IGF 2017 - Day 1 - Room XXV - OF29 Managing Cloud Computing in the United Nations System

 

The following are the outputs of the real-time captioning taken during the Twelfth Annual Meeting of the Internet Governance Forum (IGF) in Geneva, Switzerland, from 17 to 21 December 2017. Although it is largely accurate, in some cases it may be incomplete or inaccurate due to inaudible passages or transcription errors. It is posted as an aid to understanding the proceedings at the event, but should not be treated as an authoritative record. 

***

 

(Audio technical difficulties)

>> PETRU DUMITRIU:  -- organizations based on quite sophisticated methodology.  I won't enter into details, but we also hear very much from organizations that are not part of the system, we hear, depending on the topics from the private sector, from the Civil Society, and I think Cloud interpreting is a subject on which, indeed, we have to hear from other players.

For those who are really interested to know more about the joint inspection, there are a number of leaflets available at the entrance on the table.

Now, we want to take this review, which we consider that is more and more important for the United Nations Systems.

First of all, we are having in mind a sort of transition from the current situation, in -- in general, in using IT services and in particular, in migrating on -- on Cloud services because -- because these kind of decisions, apparently, they're rather ad hoc, instinctive, you know, driven by the market, not by the real needs.  We do not measure properly what kind of issues you have to deal with, so this is, more or less, an attempt to bring some light into this area.

So the objective number of our project will be to raise awareness about the specificity of Cloud services and inform the decision-making people in the legislative bodies, in the senior management, when -- you know, to help them make informed decisions when they develop any sort of policies and practices on Cloud computing.  We also want to demonstrate that Cloud computing contributes to what some people believe is not an IT method, Cloud computing is a governance method.

We have to deal seriously with issues such as control over data, risk management, the protection of privacy and confidentiality of institutional data, the continuity of services, and the efficient use of services.  I would say that our middle name in GIU is efficiency.  We are supposed, in whatever we do, to recommend to increase efficiency in the use of resources.

Obviously, the first result of the review will be a diagnosis of the existing situation in the sense that it will undertake the comparative analysis of policies, frameworks, practices, and processes in the 28 organizations that are part of our -- of our constituencies.

Then the next, say, ambition of this project will be really to -- to generate preventive policies and action to enhance preparedness in using the Cloud services, how to harness the power of the Cloud solutions effectively, how to maximize investments, how to mitigate risk, how to anticipate the problems before actually entering into concrete transaction.

It seems that these issues are not properly addressed or at least they are not addressed the way any action and policy that uses the public resources available for the United Nations is supposed to address.

And then we -- based on the assumed elasticity of the Cloud services, we'd like to find ways to -- not only to really increase efficiency but also try to see whether we can -- we can pool resources.  One of the problems of the United Nations System is that we are a system, but we still continue to work in silos, so maybe the Cloud computing is yet another door open to the possibility to pool resources and to make concerted actions that will help the organizations individually and the system as a whole.

In terms of specific objectives of this report, yes, we have -- we will examine the level of -- and the potential of the integration of Cloud solutions as they are currently in the system.  We want to see if we can move to a high level of coherence in the Cloud architecture in the UN System.  We'll be trying to develop or at least to suggest benchmarks to support the future developments in the adaptation of business models in our organizations in relation with the Cloud computing, but, then, that would be more or less our automation.

Before ending, I would like to make a precision about the nature of the relationship between the panelists and the others in this case.  Usually you do ask questions to the panelists, you expect answers from the panelists.  I would say that in my case, it is the other way around.  We are trying to hear from you.  We know that the biggest challenge in our review will be to address the right questions, the most pertinent questions, so we are not even ready with the questions that are best suited to the analysis we are trying to understand, so we are much less equipped to respond to that question, but the problems -- the problems faced in relation with the Cloud computing, I think they are common whenever it is -- if it is about United Nations System, which is a group of organizations working together, guided by the same principle and values, and problems faced in individual organizations.  We have the same issues of confidentiality, of privacy, of legal aspects, intellectual property aspects, et cetera, et cetera, so there is nothing in your experience that might not relevant for our own research.

So we are at the beginning of this research.  I would say that we didn't even start the research.  This panel is one of the occasions we created just to hear from people, from experts like you, and thank you very much, Jovan, for giving us the possibility. 

