CIF Code of Practice: Seeking Transparency in the Cloud
On 22 November 2010, the CIF launched a Code of Practice ("Code") in the hope of improving standards in the industry and promoting confidence in cloud services.
The UK's Cloud Industry Forum (CIF) is an industry body that was established in 2009 to advocate the adoption and use of cloud-based services by businesses. On 22 November 2010, the CIF launched a Code of Practice ("Code") in the hope of improving standards in the industry and promoting confidence in cloud services. The CIF did this in response to a general wariness of cloud computing among UK businesses, stemming in particular from issues such as security, data portability and a lack of trust in cloud-based solutions.
The scope of the Code covers all organisations offering remotely-hosted IT services of any type, including multi-tenanted cloud-based services. The two main aims of the Code are, firstly, to encourage transparency within the industry through a self-certification process, and secondly, to promote trust in cloud services among customers through the use of a certification mark on participants' websites.
Organisations that join the CIF and pay a self-certification fee can conduct an annual self-certification process against the Code and confirm the results to CIF in order to receive the self-certification mark. An independent certification process will also be available in 2011, although the CIF only expects a limited number of larger organisations to opt for this process due to the higher fees.
CIF states that it will conduct random audits of companies that have self-certified, and will investigate complaints from parties challenging an organisation's self-certification status. If it finds that there has been a false declaration or material non-conformity with the Code, the CIF gives itself the discretion to suspend or terminate an organisation's use of the certification mark and to publicise its actions.
The Code incorporates three principles (transparency, capability and accountability) and sets out the requirements that service providers must meet, and continue to adhere to, in respect of each.
The first, and arguably the most important, principle, transparency, requires the organisation to make certain information available and separates this into two categories: (1) information such as corporate identity, scope of operation and its compliance with the Code, which must be located on its website in a required format; and (2) confidential information that should, as best practice, be disclosed to potential customers, including commercial terms, financial stability, personnel profile (including pre-vetting of employees), IT security, the ability to conduct audits of the service provider and the location(s) where data will or may be processed.
Customers should conduct due diligence before choosing a particular provider in order to manage their risks when moving to cloud-based solutions. The Code is intended to help make this process easier, as in theory more information should be available on cloud providers' websites and on request. However, some cloud service providers are uncertain of whether the Code will deliver the intended benefits.
Michel Robert, Managing Director of Claranet UK, a leading managed services provider, considers that "a key benefit of any certification is to help customers to make more informed buying decisions. From our perspective as a cloud service provider, we're not convinced that the self-certification offered by the CIF would do this for our prospective customers. Even if we were certified, our potential customers – who are usually medium to large organisations that are considering placing a substantial proportion of their IT infrastructure in the cloud – would want to conduct proper due diligence on us and our services. This means that the utility of the self-certification to us would be limited to its potential use as a marketing tool."
The benefits may, however, be more compelling for small businesses choosing between cloud providers, or for small or start-up providers offering low-end cloud services. Robert agrees, saying that "where purchase decisions do not require extensive vetting of things like service level agreements and service descriptions, the self-certification may prove relevant, and worth the investment."
Ultimately, though, there are doubts as to whether the Code is the best approach to tackling the issues facing both customers and suppliers in the industry. This will only become evident once the certification process has been tested – and suppliers' interest in the scheme has been gauged – over time.
Robert instead suggests that established, market-relevant certifications should be updated to apply to cloud services. For example, in his view, "standards such as PCI DSS and SAS70 should be amended to factor in virtualisation and cloud services". This would "enable service providers to tailor their cloud offering to ensure compliance with these standards, and in doing so provide services that are more relevant, and therefore more compelling, to their customers."
Nevertheless, the principles of the Code are sound, and any move to increase transparency in the industry should be welcomed. It is doubtful whether the Code provides the complete solution, however, and a reassessment of existing industry standards in light of the cloud would also be beneficial.
Until the law keeps pace with emerging technologies, the challenge will be to use the existing legal framework to support their adoption.