Cloud Industry Forum moves to drive clarity in cloud with new code of practice
November will see the full launch of the Cloud Industry Forum code of practice for clarity on cloud computing.
The chairman of the Cloud Industry Forum (CIF) is Andy Burton, who is also CEO of cloud computing company Fasthosts. He told SC Magazine on the launch of the draft of the code of practice that ‘the market needs a credible and certifiable Code of Practice that provides transparency of cloud services such that consumers can have clarity and confidence in their choice of provider’.
Consultation was closed in August and now, three months on, I asked Burton what had happened over the past three months as the complete code of practice was developed.
He said that the public consultation process raised a number of issues, with people raising basic questions about the cloud and how it performed.
“We needed to go through and determine whether or not it needed to impact the code, or that we needed to re-educate the market about what the code was about. Or indeed, that we needed to change aspects about how the cloud actually works alongside other activities,” he said.
“I would say the key issues that came out of it are around governance and integrity; so one of the things that was very heavily mentioned in that public consultation process was the need to ensure that there was a fair balance in terms of the people that oversaw the Cloud Industry Board to make sure it wasn't seen as some kind of industry junket.
“So we've made sure for example now that we've got a balance between industry members, end users, law practitioners around IT and independents such as organisations like BASDA, Eurocloud, Intellect, etc., involved within the overall governance of the Cloud Industry Board.”
This governance board will oversee the integrity, ethics and the operation of the code of practice. Burton said that one thing it is trying to champion is transparency and from the official launch on the 22nd November, a web process will be launched.
Burton said that listing with it is similar to a self-certification process. He said: “You will go on, register with us, download your assessment pack, go offline and do your own assessments internally and determine what your statements are going to be about compliance with the code.
“Then when you're ready you come back to being online and you complete the information online. So all of that now is managed in an online process.”
Another industry-driven compliance model is the PCI DSS standard; I asked Burton if that had been a particularly good model for the CIF to draw from. He said: “Yes, I think PCI compliance is an industry standard in its own right, so we don't need to reinvent that. In terms of an experience, I would hope people would look at the process they go through for the cloud certification for the code of practice, I think they will find they will have a very similar experience in terms of going online, registering, going offline, doing your work, coming back online and filling in your declarations online. So I would say we have followed some of the logic of proven practices like that.”
With a few weeks until its launch, I asked Burton what areas in particular the code of practice will be covering. He claimed that there is a ‘preoccupation in this market place at the moment that Software-as-a-Service is the cloud and the cloud is Software-as-a-Service’ and that areas such as Platform-as-a-Service and Infrastructure-as-a-Service get overlooked, which has led to a lot of confusion in the market as to what cloud is.
He said: “One of the first things that you do when you go through the registration process with us is you are identifying as a vendor what are the services that you offer and that can range anything from Infrastructure-as-a-Service, to Platform-as-a-Service to Software-as-a-Service. In which case you drill down into whether it is an email service or a security service or a portal service, whatever the case may be.
“That information is declared upfront at your point of registration, so when you complete the self assessment that is applied to the scope that you have set upfront. Then we provide from our website (which launches in February) the ability for end-users to then search from a list of vendors in those sectors and see the comparative information between them.”
He said that the remit is not to determine or state whether somebody is good or bad; it is to make sure that consistent information is presented to help people make informed decisions.
“What we're trying to do therefore is provide information that's relevant to making a business decision; so who am I dealing with? What's their real legal entity? Where are their operations? Where are their people based? Who are their key people? Are they financially stable? Are they owned by another company? What trading names do they operate under? What are their website addresses? What capabilities do they have? What service level management terms are they offering? All that kind of stuff that you take for granted in the real world if you were buying on-premise product that you would, you'd get a feeling for an organisation, you want to do the same for someone trading with someone on an online experience,” he said.
He also confirmed that a ‘CIF badge’ will be provided to an accredited provider, while a ‘certified plus’ logo will be available for independently certificated vendors. As for the future, Burton confirmed that spot checks will be done on every submission that comes in, while the code of practice is set to be revised on an annual basis.