IGF 2022 Day 3 WS #260 Protecting Shared Computation (Cloud Security)

The following are the outputs of the captioning taken during an IGF intervention. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid, but should not be treated as an authoritative record.

***

 

>> GABRIEL KARSAN:  Good evening, my name is Gabriel Karsan moderating our workshop.  To think about Cloud security and the Cloud itself, it's an emerging technology, it doesn't have more than 20 years, but to break abstraction of what the Cloud means we need to understand what society is.  Cloud computation is about sharing, it's about the devices being connected in an infrastructure where the computational ability of it can be accessed through all.  In our race of creating an Internet for all, Cloud computation is a way and mechanism that can actually improve how we get there.  Our workshop is based on policy questions that reflect the Internet, and the Internet has three major principles, open to boost accessibility, decentralized in a matter that each and everybody can have access to it and end‑to‑end which means a secure pathway to get there.  It's the same as understanding that you need to go somewhere and get something, you need to know how you get through the road, the data, and also the mechanisms to get you there.  What I'm trying to say is that there are standards and protocols in any mechanisms that can assure security, and security today is a beginning to everything, we secure our thoughts, we secure our homes, and how do we secure data, especially on the Internet.  We have a list of incompetent credible speakers today who will be taking their time to actually dissect the topic and give us different perspectives on what we mean with we say Cloud security and actually why it is important.  To begin with Juliana what is important of incentivizing more security that accessibility of the Cloud is ambiguous to everybody and that each and everybody can get that end‑to‑end data that they want.

   >> JULIANA NOVAES:  Thank you very much for the invitation to be here today and pleasure to talk to you all about this topic, especially after COVID in which we can meet in person.  As Gabriel rightly said in the last few years, Cloud computing shifted from a buzz word to becoming an actual practice, mainstream practice in the industry.  There are of course a lot of reasons for this.  It's a convenient model of computing because it allows organization to basically use on‑demand, servers, networks, software, which they can maintain without having to be the owners of this technology, so it is possible now days for a startup to have a scalable business model without having to own an entire warehouse of servers or without having to build software from scratch, it is a very important business model for startups and growing businesses to save money on resources and to be able to scale up their business models.  This is the importance of Cloud security today because when we outsource your infrastructure, you're also going into risks for privacy, from a privacy standpoint and also from a cybersecurity standpoint.

I'm not here saying that the risks only exist because of Cloud.  Some of them already existed before in more traditional ways of computation.  However, many of them are potentially because of the Cloud in the way the architecture of the Cloud is designed, so for instance when we're talking about storage, if you're storing data remotely, you're running into the risk of doing cross‑border data flows and there are a series of liability discussions around this.  When we're talking about network, if you're using or building resources on a remote server, you we lie on the Internet infrastructure and you are subject to network risks there associated with using Cloud infrastructure as well.  And without mentioning as well, authentication, identity management risks because when you don't own your own servers, you have to trust your Cloud provider that there will be enough security in the premises so that people won't physically have access to the infrastructure without the right to do so, but as on your own right as Gabriel rightly mentioned, this is a shared architecture and you need your own protocols for identity manage am.  So not only the Cloud provider should comply to cybersecurity best practice, but the companies that rely and organizations that rely on the infrastructure and service in general.

So, answering your question, I think when we're talking about a shared responsibility, we cannot only say that Cloud providers are the ones that should comply with protocols and good practices.  They obviously should, but they're not the only agents involved in this, so the organizations and the individuals using Cloud services should have also at their own end, the right protocols and best practices on how to deal with this infrastructure, and there are already a series of regulations and frameworks being developed at a global level that deal with how to have a secure, shared infrastructure for computational resources.

The ITU, for instance, is one of the organizations that works on building standards for cybersecurity on the Cloud and in shared infrastructures as well, but as this needs to consider the sizes of organizations because with we have a startup of 10 developers working 12 hours to maintain a service, cybersecurity should also be inserted into their list of priorities, and if the standards and the models that are built globally are too abstract or hard to implement for small companies and companies coming from the Global South, then you're only protecting one end of the equation there and you're only protecting Cloud providers that are able to comply with the standards and able to implement them on a practical level.