>> JOVAN KURBALIJA: Thank you, Petru.  Therefore, we'll have questions, and that is probably the key, and that could be the key outcome of our discussion today, to add to some issues that Jorge and Petru and their colleagues will have to answer when they start officially their work on the report in 2018.  It will be most likely in March 2018, Petru? 

>> PETRU DUMITRIU: It will start even earlier.  So mentally -- although formally, it's not there, but mentally we started to prepare, so we can engage in dialogue as of today. 

>> JOVAN KURBALIJA: Thank you.  Great.  Now we set the stage for -- for discussion, and you -- I'm sure you will get some questions now after the -- after the Prado's presentation on technical aspects on Cloud computing and what the UN ICC is doing and what we can expect from them and other official providers from Cloud computing worldwide.

As you know, one of the dilemmas in Cloud computing is should UN agencies outsource it to big Cloud computing providers like Amazon, Microsoft, or have it more in-house provided by, among other players, UN ICC, United Nations International Computing Centre.  Prado, please. 

>> PRADO NIETO: Thank you very much.  Thank you very much, Jovan and thank you very much Inspector Petru for the opportunity to be here and share what we are doing, so I'm very grateful.

So the idea now will be very quickly who we are, what is Cloud, some information about Cloud, what is the evolution of the state of Cloud we see in the UN System, and options for the UN System Cloud deployment.

Let me start.  Who is UN ICC?  We are not the International Communal Court, like everyone may think, we are the United Nations International Computing Centre, and we are a United Nations organization created by the -- by a resolution of the General Assembly in 1970s with a clear mission of providing ICT services for the UN System, for the UN family, with the goal of maximizing infrastructure, maximizing skills, knowledge across the UN family, and, therefore, generate an economy of scale to benefit the UN System.

Therefore, our parlance founders, they had this advanced mind-set.  Without maybe them knowing it clearly, they created nearly 50 years ago a UN private Cloud because you see our mission is the mission of the Cloud, but we think UN.  Therefore, our data centers have UN jurisdiction and protect privileges and immunities within the UN.

We have offices in Europe, Switzerland, Spain, Italy, as well as in U.S.

While the UN ICC has a key position, we need the UN System to know what is happening in terms of technology, in terms of Cloud technology.  The reality is that all our -- all our partners are sitting on our board.  They are our clients and they are also our board.  They serve with us, their strategy, where they want to go, and they asked for help to go there, and so all of them are our partners, and these are partners and clients because we are also supporting -- supporting international nonprofit organizations worldwide.

We started as an organization 50 years ago, only with a couple of clients, partners, WTO, UNDP, UN, where we were setting mainframe services.  It was a time of mainframe services, and the General Assembly was trying to avoid that each organization were building their own mainframes, so we started in this kind of Cloud offering, and we have, of course, moved from mainframe to much more advanced IP services.

So what is Cloud?  Everyone knows that Cloud -- Cloud is a big number of servers sitting in a location that is not expensive where we can serve resources between different end users to maximize cost-effectiveness.  Very important is to realize the Cloud delivery model, the difference between on-premise delivery model where yourself, you manage all the stuff, all the services from up to down, and we are familiar with Infrastructure as a Service, Platform as a Service, Software as a Service that -- the difference between both of them -- all of them is just where this starts between what is your responsibility and what is the Cloud provider responsibility because even when you go to Cloud, depending on which model you are using, you are still responsible as part of the service.

So this is the Cloud delivery model.  If you see UN ICC service delivery model, you will see that a big part of our portfolio we are already calling Software as a Service, Platform as a Service, Infrastructure as a Service, because as I've said before, we are providing Cloud services, UN Cloud services to UN, and a part of that portfolio, we have services to integrate with that public Cloud, so we have the UN private Cloud that can be integrated, needs to be integrated in some cases with the public Cloud, and also there is an important component for advisory services because our partner needs to know what is the risk of going to the Cloud.  They may need help for doing Cloud assessment, they may need help to do security assessment before going there and so on.

Okay.  So what is stopping the UN System to move forward to the Cloud?  I think my colleague, Christina, may go more in-depth later on this topic, but the main ones would be, okay, the fear, the risk that the service provider could be misusing information obtained and also that they are not honoring the UN privileges and immunities, and, of course, there is a more exhaustive list provided by Cloud Security Alliance, and, of course, the risk that a potential state actor could be accessing through legal means, between quotes, information to the public Cloud provider. 

