An industry template for trust in the cloud
Cloud computing and SaaS, for all their successes and rapid growth, remain relatively new and unfamiliar to most computing buyers. Even when prospective customers are keen to take advantage of the low initial cost, rapid time to deploy and constantly refreshed technology of cloud services, they often find themselves stumped simply because they have no experience of buying cloud services and therefore don't know what questions they should be asking.
The industry has a responsibility to help buyers out here. There's now more than enough collective experience of the buying process to know what questions buyers have been asking. We probably also have a good idea by now, knowing what has gone wrong in the past, what questions they should have been asking but didn't. Several industry bodies have therefore launched initiatives to set up certification and auditing processes that will give buyers more confidence when evaluating providers — as well as giving providers some standard benchmarks for how they implement and manage their services.
We're not out of the woods yet, though. With several different initiatives coming out, how are buyers (and providers) supposed to know which ones to rely on? The next challenge for the industry is to provide some harmonization so that ultimately we can arrive at a broadly accepted template that can act as a solid foundation for trust in the cloud. Some customers will want more certainty than others, and therefore I can imagine that there's scope for several different programs to co-exist, serving different segments of the market. But the industry as a whole needs to send out clear messaging about this segmentation to avoid additional confusion.
I'll be at an open meeting this week in London that will bring together representatives of two new certification schemes to look at some of these issues. Hosted by EuroCloud UK (and co-located with SIIA OnDemand Europe 2010), the meeting will hear from Andy Burton, chair of the Cloud Industry Forum, which launches its Code of Practice for Cloud Service Providers next month; and from Andreas Weiss of EuroCloud in Germany, which is developing an Audit Seal for SaaS.
The meeting will aim to work out how these two initiatives will co-exist and whether they cover all the ground that's needed to deliver confidence in the cloud. One point of contention is going to be over self-certification versus external auditing. The CIF Code, which aims to set down some baseline requirements for all cloud providers, is largely based on self-certification and therefore depends on providers being honest and open (although the scheme's operators will actively police participants for compliance). The advantage of this is a low outlay for providers to sign up, which should encourage broad adoption. The EuroCloud SaaS Audit, in contrast, is specifically designed for SaaS providers and is much more detailed, including an independent audit of the data center. This makes it much more costly for providers, which could limit participation. On the other hand, customers may value it more because of the investment the provider has to make and the extra comfort that comes from external auditing.
In such a young and innovative industry, there are bound to be many participants and entrants who cannot fund expensive audit requirements from the outset. We must therefore be realistic and recognise that some perfectly reputable providers will chose not to pay for certifications or audits. What is vital, therefore, is the point I started out with — that we rapidly establish a common understanding of the basic questions any cloud services buyers should get answered as part of their due diligence during the buying process.
What are your views about certification and auditing of cloud and SaaS providers? If you can't make it to the meeting, post your views in Talkback below.