So, differences in size and also in the region where organizations are located should also be taken into consideration so there should be more incentive for these organizations who are smaller who have less resources can also invest and maintain a reliable system using shared computational resources.  I probably already spoke more than time allows, so I'll give the floor back to the fellow moderators.

   >> GABRIEL KARSAN:  Thank you very much.  That's quite interesting the importance of regulation and cross‑data flows across the globe.  We'll go to Ihita, if you heard what Juliana said it's important to note that today we have billions of devices connects, IoT devices and phones, et cetera, and you have experience in working with the IoT architecture.  Do you think that the framework that exists in terms of the OC model in terms of the TCBIB protocol model is made or designed in a secure manner and what should we do to actually integrate it into a mechanism that can actually promote the basics of security?  Ihita are you online?

   >> IHITA GANGAVARAPU:  Yes.  Thank you, Karsan.  Unfortunately, I couldn't be there in person in Ethiopia.  Yes, so I am Ihita and work in IoT security and Cloud happens to be very important component when we're dealing with IoT and data and storage and processing.  So, you know, even in classes when I was doing my Bachelor's we were told that TCPIP was initially just designed for networks purposes and security aspects are more or less dreadful for solutions.  I think as we're moving forward, we're burdening the TCPIP architecture protocol stack with solutions to security solutions based on our use cases based on our requirements and applications.

But just since I'm coming from a very technical point of view, I just wanted to clarify the audience as to what do we mean by where does IoT come from when we're dealing with Cloud.  IoT devices you could consider your smart refrigerator or baby monitor, for example, or devices that you talk to, Alexa and a lot of others, and I'll refrain from taking names.  So, all of these devices are IoT devices that are generally dumb devices, you know, usually just gather the data and they don't do any ‑‑ most of the time don't do processing on site and then kind of send the data to a server or database where the data is stored, analyzed insights generated, and after which based on that the end user receives the insights and based on the queries that the end user has put they get the required services.

So, in Cloud in simple terms for anyone, it would mean the Internet, right.  So, generally, if the Cloud architecture, you will have a front end and back end and a lot of software engineers doing front end and back-end engineering, so front end is basically the client, end users, look at a user interface and type a query and requesting a page, for example.  Back end is where the data processing management and access controls are implemented.

So, when we talk about security for cloud from a technical point of view, you are not just looking at Cloud computing, Cloud computing meaning not just the servers, the database, and anything that comprises of storing of data and its management.  You're talking about from the very beginning the source of your data that could be on an IoT device itself.  A IoT basic use case would be a device, a bunch of sensors, the sensing nature that gathers levels, CO2 levels, and sends it to a particular server for storage.  The insights using machine learning and deep learning algorithms is where the intelligence happens.  When you talk about security, you're talking about these end hardware devices, you're talking about the kind of communications protocols that devices use, 5G, India recently 5G, and you have a lot of communication technologies which are different in the way that they are made and operate.  After which this data goes to the Cloud for processing and then apply some intelligent algorithms and you have some insights.  So, for this entire stretch, you need security, you need security perspectives for the entire stretch.

And when you look only from a Cloud security point of view, you have like as just mentioned, it's not just the organization that is running the Cloud computing services, but you have everybody else who is liable for the data, for the security of the services and applications because as let's say for example, if you look at a Cloud infrastructure that says you also need access to policies, first of all, it's important be it authenticate who is sending the data, right, so there is no fake data generated and stored on systems.  Then you need authorization controls, you need to know who is authorized to what role, and for example do they have the authority to modify the data, delete the data, or do they just have the authority to retrieve and send the data?

So this is, and you also need some controls with respect to regular internal and external audits, and you need mechanisms and tools for visibility into your network, into your computing storage, and your entire infrastructure, basically.

