You can always tell when a new technology or development is getting some serious traction in the market: it’s when moves start to be made to regulate and manage it. That is now the case with cloud computing.
Such moves are a good sign that the cloud is now being taken seriously as a long-term contributor to the future development of business, as well as showing that all sides understand that the need is to make it work effectively and efficiently for the long haul, rather than be a vehicle for turning a ‘quick buck’. Though there will no doubt be arguments about detail in these early attempts, they at least demonstrate that an outbreak of early-onset maturity is occurring in the cloud community.
The UK’s Information Commissioner’s Office (ICO) has launched a Personal Information Online Code of Practice, which is being actively supported by another UK body, the Cloud Industry Forum.
Over in the US, market analyst Gartner Group has set up a Global IT Council for Cloud Services which has, as its first pronouncements, defined six basic rights and one responsibility that cloud services customers have. The aim is to help both service providers and consumers establish and maintain good business relationships.
The target for the ICO code of practice is how the Data Protection Act applies to information processed online. This sets out how a service provider should operate with such data internally, and in its relationships with its customers. It recommends, for example, that both providers and customers should ensure there is a written contract between them. In particular, it suggests that this should stipulate that the same level of data security be applied to outsourced data as is maintained internally.
This does, of course, raise an interesting side issue in contract terms, if only because a reasonable percentage of customers are likely to have lower levels of security internally than those offered as a matter of course by most service providers.
It also sets out best practice for the thorny problems surrounding collecting personal data using online application forms, the use of cookies to target marketing content at users and the general use of the data to market products or services to individuals.
The Cloud Industry Forum has come out strongly in favour of the ICO’s announcement, with its chairman, Fasthosts boss Andy Burton, stating that the Forum had been arguing for some time that users have needed a form of certification for potential suppliers that will accurately define the services being offered in a simple way.
With the ball now starting to roll, Burton plans to see the Forum pushing it harder so that users get clear and unambiguous information on how cloud computing will impact business, how it can be integrated with existing on-premise investments, and more comprehensive help for users struggling to understand how to judge how the differences in services match their specific business needs.
The six cloud services user rights set out by Gartner’s Council for Cloud Services are as follows:
The right to retain ownership, use and control one's own data. Service consumers should retain ownership of, and the rights to use, their own data. The Council insisted on the importance of data security in the issue of ownership and control. The provider must specify what it can do with the consumer's data. Lack of clarity on this point can lead to costly legal battles. Lastly, the consumer could lose control of its data if the service provider goes out of business or is sold to another company. The original contract or service-level agreement must provide for the clear disposition of the service consumer's data, in case the provider can no longer provide service.
The right to service-level agreements that address liabilities, remediation and business outcomes. All computing services — including cloud services — suffer slowdowns and failures. However, cloud services providers seldom commit to recovery times, specify the forms of remediation or spell out the procedures they will follow. To make service-level agreements relevant to the business, providers do not have to customise them for every consumer; rather, the agreements should comprehensively address the business issues implied in the type of service offered. The provider's contract should not simply guarantee a certain turnaround time for adding capacity; it should specify how it will deliver that capacity.
The right to notification and choice about changes that affect the service consumers' business processes. Every service provider will need to take down its systems, interrupt its services or make other changes in order to increase capacity and otherwise ensure that its infrastructure will serve consumers adequately in the long term. Protecting the consumer's business processes entails providing advanced notification of major upgrades or system changes, and granting the consumer some control over when it makes the switch. Such changes might include upgrading a SaaS application, introducing new versions of services, changing the location from which the service is provided, entering or exiting a business, shuttering a facility, and so on.
The right to understand the technical limitations or requirements of the service up front. Most service providers do not fully explain their own systems, technical requirements and limitations so that after consumers have committed to a cloud service, they run the risk of not being able to adjust to major changes, at least not without a big investment. Service consumers and providers must do a better job of keeping each other informed about their technical limitations, particularly for complex, long-term projects or complex architectures and systems.
The right to understand the legal requirements of jurisdictions in which the provider operates. If the cloud provider stores or transports the consumer's data in or through a foreign country, the service consumer becomes subject to laws and regulations it may not know anything about. Service providers have not done a good job of explaining which jurisdictions they put data in and what legal requirements the service consumer must, therefore, meet. The service consumer needs reassurance that the provider does not violate any country's rules for which the consumer may be held accountable.
The right to know what security processes the provider follows. With cloud computing, security breaches can happen at multiple levels of technology and use. Service consumers must understand the processes a provider uses, so that security at one level (such as the server) does not subvert security at another level (such as the network). Without this knowledge, service consumers risk security violations caused solely by the provider not accounting for the ways in which consumers might use a service. Service consumers also need to understand a provider's business continuity plans, so that they can ensure that their own operations continue in an emergency. Service providers are not consistent in explaining either their security processes or their business continuity plans.
The one responsibility they have been given is this one:
The responsibility to understand and adhere to software license requirements. Providers and consumers must come to an understanding about how the proper use of software licenses will be assured. On the one hand, providers must be held harmless, if the service consumer puts the software it licenses from a third party in the cloud yet violates the licensing agreement. On the other hand, the provider should not agree to an audit directly by the vendor, if the consumer owns the software licenses. The service consumer must take charge of the audit, because it needs to consider the whole context — both what the consumer runs in the cloud (perhaps using several service providers) and what it runs on its own infrastructure.

















































































