EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

Successful cooperation for cloud computing policy – outcomes & take-aways

EUBrasilCloudFORUM Open workshop and Cloud Computing Policy Dialogue meeting, 9-10th November 2016, Brussels Cloud computing has been a catalyst for economic growth and new business opportunities – creating new business models, accelerating innovation and changing the economics of industries. However, significant research and innovation is still required to realise its full potential and increase take-up. It is therefore important to identify future challenges, gaps and opportunities for cloud computing research and innovation, where Europe and Brazil can continue to cooperate on cutting edge ICT. EUBrasilCloudFORUM is playing an instrumental role in this respect by coordinating groups of experts investigating Cloud Computing topics for future cooperation. Defining EU-Brazil co-operation priorities for future research on ICT - particularly cloud computing, including security, big data and the Internet of Things (IoT) - was the focus of the EUBrasilCloudFORUM Open Workshop which took place on 9th and 10th November, 2016, in Brussels, at the European Commission Premises. The main outcomes of the workshop are summarised below.

Future Challenges on Cloud Computing Technology: Gaps and Opportunities in the Context of the EU-Brazil Collaboration Session 1, 9th November, 2016

Brazil to look at European Data protection regulations as the way forward to cross-regional innovation The EU’s General Data Protection Regulation (GDPR) (applicable from 25 May 2018 with the

Directive becoming national law by 6 May 2018) aims to harmonise data protection laws across Member States, with some using it as a lever to

PANELISTS Fabio Martinelli, CNR, Italy Claudio Caimi, HPE and Cloud28+ Flávio Lenz, Central Bank of Brazil Heber Maia, Ministry of Planning, Brazil Karin Breitman, EMC Brazil

MODERATORS Jim Clarke, Waterford Institute of Technology Moacyr Martucci Jr., University of Sao Paulo

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

also improve cyber security. The GDPR could provide a good example to apply in Brazil, where a new law is currently under discussion by a special commission dealing with data collection and protection, with the aim of increasing harmonisation between Brazil and Europe.

Another relevant EU regulation is the Directive on security of network and information systems

(NIS Directive), which was adopted by the European Parliament on 6 July 2016 and covers two

main topics for international cooperation: Risk management and information sharing on cyber

security, affecting critical infrastructures and cloud computing services. Finally, as part of the EU

cyber security strategy, the European Commission and the European Cyber Security Organisation

(ECSO) signed a contractual Public-Private Partnership (cPPP) on cyber security on 5 July 2016,

with the aim to address evolving cyber threats by develop innovative products and services, thus

strengthening European industry in cyber space with a total investment of €1.8 billion (EC plus

private investments). It is important to keep abreast of these developments, including the outputs

of the ECSO working groups, such as the Security SRIA WG and SME WG to identify best practices

that could be beneficial also to Brazil. Future collaborative research should also take on board the

findings and outputs of the EC’s Cluster on Data Protection, Security and Privacy (DPSP).

Data governance in the cloud. An EU-Brazil supply-chain for cost-effective use of cloud technology. How can we share cloud solutions with other companies in more modern architectures? What

happens if you have multi-regions, e.g. inside Schengen Area, outside Schengen Area? The event

highlighted that Europe leads the way in terms of cloud security, privacy, and system integrators.

These areas are nascent in Brazil, where there are no regulations yet for Internet and security. This

poses a tremendous challenge to academics, start-ups and large companies which might invest in

technologies for a market that is not sufficiently mature though the uptake of cyber security

products and services, for example, still remains low in the EU (UK Cyber Security Strategy 2016-

2021). A combined, multi-stakeholder effort is therefore essential, involving infrastructure and

service providers, innovators and technologists to co-create an ecosystem where cloud services

generate cost savings. A supply chain of partners needs to be there to provide market support.

For instance, the telecoms sector is not as strong as internet based companies, but it is starting to

move to the level of providing services with cloud computing playing an increasing role. An

example of a multi-location service was given with one site in New Jersey and one in Sao Paulo,

which was able to share latency space, when needed, making services more viable.

