An industry template for trust in the cloud

Summary: Buyers of cloud and SaaS are often stumped because they don't know what questions they should be asking. The industry has a responsibility to help buyers out with a common template that everyone can use to evaluate cloud services.


Cloud computing and SaaS, for all their successes and rapid growth, remain relatively new and unfamiliar to most computing buyers. Even when prospective customers are keen to take advantage of the low initial cost, rapid time to deploy and constantly refreshed technology of cloud services, they often find themselves stumped simply because they have no experience of buying cloud services and therefore don't know what questions they should be asking.

The industry has a responsibility to help buyers out here. There's now more than enough collective experience of the buying process to know what questions buyers have been asking. We probably also have a good idea by now, knowing what has gone wrong in the past, what questions they should have been asking but didn't. Several industry bodies have therefore launched initiatives to set up certification and auditing processes that will give buyers more confidence when evaluating providers — as well as giving providers some standard benchmarks for how they implement and manage their services.

We're not out of the woods yet, though. With several different initiatives coming out, how are buyers (and providers) supposed to know which ones to rely on? The next challenge for the industry is to provide some harmonization so that ultimately we can arrive at a broadly accepted template that can act as a solid foundation for trust in the cloud. Some customers will want more certainty than others, and therefore I can imagine that there's scope for several different programs to co-exist, serving different segments of the market. But the industry as a whole needs to send out clear messaging about this segmentation to avoid additional confusion.

I'll be at an open meeting this week in London that will bring together representatives of two new certification schemes to look at some of these issues. Hosted by EuroCloud UK (and co-located with SIIA OnDemand Europe 2010), the meeting will hear from Andy Burton, chair of the Cloud Industry Forum, which launches its Code of Practice for Cloud Service Providers next month; and from Andreas Weiss of EuroCloud in Germany, which is developing an Audit Seal for SaaS.

The meeting will aim to work out how these two initiatives will co-exist and whether they cover all the ground that's needed to deliver confidence in the cloud. One point of contention is going to be over self-certification versus external auditing. The CIF Code, which aims to set down some baseline requirements for all cloud providers, is largely based on self-certification and therefore depends on providers being honest and open (although the scheme's operators will actively police participants for compliance). The advantage of this is a low outlay for providers to sign up, which should encourage broad adoption. The EuroCloud SaaS Audit, in contrast, is specifically designed for SaaS providers and is much more detailed, including an independent audit of the data center. This makes it much more costly for providers, which could limit participation. On the other hand, customers may value it more because of the investment the provider has to make and the extra comfort that comes from external auditing.

In such a young and innovative industry, there are bound to be many participants and entrants who cannot fund expensive audit requirements from the outset. We must therefore be realistic and recognise that some perfectly reputable providers will choose not to pay for certifications or audits. What is vital, therefore, is the point I started out with — that we rapidly establish a common understanding of the basic questions any cloud services buyer should get answered as part of their due diligence during the buying process.

What are your views about certification and auditing of cloud and SaaS providers? If you can't make it to the meeting, post your views in Talkback below.

Phil Wainewright

About Phil Wainewright

Since 1998, Phil Wainewright has been a thought leader in cloud computing as a blogger, analyst and consultant.

  • External accreditation will stifle innovation

    As someone with a SaaS product under development I think it's vital to be able to give customers clear commitments about what will and won't be provided, not least so that expectations are managed about data, service levels and security. To that end an independent standard is highly desirable for both customers and suppliers.

    I have a clear preference for self-certification, and from the drafts I've seen even that would not be a light undertaking for a small vendor. I've seen external accreditation (eg ISO 9000) descend into sham too often, and the high cost of the audit is not always reflected in quality or efficacy. Whilst I am not against external accreditation in principle I feel it's not right for the SaaS industry. It would stifle innovation by locking out smaller startups, however professional and experienced they may be (as we would like to think we are).

    That leaves the danger of self-accreditation being claimed but not achieved. But in this day of instant and global communication via the Internet I think we can now leave it to the marketplace to expose fraudsters and therefore police the system.
    Guy Letts
  • If It's in the Cloud, Get It on Paper

    I recently published an article in Educause Quarterly intended to serve as a resource regarding how to enhance the benefits and mitigate the risks through effective contract negotiation and management. It can be viewed at:

    This article is intended to highlight some key contract issues that are either unique to Cloud Computing or essential to its effective adoption. Most of these issues don't have simple right or wrong answers, but must be evaluated based on your institution's needs and tolerance for risk. Examples of actual contract clauses in the article suggest ways of contractually addressing these issues.

    Hope this is helpful.

    Best regards,
    Thomas Trappler
    Thomas Trappler