But it's clear that we have strong benefits to go to the Cloud.  Agility.  There is -- the services are standard, the deployment -- the provision of services are very quickly done, performance and resiliency, the public Cloud providers have data centers worldwide replicated.

Security.  Again, the standardization of their offering makes it easier to secure it because you don't have legacy system with operating systems that are outdated that you cannot have budgets to support them and so on.

Innovation.  Of course, they have strong expertise that can be up to the latest technology.  It's very difficult for each of the UN agencies to have these skill sets at home.

As I have said before, cost-effectiveness, and this is key for UN because UN is having a hard time -- it's always having hard time related to budget, so this is a very important benefit. 

And risk mitigation, because it's more and more important to be aware that the -- the public -- the different providers that we are using in terms of technology, they want to push UN to the Cloud, and they are suggesting that in the future this and this and this technology may not be offered on premise, so there is -- we need to be aware that we could mitigate risk if this technology is not on premise but in the Cloud, so this is a fact.

But we also need to be aware of challenges that the organizations that has moved to the Cloud are facing.  There is a very important report that is being done every year, I think that for the last six or seven years related to the use of Cloud.  This is a report not for the UN System because UN System is not so advanced in that evolution, but for the -- for all the business, and they have identified what are the top five challenges within the Cloud, depending on the maturity of the organization.  It's very, very significant to see that although security is very important for the Cloud beginners, it's not so, so, so important when -- when our organization is Cloud focused because I would say that they have done the homework to be ready to go to the Cloud, but managing costs, that it was not so important originally, it becomes one of the top five challenges, to the point that they have found that the challenges -- the challenge of managing costs in public Cloud is important and there is an actual waste between 30% to 40% of the -- of this, and this is very, very important.

Also --

>> PARTICIPANT: (Off microphone)

>> PRADO NIETO: So, yeah, let me maybe give a clear -- a couple of clear examples.  So it's clear that when a business unit within the UN System needs -- I don't know, needs to do an event and they need a server to be -- to be prepared for the event, they notify the IT -- the IT department, and they request they turn on the server in the Cloud.  It's also frequent that they are not so agile notifying that the event has ended, so the server can be there up and running without nobody using it.

Another clear example that we are seeing, when there is a new staff in the organization or a new consultant or a new internship, the HR notifies to the IT system to create an account, an email account.  When -- when the colleague leaves, sometimes it's not so agile, that notification, and we have seen email accounts that they are leaving without nobody using it, and the organization still pays for it.

>> (Off microphone)

>> PRADO NIETO: Yeah, because if you don't decommission the account, you continue paying for it.  You continue paying for it. 

>> PARTICIPANT: (Off microphone)

>> PRADO NIETO: Yeah.  It happens everywhere.  So this will be very important.  I will highlight later why it's so important, this fact.

Also, I wanted to share with you, as part also of the RightScale report, the distribution of the evolution of the state of the Cloud.  I need to insist that this has not weakened the UN System because the UN System is much risk covered because of these specific threats that are specific for them, but as you see, I would say that the big conclusion that they are taking is that the hybrid Cloud is the preferred enterprise strategy.  There hasn't been a very big evolution from 2016 to 2017, and still all the organizations out there, they are realizing that they need an hybrid Cloud because there is data they are very comfortable to move to the public Cloud and that there are other data that they are not so comfortable to move to the public Cloud and they would like to keep it on premise or in a private Cloud.

So a reflection allowed with all of you is, okay, UN -- UN System will have to go to the public Cloud, will go to the public Cloud.  We need to do it because we are constantly under pressure to provide high-quality services and innovative solutions under a continued budget reduction, so as Cloud cost-effectiveness is one of the -- of the benefits, we need to evaluate that, but we need to be very careful because as we have seen already, there is the challenge to manage these Cloud costs, so if we are moving to that path because cost-effectiveness is key for us and there is this risk of not being able to manage that cost, there is a red warning there for UN.

Also, we need to be aware that we would need an hybrid Cloud in general within the UN System because there will be always data that we cannot have it in the public Cloud. 

