANN:  You know, I think one of the opportunities that we have found is to bring our business people in who do Cloud and talk to the government about the opportunity for using the government service on the Cloud as we have been talking about.  That is a great introduction to make the government more aware of the benefits of the Cloud, which I think gives it a whole different perspective to the privacy and security issues.  So if they can see the, you know, the uses of the Cloud and really experience the benefits, I think they will be more willing to understand why we as business are saying that this is critical to update the security and privacy and to allow the structures to foster the growth of Cloud computing.  So sometimes our services are the best thing we can do to help educate the government on these things.  

>> GAO XINMIN:  Now I want to ask the remote moderator whether there are some remote participants that raise some questions.  Are there some questions?
No?  Okay.  Then please.

>> AUDIENCE:  Thank you.  I am from the Internet Society of China.  I have two questions for the panel.  The first question is for Mr. Waudo Siganga.  Just now, you talked about a group of statistics about how to reduce the cost and enhance the security about Cloud computing in your country.  I wonder how you can have the statistics and also the source of your statistics.  This is the first question.  
And the second question is for Ms. John Morris.  I wonder, is there a legal (Off microphone.)

>> JOHN MORRIS:  I didn't get the issue about the statistics.  Maybe you can just repeat it.

>> AUDIENCE:  We found that the statistics about how to reduce the cost while to enhance the security of the group of statistics, the database in your country, I wonder where do you get statistics and the source of that?  

>> WILFRIED GROMMEN:  The source of the statistics.  Yes, this research was done by an organisation called the Polymon Institute.  On my presentation that I think is going to be put online or made available, I'll put the references at the back.  You'll be able to see the Web sites of those two organisations and you can visit that, and perhaps even have a look at complete research results there.

>> JOHN MORRIS:  So on the second question, you know, Wilfried mentioned that there are European efforts to really try to organise and focus on rationalizing the rules for Cloud computing.  You know, I think there was very strong interest on the part of America to the United States to also reach some rationalization and agreements with the Europeans.  Frankly, just because at this point American companies, some disadvantaged in trying to provide Cloud services in the European market, because Europe doesn't view the American privacy rules to be sufficiently adequate.  So I think there is strong interest on both sides of the Atlantic to reach some sort of accommodation to facilitate Cloud computing.  
But as to a specific organisation, I'm not -- Wilfried can perhaps.  

>> WILFRIED GROMMEN:  There is a lot ongoing on the regulatory discussions and reflections.  And I must also say that because the other question was raised, there is no dialog, I have the impression there is enormous dialog from our perspective.  We really feel a much, opener and say public/private partnership or multi-stakeholder debate on these levels.  There is the green paper from the Commission on how to really do criminal evidence out of other countries.  There is UNESA, the platform for the cybersecurity with whom we work, and there is much going on.  So on the level of the EU, there is dialog and I think there is strategic reflection.  
I think it's more, if we now talk worldwide, I think it's much more difficult, I think, for individual countries to come up with what is going on.  And that's where we also say it from our providers' perspective, we would like to have a broader forum where the things are in a multilateral agreement agreed upon on a larger scale.  Because if on an individual basis, that is not the way Cloud computing works.  So that is a bit of an answer on the dialog.  Yes.  A bit of reflection.  
And we really, really support these initiatives which are on a larger scale with partners like, and I mentioned because I'm European, like the EU.

>> GAO XINMIN: Please.

>> AUDIENCE:  I'm Dan O'Neill and I'm with the GIIC.  We have had the pleasure of hosting this today.  First of all, I want to say thank you to the panelists for the presentations.  Again I'd like to go back to this question that we continue to be focusing on, and everybody is kind of mentioning it in their presentation is, you know, how do we take that next step to finding some kind of international agreement that can bring us together on this question of data protection and privacy?
I guess I have two questions.  First, where does that debate belong or where should we be looking at in order to facilitate that?  And in sitting here listening to that, does it make sense for us to consider as a first step some kind of Plurilateral agreement where countries get to opt into that, choose to engage themselves in those discussions, you know, if there was interest?  I could see developing interest as we started to build on that.  But, you know, then we get those countries around the table initially that recognize the value of being involved in something like this and reaching that kind of agreement.  
For anybody on the panel.  

>> JEFF BREUGEMANN:  I would say I think the discussions happening in Europe already and also bilaterally between the US and Europe.  And I think similar discussions are happening in the APEC framework.  Because there is such a recognition of the market opportunity with the service, those may be two ways to create a little bit broader structure.  And I think the idea with both of them is you provide something collectively that then individual countries can join without having to start over each time.  So I think we're optimistic that if we focus on the larger discussions and set the template it would be easier.

>> AUDIENCE:  Within the WTO, we have the ITA agreement, which is a plurilateral agreement that countries who chose to sign on to those commitments can go ahead and do that.  

>> GAO XINMIN:  Yes.  

>> WAUDO SIGANGA:  I think the second part of your question, then, is I think Coura mentioned something about a proposal to have something like a task force for implementation of a Cloud computing, specifically for Africa.  And that could be another forum where these kinds of issues can be brought forward.  And if you're thinking of things like bilateral or multilateral positions or agreement, they could start locally, at least within Africa, they could start from that kind of forum.

>> AUDIENCE:  Excellent.  

>> LU JIANFENG:  We might need to push user feedback instead of having some international agreement on like a privacy proceed protection.  Every company, as a company, we care a lot about the customer, care a lot about the user, so, if, you know, we have kind of like a mechanism for those user, they can easily raise their issues about the privacy protection or some others.  Where every company will care about this.  Otherwise, users just go away.
So pushing for this user feedback mechanism is much more like feasible compared with like some kind of an international agreement or some other things.  So, that's my personal opinion on this.  Thank you.  