Trustworthy cloud for Industry 4.0 We are now in the Industry 4.0 era, in which every company is going digital, requiring R&D

partnerships, including the involvement of businesses. Cloud is the foundational technology from

which to build up and scale out. However, trust remains a fundamental issue, where it is important

to offer trusted services and solutions to the business community. Trustworthiness – connected to

secure-by-design approaches and any quality attribute - can be considered as a must-have

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

research topic. Trusted supply chain from a scientific and research perspective is also very

important. A document is currently being written by CNR1 on Industry 4.0 for Italy2, explaining why

cloud will play a key role for Industry 4.0. Trustworthiness is also linked to Public versus Private

cloud, where private cloud services are mostly implemented by large private enterprises, e.g.

banking while SMEs generally opt for public cloud as they cannot afford to build their own

infrastructure. IT transformation projects within companies is very difficult and that is where

the trust comes in. IT transformation is also about people transformation and filling skills gaps.

There is no curriculum that includes cloud infrastructure in Brazil. How do we bring about the

next generation of people to work on this transformation? Certification is another growth area but

training and knowledge within universities are non-existent.

Standardisation of contracts is also needed as business contracts need to be signed as customers, especially SMEs, struggle with legal and technical terminology. Several projects in Europe have done valuable work on cloud contracts and service level agreements (SPECS, SLAlom, SLA-Ready, MUSA, HNSciCloud), which could guide future R&I collaboration aimed at increasing standardisation, where at a minimum customers need to understand the service level they are getting and how data is used and by whom.

Keywords: # GDPR | #Trustworthiness | #Industry4.0 | #Standardisation of cloud contracts

1National Research Council (CNR) of Italy https://www.cnr.it/en

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

Cloud Federation, Portability and International Standardization Session 2, 9th November 2016

Enlarging the Federation paradigm (responding to the market needs) Federation in Europe is a requirement for science where providers are not ready to supply the short-term, temporary demands from the market. Cloud federation today goes far beyond technology federation to encompass federated billing and accounting and those “de facto” standards that comply to market. Many other barriers – from banks, from new business based on hybrid cloud, from the focus on SaaS – are today preventing the creation of a strong European (but Brazilian as well) Cloud Computing market. Standardization is convergence on best practices (de facto standard) but standardization need to reflect new “XaaS” (e.g. Data as a Service) disrupting the market to allow consolidation and recover trust, which has been significantly reduced by current leaders in the field by re-structuring trust properties. Companies do not want to have cloud computing standards as their local APIs are the biggest guaranty they have for their market share. A body of standards would drastically improve competition by setting companies free from heavy, expensive, proprietary frameworks. Cultural and conjectural barriers to innovation and federation deployment still need to be addressed, including bureaucracy.

Keywords: #open pass | #virtualization and #networks | #security | #devops | #hyperfederation

PANELLISTS Ignacio Blanquer, Polytechnic University of Valencia, Spain, and EUBRA-BigSea project Alfonso Rios, INDRA, Spain; Eduardo Alchieri, University of Brasilia; Luiz da Silva, Trinity College Dublin, Ireland, and Futebol project Michel Drescher, Oxford e-Research Centre at the University of Oxford, UK

MODERATORS Priscila Solis, University of Brasilia Sara Pittonet Gaiarin, Trust-IT Services

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

PANELLISTS Andrea Bondavalli, University of Florence, Italy Andrey Brito, Federal University of Campina Grande & SecureCloud project Wagner Meira, Federal University of Minas Gerais & EUBRA-Bigsea project Felipe Matos, Start-up Farm and Brazilian Association of Start-ups Alessandro Bassi, Alessandro Bassi Consulting

MODERATORS Marco Vieira, University of Coimbra Antonio Augusto Frohlich, Federal University of Santa Catarina

