The newly formed EuroCloud UK group held their first member meeting a week ago at the Thistle City Barbican Hotel – a panel led group discussion on Cloud standards and security. Chaired by Phil Wainewright, the panel experts were Dr. Guy Bunker, independent consultant and blogger, formerly Symantec’s chief scientist and co-author of ENISA’s cloud security assessment document, Ian Moyse, Channel Director of SaaS provider Webroot, and Adrian Wright, MD, Secoda Risk Management, formerly global head of information security at Reuters.
In the spirit of cooperation we had invited Lloyd Adams from Intellect and Jairo Rojas from BASDA because we want to ensure that the three UK Cloud and SaaS vendor groups keep in close contact and try to coordinate their various deliverables and activities as much as is practical. In addition we invited Richard Anning who heads the ICAEW’s IT Faculty. As I’ve reported before, Phil, Jairo, Richard and I have been in discussions, triggered by Dennis Howlett, about trying to achieve some form of pragmatic standard or quality mark on security and best practice. We decided to use this discussion to identify if there are any sensible, existing standards or initiatives that we could adopt or incorporate into our thinking.
Philip framed the discussion into three areas – operations, security (including risk and governance) and interoperability. As is often the case with the current status of the Cloud topic, the group started on definitions of what is or isn’t SaaS, as well as highlighting the different issues and elements that come into play with infrastructure (IaaS) and platform (PaaS) solutions. In the early part of the discussion two things became clear. The first is that there are some standards like SAS 70 (Statement on Auditing Standards No. 70, which is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants in 1992) which may be appropriate for some vendors to enhance their credibility, but that’s just one of many competing standards initiatives. Even with SAS 70, the worry is that the cost of accreditation means that many smaller vendors would be excluded, even though they may have excellent quality, perfectly viable and lower cost solutions. The second is that, in most cases, the customers and buyers don’t actually know the kinds of questions they should be asking their potential SaaS and Cloud vendors.
The discussion covered topics like vendor lock-in, how to get your data out if the supplier goes bust, and whether you should worry about escrow agreements.
At one stage somebody talked about the fact that there was no significant Microsoft equivalent to set the standards yet, but surely that’s simply vendor lock-in of a different kind. Richard talked about ICAEW members worrying about availability, and what happens if your broadband goes down. One good sequence of the meeting covered the Data Protection Act and the fact that issues to do with data location have become a potentially serious offence. It was mentioned that Salesforce, one of the major Cloud providers, have two data centres in the USA and now one in Singapore, so where does that leave a European customer with the current legislation?
Phil talked about online banking and the fact that the public Cloud can be firewalled, and made more secure with encryption and use of card readers, or SMS tokens sent to your mobile phone. In complete contrast, people regularly send confidential data in emails across the Internet, which is hardly very secure. There was a point in all of this discussion when you might begin to get disillusioned with the whole security topic, but it is clear that standards are being talked about and that best practice is emerging. Companies need to have good processes and remedies in place. As an industry we need to show what people are really doing as an antidote to the occasional SaaS and Cloud scare stories.
Ian Moyse talked about the Cloud Industry Forum (CIF) who are trying to produce a form of “kite mark” or a code of practice – something which covers transparency, capability, and accountability. Lloyd from Intellect highlighted that there are already checklists in existence, like the one on pages 16 and 17 of Intellect’s own Business Case for SaaS. However, what the CIF are doing has significant overlap with the Standards initiative that we were hoping the ICAEW would help with. They see the possibility of two levels – lower cost self certification, and then a more comprehensive and expensive compliance or accreditation procedure, but that would need some form of accountability or an ombudsman. Their initiative looks very promising, and we’re certainly going to find out more detail before our next step. Watch this space for more on this soon.
To give you a flavour of the event, take a look at CloudVision’s edited highlights:
(Cross-posted @ Business Two Zero)