And now I will say with you a couple of options of what could happen in the future.  Well, it's clear, as I have said, my prediction is that the UN System will go to the public Cloud, no matter what we do.  The only thing we do is to help them, to help them in the risk assessment, to help them doing the IT strategies, the Cloud strategies, security checks, and so on, and we are already doing that.  The UN ICC is already helping our partners go to the Cloud, doing migrations, making sure they have enough expertise, but this is a UN organization that will have still their -- this is the primary data center connected to the disaster data recovery center, and even if they go to the Cloud and say we still need -- they will still want to keep some data outside the public Cloud, they will still have their own data centers in place.  Maybe they don't need so much capacity.  Maybe they will be able to negotiate the rent, reduce electricity, but they will still need the cooling, electric, the management of the data center.  Again, they will have connectivity to the public Cloud, one public Cloud providers, even two public Cloud providers, and -- because they are an offering out there.

We have the same one for the second organization and so on for the rest.  We will end like that, still our data centers, still connected with our DR, and all of us, even if we are sitting in the same cities, connected independently to the different Cloud providers.  To not confuse more the diagram, I have not drawn here that all of them are also connected with UN ICC, with the UN private Cloud already, and I have not also drawn here that all of them are connected with all of the countries.  Sometimes those countries are in the same location, like Organization A that is sitting headquarters in the same location as organization B and is in the same location as other one, but they all have independent line.

So this is the strategic what we can do, so I -- I couldn't stop putting my drink here because -- okay.  UN has a great goal and UN System senior management has vigorous responsibility, so I thought, okay, let's do it.  So UN has the UN private Cloud with a UN jurisdiction.  We can integrate information there, private information that we don't feel comfortable putting in the Cloud, and consolidate connectivity to save costs for UN.  So that's all.  Thank you very much. 

>> JOVAN KURBALIJA: We have one -- one clear option, which my guess -- my sort of intuition is that it will become increasingly important because you mentioned some key words, "cost efficiency," "risk avoidance," "reliability," but what we're seeing in global affairs is institutions and individuals are increasingly concerned about not only cost efficiency but there is a slight shift towards the question, what is happening with my data, how do they protect it, and I will say the UN System will probably have to address some issues like immunities and privileges.  And I can see a few colleagues in the room who can reflect.  I know that Mr. Markovic, who's over there, he's now working with UNDP in Serbia on some sort of Cloud computing; therefore, some of these issues in some form will be addressed over there, but you may reflect later on it.  And other colleagues whom I don't know well.

One of the issues will be what to do with data legal statutes, whether it is privileges and immunities, whether it is data of European citizens, and now Christina will help us to guide us through the challenge, completely speaking of the new European general data protection regulation and how UN can address it, what we can do. 

>> CHRISTINA VASALA KOKKINAKI: So, good morning, everyone.  Thank you very much, Jovan.  Thank you very much, Petru, for the invitation.

My name is Christina Vasala Kokkinaki, and I work with the legal department of the International Organization for Migration.  I'm particularly happy to be here today to talk about Cloud computing, but also because it's the 18th of December, and it's International Migrants Day. 

(Applause)

In my presentation, I will be bringing a legal perspective to Cloud computing for international organizations.  I'm not a technical expert, I'm a lawyer.  I'm an international lawyer.

I will be focusing on two legal matters.  First of all, the issue that has been already brought up, the issue of privileges and immunities, and second, some considerations in terms of data protection and the issues concerning the general data protection regulation of the EU, the GDPR, an acronym we will be using during this presentation, will be addressed on the second part.

Just to mention briefly in terms of what Jovan already referred to earlier, I held data workshop in May in which we had about 35 international organizations present.  It was a workshop that lasted a day and a half.  It was co-organized with the European Data Protection supervisor.  We addressed different issues.  One of them was Cloud computing.  Another one was the GDPR.  Another one was the processing of health data that are very often classified as sensitive data.  And another issue was the role of the data protection officers, just for your information.

If we're going to start with the status of international organizations, so international organizations enjoy privileges and immunities in order to ensure that they can function in an independent way.  Privileges and immunities are given to international organizations by state.  Most international organizations, such as the United Nations, enjoy P&I, that's called privileges and immunities, P&I, because of multilateral treaties.  There's a 1946 Conventions on P&I, 1947, one for the UN and one for specialized agencies, but there are also other conventions on P&I.  Some organizations, including IOM, enjoy P&I based on bilateral agreements that are signed between the organizations and the states.

I've just put here examples of two P&I, immunity from jurisdiction and unavailability of archives because these two come up very often in the Cloud computing discussion.

