Gjør klar exit-strategi fra amerikanske skytjenester
www.khrono.no
Datatilsynet vil at norske virksomheter skal planlegge for en fremtid uten amerikanske skytjenester. Ved Universitetet i Oslo jobbes det med en exit-strategi.

The Norwegian Data Protection Authority wants Norwegian organizations to plan for a future without US-based cloud services. An exit strategy is being developed at the University of Oslo.

The potential consequences of Trump administration policies for usage of US-based cloud services remain unknown, but alarms were sounded the world over when the database for biomedical and health research PubMed experienced downtime at the start of March. The downtime lasted only a few days, but the resulting unrest spoke to the fear that exists among researches wholly dependent on American databases.

Donald Trump has turned the world of American academia upside down with a torrent of new executive orders attacking academic freedoms, since he took office as US president in January. The tense uncertainty for what these attacks might mean for Norway and Europe, where researchers are reliant on databases stored and maintained in the USA, led Norway’s Minister of Research and Higher Education Sigrun Aasland to arrange an emergency meeting.

But the future of research databases is not the only thing causing headaches for Norwegian organizations.

The Norwegian Data Protection Authority recently warned that the political situation in the USA is also creating uncertainties around usage of US-based cloud services, like those of tech giants Google, Amazon and Microsoft. The agency highlights that the transfer of personal information to the States depends on approval by the European Commission, and requests Norwegian organizations to prepare exit strategies.

Own solutions

The University of Oslo’s IT department is already hard at work. In a status update which [was] presented to the university’s administration on Tuesday, IT director Gard Thomassen states that an overview is being developed for how an exit might look like.

He explains that the university uses US-based cloud services for administrative data first and foremost, and secondarily for research data. Thomassen points out that the University of Oslo has a long tradition of developing its own IT services, such as Educloud and TSD, which will make a potential future withdrawal from US-based cloud services less dramatic.

—“At the same time, several of the University’s service providers are deeply ingrained in the cloud, and it’s a difficult landscape to navigate. A more comprehensive report on exit possibilities is therefore being developed,” Thomassen writes.

Although the work is not yet finished, Thomassen still makes a few preliminary recommendations, namely that the University should restrict its usage of US-based cloud services, and consciously consider the extent to which external cloud services should be used for less sensitive data.

Growing more advanced

Thomassen also describes a steadily increasing challenge with regard to privacy and information security at the university, noting that over the past five years, the number of inquiries to the University of Oslo Computer Security Incident Response Team has grown from 2,500 to 6,000. He notes four main challenges: Use of unapproved cloud services, need for better training, regulatory demands, and challenges relating to international research cooperation outside the European Economic Area.

He also notes that cyber-attacks are growing more advanced, with the University of Oslo experiencing several attacks that evaded multi-factor authentication. He also warns that artificial intelligence could make so-called “phishing e-mails” — a form of online fraud in which the attacker attempts to deceive the victim into sharing sensitive information — even more advanced.

Director of the University of Oslo IT department Gard Thomassen was not available for comment Monday afternoon.