So, when you talk about this securing of your infrastructure, you have to enforce compliance, you need to practice due diligence, even the employers in your organization need to be aware of the best practices, and they shouldn't fall prey to fishing attacks and any kind of attacks that affect availability and confidentiality and integrity of your data and services.  Then you need moderation, then you need authentication protocol, so there is a lot of things going on and this is where you have standardization, and Juliana mentioned LTU and there is also the European telecommunications standards constitute and ETSI, that has Cloud standards coordination working group that is working particularly on Cloud security and then ISO standards that most of you might have heard of ISO the international organization for standardization that has this particular control called ISO27001 which I personally worked with and know how to comply and create systems and organizations that comply with this standard, which provides the security techniques and also has a particular aspect that focuses on cloud and non‑cloud applications in the security.

Then there is also ISO1944, and I won't get into the details and such, but this particular standard talks about Cloud computing and basically computing of distributed platforms, how is the data ‑‑ how is the data supposed to flow, what are the categories of data, you need to have separate controls for sensitive data, and how do you define the users, and how do you define a particular access to a particular data, and who are the Cloud service vendors, how are they accredited, so all of this is defined in a standard and this way there are lots of standards that the organization can comply to, to incorporate security and security best practices and the kind of services they're providing in the infrastructure.  Thank you.

   >> GABRIEL KARSAN:  Thank you very much.  That was important what you said, there is so much that goes into the Cloud infrastructure and it's not just the role of the technical community that is actually building it.  There is also the policy and the standards setting that is important.  Sarah, if you could just pick up from what Ihita said and basing of the simple parameters that confidentiality, integrity, and authenticity are quite important in any security.  Do you think that the Cloud infrastructure that's available now in Africa and now considering that ICANN has raised or developed a new route server in Nairobi that can put more Cloud accessible to the people.  Do you think that the infrastructure that's available is actually built by security by design and what are the gaps that exist in actually improving this that the people can actually use likewise and innovate upon?

   >> SARAH KIDEN:  Thank you.  Gabriel.  So just to pick on what Ihita was talking about, the Internet, so if you think about the Internet to date, millions of connected nodes, communicating with each other, and then you have another layer with IoT devices, and I've seen like in the billions, people are connecting jackets to the Internet, connecting things that you would not even imagine that could be connected to the Internet.  They are not ‑‑ you need the core of the Internet to be secure in order for you to do information exchange securely.

If we think about the African couldn't continent, you've gone to panels at this IGF and heard people say that we still have a very long way to go, I heard people estimating just people connected between 20% and 30%, and that means we still have a long way to get people to reach that level where people are connected.

We still I think I heard in one of the session, people were saying some African countries don't even have data protection laws, so that's another layer that you need to think about.  We don't have the laws, don't have connectivity, still have issues around digital literacy, and literacy can be on many levels, the first level of literacy where you have the basic understanding to use these technologies, and then the other layer is the understanding to legislate so you cannot even do legislation if you don't understand how these technologies work.  So, we still have a really long way to go, though I think there is opportunity for us to, you know, convene and put something together, and when that will happen or through which body, it's something that I think we have to discuss at this forum.

   >> GABRIEL KARSAN:  Thank you.  Just to add on that, the Cloud itself is actually quite connected to the Internet and TCPIP protocol is included in that.  Downing IPsec and DNSsec is important in the mechanism to ensure that Cloud security is quite functional?

   >> SARAH KIDEN:  Yeah, so I think I would say that security is not a black and white thing.  You can never be very secure or you cannot be not secure.  It's a bit more nuanced because if I do a pull right now and poll the people on the panel right now or the people if the room and ask them what does security mean to you, everyone has their own understanding of what they think security is.  The challenge with these different levels of understanding, so to some people it may be two‑factor authentication, to some people security may mean having a public key and private key to verify identity.  To some people it may be having a level of trust in a manufacturer and so on and so forth.  The challenge with having this kind of differentiating in what security means is that is what happens at manufacturing level, so manufacturers also have their own understanding, and they will just do what feels most comfortable for them.  So, what feels comfortable for a manufacturer may not necessarily be something that is good for end users, and I think that's why we need to have some sort of best practices, so we have a level at which we all agree that this is what security means to all of us, and then start from there, and then we start to push some of these things from there.  Right now, I think the challenge we have is that everyone is just doing what they think is best for them and security at that level.  I hope that answers the question.

