Italy is ready to launch its national cloud. It will do so while being mindful of protecting sensitive data, by entrusting the State with the “keys” so that they do not end up solely in the hands of third parties.
It’s all in the new Italian National Cloud Strategy, presented on Tuesday by Franco Gabrielli, the Undersecretary of State overseeing the Intelligence Department. Alongside him were Roberto Baldoni, director of the National Cybersecurity Agency (NCA), Digital Transition Minister Vittorio Colao and Paolo de Rosa, CTO of the Department for Digital Transformation (DDT).
The development of a national cloud is among the most strategic parts of the nation’s Recovery Plan, with €900 million earmarked for it.
It’s a three-stage approach that starts with the creation of a “National Strategic Centre” (NSC) intended to provide, manage and control cloud services independently from non-EU suppliers.
The second step entails vetting public cloud providers to ensure that “stated features and service levels are in line with the necessary requirements vis-à-vis security, reliability and compliance with relevant regulations.”
Third – and most crucially – is the migration of the Italian Public Administration’s data and services “to the most appropriate cloud solution.”
The NCA will define the data classification, and the DDT will support the drafting of the migration plan.
The NSC’s call for entries will be published no later than year’s end, the contract will be awarded by the end of 2022, and data and services must be transferred “by the end of 2025.”
This strategy tackles the most intricate knot of the cloud issue, i.e. data security and control, head on.
Globally speaking, European companies play a marginal role, covering about 10% of the market compared to non-EU companies. American suppliers stand out among the latter as the real key players in the European game (partly due to diffidence towards the security offered by Chinese providers).
“As is known, non-EU legislation can lead […] to unilaterally requiring the Cloud service provider to provide access to the data stored on its systems,” reads the strategy.
The same case is made in the 2018 Cloud Act, approved by the US Congress, which is at the centre of a tug-of-war with the EU because it allows American MPs to access data managed by local companies, even if they operate abroad.
The document states that risk management entails “technological implications, as well as geopolitical impacts on the international scene.”
Please hand the keys over
The strategy identifies three categories of data: strategic data, which could impact national security if compromised; critical data, which could impair the apparatuses necessary to the health, security, and economic and social well-being of the country if compromised; and ordinary data, which would not interrupt the State’s essential services even if compromised.
The Italian government has identified two tools to protect information on the cloud. One is double encryption, which will allow Italy to keep one set of “keys” to access the information, leaving the other with the cloud provider.
More specifically, double encryption will be employed for three types of cloud services: public cloud with on-premise security control (the so-called “encrypted Cloud”), private and hybrid cloud allowing for the localization of data in Italy, and the “qualified private” cloud, subject to national cryptography with key control residing in Italy. The second tool is an “exclusive licence” granted by non-EU giants to Italian operators.
The National Strategic Centre
The NSC will be built in Italy, while operational management will be entrusted to “a qualified national supplier.” The latter will have to guarantee “data control in compliance with the relevant legislation” and “strengthen the Public Administration’s position to negotiate appropriate contractual conditions with cloud service providers.”
While the project’s call for entries is pending, the first expressions of interest have already cropped up. This is the case of Consorzio Italia Cloud, which includes companies such as Seeweb, Natalia, Babylon Cloud, Almaviva and Aruba.
Leonardo and TIM, a defence giant and a telecoms giant respectively, are also in the field: a month ago Leonardo’s CEO Alessandro Profumo confirmed the existence of “talks on several fronts, both with [TIM] and with CDP,” which is an investment bank controlled by the Ministry of the Economy.