2011 Cloud Symposium

Symposium Agenda

*subject to change

 


MONDAY, 10 OCTOBER | Symposium Opening Day


12.30
Registration
13.30

WELCOME AND OPENING REMARKS:  "EVERY SILVER LINING HAS A CLOUD"

Peter Brown, Official of the European Parliament (on leave) and Member of the OASIS Board of Directors

During the first annual International Cloud Symposium (ICS), attendees will discover how different this Cloud event really is.  ICS brings together a wide range of people from the global standards community, including practitioners, government agencies, vendors and policy makers.  With much of the response to the need for Cloud policy and standards being driven primarily at a national level, members of the ICS programme committee felt strongly about broadening the dialogue to a global level.  Expert speakers from the U.S., Canada, South Africa, India, China, Japan, and many countries throughout Europe have been invited to share their views, offering attendees a truly global perspective.

Assisted by key speakers featured during the next few days, Peter Brown will tell the story of how and why the decision was made to bring such a diverse group of people together, and highlight the core message that every major success story in technology deployment today involves Cloud Computing.

14.00

OPENING SESSION: UNDERSTANDING & OVERCOMING BARRIERS FOR FASTER CLOUD ADOPTION

Ian Osborne, Project Director, Intellect UK  |  Chiemi Hayashi, Associate Director, The World Economic Forum  |  Marnix Dekker, Application Security Officer, European Network and Information Security Agency (ENISA)

Respected international experts agree that the main advantages of Cloud Computing are reduced cost of ownership, no capital investment, scalability, self-service, location independence and rapid deployment. So what continues to prevent faster Cloud adoption? One of the main issues is lack of "TRUST." Trust is not easily defined, but most people agree that when it comes to Cloud Computing, transparency is essential to creating trust. Governments and businesses must be able to see that Cloud service providers are complying with agreed security, privacy, and data management standards and practices, while suppliers of Cloud technologies and services remain well equipped to provide the necessary controls.

This session will examine the top barriers and risks to widespread Cloud Computing adoption identified in recent reports by two leading international organisations, as well as their proposals and recommendations for mitigating those risks.

15.00 Refreshment Break
15.15

GOVERNANCE:  RETAINING CONTROL IN A CLOUD ENVIRONMENT

John Borras, Chair, OASIS eGov Member Section  |  Joe Baguley, Chief Technology Officer, EMEA, VMWare  |  Andy MacLeod, Head of Policy and Strategy Public Sector, Cisco Systems  |  Chris Parker, Managing Director, CS Transform  |  Marnix Dekker, Application Security Officer, European Network and Information Security Agency (ENISA)


In using Cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues. This loss of governance and control could have a potentially severe impact on the organisation’s strategy and therefore on the capacity to meet its mission and goals. The session addresses these concerns and looks at ways that the client can remain in control of its assets.

Topics to be covered:

  • Governance Policies and Structures – What are the additional policies and organisational structures that need to be put in place to mitigate the possible loss of control and governance?
  • Loss of Control – Loss of control and governance could make it impossible to comply with security requirements, undermine the confidentiality, integrity and availability of data, degrade performance and quality of service, and introduce compliance challenges.

  • Governance Standards – Certification processes and standards for Cloud environments.

  • Risk Management – What should be the key aspects of a client’s risk management strategy for Cloud Computing?

  • Lock-in – There is currently little on offer in the way of tools, procedures, standard data formats or service interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, the most fundamental aspect, is not enabled. In addition, the Cloud provider may outsource or sub-contract services to third parties (unknown providers) which may not offer the same guarantees (such as providing the service in a lawful way) as the Cloud provider itself. Control of the Cloud provider may also change hands, and the terms and conditions of its services may change with it.
  • Business Continuity – Providing continuity is important to an organisation. Although it is possible to set service level agreements detailing the minimum amount of time systems are available, a number of additional considerations remain. a. Does the provider maintain a documented method that details the impact of a disruption? b. What are the RPO (recovery point objective) and RTO (recovery time objective) for services, detailed according to the criticality of each service? c. Are information security activities appropriately addressed in the restoration process? d. What are the lines of communication to end customers in the event of a disruption? e. Are the roles and responsibilities of teams clearly identified when dealing with a disruption?
  • Impact on Policy and Business Objectives – What is the impact of Cloud Computing on the policy and business objectives of an organisation, eg their Green IT targets? Does the introduction of a Cloud based service provision require changes to current policies and business objectives?
16.45

OPEN STANDARDS IN THE CLOUD INTEROPERABILITY DEMONSTRATION
...featuring AS4: A Communication Standard for Cloud-based Integration Services
Flame Computing Enterprises cc  |  Cisco  |  Axway

In OASIS, the ebXML Messaging Services (ebMS) Technical Committee (TC) has the responsibility for the research, design and specification of Web Services-based messaging protocols for B2B data exchange. In 2002, the TC developed version 2.0 of ebMS. Since then it has continued to respond to emerging requirements and newer technologies and standards, which in 2007 resulted in the ebMS 3.0 Core Specification being approved as an OASIS Standard.
Most recently the TC has produced two significant new deliverables:

  • The ebMS 3.0 Advanced Features Specification : extends the ebMS 3.0 Core Specification with support for ebMS intermediaries (multi-hop), efficient high-volume messaging (bundling) and exchange of very large messages (splitting and compression).

  • The AS4 profile: a light-weight profile of the ebMS 3.0 Core Specification. AS4 is designed with input from GS1 and is a Web Services-based functional superset of both ebMS 2.0 and of the EDIINT AS2 standard.

AS4 has the potential to become the standard for inter-cloud integration. From an integration perspective there are two key layers that make up an integration stack, these are the messaging layer and the payload layer. Even integration teams within companies like Cisco are looking at messaging standards like AS4 to facilitate inter-cloud interaction.  A key challenge in cloud computing is the interoperability among various cloud providers. This will continue to be a challenge until interoperability requirements are standardized to support business exchanges. AS4 helps to address this challenge for the messaging layer. The combination of standardized transports and message content will help facilitate critical adoption levels, continuing to drive down costs, and improve time to capability for business exchanges over the internet.

During this demonstration, members of the TC will provide:

  • A recap of ebMS 3.0, its main features and advantages over the earlier version
  • A brief overview of AS4 and the new Advanced Features specification
  • An interoperability demonstration showing use of AS4 in support of the OAG Order to Invoice process for use in the mid-market. 
  • This demonstration will involve multiple independent AS4 implementations.

Reference links: ebMS TC public home page
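The messaging layer that AS4 standardises is, on the wire, a SOAP 1.2 envelope whose header carries an ebMS 3.0 eb:Messaging element describing sender, receiver, service, action and payload references. The following is an added example, not code from the symposium, the ebMS TC or the demonstration implementations: it parses a constructed ebMS 3.0 UserMessage, extracts the routing fields a receiving gateway acts on, and applies the checks a security engineer would want before any payload is handed to a back-end (required elements present, sender on an allow-list, WS-Security header present). The namespace URIs are taken from the SOAP 1.2, ebMS 3.0 Core and WS-Security 1.0 specifications; the party identifiers, service and action names, the allow-list and the sample message itself are assumptions made for the example. The code only checks that a wsse:Security header exists; verifying the XML signature it would normally contain is a separate step.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed from the SOAP 1.2, ebMS 3.0 Core and WS-Security 1.0
# specifications (not taken from the symposium page).
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
EB_NS = "http://docs.oasis-open.org/ebxml-msg/ebms/v3.0/ns/core/200704/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample: one ebMS 3.0 UserMessage for a purchase order, with an
# empty placeholder wsse:Security header (a real AS4 message carries the
# ds:Signature there). Party names, service and action are made up.
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<S12:Envelope xmlns:S12="{SOAP_NS}" xmlns:eb="{EB_NS}" xmlns:wsse="{WSSE_NS}">
  <S12:Header>
    <wsse:Security S12:mustUnderstand="true"/>
    <eb:Messaging S12:mustUnderstand="true">
      <eb:UserMessage>
        <eb:MessageInfo>
          <eb:Timestamp>2011-10-10T16:45:00Z</eb:Timestamp>
          <eb:MessageId>po-0001@buyer.example</eb:MessageId>
        </eb:MessageInfo>
        <eb:PartyInfo>
          <eb:From>
            <eb:PartyId>buyer.example</eb:PartyId>
            <eb:Role>Buyer</eb:Role>
          </eb:From>
          <eb:To>
            <eb:PartyId>seller.example</eb:PartyId>
            <eb:Role>Seller</eb:Role>
          </eb:To>
        </eb:PartyInfo>
        <eb:CollaborationInfo>
          <eb:Service>OrderToInvoice</eb:Service>
          <eb:Action>ProcessPurchaseOrder</eb:Action>
          <eb:ConversationId>conv-42</eb:ConversationId>
        </eb:CollaborationInfo>
        <eb:PayloadInfo>
          <eb:PartInfo href="cid:order.xml@buyer.example"/>
        </eb:PayloadInfo>
      </eb:UserMessage>
    </eb:Messaging>
  </S12:Header>
  <S12:Body/>
</S12:Envelope>
"""

# The same message with the security header removed: an unsigned submission.
SAMPLE_UNSIGNED = SAMPLE.replace('<wsse:Security S12:mustUnderstand="true"/>\n', "")


def _eb(*names):
    """Build a namespaced ElementTree path such as {EB_NS}MessageInfo/{EB_NS}MessageId."""
    return "/".join("{%s}%s" % (EB_NS, n) for n in names)


def _text(parent, path):
    el = parent.find(path)
    return el.text.strip() if el is not None and el.text else None


def parse_user_message(xml_text):
    """Extract the routing fields of an ebMS 3.0 UserMessage from a SOAP 1.2 envelope.
    On untrusted input use defusedxml.ElementTree instead of xml.etree."""
    root = ET.fromstring(xml_text)
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        raise ValueError("SOAP 1.2 Header missing")
    um = header.find(_eb("Messaging", "UserMessage"))
    if um is None:
        raise ValueError("eb:Messaging/eb:UserMessage missing")
    return {
        "message_id": _text(um, _eb("MessageInfo", "MessageId")),
        "timestamp": _text(um, _eb("MessageInfo", "Timestamp")),
        "from_party": _text(um, _eb("PartyInfo", "From", "PartyId")),
        "to_party": _text(um, _eb("PartyInfo", "To", "PartyId")),
        "service": _text(um, _eb("CollaborationInfo", "Service")),
        "action": _text(um, _eb("CollaborationInfo", "Action")),
        "conversation_id": _text(um, _eb("CollaborationInfo", "ConversationId")),
        "payload_refs": [p.get("href") for p in um.findall(_eb("PayloadInfo", "PartInfo"))],
        # Presence only; verifying the enclosed XML signature is a separate step.
        "has_wss_header": header.find("{%s}Security" % WSSE_NS) is not None,
    }


# Elements the ebMS 3.0 Core schema makes mandatory in a UserMessage.
REQUIRED = ("message_id", "timestamp", "from_party", "to_party",
            "service", "action", "conversation_id")


def check_user_message(info, known_parties):
    """Return the reasons to reject a parsed message; an empty list means accept.
    known_parties is an assumed allow-list of trading-partner identifiers."""
    problems = ["missing %s" % k for k in REQUIRED if not info.get(k)]
    if info.get("from_party") and info["from_party"] not in known_parties:
        problems.append("unknown sender %s" % info["from_party"])
    if not info["has_wss_header"]:
        problems.append("no WS-Security header: sender not authenticated")
    if not info["payload_refs"]:
        problems.append("no payload referenced")
    return problems


if __name__ == "__main__":
    for label, doc in (("signed", SAMPLE), ("unsigned", SAMPLE_UNSIGNED)):
        info = parse_user_message(doc)
        print(label, info["message_id"], check_user_message(info, {"buyer.example"}))
```

The allow-list check matters because the eb:From/eb:PartyId is an unauthenticated claim until the WS-Security signature has been verified against the certificate agreed for that partner; a gateway that routes on PartyId alone is trusting whatever the peer wrote in the header.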

17.30 Symposium Adjourns for the Day, shuttle service will be available



TUESDAY, 11 OCTOBER | Day Two

08.30 Morning Coffee & Announcements
09.00

PROTECTING INFORMATION THROUGH CYBERSECURITY RISK MANAGEMENT POLICIES & PRACTICES

Martin Sadler, Director of Cloud and Security, HP Labs  |  Ian McCormack, Technical Director IA Policy and Risk, UK Government's National Technical Authority for Information Assurance, CESG  |  Yves Le Roux, GRC Expert in EMEA, CA Technologies  |  Joe Baguley, Chief Technology Officer, EMEA, VMWare  |  Scott Algeier, Executive Director, Information Technology-Information Sharing and Analysis Center (IT-ISAC)

The secure storage of government data is one of the most significant responsibilities of government officers. A range of laws mandate how the information must be protected and who may access it. These laws often extend to mandating the physical geography in which data must be stored, e.g. in the United Kingdom. The interpretation of these laws is the basis for the set of policies which guide the decisions of the senior officials who set the standards to be applied to the data they are responsible for. In the UK, these are designated Impact Levels on a scale from 0 to n, where 0 is of low risk to the government, e.g. generally published information, and n is where data is of national security importance and highly confidential. The measures taken to secure these data vary by risk and, in the extreme, include protection by force.

However, moving government data into shared facilities and even the public Cloud introduces new levels of risk into the equation. What are the practical concerns which would dictate the decision to store data, e.g. the "Swine Flu" database, in the public Cloud? On what basis can personal medical records be stored in shared facilities and possibly exported from the country? How can sets of personal data be shared between professionals across departments without compromising the laws applying to privacy? And how would sharing services across multiple departments affect the "hosting" department's decisions on information risk management?

The UK G-Cloud programme prepared inputs on several of these topics in its work reported in 2010, URL. However, there are no firm conclusions or changes in policy as of yet which would guide the Senior Information Risk Officer (SIRO) in her/his decision making in this area. Some further work and clarity is required to identify the key principles and assumptions which apply. For example, what are the key security concerns for government in transmitting and storing data beyond the firewall? What principles apply to the location of storage and exportation within the current jurisdiction, e.g. UK versus European Economic Area (EEA) versus global operations of service providers?

This interactive session seeks to bring the community up-to-date on thinking in this area and provide practical examples in the public domain, for example the Police UK database of crime statistics.
10.30 Refreshment Break
10.45

IDENTITY & ACCESS CONTROL CHALLENGES IN THE CLOUD

Mike Small, Senior Analyst, KuppingerCole  |  Tomas Gustavsson, Chief Technology Officer, Primekey  |  Matt Rutkowski, Senior Engineer, Master Inventor, IBM  |  Babak Sadighi, Co-Founder & CEO, Axiomatics  |  Brendan Peter, Deputy Commissioner TechAmerica Foundation, CA Technologies

The move to Cloud Computing brings with it a number of special challenges when it comes to security. One particular area is that of identity and access management - managing who can access information is fundamental to information security. Cloud computing has introduced two key changes: firstly although responsibility for access management still lies within the organization, the IAM technology is physically distributed; secondly individuals now have significant presence in IT systems outside of the organization. In this session, the panellists will address some of these concerns including:

  • Identity Related Risks in the Cloud - Impersonation or theft of the identity of employees and individuals can lead to losses through fraud, theft and damage to reputation. When the system is hosted in the Cloud it is implicitly open to access through the internet and so extra measures are needed to ensure security.

  • Privileged User Management – The infrastructure upon which the Cloud is built needs to be managed and the management tools and accounts pose a particular risk. This is especially true where the administrators are outside the direct control of the owners of the information being processed.

  • Compliance - Organizations are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. How can an organization using the Cloud ensure compliance with the laws and regulations that they are subject to?

  • Authentication and Authorisation – How can you trust the identity of the many people who have access to the Cloud? How can the identity of people making access be assured and how can access to the data in the Cloud be controlled in a granular way? This session will explore new paradigms for authentication and authorisation in the realm of public sector.
12.15 Luncheon
13.15

DATA PRIVACY & THE ROLE POLICY PLAYS IN DEFINING TRUST REQUIREMENTS

John Sabo, Director, Global Government Relations, CA Technologies  |  Alissa Cooper, Chief Computer Scientist, Consumer Privacy, Center for Democracy and Technology  |  Christine Runnegar, Senior Policy Advisor, Internet Society (ISOC)  |  Steven Johnston, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada  |  Herbert Leitold, EGIZ Director, E-Government Innovation Center EGIZ  |  Gershon Janssen, Independent Architect and Member of the OASIS Privacy Management Reference Model TC

Cloud Computing represents a paradigm shift on the scale of the mainframe, distributed computing, the internet and the web. This transformational quality is explored in a 2010 study by the World Economic Forum, which found that global adoption of Cloud technologies enables radical business innovation, new business models and significant improvements in the efficiency and effectiveness of IT. But the study also identified disruptive aspects of Cloud Computing, along with concerns and barriers. Data privacy and security were the top barriers cited by stakeholders in the WEF study. Issues such as data location, legal and policy compliance, government access to personal information, user control of and access to their personal information, data deletion and other factors all contribute to concerns about privacy trust in Cloud Computing services.

This session will focus on privacy and trust issues associated with Cloud Computing environments, particularly those Cloud-based services where global, public sector data protection and privacy laws, regulations and policies impact the Cloud service providers and users. Specific areas of interest are privacy and related trust issues among citizens, customers, and the business sectors utilizing Cloud-based services.

Session scope and topics to be covered:

  • The nexus between privacy laws, regulations and policies and the technologies that make Cloud Computing possible - do policymakers and industry have a clear understanding of how to adapt regulations to the Cloud and how Cloud technologies can provide privacy trust?

  • International perspectives on privacy and approaches taken as part of international policy communities - OECD and APEC

  • The need for "framework-level" management standards that can serve as guidance to both policymakers and implementers as they build policy and technical architectures in support of Cloud based services.

  • Technical standards under development to enable the implementation of Cloud services that will help support the requirements of data protection laws while ensuring interoperability and maintaining the benefits of Cloud Computing

  • Major government and private sector Cloud Computing initiatives in which privacy management integration is a core component

  • Privacy and data protection gaps and barriers that need greater attention and resources in planned Cloud-based infrastructures and policy models
14.45 Refreshment break
15.15

LEGAL IMPEDIMENTS TO SUCCESSFUL CLOUD IMPLEMENTATIONS

John Borras, Chair, eGov Member Section  |  Tim Cowen, Partner, Sidley Austin  |  Steve Mutkoski, Regional Director for Interoperability and Innovation, Microsoft  |  James Bryce Clark, General Counsel, OASIS

Customers and potential customers of Cloud provider services should have regard to their respective national and supra-national obligations for compliance with regulatory frameworks and ensure that any such obligations are appropriately complied with. This session identifies the most common legal aspects that need attention in the development and operation of Cloud based services.

Topics to be covered:

  • Contracts: Most legal issues involved in Cloud Computing will currently be resolved during contract evaluation (ie, when making comparisons between different providers) or negotiations. The more common case in Cloud Computing will be selecting between different contracts on offer in the market (contract evaluation) as opposed to contract negotiations. Unlike traditional Internet services, standard contract clauses may deserve additional review because of the nature of Cloud Computing. The parties to a contract should pay particular attention to their rights and obligations related to notifications of breaches in security, data transfers, creation of derivative works, change of control, and access to data by law enforcement entities. Some of the key legal questions the customer should ask the Cloud provider are:
    - In what country is the Cloud provider located?
    - Is the Cloud provider's infrastructure located in the same country or in different countries?
    - Will the Cloud provider use other companies whose infrastructure is located outside that of the Cloud provider?
    - Where will the data be physically located?
    - Will jurisdiction over the contract terms and over the data be divided?
    - Will any of the Cloud provider's services be subcontracted out?
    - Will any of the Cloud provider's services be outsourced?
    - How will the data provided by the customer and the customer's customers be collected, processed and transferred?
    - What happens to the data sent to the Cloud provider upon termination of the contract?
    - If a PaaS or SaaS provider goes into bankruptcy, how is the customer protected?
  • Service Level Agreements: At the present time, most of the legal issues involved in Cloud Computing will be resolved during the evaluation of contracts, ToUs, User Licensing Agreements (ULAs) and SLAs by the customer. It is important to differentiate between the case of a small to medium sized organisation, which would make a choice between different contracts offered on the market, and a larger organisation, which would be in a position to negotiate clauses. The legal analysis in this session takes the perspective of the small-to-medium sized organisation which is assessing different contracts, SLAs, etc, offered on the market, since this is the more common case. This is because the business model of Cloud Computing differs from that of outsourcing: in order to deliver some of the benefits to its customers, Cloud Computing relies on the economies of scale from providing a low cost, commodity service, as opposed to a service specifically tailored to a customer's needs. Larger organisations may however use the same considerations when negotiating contracts. While past experience with similar Internet technologies provides some guidance to allow customers and Cloud providers to assess the security risks involved in Cloud Computing, it is necessary for both to consider the unique nature of Cloud Computing when evaluating these risks.
  • Intellectual Property: As with all intellectual property, if not protected by the appropriate contractual clauses problems can arise. What are the specific IP issues that need to be addressed when operating in a Cloud environment?
  • Liability and Taxation Issues: Providing Cloud based services can raise some difficult questions about liabilities and taxation, particularly where these services cross jurisdictional boundaries. What aspects do clients and Cloud providers need to be aware of before committing to a new service? 
16.45 Symposium Reception, shuttle service will be available



WEDNESDAY, 12 OCTOBER | Day Three

08.30 Morning Coffee
09.00
INTERNATIONAL ROADMAPPING PROJECTS: PROGRESS & TRENDS

Silvana Muscella, Technical Director, Siena Initiative  |  Lee Badger, Computer Scientist, Computer Security Division, National Institute of Standards and Technology (NIST)  |  Luis Busquets Pérez, SIENA EC Project Officer, European Commission  |  Jerry Horton, Chief Information Officer, U.S. Agency for International Development (USAID)  |  Gregg Brown, Senior Director, Interoperability Group, Microsoft

Europe and the United States have taken a leading role in defining Cloud standards roadmapping that is aligned in terms of requirements, recommendations and future steps as part of an effort to foster complementary global solutions. This session will examine some of the interoperability issues that are addressed by both the SIENA European Roadmap on Grid and Cloud Standards for e-Science and Beyond, and the NIST Cloud Computing Standards Roadmap.

The session will explore how expertise and knowledge in the European eScience community can be harnessed to address current barriers such as trust and security as well as bring benefits to public services and enterprise. It will also address horizontal issues such as virtualization and data handling issues. Interactive discussions will ensure multi-stakeholder perspectives and help define a clear action agenda moving forward.

Session scope & topics to be covered:

  • Exploring the value-add of European assets and expertise in eScience in public services and enterprise by highlighting use cases to public administration representatives and CIOs.
  • Capitalising on EU-US collaboration on Cloud standards roadmaps aligning eGovernment requirements & future recommendations.
  • Setting a 1, 3 and 5 year call to action for Industry & eGovernment stakeholders
10.30
Refreshment break
11.00
INTERNATIONAL ROADMAPPING PROJECTS: RESPONSES FROM STANDARDS BODIES


Carol Cosgrove-Sacks, Senior Advisor, International Standards Policy, OASIS  |  Anil Saldhana, Chair, OASIS IDCloud TC and Lead Security Architect, Red Hat Inc.  |  Chris Francis, Manager, Technical Relations, IBM UK   | Chris Swan, Director of Technical Coordination Committee, Open Data Center Alliance   |  Daniele Catteddu, Managing Director EMEA, Cloud Security Alliance  |  Mike Edwards, Chair, UK BSI Mirror Committee for JTC1/SC38 and Head of the UK Delegation

Moving forward from the focus on Roadmapping, this Session looks towards the needs of policy-makers and CIOs in addressing the core issues of the Symposium, namely, standards and best practices for interoperability and trust in the Cloud. Representatives of selected standards bodies will respond to the challenges outlined in the road maps and provide further insight into their activities, as well as plans for standards in support of Cloud based services.

Topics to be covered:

  • How selected Standards bodies are addressing the needs for best practices or draft guidelines, rather than actual standards

  • The types of standards architecture that seem most relevant and useful relating to Cloud issues

  • How might new partnerships between Standards bodies [de jure, fora and consortia] develop to meet the needs identified by the Siena and similar initiatives

  • And how the industry perceives its needs.
12.30 Luncheon
13.30 KEYNOTE SESSION: INTERNATIONAL CLOUD COMPUTING STRATEGIES

Megan Richards, Director of Converged Networks and Services, INFSO, European Commission
Dawn Leaf, Senior Advisor, National Institute of Standards and Technology (NIST)

14.00
PUBLIC SECTOR CLOUDS:  CONSTRAINTS & REQUIREMENTS

Bob Marcus, Leader of Cloud Standards Customer Council, Government Cloud Working Group  |  Megan Richards, Director of Converged Networks and Services, INFSO, European Commission  |  Lee Hing Yan, Program Director of National Grid Office, Infocomm Development Authority of Singapore  |  Mark O'Neill, Head, HMG Skunkworks, Government Digital Service, UK Cabinet Office  |  Jinzy Zhu, Senior Vice President, Huawei Technologies  |  M.R. Rajagopalan, Director C-DAC, The Chennai Unit of the Centre for Development of Advanced Computing (C-DAC), India  |  Jerry Horton, Chief Information Officer, U.S. Agency for International Development (USAID)


Many governments are planning Cloud deployments in the next few years. As Cloud technology and standards mature, there are serious concerns about Cloud robustness and proprietary lock-ins that could delay the progress of public sector Cloud computing. International public sector Cloud leaders will come together in this session and discuss their plans for deploying Cloud resources (e.g. data, computing, application) including requirements such as data portability and interoperability. Each panelist will provide a short overview of their current Cloud activities, concerns, and requirements. This will be followed by an interactive discussion among the panelists and the audience about possible next steps. There will also be opportunities for continuing conversations after the Session.

15.30 Refreshment break
15.45

GOVERNMENT INTER-CLOUD: DATA PORTABILITY & INTEROPERABILITY

David Bernstein, Managing Director of Cloud Strategy Partners and Founder & Working Group Chairman, IEEE Guide for Cloud Portability and Interoperability Profiles  |  Hiroshi Sakai, Global Inter-Cloud Technology Forum  |  Seungyun Lee, Director of Service Convergence Standards Research Team, Electronics Telecommunications Research Institute (ETRI), also representing ISO/IEC JTC 1/SC 38 Cloud Project  |  Jens Jensen, International Grid Trust Federation (IGTF)

To build national and international public sector Cloud utilities, it will be necessary to interface across multiple Clouds. The interoperability and standards needed to build an Inter-Cloud as an extension of the Internet are now emerging. Public sector Cloud implementers will need to learn more about Inter-Clouds to build trusted deployments. Leading experts in this session will present Inter-Cloud use cases, challenges (e.g. interoperability, federation, roaming, cross-provider identity, standardized units of measurement and SLAs, global cloud infrastructure governance, universal service directories, peering and exchange, cloud-to-cloud trust infrastructures) and possible solutions for public sector Clouds.

Panelists will describe the benefits and challenges for interfacing Clouds to form a public sector utility. There will be an overview of the status of standards and testbeds. The audience will be able to explore possible opportunities for leveraging Inter-Cloud activities in future deployments.

17.15

CLOSING REMARKS

17.30 Symposium Ends, shuttle service available



THURSDAY, 13 OCTOBER | Related Meetings & Workshops

08.30 Morning Coffee
09.00
ROUNDTABLE: Privacy Standard Experts
By Invitation
meeting adjourns at 13.00

10.00 WORKSHOP: Security Parameters in Cloud Service Level Agreements
Open To All ICS Attendees
workshop adjourns at 12.45


12.30 Break for Lunch
13.00 TECHNICAL COMMITTEE MEETING:  Transformational Government Framework (TGF) TC Face-to-Face
OASIS Members Only
meeting adjourns at 15.00

15.00 STEERING COMMITTEE MEETING: eGov Member Section StC Face-to-Face
OASIS Members Only
meeting adjourns at 17.00

15.00 Refreshment break
16.00 TECHNICAL COMMITTEE MEETING:  Privacy Management Reference Model (PMRM) TC Face-to-Face
OASIS Members Only
meeting adjourns at 17.00

17.00 Workshops & Meetings End, shuttle service available