In the traditional setting where you would have an organization having its servers on premises in case there would be an interference and you would have government or state -- state authorities, law enforcement agencies trying to access this data, an organization would argue that this is not possible because the archives and all documents of the organization are unavailable.  This is the legal wording that would be used.  And because the national legislation of the state would not be applicable to an international organization because of the immunity from jurisdiction.

Just very briefly, the challenges, I don't want to mention them as risks because they're challenges and they can be mitigated, the challenges that are related to privileges and immunities and Cloud computing.

First of all, the location of the servers.  This is a question that all international organizations have to answer at some point, which is the best location for the servers to be located if the data are going to be stored in the Cloud?  Should these servers be stored as close to the premises as possible, for example, if we're talking about an organization based in Switzerland, should they be stored in any country in which the organization enjoys good privileges and immunities, especially immunity from jurisdiction, or in which other location?

Apart from the location of the servers, another important concern is transmissions, transmissions of data.  By using the Cloud, transmissions are increased.  When transmissions are increased, the -- the possibility of interference is increased as well.  In addition to that, when an external Cloud service provider is used, it's very often likely that the server provider will be using subcontractors, so the more subcontractors you have, be the more the transmissions are increasing.

Another issue linked to transmissions is that with the use of public Cloud, for example, very often it's not possible to tell in one specific moment where the data is.  Even the Cloud provider themselves, they might not be able to answer this question.  Therefore, the challenge is increased.

We have a request from law enforcement agencies.  This happens quite often to international organizations.  We will have a request from the police to have access to a specific data set.  Again, an international organization would be arguing immunity from jurisdiction, and the same would be done if there would be a request coming from judicial authorities; however, when we're using an external service provider, that external service provider cannot argue immunity from jurisdiction.

It is more difficult to argue as well unavailability of archives because the data are being stored by the Cloud service provider and not by the international organization themselves.

In overall, the big challenge for international organizations is the fact that they feel that they have no control over the data.  In the traditional setting of having the data on premises, control is more clearly defined and it's more -- the feeling of control, at least, is bigger; whereas, in the Cloud setting, especially in the public Cloud setting, there is a

In terms of data protection, I have just put here the logos of some organizations that already have in place some internal guidance on protection of personal data.  As you can see, the UN is appearing first.  The UN has a GA Resolution from 1990 in which states and international organizations were encouraged to apply data protection principles, so that was in 1990.  IOM issued its data protection policy in 2009, INTERPOL in 2011, ICRC and UNHCR in 2015, ILO, WFP in 2016.  Other organizations, to my knowledge, do not have an internal data protection policy in place. 

Data in the Cloud.  This was already mentioned by Prado, and which data should be stored in the Cloud?  If we're talking about public Cloud, which data can international organizations store in the Cloud and which data shouldn't be stored in the Cloud?  For example, should personal data -- personal data of beneficiaries, for example, in the case of IOM, or personal data of staff, sensitive data, should they be stored in the Cloud?  What about confidential data?  The way that international organizations -- and I'm sure the private sector is saying the same thing -- is addressing this question is by having a very clear classification policy; however, even nowadays there are organizations who do not have a classification policy, and even if there is a classification policy in place, there is no Cloud computing policy to say these types of data, for example, in the case of IOM, secret and confidential cannot be stored in the Cloud; whereas, restricted data and public data could be stored in the Cloud. 

The data protection issues linked with Cloud computing.  First of all, the jurisdiction of the Cloud service provider.  If the Cloud service provider is operating in a country that has good data protection legislation, international organizations feel generally more comfortable, and from my experience, I've seen that international organizations would say, as soon as -- as long as the servers are based in a European Union country that has strong data protection rules, then we're all right, that's the safest place to have the data.

There is the issue of data controller and data processor.  International organizations want to be clear that they are the ones controlling the data, telling the Cloud service provider what to do; however, this is not always possible, and in many cases, Cloud service providers might be data controllers themselves.

This legal image concerns the legal basis for processing data in the Cloud.  For international organizations to process personal data in particular, it's necessary to have a clear legal basis.  The basis for storing this data in the Cloud is separate from the basis of collecting the data, and this is always a very tricky issue.  For example, in the case of humanitarian organizations, should a humanitarian organization be requesting consent from its beneficiaries, be it migrants, refugees, and so on, in order to store their data on the Cloud?