   >> GABRIEL KARSAN:  Yes.  Thank you very much, Sarah.  It's good that you shared that security now does not have a single meaning, but security in its sense should be ubiquitous to everybody and we need to be able to ‑‑ if you can't secure our lives and properties and thoughts, it's important to say that the least basic effort we should define the nomenclature and structure of what security means.

We have been discussing about this Cloud‑age computing and I would like to welcome Nancy here just to give us a brief of what Cloud computing means, age computing means and share reflections based on what you heard from all the speakers, and what do you want to share and what is more important in creating more understanding as we see there is a big capacity gap and competent see gap based on big emerging technology terms we're discussing now.

   >> NANCY NJOKI WACHIRA:  Thank you for this opportunity.  I would share most organizations have adopted Cloud computing to a varying degree within their businesses and organizations.  However, with this adoption of the Cloud is a need to ensure it's capable of protecting threats that come up with the Cloud security.  And some of threats include misconfigurations, unauthorized access, malicious attacks and cyberattack.  Most of the time when people in organizational businesses are not well equipped with necessary skills on how to mitigate this risk, there is usually a problem, and especially to our continent in Africa, we are still developing and we still have a long way to go.  With organizations facing such security concerns regarding Cloud computing, despite the fact at that these organizations have moved their sensitive data to important applications in the Cloud, most of them don't have access to the infrastructure part of the data.  So, they still have less control of what they can really do and in terms of security.  Thank you.

   >> GABRIEL KARSAN:  Thank you very much for that.  You come from academia and also a technical background.  So, what do you think is a signage mechanism that can happen to create better understanding in terms of secure infrastructure or security by design when deploying Cloud infrastructure, especially in the African context?

   >> NANCY NJOKI WACHIRA:  One, I will say one obvious one.  We need to be more aware of, first of all, the mechanisms of data that we expose to the Cloud, and if our people with well-equipped to understand and to know the risks involved and how well we can mitigate, we'll be able to prevail.

   >> GABRIEL KARSAN:  Thank you very much.  That is quite interesting.  To learn about the Cloud as mother technology, we have to understand that it represents a core structure that brings a lot of these emerging technology, AI, 5G together.  But when you have these technologies coming together without an understanding, the user mostly faces the biggest difficulties.  So Innocent, I want you to speak from a user perspective, knowing that the user is the biggest error point in all the security chain.  As an end user, what do you think is your responsibility in ensuring that when you're accessing the Cloud, you are accessing it right and in a mechanism that can actually ensure privacy as well as potency and authenticity of the data that you share and services that you want.

   >> INNOCENT ADRIKO:  Thank you very much.  My name is Innocent and so just before I answer that question, one thing I would love to say is that Juliana mentioned that the Cloud here is actually convenient, yeah, but we also realize that it is a cheaper option, yeah, compared to having to build an infrastructure, data centers, and all of that.  But at what cost to we get this convenience and low cost?  Yeah.  As a user, of course, most of us don't take that initiative to actually know where our data goes or who keeps it or if there are laws that are governing its protection and all that have.  I just can give an example, for example, in storing an app.  Yeah, there are usually terms and conditions, but mostly we don't read them.  But as even though we read them, I mean you don't have a choice.  Right, you don't have a choice in most cases.  If you don't accept, then you don't get access to the application, and so definitely when you're really in need of the app, you end up accepting.

So as a user, it starts with you're learning about what is at stake here and we do agree that there are so many loopholes because for example like for Africans, our data is not being stored here, no, but to what extent be do we trust the one who is keeping the data, or where the data is actually going.  It is a question and I think it is a question of or we cannot trust, and then if we cannot trust then what do we do about it?

