Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
I now welcome the CIO of the Austrian government, Reinhard Posch. Reinhard Posch is, in the European security scene, a very well known and respected person. He has got lots of awards, started many initiatives, and is one of the major heads behind the European identity cards initiative, among other things. He is also the chairman of the management board of the European Network and Information Security Agency. So there is lots of stuff we could discuss with him, but today he is going to present the European Cloud Partnership. I am very interested to hear what he is going to say. Thank you.

Thank you, Sasha. I was the chairman. You can only be that for two periods. That's fine. Thank you.
Last week I presented at the Future Internet Assembly, and it was on broadband and what that means for cloud, et cetera. I intentionally presented from Google Docs, and right in the middle, when it was on broadband, I got a break: the line broke and I got a short disruption. That's the optimal thing which can happen in a talk when you are talking about broadband, cloud and the impact. What does it mean? But it would not be the best thing in here.

And what does it mean to us? I listened to the interesting talk of Mr. Car, and all the time I saw on the right-hand side "eID and cloud". Are we ready for that? Are the strategies ready for that? That's about what I am talking about today: security impacts and strategies in cloud. Now let's hope this works.
The European Cloud Partnership has been initiated by Commissioner Kroes, and it aims at bringing together industry and the public sector, and at finding ways to establish an ecosystem for cloud computing in Europe. We all know that cloud computing is a domain which so far, technologically at least, is dominated to a great extent by the Western hemisphere and by the US. And you have big sayings, like from the CTO of Amazon, who by the way is part of this group, which I will talk about later on.

He said old hardware companies will have to fight extinction. Might be not yet, might be in a few years, but there is some truth about that. If you look into the development, it will change the whole attitude, the whole expectations we have. Will it also change our attitudes towards security? Do we understand cloud now? Most probably, if we went around these tables, you would have different understandings of what cloud means, but there are some elements I try to get around here. It's on demand. It needs broadband network access. It's rapidly changing.

It's sort of a next layer of abstraction. You don't care so much about what is happening on the physical side, and you don't need to, with all the facts which are vendor lock-in, et cetera, which you find there.
And now you know in what environment this partnership is working. And it's not only this partnership; it's also member states who have been trying to approach that topic in one way or the other. In Germany, the BSI, or the Federal Office for Information Security as it is called in English, where I was at the conference yesterday, is going towards certification. And that will certainly be part of this European Cloud Partnership in one way or the other. In Austria, we have approached this by having a high-level strategy which aims at making agencies and administrations aware of what this is about.

We are a federal country, so it's about having not only the influence of the vendors, which have a totally different goal to fulfil: they have to sell, they have to place their products. But as an administration, you have to have both sides in view. So we made a strategy which gives some of the elements, like procurement elements, like strategic elements on data. Data protection was mentioned, et cetera.

The position paper which has been worked on and which has been agreed is deemed to provide background and facts for conscious decisions. That's what we need: not just getting excited and doing it, but having conscious decisions when we go into cloud. And when it's about conscious decisions, we see some barriers, and the barriers are legal.
If you look at what legislation you work under, for example in administration, a country like ours is not ready to contract under US law, which you have to if you go to Amazon. They will tell you: either you contract under US law, or you stay at home. And that's something we, as a small country (I am coming from Austria, as you have heard), have probably no chance with.

If you pick that out and say, forget about that market, they are perfectly happy. But if you get the whole of Europe to say, listen, that's the only way you can be in the administrative market, you have to change that. Security is another thing. And that has all the flavours, from security in the basic meaning, but also going onwards into things which are sometimes flagged as the Patriot Act, which means: who has governance over security?

That's very essential. We are assuming that as an administration, as a country, as a government, we have the governance over the security of our administration. And that might change if you go cloud. Privacy is starting to get understood. And the lock-in fact is not understood in a very good way. Just to give you one point from this position paper: we said, if you go into the cloud and you calculate what it brings, you calculate what it costs you to change from this cloud model to a different cloud model, and you have to include that into your financial calculation.

And if on the bottom line you are still happy with the figures, then you can do it, unless you have other things which prevent you from doing that.
Now, the Commission issued a communication assuming that until 2020, 45 billion of additional direct spending in cloud will happen, which will result in approximately 1000 billion accumulated GDP, and we are talking about about 4 million jobs. So that's not negligible, and it's increasing afterwards. The main areas the communication focuses on are: what does the fragmentation of the single market mean?

We have uncertainties in applicable law. I just pointed to contract law, but there are many other elements in applicable law which touch this, like data protection.