Encryption.  Encryption is a very often mentioned tool in order to ensure greater data security, and encryption is very useful because in the cases of attempts of interference with the data of international organizations, it's -- it's deemed to be that if the data is encrypted and there are no back doors, then if the data are handed over to government authorities, then they will not be easy to read; however, encryption cannot be used on its own.  There are many other controls that need to be put into place and have access control authentication and so on.  And then another issue about encryption concerns whether we're talking about end-to-end encryption, about encryption of data in transit or on-site.

Auditing.  In most Cloud computing contracts, international organizations would really argue to be able to audit the Cloud service provider at any time, and sometimes it's -- this clause will be accepted.

In terms of data security, encryption was already mentioned, but an important issue here concerns retention of data, how long should data be kept in the Cloud, and what would happen if the international organization decides to stop using a specific Cloud service provider?  How will it be guaranteed that the data are absolutely deleted?  Can data be absolutely deleted nowadays?  Is it possible? 

And, of course, in the end, the issue of privileges and immunities, in a contract on Cloud computing, there would be generally a close saying that the Cloud service provider needs to respect the privileges and immunities of the international organization; however, how does this work in practice?  If we're talking about a Cloud service provider that needs to follow some national legislation, usually the two issues are in contradiction.

Very briefly to touch upon the GDPR, the GDPR is of relevance to international organizations for two specific issues.  First of all, concerning applicability.  Article 3 of the GDPR has a very broad -- describes a quite broad territorial scope of the GDPR; however, even if the territorial scope of the GDPR is very broad, international organizations still enjoy immunity from jurisdiction, which means that they're not subject to the national legislation of states, in this case of EU Member States, because the GDPR as a regulation, it will be directly applicable as national law to the Member States on the 25th of May 2018; however, the GDPR has a Chapter 5, and Chapter 5 is very much relevant for international organizations because it talks about transfers to third countries and international organizations.  So international organizations are mentioned specifically inside the GDPR, and Chapter 5 is listing specific legal basis under which data controllers can transfer personal data to international organizations.

If we have a quick look through this legal basis, the one that seems to be more appropriate would be the derogation of public interest because international organizations are created for public interest purposes, and it makes sense that all transfers of personal data to them are to serve -- are taking place in order to serve the public interest purpose. 

>> JOVAN KURBALIJA: Thank you. 

>> CHRISTINA VASALA KOKKINAKI: I'm just leaving you with these observations and challenges for you to read.

>> JOVAN KURBALIJA: We have ten minutes.

>> CHRISTINA VASALA KOKKINAKI: Thank you very much.

>> JOVAN KURBALIJA: Thank you very much, Christina for -- I'm sure that -- as I know Petru and Jorge -- how long you planned your report, it will take three years with all of these aspects coming into the -- it will be really, really demanding work with the legal, technical, and data aspects which Prado and Christina brought up in such eloquence.  Thank you very much.

What is probably the first question that you can answer later -- and I'll open the floor for questions from our online public and colleagues here in the room -- is practically speaking on 26th of May, can Italy send their data -- personal data to IOM without any sort of considerations about the GDPR and others?  That could be -- it's always good to answer concrete issues.  That could be one question, what IOM can use as concretely speaking and any other organization in that context, but you may answer it later on when we collect the questions and comments from our audience.

The floor is open, please.  Could you introduce yourself, if there is any question or comments?  Jorge, please. 

>> JORGE: Yes.  I would like to have a comment because on the legal part, I'm not that worried about that yet because it's about sharing knowledge and taking the right decisions, and the UN has enough offices to carry this out.

On the first presentation, I'm extremely worried because knowing how the UN works -- and I'm trying to open this so I get some input on our report because I can't visualize how we're going to do the legal part.  And I know it's complex, but I think that there's really clear ways to go about it.  You mentioned in 1990 the resolution, and it's very easy to follow up to now, but where I'm very concerned is, as you know, the UN works mostly with a regular budget and extra budgetary contributions.  In the extra budgetary contributions, there will be no resources or very little for this aspect, meaning that there's some resources for UNHCR.  Those resources will be for program delivery, but they will not include the cost for data protection.  But when we talk about the regular budget of the UN, it's shrinking, and to make it clear -- for instance, in 1976, when ITU introduced the first ERP package, there were a potential for the UN to have one ERP for the whole system, and what we found was that even in one organization you're having then, the three players, which was Microsoft, Oracle, and the (?)

