Balboni was speaking during a panel discussion session on the challenges of high performance computing (HPC) in the cloud, which proved to be one of the highlights of last month’s ISC Cloud ’12 conference in Mannheim, Germany. His assessment of the situation reflects the views of the entire panel, who agreed that if scientific research institutions and small-to-medium-sized enterprises (SMEs) are to embrace HPC in the cloud on a large scale, there are still major privacy-related issues which first need to be overcome.
Giles Hogben, European research director for The Cloud Security Alliance, was also on the panel. He says: "If we want to see not just big science organizations, but also SMEs and people who are developing commercial intellectual property (IP) in the cloud, security and trust are going to be two of the most important factors.”
“One of the biggest barriers for SMEs is that their IP has to be stored in a trustworthy environment," he adds. "It's very likely that you will have a working environment where you crunch your data and then an external data hub on your network. You need to be able to segregate the two in case you're processing highly sensitive scientific data.”
Hogben highlights in particular the privacy issues surrounding organizations which deal with highly sensitive data, such as genome-sequencing labs: “You need to make sure that once you’ve used the physical resources, such as hard disk storage, that the next customer isn’t going to be able to run some fancy algorithm on the disk and then actually see your data. You need a secure way of deleting, de-provisioning and even destroying hardware at the end of its life-cycle.”
However, even if these technical difficulties are successfully overcome, there’s still a legal minefield to negotiate before data privacy can be crossed off the list of potential barriers to HPC in the cloud, as Balboni explains: “If you are running an online business, there is no 100% compliance with the law… the technology is moving much faster than the regulation.”
“On the other hand, you need to be very careful,” Balboni warns. “If you look into sanctions which have been issued by local data protection authorities, these have generally been pretty high. In the EU Data Protection Directive there is a clause that actually states that sanctions can go up to 2% of the worldwide revenue of the corporation. So, I think you should be pretty careful when it comes to compliance with data protection law.”
A large part of the difficulty, Balboni explains, comes from attempting to comply with the patchwork of national privacy laws which exists across individual EU member states. “It’s a real challenge for cloud service providers who want to offer services throughout the European Union. I think that nowadays the big issue for multinational companies with branches in different EU member states is to comply with data security and protection laws across individual countries. To me this seems absurd, since we have the common market.” Nevertheless, Balboni is optimistic that EU-wide legislation could be passed as early as 2014 to set out common ground for data protection and security across member states, thus going a significant way to solving this particular issue.
Yet, data transfer between European member states isn’t the only problem organizations face. Transfer of data in and out of the EU as a whole can also pose major legal challenges. “You need to read in the cloud service agreement whether your data will be transferred outside the European Economic Area,” says Balboni. The general principle is that a lot of sensitive data has to stay inside the European Union. In some member states, it’s not even allowed for some types of data to travel beyond the national borders, such as in the UK for instance. Consequently, it’s extremely important to see what the data flow is like.”
“In specific sectors, like the healthcare sector, you really need to look into the data flows within the cloud, because, as a general principle, if a European organization wants to migrate healthcare-related data to the cloud, then it needs to stay within European boundaries, regardless of whether your cloud service provider is a European or a US one.”
Software licensing is another legal issue which poses a major barrier to the adoption of HPC in the cloud. "The license models of independent software vendors (ISVs) are not yet adapted to the cloud environment… it’s a fundamental issue,” says Wolfgang Ziegler of the Fraunhofer Institute for Algorithms and Scientific Computing. ISVs are restricting what can be done, he argues, saying that they’re bound to the current license infrastructure, because they fear a loss of income.
Max Lemke, deputy head of the unit for embedded systems and control at the European Commission, agrees: "If we want to get SMEs as users, we need 'one-stop shopping' . They don't want to go to multiple providers, they want one provider who can give them everything and who they can feel safe with. That includes application licenses, dynamic access to whatever resources they need and that also includes the expertise they need to help them to use both the application software and what is underneath as well."
This need for simplicity is the real key problem in Lemke's opinion. "There's a huge number of SMEs in manufacturing and other industries that don't look into HPC or cloud because it's just too difficult for them," he warns.