Institute of IT Professionals CEO Paul Matthews has discounted criticism by Sydney-based Ovum analyst Steve Hodgkinson of the cloud computing code of practice coordinated by the organisation.
Hodgkinson has expressed worry over prospects that the New Zealand “CloudCode” will be adopted in Australia and possibly more widely through the Asia-Pacific region.
The National Standing Committee on Cloud Computing, a government-endorsed panel of consumer groups and cloud vendors established last year by think tank Global Access Partners, is expected to develop a similar code and, according to Australian media, may adopt the NZ code verbatim.
Hodgkinson focuses on the New Zealand notion of a “trust mark” for good cloud providers to display on their websites. This could be counter-productive by drawing attention away from more rigorous international standards, he says.
He says that while any code of practice is a good idea, too much focus on the certification aspects of such a code could give a misleading impression.
“A code of practice is good because it reinforces understanding of what it is to be a cloud provider and what it is to provide cloud services,” he told IT News in Australia.
“Compliance is a bit more of a difficult one; that somehow, somebody would provide cloud services a tick to say whether they are grade A, B or C. That is problematic in my mind because the field is moving so quickly that it’s a bit hard for people in that compliance space to actually be on top of the game,” he says.
IITP’s Matthews says Hodgkinson is right in saying compliance with a rigidly defined standard is impractical at this stage. “During the first phases of consultation on the structure of the CloudCode it became apparent that an overly vigorous ‘compliance’ focus would cause exactly the problems he has outlined, which is why we ended up taking the disclosure-based approach to the CloudCode” rather than a system of rigid auditing for compliance.
This approach asks cloud providers to disclose, voluntarily, their answers to 10 basic and seven optional questions, covering such factors as security and ownership of the data, backup and maintenance procedures and users’ rights of access to their data, both during the service’s operation and after any failure of the company.
“While providers will shortly be able to be accredited as compliant with the CloudCode, this is essentially a statement that the minimum or better level of disclosures is proactively made to clients. There will be clear documentation accompanying this, from both IITP and the Privacy Commission’s guidelines, to ensure cloud providers understand their good practice requirements and cloud users can make informed decisions,” Matthews says.
“So yes, Hodgkinson is correct. While a full graded certification will no doubt be a good idea in time, implementing such a thing is simply not workable at this stage, which is why the disclosure-based route was chosen.
“But we certainly believe the Code will need to evolve in both form and function over time, as the cloud industry matures,” Matthews says.