As a user, you're empowered to influence how that data is being stored or the laws that are governing it, and might be so limited because you don't have authority, like you're not a policymaker and the best I can do as user is influencing policymaking or influencing awareness as they said, to the right channels, yeah, if it is for example, my ministry that is responsible for ICT and all of that, yeah.  Do they know that actually the citizen's data is being stored outside of the country and it could be at risk?  Do they know that the privacy of those citizens can actually be infringed?  Yeah.  So, I think that is the starting point for me as a user, who now knows what is at stake.  And from that we can go to the next stage, yeah, of now having for example on our own systems, yeah, locally we can localize it and then we can be able to have our own data be stored right here on our own soil.

And also, to the capacity bit of it, how many people actually now of countries now understand Cloud computing and to what extent do they understand the benefits and the doubts?  That's for me.  Yeah.  Thank you.

   >> GABRIEL KARSAN:  It is quite great you mentioned the role of digital security literacy in a communal sense because when we say shared computation, it means we're sharing the resources.  And before you can share something, you need to know the sense of duty that you have to it.  An example is how ownership is important.  When you own something, you can actually have more precedent to secure it.

So, ownership of the infrastructure is naturally boost more and rally more societal engagement in pushing forward security.  But I'd like to say that what is the role of ownership and of Cloud infrastructure that has to play in actually creating a secure framework that people can actually trust and engage with, and this is open to anyone here on the panel.  Maybe we'll begin with you, Julia.

   >> JULIANA NOVAES:  Thank you, Gabriel.  I think I really like the comment made by Sarah on we have different perspectives to make a difference in security.  Maybe a coincidence or not but yesterday my mother called and told me her SIM card was cloned and hackers had access to her bank account and so in Brazil, for instance, this layer of security of having your SIM card to receive a text message to value at a time your access might not be enough because we have different sorts of attacks and different threats that might not exist in other parts of the world, so security needs to be built from bottom up, as I already said.  Different places have different context, and when you build a standardized thing that you think applies to every part of the world, you may be not seeing gaps that are very local in nature.  And I think ‑‑ I think well most of the Cloud services, their nature, like at least the big ones are meant to be international, but they should also consider the local aspects of their functioning in order to be effective, and also the users and organizations that make use of the services have a very important role in this because they know their context, they know their clients, they know the limitations of their environment in terms of resources and know‑how as Innocent rightly mentioned that some users don't even understand what's the concept of Cloud computing when they accept to have data transferred to another company or shared with a third‑party company that's not directly involved in the transaction that's being done there.

So, I think as all of us as members of the Global South, we have an important role as well to build awareness on this topic in our local context, because if we always rely on the protocols and standards that are built from ‑‑ well to be held in Europe or the U.S. or developed countries that have such different context, we might be missing some things that are right in front of us when it comes to security and awareness among users and organizations.

   >> GABRIEL KARSAN:  Thank you for the comment.  How do you build up of what was said and importance of having local context mechanisms to build the security protocols and being somebody actually in Europe and you seeing the GDPR in play, what do you think is the role that legislation plays in actually ensuring we have that local mechanisms of security by design when it comes to Cloud services?  Yauri?

   >> YAWRI CARR:  Hello.  Can you hear me?

   >> GABRIEL KARSAN:  Yes, we can, please proceed.

   >> YAWRI CARR:  Hello, everyone.  Thank you very much for having me.  Yes, I totally think that this is a very important topic.  I have seen it here as well as I'm studying in Germany currently.  I have seen it is very wide topic in the country.  It is a kind of technology that the public sector is using a lot.  The ministries, the even schools and universities in terms of health and like all the hospitals as well as the people that need to be or to have Social Security, for example, security services such as the Army and even the police are using these kind of technologies in Germany, at least.

