Cloud computing has been a game changer in the technology space: organisations no longer need to provision their own data centres or maintain their own hardware, operating systems and levels of application infrastructure. Hosting all of these with a cloud provider does, however, attract a level of risk – the stability of the cloud provider, the location and security of their service, the robustness of service level agreements (SLAs) and disclosure of information, to name just a few.
In recent months OptimalBI has provisioned a SAS Visual Analytics hosted service using Amazon’s cloud platform, AWS. This has thrust me into the centre of understanding not only the AWS offering and its terms and conditions from a commercial perspective, considering how we dovetail our contracts and service offering (SLAs and the like), but also who the other players in this space are. What I have discovered are blogs, articles and forums all over the internet discussing different providers and the level to which they disclose these details, even down to who carries out full background checks on their staff and who doesn’t – indicating there is a transparency question in the minds of consumers.
New Zealand has recently developed and published the Cloudcode, a Cloud Computing Code of Practice and complaints process collaboratively developed by local and international organisations. You can see who has signed up to the Cloudcode in the list of signatories, which also includes those currently in the process of signing up. The telling thing from my perspective is who hasn’t signed up (or isn’t in the process of signing up): neither the local heavy hitter Datacom nor the global big players like Google, Amazon or Microsoft are present on this list. Why wouldn’t they sign up, I wonder? Well, looking at the list of principles the practice encompasses (below) may tell us something – especially in light of recent media coverage on the Law Enforcement one.
- Corporate Identity including full contact details and details of which jurisdictional laws and regulations apply;
- Ownership of Information outlining who owns information once it’s been uploaded, including Metadata;
- Security standards and processes in place;
- Data Location including where backup data is stored (and thus what legal jurisdiction might apply);
- Data Access and Use including who can access it and what happens at the end of the service provision;
- Backup and Maintenance including how data is backed up, where and whether restorations are tested;
- Geographic Diversity of service;
- SLA and Support including when and how service is typically offered;
- Data Transportability focusing on how to get data in and out, especially when the service ceases;
- Business Continuity including redundancy and failover;
- Data Formats for data import and export, where relevant;
- Ownership of Application including whether it may be used locally;
- Customer Engagement including client audit, acceptable use policies and a privacy policy;
- Data Breaches outlining what will happen in the event of a data breach;
- Law Enforcement including what is disclosed without a warrant;
- In the case of New Zealand, confirmation of whether or not the provider will follow the NZ Privacy Commissioner’s guidelines on breach notification.
Australia is looking to leverage the NZ cloud code, although I note the media have fallen silent on the topic recently. This blog contains links to the relevant bodies in Australia pursuing governance, standards and strategies at present.
Here is my advice if you are looking to sign up with a cloud provider:
- Know what you are willing to compromise on – data location? transportability? outage times? cost?
- Do your homework – research the provider, read the forums and blogs
- Ask questions – if their FAQs don’t answer your questions, ask more, follow all of the links and keep reading
- If you are in NZ, consider the providers who have signed up to the Cloudcode – another good question to ask if they haven’t signed up
- If you are in Australia – ask whether they will be signing up to the code once developed
- Assess the risk – take the time to complete a risk assessment on this provider. Can you mitigate with a dual provider strategy, perhaps?
I won’t get started on cost and other associated pet topics like All Of Government initiatives driving up cost to the taxpayer instead of realising the cost benefits they proffered to achieve – a topic for another blog.
I am impressed with the work that has gone into the NZ CloudCode and tip my hat to the organisations and individuals who contributed and signed up to this code! Thanks folks. Vic.