What I feel is that because the legislative bodies, when they're approving their budgets, they will take all the costs, they will take all the benefits from the ERP, but they are -- they don't have a master plan on how to go to the Cloud, and what we will find is that a lot of things that were presented in the presentation of Ms. Prado, there are already redundancies and there are already duplications in organizations that they're already with you, but they're also in the public realm and they're being -- and I don't want to say this -- they're being taken hostage by the private sector on that -- the programs that are already inside the UN.  They're telling them, okay, we'll give you the service in the Cloud, we'll give you the service in the Cloud, and then they're absorbing these little resources that are left, so if people could help us on that, I would really appreciate it. 

>> JOVAN KURBALIJA: I can see some nodding in the room.  Could you -- you agree with the exchange.  Could you just reflect on it? 

>> PARTICIPANT: (Off microphone)

>> JOVAN KURBALIJA: Yes. 

>> PARTICIPANT: The microphone. 

>> PARTICIPANT: You could find cases in which you have on-site hosting, hosting in your ICC, the private Cloud in the UN, as we want to call it, hosting in the Cloud already, so you have the three models sometimes at the same -- at the same time, and it's not manage from an IT governance perspective at all.  I completely agree with you, so there is a risk of losing control of the IT, you know, strategy in the future because you may be taken hostage by Cloud providers.  Some ERPs are already in the Cloud in the model of Software as a Service, so basically not on-site anymore, so it's a risk IT as much as you.  

>> JOVAN KURBALIJA: I think what Jorge also pointed to, there's a need for additional resources, but at the same time there is a huge expectation that there will be a cut in expenses, therefore, you have another catch 22 situation for many organizations where financial people will expect to address some redundancies which exist, which we heard from the presenters, but in the same time, you have to invest for transition; therefore, that will be one of the major challenges which our panelists may reflect.  Barbara, do we have any questions?  Okay.  Yes, there were -- we'll start with you, Prado, please.

>> PRADO NIETO:  (Off microphone)

Oh, okay.  Thank you.  So that gives me the -- a lot of hope that with suitable strategic motivation, we can do it.  I mean, as I said, UN has a very ambitious mission, and UN System managers have a very big responsibility.  We need to be aligned with that mission, but we can do it. 

>> JOVAN KURBALIJA: Thank you.  Christina, what will happen on 26th of May -- well, except the nice morning in Geneva and places all over the world spring? 

>> CHRISTINA VASALA KOKKINAKI: This is not -- I mean, this is a very tricky question to be answered in a simple way, I think, but just to say that in the scenario that you mentioned, if you have a data controller that is subject to the GDPR that wants to transfer personal data to an international organization on the 26th of May, they can very easily do so.  I don't think that they would have a very big challenge.  They just need to pick the right legal basis to do so.

As mentioned already, public interest serves as a very good legal basis to transfer personal data to an international organization, so, yeah, it can be done. 

>> JOVAN KURBALIJA: You don't envisage any sort of major -- big companies are now renting offices in Brussels big time, Facebook, Google, because it will be one of the major battles for their business model, what will happen on 26th of May.

Do we have any other comments, questions?  This side.  Oh, please.  Well, whatever.  You negotiate.  Could you introduce yourself, please. 

>> HAPEE DE GROOT: My name is Hapee De Groot.  I'm from the Netherlands.  I'm from a hosting company.  We provide Cloud services for human rights activists, but I'm also a member of the Dgroups -- a board member of the Dgroups Foundation, which is fighting with the UN all the time to get access to internal and external spaces, but my question in this case -- so two questions, additional consideration.  Environmental impact, is that also an issue on the agenda to choose, whether you're hosting environment neutral or not at all, providing -- looking for green hosting, so to say?  And the other question is, as you're dealing with public services, open source, is that also somewhere in the guidelines?  Thank you. 

>> JOVAN KURBALIJA: Thank you.  Another question.  Could you introduce yourself, please. 