And it is also something that I compare with my country of origin, which is Costa Rica, I think the Cloud has also been increasing in my country, and the things that we, of course, have different realities, and we do not have a GDPR or like really strong regulation in terms of data protection, and we do have a law, but it is very weak, actually, by 2020 from 237 ‑‑ from 236 complaints that the data protection agency received, just one of them were answered by the data protection authority, so we really see that there is a huge ‑‑ yeah, there is a total lack of protection for the citizens and also for (?) ‑‑ and law enforcement is not really working in the country at the moment.  And we have been living this the last 8 to 5 years, and we had different problems.  And even though also with COVID, I think the situation has been worsened because many company, even my university weren't using Cloud, but we had also very a lot of issues with the Internet, so infrastructure risks such as that we didn't have more access to the Internet at some times, and as the university or other institutions had all the information in the Cloud, it was a big problem because they couldn't work, they couldn't attend the people or population in general that needed services, so it was a huge problem and it's one of the issues that I think Cloud security needs to improve at least if the context of my country.  I think, yeah, the solution is trying to provide maintenance to these kind of services.

Also, I think we should try to promote regular security audits of the services, also trying to at the moment of having a contract with a Cloud service provider, trying to really see the responsibilities of each part and trying to see what person or which part has to do with which function so everything is clear and at least in a moment of crisis, or in a moment in which there is not more Internet or not more access to the Cloud, there is like another solution or plan B to protect the citizens and they are not affected by these kind of risks.  Yeah.

Also, one aspect that I think is very important in terms of Cloud is that there is not a parameter like in local environments in which there is a parameter, and by this, I mean it cannot be controlled.  Like when we are using the Cloud, we cannot control the company that is providing us from the service, and we have to many of the times just think this company is doing what is right.  But we cannot control sometimes if the appropriate security measures for each of the cases.

So, in this case of Cloud computing at least if my country, I really recommend it is necessary to enforce the data protection law so that we can at least, if we cannot control the service provided, if we cannot have control of the measurements and management that they are doing, at least if they are at risk, we can control the protection of data of citizens that they have in their Cloud.

Yes.  This is something that I wanted to add.  Yeah.  I will be glad to answer questions.  Thank you.

   >> GABRIEL KARSAN:  Thank you for your wonderful comments.  We use user‑centric multi‑layer security is important in every level of technological develop am, and we're happy to be joined here by Mr. earnest who is actually involved in the ITU.  Mr. Earnest could you share what other security implications and considerations that the ITU considers when they're deploying Cloud infrastructure?

>> Earnest:  Hello, everyone.  Currently chairing the affordable Internet access at the Internet Society and as well as member of SG15 of the ITU study group which develops standards.

All right, so to your question and answer allow me to explain a few things in how standardization is being deployed.  In my country, I sit on what we call the technical committee, that adopts and develops standards for the ICT sector.  So how we develop these standards is that we follow recommendations that are set on international level, like ITU.  Yeah.  So, we have different standard group settings like Cloud computing and future networks which is SDG is a and I'm sewer Juliana has an idea about that.  Yeah.  So, in terms of security, we work with regulators from different parts of the world, private sector, all stakeholders involved, and we come together to find and mitigate how we can eliminate threats that exist on Cloud computing.  When it comes to security, it's not something that we can just say we eliminated because every day different threats are born every day on the Internet.  Like everyone is born every day with different mindsets and they have way of penetrating architecture, design, and security.  What I can say is that even though I'm not an expert in standardization, I think it's very important to focus more in developing standards of security and how we can ensure Cloud is secure for use and trusted.  Because one of the challenges that we have right now is the lack of trust in the Cloud.  It's a great tool and platform that I really encourage everyone to use, but the lack of trust out there is so huge, and how do we come together to ensure that everyone trusts the Cloud computing services.  So, I will leave the answers to the room.  Thank you.