>> GAO XINMIN:  Okay.  Do you have -- I wonder, time has run out.  Maybe two last questions, okay?  The lady first.

>> AUDIENCE:  Hello?
I wanted to just switch back the attention to the security topic.  As you mentioned, it's more secure to have data on the Cloud and everything.  But I was wondering, there is something called DEFCON, if you follow-up, you know what is happening on DEFCON, you can see the huge data and security problems.  So there is like one problem with one service provider, a lot of data is going to be compromised.  So are we creating huge pools of data, where hackers can go there and find this data?  Now we have something called security of chaos.  Hackers, okay, they can personally find people, but they don't have huge pools.  So how are we addressing this issue of, if there is one security exploit, it's showing in the -- we're seeing it (Off microphone.)
So one security compromise will compromise all of this stuff.  So how will we deal with this, and how will you secure hackers like in DEFCON.  Even banks and machines are compromised.  Not virus, you have the other stuff, like the guy from 360 pointed out.  
And the other issue is that I wonder if you can give me numbers about how the servers are distributed.  Because personally -- my personal impression is that most servers are now in Europe and U.S.  So I was wondering, how is this going to promote this digital divide that we're having.  Yesterday in the network capacity, the network management panel, we were discussing capacity.  So, is this now becoming the consumer of data and the north is hosting it and Wisconsin is like Africa and the Middle East and many areas?  We're going to need international bandwidths.  How much effort is being put by companies to put servers in Africa, so people don't need to connect to the US with the lag and delays and the consumption of international bandwidth?  What is the distribution of servers, rough numbers?  
And how do you see it's important to distribute the servers in countries like Africa and also with places like the Caribbean countries.  Because if someone in the Caribbean country has an idea for the next Facebook, they will not be able to do it or host it.  That is my question.

>> LU JIANFENG:  Actually, for those, you know, this is already a mature practice like detection finding -- I think for privacy protection, also like those vulnerability in the banking system, in the Cloud computing, we actually can follow the practice of vulnerabilities.
I think the office is doing good with communicating with those techies, or like hackers, trying to get the vulnerability information and finding how to fix all of these.  
I think privacy and the vulnerabilities in the back end system, we can follow the same way, follow the same practice.  
I'm not sure if I answered your question or not.  

>> COURA FALL:  Just to respond to the last question about the problem of security and privacy within the Cloud, I said earlier that it is our responsibility in Africa.  We have to define it and the process is going to.  We have to think about how to define the rules and all the issues that we have in deploying the Cloud in Africa.  I think that we cannot give you a response now, because it's in the process and we are now discussing how to do that.  

>> JEFF BREUGEMANN:  I don't have statistics, but I think you raised the key points, there is always going to be a trade-off between storing content locally and versus the efficiencies of mass storage.  I don't think Cloud computing disadvantages this, it will be a constant equation of when does it make sense to move things closer because that will be a better customer experience or cheaper.  In some cases there may be a benefit to say we can immediately, more quickly take advantages of applications.  

>> WILFRIED GROMMEN:  On the question of the data centres, what we do is try to cover the world with data centres.  So there is a very clear strategy going into the different time zones.  We are practical in all the time zones now and a full redundancy, so that is one.  
But I would like to raise another thing.  These are the big data centres.  Yes.  But today, I don't know if you've seen that you can have clustering of data centres and containers 4,000 servers, 4,000 petabytes, you know how much that costs?  $5 million.  You know, we are at a scale where computing is just such a commodity that I can easily see, you know, West Africa deploying such a container in a place, so they do have their data centre.  So I think the world is completely changing when I say access is important, because that's where it lives from.  But the scaling factor, where data centres are, how many people to manage them, the cost of them, I think there is -- there is a tsunami taking place on that level.  

>> JOHN MORRIS:  Very quick comment on your, the very first part of your question in terms of vulnerability of pooling all the data.  You know, many Cloud commissions, at least some Cloud applications, can benefit from encryption, where the data may be stored in the Cloud but only the user is able to decrypt the data.  So, there is security vulnerability, but it's lessened because the data remains encrypted.  

>> GAO XINMIN:  Okay.  Okay.  Last question.  Last one.

>> AUDIENCE:  Thank you.  My name is (Off microphone.) And I'm from the University of Madrid.  Security certifications have been mentioned in passing.  And I wanted to remark how important they can be.  They can be market driven.  They can allow clients to remark their interests and their preference for companies that do have a strong security culture.  And I wonder why we're not finding ways to promote security certifications worldwide.  I think it would be a faster way to increase security.  And also there is third-party -- there is involvement of third-parties, because of the -- they have to be audited.  And there is not -- they are not one time options.  They are -- they have to be continued through time.  So that's my question.  
Thank you.  

>> WILFRIED GROMMEN:  The answer is yes.  

>> GAO XINMIN:  Okay.  I think it's time to end our workshop.  I thank the panelists for their excellent presentations.  I think it's very useful for all the participants.  
So, I will take this opportunity also to thank the -- Mr. Dan O'Neill for -- from the Global Information Infrastructure Commission, for his efforts and the coordination works that contributed to our successor workshop.  Thank you, Dan.  
And also I want to thank the remote moderator.  He also provided a lot of help for us.  
I think the discussion on this very complex issue is not -- could not be finished in two hours.  We will continue the discussion online, either in any case.  I hope to see you next year at IGF.  Maybe some topics we will continue.  Thank you very much.
(Applause)
(End of session)

********
This text is being provided in a rough draft format.  Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings.  
********



>> GAO XINMIN:  The Friday morning main session will discuss these issues.  Thank you very much.  