Can someone please standardise cloud standards?
Confused? No problem, we have 5, no 6, no 7... lots of standards
As with any product, there are myriad ways of selling and buying cloud services. While this extensive choice for customers means, in theory, they can pick and choose the type of cloud they want from a number of different providers, it also leads to confusion in the marketplace.
If each cloud offering is slightly different to the next, how can a customer compare the different offerings from one provider to another? When presented with too much choice, there is a danger a customer will not buy at all or will make a snap decision. A short-term easy buck for the provider is likely to lead to long-term dissatisfaction of the customer - not just with that particular provider, but with the cloud generally.
One of the major criticisms of cloud is that there is no official, all-encompassing definition of cloud. Despite the generally respected NIST definitions, “cloud” as a term has evolved to cover all things related to the internet. Perhaps this is not surprising since network schematics have often featured a cloud bubble for that aspect of the computer network which was outside the scope of the supplier’s obligations: the internet, the network of networks.
This lazy usage of the term cloud and the massive increase in the use of it as a buzzword and the corresponding cloudwashing has led to confusion over what truly is cloud. In fact, cloudwashing – the cynical rebranding of old services to refer to cloud – works both ways. I have spoken to MSPs and hosting providers who have told me they have had to start using the word “cloud” as customers often don’t take them seriously unless they can say they offer cloud solutions. I’ve also spoken to customers who want cloud but don’t really know what it is or whether they would be better served by buying something else.
The answer to these issues, for some people anyway, is to introduce cloud standards. Perhaps not surprisingly, the European Commission is active in this space. With cloud estimated to be worth $106bn in 2016 and growing at 30 per cent per year, the Commission wants to ensure it is reasonably straightforward for customers to understand what they are buying. It has set up an Expert Group on Cloud Computing Contracts to identify “safe and fair” contract terms and conditions.
While it might be unfair to criticise the aims of the group, it is difficult not to be sceptical about the composition of the group: while the members are reputed in their fields, there seems to be a shortage of representatives from the cloud provision community. For the results of this group to have any credibility, they need to engage with cloud providers, not seek to impose rules on them from the outside.
There are other difficulties too. Introducing a one-size-fits-all standard contract would mean that customers would buy cloud on the same terms. However, different types of cloud have different attributes, so each type of cloud would need slightly different contract terms - separate ones for SaaS, PaaS, IaaS, public, private etc. I have spoken with cloud providers of varying sizes about this several times. Each time they show a reluctance to use a standard contract since they all sell cloud differently. Perhaps this is why they have not all flocked to join the group.
What kind of standards should we look for?
Indeed, I empathise with their viewpoint; while a standard contract might seemingly be of benefit to customers, it could stifle innovation in a rapidly changing sector. If providers were to be forced to sell on the basis of a contract standardised in 2015, would it still be relevant to cloud services and solutions on sale in 2016, or 2020? For a standard contract to have any value, it would need to be constantly reviewed and, if found out of touch with the current state of cloud, would need to be updated. This would be a mammoth undertaking and one for which the European Commission is ill-equipped.
Instead, therefore, a standard contract would have to be a guide, containing standard principles. For example, the usual flashpoints in any cloud contract are: the choice of law, data control, service availability & resilience, liabilities & indemnities, termination by the cloud service provider, deletion of data and service transfer. Guidelines covering these areas could be a useful step.
There are other avenues of standardisation, though, that might produce better results. The EU Commission established a Cloud Select Industry Group on Service Level Agreements to increase trust and to help business users “save money and get the most out of cloud” through the standardisation of cloud SLAs.
Unlike the Expert Group on Cloud Computing Contracts, this group features cloud representatives including ATOS, IBM, Microsoft, SAP and others and in July 2014, the group produced initial guidelines. They encourage the use of plain language in contracts to cover availability and reliability, quality of support, security and how to manage data. The guidelines are now being evaluated in the market. The Commission recognises that standard guidelines for cloud SLAs will have more credibility if adopted globally. Therefore, the C-SIG is working with the ISO Cloud Computing Working Group to present a European Position on SLA standardisation. If adopted in the market and kept up to date, SLA guidelines could certainly help customers looking to compare clouds.
Then there is data. In every survey I have seen over the last five years which lists customer concerns about moving to the cloud, data security and sovereignty are always in the top five. This is, in part, because of the awareness of data protection laws across Europe. Having said that, data issues are much misunderstood.
A potential customer of cloud in the UK told me (erroneously) that UK law prevents them from transferring their data outside the UK. A US cloud provider contacted me in a quandary saying that they were looking at where to establish the EMEA operation and had been told that they wouldn’t get any German customers if the datacentre wasn’t based there as Germans believe (erroneously) that their law prevents transfers outside Germany.
Some providers play on this and sell cloud with data centres just in the UK or Germany. Certainly, by not transferring the data across borders this might give the customer comfort, but the law does not prevent such transfers. That’s what Safe Harbour is all about.
This lack of awareness could hold back cloud. Data processing and storage are a prominent part of any cloud provision and perhaps not surprisingly the EU Commission has a Cloud Select Industry Group on Code of Conduct focusing on data. The code of conduct will “support a uniform application of data protection rules” and this group is working closely with the Article 29 Working Group, that other EU Commission body that focuses on data.
Then there is ISO which has a number of standards in this area already. There is the Open Virtualisation Format (ISO/IEC 17203), the Cloud Management Interface (ISO/IEC 17826), Information Security Management Systems (ISO/IEC 27001) and, of course the recent Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO/IEC 27018) which grabbed headlines recently as Microsoft and other cloud providers became accredited. Not to forget either the accreditation schemes from the industry bodies.
At this point, far from there being no standards, it is starting to look like there are plenty. So what about standardising cloud laws? I have already touched upon the lack of understanding of EU data protection laws.
The forthcoming General Data Protection Regulation is designed to overcome this confusion while bringing the law up to date for the cloud era. It is unclear at what point over the next couple of years it will come into force but it is supposed to drive greater harmonisation and larger fines of up to €100m. With customers unable to judge whether their choice of cloud is compliant with data protection laws, this harmonisation might assist.
What about outside of Europe?
Much of cloud provision is from the US and sold under US laws which are often quite different to European laws, so European customers can become even more confused. In particular, US public cloud is usually sold “as is”, with service credits as the customer’s “sole and exclusive remedy” and with the provider’s liability excluded as far as possible, including for losses of data.
Assuming that most customers don’t read the cloud terms – or that public cloud terms are non-negotiable – this potentially leaves customers exposed to greater risks but without them necessarily knowing it.
If the provider loses a customer’s data including personally identifiable information but has excluded all liability, where does this leave the customer in relation to data breach fines?
In fact, I have spoken to customers in the private sector and public sector alike who have read these terms and they're not comfortable with them. Public cloud providers point out that, at the infrastructure level (IaaS), it is up to customers to build in availability and security.
So cloud standards already exist with more to come. But cloud standardisation still feels a long way off.