As I said, we have data protection, which is dealt with by a new regulation, which is no longer a directive. That might be a chance. We have contractual issues. We have consumer protection issues, but we also have criminal law issues. What happens if a subpoena happens to a cloud provider? Will it stop?

Because it has to disclose everything. That's an interesting thing. And that's why governance from a government point of view is a very basic thing. We have contractual issues. It's unclear what the liability is in case of disruption. Look into the contract of Amazon. What they give you as a liability: they are liable for the amount you have paid this year. Now you can just cross out this liability; that doesn't help you. You need much more if you are managing something like a cadastre, like a tax system, what have you.

And by the way, who owns the data? That's not so much a problem with government data, but if you go into clouds like Facebook, what have you, this is an issue as well. Which standards to apply? It's not totally obvious. The key actions, therefore, are mapping standards, and clarity and fairness in contracts. This partnership aims at giving you, in the first place, sample contracts, giving the member states and the administrations of member states just hints on how they could do it.
And the, the head of the European cloud partnership is the president of Estonia. Ms.
Davis, he would like to see a directive, but I think we are quite far from that. The partnership is separate for the moment in two elements. One element is the steering committee. And the other element is a pre-commercial procurement project.
Now the, these following three slides are from Kim, the Tel, who is the head of unit in the commission responsible for that area. It, it, the key actions are standardization contracts in terms of conditions, terms, and conditions, and the, the strategy, the steering board, the results, which I intended are working groups for standards should work until the mid of this year.
We will meet on the 4th of July having a detailed map of standards until the end of the year, and then 2004 to address also other issues like green, it, et cetera, et cetera, which might have a impact just to see what this means in terms of European policies. The partnership is also about to develop a ways to have certification, to have some clearance. And there inza is called to be on duty, develop a model of SLA, which is also a big issue in cloud because you basically due to liabilities and get, get not much from that angle.
So this is the list of people in this very small group, which is the steering board, Ms. Cruz is as from the commission there, but is not formally member. It's headed by, as I said, the president of Estonia. And you have like a few people from industry from, from government, not all the member states present there, it's not, not a formal committee. And you have a very high level industry. People like the CEO of Erickson, et cetera, cetera, you, you might have access to the slides anyway. So I'm not reading that through.
This is, comes together with this pre-commercial procurement project. It's called cloud for Europe, where 11 countries and 24 partners are taking part to assist implementation to see what it means. You know, making strategies, making proposals only makes sense if you have grounds, which make an experiment of that. And pre-commercial procurement in this case funded by 10 million Euro should help things to be on, on, on a well based ground. The project will start with the assembly in July, where the project will be formally signed.
And here you have the, the, the states who are present in there, it's to elaborate, to explore public sector, cloud procurement. So we are facing this point in time on public sector implementations and what it means in there.
Now, it's not that easy. Just imagine what we could do. By the way, a few weeks ago we found that having cameras in your cars and having them on all the time is against data protection in our legislation. In Russia, that's very popular. It's also not allowed here, but we are...

Yeah, okay. I am not discussing that, but what you could do, if you have that on, you just could have one touch: I had an accident, you know, you recall, and you make automatic processing, which would add to truth, which would add to ease of process. But it is very invasive. It can be very invasive, and it would need lots of security. So therefore the goals are to use some services, to analyze the requirements, to have a common tender which goes cross-administration. So all these member states will make one tender to explore the conditions of tendering.

And then they also should pilot and evaluate what came out. The planned process is one year of requirements and two years of pilot phases, like the usual large-scale pilot. Now in the last part of my intervention, I would like to come back to the theme, which is eID and cloud, just to make you aware that the formal notion of eID in the cloud is much more important than it is on a single application.
And therefore we have different notions in the public sector and the private sector, even if we are not always aware of that. In the public sector, you have birth: you get a statement of birth, which is a birth certificate. And from that time onwards until, well, until I die, I am an entity for the public sector, and that might be school, marriage, health, what have you. Name is not part of that. I could change names ever so often; I still remain the same identity. That's the uniqueness of the eID notion in the public sector.

The private sector is totally different. You don't care who it is. You have an event: someone is choosing, like buying something, buying a car. You want that the same person is then consuming the insurance, because he paid for the insurance. It's the same person who is calling for the guarantee.

And what have you. So when this entity comes back, it should be the same one, and it's based on payment. So you have a clear notion of what the framework of liability is, et cetera, and what the duration is. How do we bring these together? That's a very important point. In both ways you have the same technologies, you have a database of entities, and in many cases you even have the same items there. But what does eID mean in terms of natural and non-natural persons?