>> ANDREW SULLIVAN: Yeah.  My name is Andrew Sullivan.  I'm a nerd, I'm not a lawyer, and I'm employed by Oracle, but I never speak for them.  And I guess I have some questions about how -- whether certain features that Cloud service providers, including potentially Oracle, could offer would help you, so in particular, if you had -- if you had good monitoring of -- of costs -- there were three things that struck me, the cost overruns kind of problem, which happens, I think, to every Cloud customer; secondly, the data storage rules, with are things held; and third, how data is passed, you know, both what transit is takes and -- and how it is handled while it's in there, and if there were handles for -- for customers, either private or public-sector or international or whatever, to be able to say, no, no, here are the policies that we want to apply to this, would that be useful or does that just seem like an extra thing that would be in the way but wouldn't actually solve the challenges that you're facing?  And maybe you can't answer that today, but it would be really nice to see that in the report.  Thank you. 

>> JOVAN KURBALIJA: We are fortunate -- thank you very much.  We are fortunate that there is no session after our session because we are now coming close to the -- to the end of the proposed time.  Is that correct? 

>> BARBARA ROSEN JACOBSON: (Off microphone)

>> JOVAN KURBALIJA: There is a session.  Okay.  Okay.  Now, just the quick answer from -- from our panelists, starting with Petru.  You can pick on any of these few questions and then --

>> PETRU DUMITRIU: As I promised, I don't have prepared responses to the questions.  What I can say is that these are very important issues that we should take into account in our analysis, and -- including the issue of environmental impact.  I think that's a very important question.  I -- I've heard recently that just one transaction on Bitcoin, the -- it costs the energy of eight households a month.  That is amazing.  That is amazing.  So we really should not be taken away by the enthusiasms of ITs and --

>> JOVAN KURBALIJA: Any comment on the -- the second question -- the second set of questions? 

>> PETRU DUMITRIU: I -- well, I don't think I have -- I have an answer.  I think most of the answers lies for the time being in the diagnosis that already exists at the level of ICC, which will become a major partner in our review. 

>> JOVAN KURBALIJA: Prado, a few quick comments on the questions, and then --

>> PRADO NIETO: So very quickly, I see that there will be tools to monitor the costs, as I said before.  Once more, do we want to deploy those tools 100 times in each of the UN organizations or can we consolidate the management of the cost of the Cloud somehow to not avoid deploying it 100 times. 

>> JOVAN KURBALIJA: Great.  And Christina, the concluding comment. 

>> CHRISTINA VASALA KOKKINAKI: Yes.  I would just bring it back to the beginning to what Petru already mentioned, that Cloud computing is a governance issue, just to say it needs to be dealt in a holistic way, and environmental impact would be addressed, yeah, there in a more holistic way. 

>> JOVAN KURBALIJA: Good.  Thank you.  Just a final concluding comment.  Jorge, quickly. 

>> JORGE: The answer, very quickly, I think that what -- all companies, private sectors can help, is in getting your act together, meaning the office of Oracle in Switzerland acts completely different than the office of Oracle in New York and the office of Oracle in -- in Italy, for example, and that's something that we're sure we're going to look at because that cannot happen anymore.  Thank you. 

>> JOVAN KURBALIJA: Thank you, Jorge.  Thank you very much.  Just a quick comment.  We have very tolerant speakers for the next session.  They're not complaining yet.  Are you in charge of the next session?  Oh, no.  Great.  As long as nobody complains loudly, we can continue, please. 

>> PARTICIPANT: Just a quick one.  In the decision-making for Cloud models or what an organization should do, there's a good report on IT governance from the GIU, and the principles are there, so, I mean, the decision-making model is there that could be applied to also a decision about Cloud, so let's not forget about this.

>> JOVAN KURBALIJA: Excellent.  Another report which was prepared last year was report on knowledge management and, you know, the whole confusion about data information knowledge could be -- could be used in this context in -- as a sort of more revealing because Inspector Dumitriu prepared a report on knowledge management, which will have some elements related to data and Cloud computing.

I think we have quite a few interesting insights, questions.  We're looking forward to hear from you, Jorge and Petru, how the work will progress, and I'm sure that you will find quite a few enthusiastic responses from colleagues if you ask us for help.  I think it will be extremely important report, not only for the UN but also informative for other global organizations because you will tackle also the questions which we listed from technology to legal, economic, internal organizations, questions of privileges and immunities, and overall, I would say function of international organizations; therefore, that would be interesting way to revisit some of the core issues related to reform of the UN and various balances between efficiency and security, reliability.  Good luck for this work and count on us.  Thank you very much. 

(Applause)

(Session concluded at 11:46 a.m. CET)