The newly formed EuroCloud UK group held their first member meeting a week ago at the Thistle City Barbican Hotel – a panel-led group discussion on Cloud standards and security. Chaired by Phil Wainewright, the panel experts were Dr. Guy Bunker, independent consultant and blogger, formerly Symantec’s chief scientist and co-author of ENISA‘s cloud security assessment document; Ian Moyse, Channel Director of SaaS provider Webroot; and Adrian Wright, MD of Secoda Risk Management, formerly global head of information security at Reuters.
In the spirit of cooperation we had invited Lloyd Adams from Intellect and Jairo Rojas from BASDA, because we want to ensure that the three UK Cloud and SaaS vendor groups keep in close contact and coordinate their various deliverables and activities as much as is practical. In addition we invited Richard Anning, who heads the ICAEW’s IT Faculty. As I’ve reported before, Phil, Jairo, Richard and I have been in discussions, triggered by Dennis Howlett, about trying to achieve some form of pragmatic standard or quality mark on security and best practice. We decided to use this discussion to identify whether there are any sensible existing standards or initiatives that we could adopt or incorporate into our thinking.
Philip framed the discussion into three areas – operations, security (including risk and governance) and interoperability. As is often the case with the current status of the Cloud topic, the group started on definitions of what is or isn’t SaaS, as well as highlighting the different issues and elements that come into play with infrastructure (IaaS) and platform (PaaS) solutions. In the early part of the discussion two things became clear. The first is that there are some standards, like SAS 70 (Statement on Auditing Standards No. 70, an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants in 1992), which may be appropriate for some vendors to enhance their credibility, but that is just one of many competing standards initiatives. Even with SAS 70, the worry is that the cost of accreditation means that many smaller vendors would be excluded, even though they may have excellent quality, perfectly viable and lower cost solutions. The second is that, in most cases, customers and buyers don’t actually know the kinds of questions they should be asking their potential SaaS and Cloud vendors.
The discussion covered topics like vendor lock-in, how to get your data out if the supplier goes bust, and whether you should worry about escrow agreements. At one stage somebody talked about the fact that there was no significant Microsoft equivalent to set the standards yet, but surely that is simply vendor lock-in of a different kind. Richard talked about ICAEW members worrying about availability, and what happens if your broadband goes down. One good sequence of the meeting covered the Data Protection Act and the fact that issues to do with data location have become a potentially serious offence. It was mentioned that Salesforce, one of the major Cloud providers, have two data centres in the USA and now one in Singapore, so where does that leave a European customer under the current legislation?
Phil talked about online banking and the fact that the public Cloud can be firewalled and made more secure with encryption and the use of card readers, or SMS tokens sent to your mobile phone. In complete contrast, people regularly send confidential data in emails across the Internet, which is hardly secure. There was a point in all of this discussion when you might begin to get disillusioned with the whole security topic, but it is clear that standards are being talked about and that best practice is emerging. Companies need to have good processes and remedies in place. As an industry we need to show what people are really doing, as an antidote to the occasional SaaS and Cloud scare stories.
Ian Moyse talked about the Cloud Industry Forum (CIF), who are trying to produce a form of “kite mark” or code of practice – something which covers transparency, capability and accountability. Lloyd from Intellect highlighted that there are already checklists in existence, like the one on pages 16 and 17 of Intellect’s own Business Case for SaaS. However, what the CIF are doing has significant overlap with the standards initiative that we were hoping the ICAEW would help with. The CIF see the possibility of two levels – lower cost self-certification, and then a more comprehensive and expensive compliance or accreditation procedure, but that would need some form of accountability or an ombudsman. Their initiative looks very promising, and we’re certainly going to find out more detail before our next step. Watch this space for more on this soon.
To give you a flavour of the event, take a look at CloudVision‘s edited highlights: