Mandate of the Cloud License Officer

In the world of information technology, there is a global trend towards outsourcing selected computing services to third-party providers hosting such services via the Internet and, especially, the World Wide Web. For CERN, such “Cloud Services” might be more cost-effective than hosting them on-premises. Since Cloud Services are served on a general basis, i.e. independent of the end-user, certain aspects of their “Acceptable Use Policy” related to privacy, data protection/locality & ownership, and security, as well as those linked with CERN’s privileges and immunities, might have adverse effects on CERN’s reputation and operation.

It is the mandate of the Cloud License Officer (CLO) to coordinate any purchase or usage of Cloud Services at CERN or by CERN personnel, evaluate whether adverse conditions exist and whether the overall risks are acceptable to the Organization, and to authorize any site-wide purchase & usage of Cloud Services. In particular, the CLO:

  • Assists in purchasing Cloud Services;
  • Coordinates with the Procurement and Industrial Services group (IPT-PI) of the Industry, Procurement & Knowledge Transfer (IPT) department;
  • Verifies whether alternative in-house solutions exist and are appropriate, in order to avoid duplication of similar products, and liaises with the IT Consulting Team of the IT department if needed;
  • Checks any impact on privacy and data protection/data ownership, verifies that provisions are in place to reimport or transfer “important” data, ensures that data locality is compliant with CERN’s privileges and immunities, and liaises with CERN’s Office of Data Privacy Protection (ODPP) if needed;
  • Checks whether the Acceptable Use Policy (AUP) or any other license conditions are acceptable for CERN, in particular with regard to CERN’s privileges and immunities, and liaises with CERN’s Legal Service if needed;
  • Checks whether the computer security level is sufficiently high and that computer security incident response means are acceptable, and liaises with the CERN Computer Security Officer (CSO) if needed;
  • Evaluates the risk of “service lock-in”, i.e. the risk of losing CERN data in case a Cloud Service is changed or abandoned;
  • Assesses the impact that a loss of confidentiality, integrity, or availability could have on the Organization: low (limited effect), medium (serious adverse effect), high (severe or catastrophic effect), and objectively ensures that risks are assumed in a consistent way;
  • Keeps a register, including their risks, of all used Cloud Services.

The Cloud License Officer is reachable via “cloud-licence-officer@cern.ch”.