As the cloud computing market matures, consumers of cloud services are beginning to realise that successful use of the cloud means more than just getting a cheap and convenient service. Two new documents from the European Union and New Zealand highlight the importance of covering off other factors when buying or using cloud services. The European Network and Information Security Agency (ENISA) has released a document – Procure Secure – which sets out guidelines on how to measure and monitor security of cloud computing services on an ongoing basis. The New Zealand Computer Society is facilitating a Cloud Computing Code of Practice, and has just released a draft for public consultation.
To me, this indicates two things:
- Firstly, that organisations are taking cloud computing as seriously as they take major on-premise computing deployments. The ENISA work indicates that the EU public service is taking cloud computing seriously enough to invest significant amounts of time and effort in addressing operational and security issues with the model. The NZ Computer Society will be reacting to member and industry demand for more transparency in measuring cloud services because they are becoming more and more important.
- Secondly, that cloud computing is no longer about the lower cost and convenience of cloud services but is all about what is wrapped up in that nebulous term “as a service”. The promise of cloud (and its various “as-a-Service” flavours) is that it takes the heavy lifting of maintaining and running IT out of your organisation and puts it into an organisation that performs those functions as its core business.
The question is exactly how much of that heavy lifting the cloud service provider is taking off you. As a large number of people found out last year during the Amazon Web Services outage, it might not be as much as you think. The entire outage scenario was complicated, but from an assessment and commercial perspective the central point is that, according to Gartner, no SLA was breached by this significant outage. That is because the SLA is defined as 99.95% availability for multi-availability-zone deployments, and the outage only affected those who did not have applications using multiple availability zones. In addition, the SLA did not cover the services that were affected. The lessons here are salutary: understand what is included in your cloud service (multi-zone resiliency is not included in the AWS service; you have to purchase and architect for that yourself) and understand what your SLA covers.
What the two recently released documents are trying to do is make cloud consumers more critical in how they look at cloud services (both), give cloud consumers ways to check that they are getting what they have paid for (ENISA), and give a greater transparency to the offerings of cloud providers (NZ Cloud Code). In this sense they are both part of a larger move towards clarity, transparency and awareness of what exactly is included in a cloud provider’s service offering – that is a very good thing for the cloud computing service provider industry and the IT industry as a whole.