Brazil European Union joint

opportunities on Big Data Security and

Privacy on the Cloud

Session 3, 9th November 2016

Privacy awareness first. Secure applications come second. Security and privacy are different things. They have different enemies and apply in different ways to users, where it is important to also understand the interplay between privacy and trust. Privacy is mostly to do with individuals though vulnerabilities can also affect privacy while security is a big issue for companies. Privacy, especially in public clouds is a major challenge as it is hard to say there is a guarantee of QoS and user monitoring to see what is being provided. Is the perception of privacy the same in Brazil and EU? When we have an agreed vision of what is private data, what type of data is being moved to the cloud and what needs to be protected, we can move towards solving the technical issues. No matter if other countries are protected, if I am not guaranteed where the data will end up, it is meaningless. An open issue is how to enforce and control the privacy agreements, like Service Level Agreements. How can individuals verify in real time that the policy is conforming to their contracts? A big issue in relation to privacy is user awareness. It is very easy to attack smart phones because owners don’t know how to set up their security and protection mechanisms (due also to the lack of formal specifications of trust in 4G networks). They do not know how to manage their security, meaning their data can be available for others. In most cases, users are left alone to their own knowledge. Privacy is not easy, as it is a social aspect and a growing issue in the data mining / analytics communities. Solving the awareness issue is key to moving forward on technical aspects: how can the infrastructure help build applications that are security and privacy aware? How can we promote traceability of data and revoke data if it is lost? What are the weakest security and privacy points in going multi-cloud? There is a lot of distrust – if we want the results to move between platforms, share data with business partners, there must be no worry that issues will arise. Where is the future heading? Cloud must not be just a repository of data but has to provide transparency of algorithms and strong guarantees.

Cloud & financial technology Brazil counts some of the most advanced financial technologies worldwide, dealing with fraud which require very complex systems. The most trendy applications in cloud are using block chain,

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

decentralised systems to make them more secure, and these will evolve to other applications like law, governance, etc. FinTech is moving to the Cloud and this will bring a strong contribution to new business opportunities in Brazil with regard to cloud for start-ups in the financial area. Those applications can then migrate to other sectors such as LawTech, licencing, etc..

Securing cloud computing technology from cybercrime It is oftentimes envisaged that cloud computing technology and security are on opposite ends of a spectrum. For example, if you have a bigger space in the cloud, you may not have the power to enforce policies. A big cloud environment may be inclined to evoke more attacks as hackers want to hack things that are difficult. To say cloud is more secure than a server can be answered yes or no. E.g. A well-structured cloud is more secure than a badly structured server, while a big cloud is more appealing to hackers. There are hundreds of thousands of examples of cybercrimes as a service. Security can create layers of technologies but without clear regulations, it is much harder to deal with. The latest DoS attack came from many connected devices and there was no clear standard on how to deal with these attacks. According to the proposals of law bills of Congress in Brazil, personal data identification may change how the internet will work in Brazil, not necessarily in a good way, e.g. Every access could be identified with the registration number, social security number. A Brazilian startup called PSafe (www.psafe.com) is working on some preliminary solutions. Researchers should interface with companies like P-Safe. At the same time, public cloud providers have invested more in security services and there is a trend towards Cloud Security as a Service. Whereas other companies may not be able to afford such protections, it may result in the situation that makes the cloud services more secure. In other words, given the huge investments of public cloud may indeed make them more secure.

Social Cloud & user protection Cloud is getting more social and the demands imposed by users are not really being considered and/or taken into account. We do not really have the answers to these yet and we need to investigate more deeply to ensure the right direction is taken. This is a big research question for 2018 onwards. Public service transparency is now being challenged. What Google makes for us, what influences as services (e.g. Facebook), to what extent we should rely on these services blindly. We need to bring together the security, machine learning and data mining communities.

Keywords: #security | #privacy | #cybercrimes as a service #| #Financial cloud

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

PANELLISTS Ignacio Blanquer, Polytechnic University of Valencia, Spain, and EUBRA-BigSea project Wagner Meira, Federal University of Minas Gerais & EUBRA-Bigsea project Andrey Brito, Federal University of Campina Grande & SecureCloud project Monica de Mier, BSC and HPC4E Michel Drescher, Oxford e-Research Centre at the University of Oxford, UK

MODERATORS Priscila Solis, University of Brasilia

Towards 2020-2025: Cloud Computing topics to be taken into consideration in the future EU-BR collaborative calls

Cloud Interoperability, Data portability, Standards Session 1, 10th November

Expectations are to work at improving

interoperability and where cloud

applications can easily be migrated from one

platform to another, and contribute to the

maturity of standards that is used for this

capability. E.g. TOSCA. Currently, you can be

compliant to the standard but it can be

useless for the other TOSCA system and this

should not be the case.