   >> GABRIEL KARSAN:  Thank you, Mr. earnest.  It's important you say that the trust is important.  We honor that we want a common resilient and trustworthy Internet.  We see it's important to have the multistakeholder approach building in each and every angle and facilitating the security is quite something that is personal, private and operational.  If I leave questions to you, audience, is the security a standard or quite an objective?  I want to hear your perspective and questions based on this matter?  What do you think we should do to secure the Cloud and computation knowing we're in the age of consumer 3.0 where everything is based on sharing and success?  Please, you're welcome.  Any questions?  Reflections?  Recommendations?  Don't be shy, please.  Would you like to?  No?  Nancy anymore reflections based on the subject?

   >> NANCY NJOKI WACHIRA:  I would say regulation is a big part.  If we look at the data protection, the GDPR from the European, I think the European Union, there is a lot of regulations on the data that can get out of their continent, compared to other continents like our own in Africa, whereby we don't have regulations.  It's a lot to deal with, first of all establishing standards that we actually need regulations in our continent.  It's an ongoing conversation that we need to think about and really come up with solutions that can favor our own.  Thank you.

>> Thank you for the comment.  I would like to add.  Of course, regulation is important in building standards on a global level is quite important as well.  One of the gaps that we have in the market today is that people have difficulties translating what's in the regulation into actual practice, so when we're talking about Cloud, we know that people that are developing services are probably the software developers, the software architects, the infrastructure engineers, and these people need to be aware of how to turn regulation into actual, concrete lines of code and actual technical material that allows for security to be spread out throughout organizations, so regulations, of course, are quite important but if they only exist in the abstract, then they have no practice.  Together with that, we should also have authorities that enforce the standards and regulations, such as data protection authorities that are starting to grow now around the world but still lacking in many parts of the Global South as we're well aware being part of the Global South ourselves.

So, regulation, of course, is quite important but we should not forget the practical implementation of it so that the people who are designing the technology themselves, know how to incorporate these standards and principles into the very architecture, so this is when we're talking about security by design, this is the idea, so security by design should be spread out in the technical world, not only if the legal world, not only in the policy world.  There should be better means of communication between these channels because right now, we have a lot of beautiful things written on policy frameworks, on international regulations, but is this really being translated into actual practice, into actual code, and from Latin American and African perspective, I think there is still a lot of gaps we still immediate to address.

   >> GABRIEL KARSAN:  Inclusive decision‑making is important in that aspect and architecture itself should be in terms of regulation.  In Africa we have something called the Convention, do you think it considers Cloud security?

   >> INNOCENT ADRIKO:  Thank you for that question.  I was actually going to mention the convention and my complements about it, one thing is that we do agree that regulation and policies are so important, but to what extent are we actually willing to put these regular educations and policies on the ground.  The convention, the last session in there, for it to be ratified, we need one more country to sign.  Can you imagine one more African country failed to sign the Malibu convention on data protection and cybersecurity.  In a sense it is not ratified, it is of no use to us when it is not ratified, yeah.  So, I should say that for now as Africa, we are left in that aspect and we don't expect to have ‑‑ we don't expect to have argument about privacy and how our data is being managed without having something on the ground that we can actually relate to, which is a policy that we have all agreed to.

And then also, how sure are we when actually the Malibu convention is actually ratified, I'm very sure there are so many parliamentarians and I'm sure that some have pledged to convince their countries to actually sign.  At least we should get at least maybe Tanzania to sign and we can make the number to get the convention ratified, but how sure are we that as a continent, we actually agree to make use of this convention, yeah, especially in the aspect of Cloud.  Yeah.  Because we've seen so many conventions that I should call them limp, and the implementation is a very big problem, yeah, and we all know our challenge as ‑‑ okay, as our challenge with the governments, especially here in our region, and governments have this mindset that they should be owning citizens.  They want to know what you do, they want to know what organization ‑‑ what kind of data every organization has and what ‑‑ so, even though we are to, for example, say we now have our own infrastructure, our Cloud infrastructure in Africa, to what extent are we going to trust our countries?