What does it mean in terms of cloud? Does the cloud provider own your eID system?

Could you imagine that Amazon owns your eID system and then is forced under the Patriot Act to deliver that, without you being notified? So they see that public and private sector really have different things. What does eID mean with mobile devices, when it comes to two-factor authorization? I will have some words on that. So we need a regulation. That's on the way, as you know: the eIDAS regulation, which is eID and signatures, is being negotiated, and the plan is that it should be finalized this year. Roles and mandates.
We have seen that in the last talk. I might be a natural person having the role of a citizen, having the role...

No, I have not, but I could have the role of tax officer. You could have the role of a CEO. I could have, well, not me, but if I were a female, I could have the role of a mother. That's totally separate. So the person and the roles: we need to separate that, and unless we do that, we can't manage. And then we have attributes, and we always mix up identities and attributes. That comes from the notion of the paper ID, and the paper ID you base on attributes, because that's the only thing you can verify. You can look at the picture and see: this is the person.

But in fact, the picture is an attribute. And when it comes to the ID, we have to be careful about that. What has that to do with cloud? Cloud is not a different world per se, but it's a new technology. It challenges the legal and contractual areas. We have seen it challenges security, because it reaches a new dimension. We have a further partner in this game, and this partner is sort of anonymous.

It's not so well comprised in a contract. Trust and eID therefore need further concentration, especially when it comes to accountability. This comes together with the mobile devices.
We all have these nice little things, which by the way show that no one cares about regulation. I have an iPhone. And if you look at the plug where the iPhone is powered, since 2001 I think we have European regulation on how that should look. The companies most probably know, but they don't care. And that's the problem with regulation: how do we get effective regulation? Not how do we get more regulation, but how do we get regulation to be effective? iPhones and tablets: are they just computers?

No, they are not. The capabilities are different.

They are seen as limited, but they are very much vendor driven. Just think about Flash and Apple.

They don't really like each other, so they don't work together. Systems are sandboxed, which is not usually the case on a desktop or a laptop.

You, as the owner, are the manager, you are the system manager. You decide which apps are there. You are responsible for everything. That's easy for the company: they give you the responsibility, you do it. But it's not such an easy problem for you, because you might catch malware. There's hardly any detection. There are hardly any updates and patches. They would rather like you to buy a new one than to patch your old one, because the speed might not be that essential for you, but some other elements, like being on top in terms of having the new apps, that's what you want.

And you don't have external devices. And that impacts the whole field of eID. Sorry, that was the wrong button. That impacts eID and security, especially when it comes to cloud.

Now, when it comes to cloud, we have to think that cloud adds a new element: the standards and interfaces that drive eID in the cloud must be external to the cloud, so that you can have control over the identification. And most probably, if it comes later on to things like encryption, et cetera, that's the same thing. So anything in terms of security you might want to separate from the core elements of the cloud. And therefore, I think we are asked to have effective regulation.
Now, a few words on public and private sector. As you have seen, the Cloud Partnership basically targets the public sector. So when it comes to ID: public sector identity, public sector provider, and public sector use, that's easy.

That works. Public sector identity, public sector identity providers, and use in the private sector: that's just a matter of regulation. You can allow that, or you can disallow that. And most countries now allow that. Now the interesting thing is public sector identity.

You have your birth register, you register inhabitants, what have you; then you could leave the rest to the private sector. The private sector could provide that. That's the model we are using in Austria. That is calling for some thoughts on what it means in terms of responsibility, in terms of legal contracts between the public and private sector, and then you can use public and private sector applications. Now the last one is the most tricky one.

If you have a private sector identity base and a private sector identity provider and a private sector application, how can you match these? We didn't find a way that a private sector identity base is effectively linked to the public sector. We have some attempts in the Nordic countries, but that is intermingled in the sense that they are using the social security number equivalent everywhere.

So it's basically, again, a public sector ID which is just managed by a private sector provider. That would be the target, but it's not easily feasible. eID and mobile devices: as I said, there is a difference. You usually have secure elements in the mobile devices, which you don't have, or don't use, on laptops and PCs. You have the application software which can interact with the system and the browser, which is not the case, due to the sandbox situation, on the mobile devices. And that has great implications. And you have the security devices which you cannot connect.

