Adherents to a cloud code of practice could be prohibited from advertising a service as a "cloud" offering if it does not conform to the dictates of the voluntary code now under consideration.
The draft version of a proposed New Zealand code of practice for Cloud computing has been issued for comment. The New Zealand Computer Society has been coordinating development of the code, known as the Cloud Code, since September last year.
The approach and structure of the code were shaped by a series of public meetings and the content by a set of expert panels. New points brought up at the public meetings, such as the need to specify ownership of the user's data during and after the period of service provision and the locations where data is kept, have been included in the current draft of the code.
There is still debate over how to represent a number of services from the same provider, some of which may be compliant with the code and some not; whether such a provider should be allowed to advertise themselves as "compliant with respect to such-and-such a service", or whether compliance should be an attribute of the service, not the provider.
The definition of Cloud computing has been reduced for simplicity to five principles:
- On-demand self-service;
- Ubiquitous network access (the reference to "network" rather than "Internet" is a request made by a number of public submissions);
- Location-transparent resource pooling;
- Measured service with pay-by use.
The often cited (and sometimes disputed) requirement that a cloud service be "multi-tenanted" does not figure in the simplified definition.
Cloud providers are required to specify the country where both the primary and backup data are stored and specify treatment of the user's data after cessation of the service period, including rights of access and any payment for access after the service finishes.
Rights of the customer to audit the service must be spelled out.
Backup arrangements, including regular testing of the restored data, are required to be specified. Under "geographic diversity", a provider must specify whether their alternative server sites are at least 150 kilometres apart
Much of the crucial security requirement is referred to the Cloud Security Alliance's STAR registry; participation in this will be the minimum security requirement. This is in accordance with a core principle that the Cloud code should "not reinvent the wheel", but use existing codes where available.
Though the Cloud code has no legal force, the document makes the point that making false or misleading representations about goods and services is against the law as specified in the Fair Trading Act.
Responses to the draft code are sought by 5pm on April 10.