   >> GABRIEL KARSAN:  That is quite a fascinating comment.  In a sense that computation, code itself is data, it's someone's thoughts, so I think it's quite personal, user driven and user‑centric, we should decentralize this meaning in forms of operations where each and every user understands the implications of what it means to be connected to the Cloud and any infrastructure beginning with the backbone infrastructure as well as top‑level use cases because most of us just understand the top‑level use cases without the hidden implication, and these other angles or other doors which legislators or governments can actually use to create some sort of confusion or conflict of interest of what security means for the people versus what they do with it.

So, it's important for us as users, us as a community to understand how we create this multilateral, multidriven consensus of what it means to be really secure and to be connected on Cloud, because in the end, caring is sharing, and we're sharing this computational era, and it's important that we secure it for the benefit of the coming generations.  I still open it up to you, audience, if you have any questions and reflections?  Do we have any online questions, Sarah?

   >> SARAH KIDEN:  I wanted to add something to the discussion.  Yeah.  So, the first thing, when you were talking about local context, something we they'd to talk about when we talk about local context is relevance and value.  So what value is this thing adding to me.  If you're saying I want to connect this person to the Internet, I want them to use Cloud services, but what value is it adding to them.  If it adds value, people will use the product for the service, so I think we need to think about that.  And when you're talking about context, there are so many things.  There is language, and is it in a language that I understand, and language from the point of view is very contested, but as in the local language, so I think we need to think about some of these issues as we discuss.

And then in terms of the multistakeholder model, I think Juliana mentioned that designers are missing around the table, and I think we need to before this thing becomes a product, so one thing I've been doing for the last three years is thinking about it at idea level and thinking about the design of IoT while it's still at the idea, so I want to build this, and I don't know smart way skill and how to embed value such as security, integrity, privacy, and trust at this level when it's still an idea before it goes even to be, you know, before you even start doing the sketches and things like that.

And the other part I think I would like to add is that maybe we need to start teaching some of these things in our curriculum at high school and at university level so teaching ethics in the curriculum, so that as people are graduating and going to the job market, they're actually already thinking about ethics and thinking about trust, and thinking about privacy, and some of these other things so that we can get them at the beginning before it actually becomes a product and then we'll be here again complaining again that this does not work the way we want it had to work.  Yeah.  Thank you.

   >> GABRIEL KARSAN:  Thank you very much, Sarah.  It's important be when you said that locality really breathes relevancy.  We have a comment from said this morning Gambia announced it's signing for the convention so at least that one sign you're looking for Isn't is there and there is maturity and importance of having sessions like this and have legislature and parliamentarians come and discuss and feel out pen and passion.  Innocent, we did it.  So, any more questions for the audience?

Good.  After all we have heard, all of the reflections we need, I just want Nancy to do some closing remarks since you were the one who actually organized this.  What do you think are the next steps, critical steps in ensuring Cloud security?

   >> NANCY NJOKI WACHIRA:  Thank you so much, Karsen for being the moderator and bringing in the conversation in an interesting and engaging way.  First of all, I've gotten some insights about Cloud computing from a perspective of not being a technical ‑‑ like I'm a technical person, so but there are perspectives that you cannot get from when you're technical and when you listen to actual users and the things that they bring up and issues that they articulate, like the signing of you called it the Malabo Convention, and I wouldn't have known about that if I didn't join it this meeting.  Thank you so much for highlighting such issues and ongoing conversation of what Sarah mentioned about educating our users from when they are maybe right from school in issues of trust and ways they can grow up trusting that even if we have the Cloud security ‑‑ even if we have Cloud computing in our continent, how do we trust our data to appreciate commonly?

And also going forward, ongoing with how we can collaborate, maybe Europe and America, and we see what things we can improve in our own continent.  So, thank you so much, everyone.  Thank you to our panel of speakers today, and everyone who contributed to today.  Thank you.

(Applause).

   >> GABRIEL KARSAN:  On that note, we are officially done.  Thank you so much for joining us.  Hopefully you will be way more protected when you join the Cloud.  Thank you.