Cloud Industry Code of Practice: useful or cloudwashing?

I’ve said on many an occasion that the SaaS/on-demand/cloud (pick your favourite buzzword or just choose SOC) has done a poor job in stemming the flow of fear, uncertainty and doubt (FUD) or dealing with the endless stream of inane posts or comments on topics like security, reliability or that great catch all ‘standards.’ Some months back, I had hoped that might change for reasons I’ll explain shortly.

As I ended my travels, I spotted a note from David Terrar that said:

I wanted to mention that the 3 UK SaaS vendor groups (Intellect SaaS Group, Eurocloud UK and BASDA Cloud SIG) have been talking about security standards together with ICAEW, but have decided to work with the Cloud Industry Forum, which was instigated by the Federation Against Software Theft, but now has many of the major industry players involved.  The intention is to have 2 levels of quality mark, or standard incorporating a code of practice.  Part of the intention is to make any accreditation practical and affordable for the smaller vendors and start ups, as well as the big boys.  Find out more, and join in the public consultation here:

http://www.cloudindustryforum.org/

I was more than a little miffed. Some months back I had encouraged the three groups to enter discussions with ICAEW to achieve exactly the same thing because in my view, ICAEW could act as the neutral body capable of bringing credibility to the table in the interests of the buyer. All I was doing was acting as the ‘dot joiner.’ David reckons he told me about the CIF decision but I cannot recall and given my interest in the topic I think I would remember something that important. Be that as it may. It seems that CIF was already in process of thinking about this and so the vendors hitched to that particular wagon. Even so, I was miffed because as I asked David: ‘Where’s the voice of the customer?’ After a few moments of awkward silence, David agreed that something needed to be done.

Who is CIF?

The Cloud Industry Forum (CIF) is an industry body that champions and advocates the adoption and use of online (cloud based) services by businesses.

We use our resources to support a credible self certifying Code of Practice that provides transparency of Cloud service supplier operations and capability such that consumers can have clarity and confidence in their choice of provider.

If you look at its registration form, nowhere does the word ‘user’ appear. Ergo and regardless of grand statements about ‘stakeholders’ this is a sell side only body. If it is claiming to act in the interests of users then it would have pro-actively co-opted representatives from ICAEW, ACCA, CIMA, UK Business Forums and a clutch of other large industry representative organizations. That does not appear to have happened although I am led to believe ICAEW has been nudged on this one. Why should it matter? Let’s start with why codes are important.

1. Apart from the FUD stuff, there is no industry leader with enough clout to lay down any standards or codes. In the 80s/90s Microsoft defined much of what we see today but there is no 21 st century equivalent.
2. Even if you argue that Google or Amazon represent powerhouses capable of setting some sort of standard you quickly run into all sorts of issues that directly impact the applications space. Therefore something needs to be done.
3. SOC is different in that buyers are trading service for infrastructure they’d otherwise manage as part of the overall package. Without some sort of code in place, users are flying blind with no means to directly compare one service offering from another.
4. As services scale issues will arise. No-one wants to see a repeat of 90′s style disaster stories because in a SOC world, what affects one affects all. Codes will not eliminate the likelihood of problems but they can go some way towards preventing outright disaster.

Why is the voice of the customer important? When I argued for ICAEW taking a central role I saw this as a way for a neutral body with a slight leaning towards the customer taking a lead. That should help the development of higher quality codes along with opportunities for ironing out misunderstanding or allaying fears. So what’s happened here? The industry has reverted to its default position of trying to work something out that will almost certainly end up representing the lowest common denominator in thinking.

A common thread between what CIF is doing and what was thought of at ICAEW is the notion of delivering a code that can be quickly embraced by even the smallest players. That’s a good thing as it helps even the playing field on the sell side. However, without the voice of the customer then I fear this will end up as something vague and of dubious value. David was at pains to point out that the document is meant to be open for public comment. I can find almost no publicity such that customers might take an interest. Saying ‘it’s out on the web’ doesn’t cut it when as far as I know, CIF is unknown outside its industry roots.What was even more surprising, the consultation date was initially closed as at yesterday though now is extended through to 15th June. I don’t see that as anything more than a sop. The initial consultation period was one month, barely enough time for the ink to dry. Even then, there is no commitment to incorporate comments, only to consider.

All of which leaves me less than hopeful that whatever they turn out, it will be wholly skewed to industry needs. That would represent a significant lost opportunity while opening the treasure chest for consultants advising on cloud computing. At worst this could end up a new variation of cloudwashing.

Tagged as: CIF, Cloud computing, Cloud Industry Forum, cloud washing, Federation Against Software Theft, ICAEW, standards