Cloud federation of Services with QoS needs

to be address, more from big data analytics

perspective, considering both fairness and

accountability of techniques, and clarity on

how data and to what extent the data is

being used, and by whom and for what

purposes. The users must be aware whether algorithms being run are causing them troubles.

Security must be taken into account, including also provable security mechanisms for

distribution of data and privacy by design.

Addressing networking technologies like NFV across the optical and wireless domains is of

critical importance to network operators and, more generally, the telecommunications

industry.

Empowering users and raising awareness of their privacy must be considered in future plans

for call 5. There is quite a wide spectrum on how Brazilians and EU address privacy and if

dynamic solutions could be developed, e.g. cloud to the edge IoT could be a highly marketable

tool. There is also an opportunity to now factor in the EU’s privacy regulations in the current

Brazil programs.

Having pre-determined topics can be quite constraining, as what is hot today may not be hot in 3 years time. Shorten the time frame, and/or have an agreement for more investment and a more open agenda would be very much appreciated.

EUBrasilCloudFORUM .eu| info@EUBrasilCloudFORUM .eu|@EUBR_cloudforum

PANELLISTS Flávio Lenz, Central Bank of Brazil Karin Breitman, EMC Brazil Alfonso Rios, INDRA, Spain Claudio Caimi, HPE and Cloud28+ Fabrizio Gagliardi, BSC, Spain and RDA Arthur van der Wees, Arthur's Legal, The Netherlands

MODERATORS Antonio Augusto Frohlich, Federal University of Santa Catarina

Multi-cloud, big data and services for industry 4.0 Session 2, 10th November

It is necessary to provide security as a service:

identity management, data protection,

integrity, resilience, rights management, and so

on. The current focus is on cloud security as an

application/service. In this way, companies

could focus on its own business, without getting

side-tracked in resources and personnel.

Industry and science use cloud for different

proposes. There were calls for both a very solid

and simple system to use. Many users use

clouds instead of their IT infrastructure, or are

moving their services to the cloud, and this

brings issues like privacy, security, and so on.

Moreover, there was a call for migration tools

to allow/facilitate this migration to the cloud (big companies also are migrating their services

to the cloud).

What users want is to reduce the costs. For this, they use IoT, cloud computing, and data

analytics. Moreover, it is necessary to offer new services based on new capabilities of the

cloud. Customers need optimisation of processes in order to reduce the costs but they are still

missing the value of the creation for new products/technologies. Business solutions should

come from inside the businesses and not from the outsiders.

A lot of data comes from legacy processes and we need the cloud to process this huge amount

of data, and have interoperability with these legacy systems.

We need standards and regulations in order to be possible to integrate the legacy data coming

from different vendors. The role of cloud today is the integration of these legacy data.

The automation of an assembly line makes it less flexible (more automation implies in less

flexibility). In this context, analytics in IoT could provide flexibility.

Companies are excited to collected loads of data and start analysing them. Yet, there is no

cloud service for data analytics yet, which provides a good opportunity for a new cloud based

system. An infrastructure is needed to run with these large data sets. This raises many other

questions that need to be addressed by the communities: what are the algorithms that are

useful for industry(ies)? What are the services? How do we make them plug and play? How do

we guarantee for privacy purposes that data would be anonymised or pseudomised exclusively

and allows no conclusion on the data being recognized as those of an identified person. Are

they part of a multi-cloud environment to ensure security and safety?

How to federate the old fashioned systems and protect them with cyber security? There are

catalysts that could help all parties out. No one can grasp the entire domain collectively and

deal with it in time to keep out the hackers.