Keeping the bastards honest
Contracts are all well and good, but how do you know whether the cloud services are actually being provided as the contract specifies?
"I'd actually argue, in the case of traditional outsourcing, that the customer needs to be conducting regular on-site audits anyway," says Logica's Ajoy Ghosh. "That doesn't change in the cloud scenario, except perhaps that you may choose to do it more frequently."
However, Microsoft, to choose just one example, does not permit visitors to its datacentres. Even Microsoft's own staff are banned unless there's an approved business need. The company is secretive about the locations and even the number of its datacentres, saying publicly only that there are more than ten but fewer than a hundred.
"How do you audit something which is part of somebody's private infrastructure?" asks Sophos' Paul Ducklin. He points to Google's Wi-Fi privacy disaster, where even Google didn't know that its code had breached regulations.
"When the provider themself says, 'Hey look, that was just a blunder', it does start to raise questions," Ducklin says. "How can I put my hand on my heart to my customers and say, 'I am looking after your data to the standard X or Y or Z?' All you can do is take the word of your cloud provider for it and, as experience suggests, even they may come up short in understanding exactly what's going on where because of all that nimbleness and flexibility."
Microsoft's response is that openness, or at least partial openness, builds trust.
"The thing we do to allow that trust is to publish our compliance framework," says Mark Estberg, who leads risk and compliance management for Microsoft's online services. "You can see the specific control objectives and control activity we measure ourselves against, and we bring in a third party to measure ourselves against that."
In the case of Microsoft's ISO 27001 certification, for example, that measurement is conducted by the British Standards Institute, and the documentation is published online.
Both Amazon and Microsoft hold SAS-70 audit certifications. However, all that says is that the organisations are meeting their own standards. Whether those standards meet your business needs is a separate question, and again it points to your purchasing team having a good understanding of the details.
Ducklin, meanwhile, is sceptical of these audits.
"I'm just not sure how you can have that same level of what you might call 'scientific comfort' with a pure cloud service, where you're trusting the provider, and the provider's network, and anybody who's ever had a look at how that service works," he says. "So I think it's great to have that external scrutiny, much better than 'Hey, trust us, she'll be right.' But on the other hand the idea of maintaining that certification and correctness with everybody's data, it does seem to beggar belief that that sort of promise could reasonably be made by a pure-play cloud provider."