Pressure to comply with best practices around cloud gains ground
Recommendations from Gartner and ICO add to the debate
Guidance will help establish secure business relationships
The pressure to comply with a series of ‘best practices’ around the cloud is mounting, with several recent announcements contributing to the debate.
A report from Gartner yesterday argued that cloud providers should make a number of promises to customers and stick to them. It proposed six rights that all cloud computing customers should demand from their providers.
These include the right to retain ownership, use and control of one's own data; the right to demand service-level agreements that address liabilities, remediation and business outcomes; the right to receive notification and choice about changes that will affect the consumers' business processes; the right to insight into technical limitations or requirements of the service up front; and the right to know what security processes the provider follows.
Daryl Plummer, managing vice president of Gartner's Global IT Council for Cloud Services, said that adhering to the principles will help both parties "establish and maintain successful business relationships".
"If cloud services are commoditised, providers should offer stronger customer guarantees. However, service providers either do not offer protections or vary greatly in the protections they do offer," said Plummer.
Richard Stone, cloud computing manager at Compuware, a company that provides software that can manage speed of service from the cloud, argues that although the Gartner recommendations are helpful, customers will leave a web site if it isn’t performing quickly enough. "Actually, performance is as important as guaranteed availability," he said.
In a report released last week by the Information Commissioner’s Office, Personal Information Online Code of Practice, the office outlined a series of questions a company looking to procure cloud services should ask of its provider.
These included the following:
- Can the provider confirm in writing that it will only process data in accordance with your instructions and maintain an appropriate level of security?
- Can it guarantee the reliability and training of its staff wherever they are based? Does it have any form of professional accreditation?
- What capacity does it have for recovering from a serious technological or procedural failure?
The report also provides guidelines around data protection to companies offering cloud services.
According to Iain Bourne, co-author of the report, the driver for creating the document was that there is considerable legal uncertainty around the Data Protection Act, particularly with regard to online operations.
This is the first report produced by the ICO containing guidance around cloud computing. Bourne argued that although companies must comply with the Data Protection Act, there is no compliance guidance within the act. "We attempt to close the gap," he said.
“Most organisations using cloud services are determined to look after their data properly and so will have put measures in place to do so; this guidance is more aimed at companies providing services and those thinking about making the move into cloud,” he added.
Bourne also said that the legal issues around online data protection would be addressed by the Data Protection Directive. The directive is currently in the consultation phase.