Even if it's technically feasible, you would not add a card twice as heavy as this mobile phone and then make that work; that's not the way to go. If NFC is taking up the way it's predicted, we will see; that might be an avenue, but it needs solutions that are not available everywhere. We, for example, went to the mobile eID, which I will show at the end of this talk in a second. What does it need?
If we have this whole setup of eID and cloud, it needs something to relate individuals to an ID database, registers. It needs an identity database, and it needs someone who is making this match-up, the registration process. You can do that in the private or public sector, no problem. Then it needs some security, possibly hardware, two-factor. Unless you do that, take the example which I gave when I started: you are here, you make your presentation, now the line breaks. That's the optimum situation where I, as an attacker, would jump in, because the presenter there has only one duty.

How do I get on with my words, still typing here and getting my presentation back? He will give you any credential in this moment.

Therefore, it's important that in such situations you are not exposing everything, because I am not doing talks every day, so my files might be mixed with more important ones. These files are public anyway, but they might be mixed with others.

But the most critical thing is user motivation. How do we get them aware? Because it is a little more than just typing in the same user ID and password everywhere. How do we get the user motivated? How do we get the balance between the duties we assign to the user? Just to give you one view of how we did it in Austria with our mobile ID, here's a virtual example. It's not happening, because the European Citizens' Initiative has a clear regulation, and it's based on very complex forms.

But what I am showing you here is what it could look like if we take advantage of technology, in this case of mobile ID and HTML5. You had a European Citizens' Initiative motion, for example on anything environmental, what have you. Here's a sample with it as a demo, and don't read into that. If you have your mobile devices, you have a lot of additional reach which is there. If you combine your device and your ID, in most cases you only say: yes, I want that. I want to say yes to this initiative.

Or, for example, I need a proof of criminal record, of an empty criminal record, hopefully. Well, that's exactly how we do it.

You go into a portal, you say I need it, and that's all you do. You don't enter any names, what have you, because that comes from your environment, and that's where the clouds come in. What you then need is, well, that's public data anyway.

So no problem exposing my address; anyone could Google that. What you need though is to have a clear linkage between your will and what is there. And there the two elements come in: on one hand identification, on the other hand signature. I am not going into detail on that, because identity is needed before you start the process, and signature is needed as you finalize the process, just to make sure that no one intervenes. Now this is what it would look like: you say yes, then a PDF is generated. The PDF is signed, which is simply done by using your mobile phone.

Normally you would use a different device to make sure that it's not a problem on this device, because on Android there is no separation between the telephone layer and the presentation layer, no system-wide separation. Therefore, for security reasons, you would not prefer to do that on the same device. You get a one-time SMS, which is basically the key you normally would key in on a keyboard. And you get your signed PDF, which is then automatically transferred into the database. Now this would take you about half a minute. You would see a QR code with a vote for green, or what have you. You would take a photograph. It would bring up your "yes, I really want to do that". Now you have to think twice, and thinking twice is embedded into the eID and signature, and then you have done it. Thank you for listening, and hopefully there were some elements you could enjoy. Thank you for having me. Thank you very much.
Pretty deep look into the future and towards what cloud and eID as an environment could bring to us. My question, a very simple question but maybe difficult to answer, is: if you would have to bet where your ID, whatever ID means in the context of these different dimensions and contexts you explained, is actually coming from, what would your bet be? Where will your ID, your most trustworthy information base, come from in 10 to 15 years' time?

Well, I tried to bring in that notion: on one hand, you have an ID, which you have whether you use it, whether you have technology for that or not. And then you have technology to use your ID. So, yeah, the ID doesn't come from anywhere. The technology comes from somewhere. And if you ask me where my technology comes from, I think it comes from the private sector in the long run. That's for sure, but it will be based on something which is backed up with regulation, which means administration.

So we need that interface, which we in Austria put into law: every identity provider which fulfils the requirements has the right to use the database from administration to provide these technologies to the public, for private or public use. So Google could actually, if certified or accredited, depending on the model, be one of the identity providers. Not even certified or accredited: if they fulfil the requirements in terms of technological level, they could just work it up and say, I am doing this.

And then they would get issued a link to the register where they get authenticated records. If they fiddle around with that, it doesn't matter, because they will get nowhere. The identity would not work. But they could do it. Anyone can do it, you can do it. There's no barrier.

And I think that's why I brought up this slide with the red and green, where the potentials are, and I think that's where we have to go: to embrace the industry and also to embrace the user.

Thank you very much. Very interesting view, specifically, I think, also for manufacturing organizations and user organizations, on how to think about that model and how to position themselves on their identity and access strategy in view of these developments.