Should cloud providers be certified?

Cloud certification

You only have to take a look over at our sister publication Cloud Pro to realise that the cloud is something of an enigma: every business is talking about making the move into it, but many are still holding back on pressing the deployment button due to fears surrounding data sovereignty, security and reliability.

The cloud FUD-factor (Fear, Uncertainty, Doubt) continues to run high, not least courtesy of rogue operators within the industry who happily participate in what has become known as cloudwashing: making claims about security and data protection that are nothing more than hot air.

I'm not suggesting that these cowboy cloud providers are commonplace; the truth is I just do not know who they are. And that's precisely the problem: without some kind of independent accreditation to identify the good guys, neither do you.

The cloud may be the buzzword of the moment, but that doesn't mean that CIOs suddenly lose all business acumen and abandon the tried and tested method of adopting new technology: slowly, once it has become proven in the market and is therefore low risk.

"It's similar to the VHS versus BETAMAX debate in the early 70's where those who invested early in the technically superior BETA product were left behind as the market adopted VHS as the standard," Stephen Ennis, director of services at Avnet Technology in Europe, the Middle East and Africa (EMEA), told IT Pro.

"CIOs wish to make the right choice for their immediate IT requirements and more importantly, the right choice for the longer term. CIOs need help with the selection of a cloud service provider; certification, where it exists, can be used as one of the criteria to distinguish between providers."

Real-world need or cloud marketing ploy?

And there's the rub: the cloud service provider (CSP) market is a hugely competitive one and, as such, all the players are looking for ways to stand out from the crowd and distinguish themselves. The danger is that certification becomes less about meeting a real-world need of customers and more about being a marketing ploy.

We put this very concern, very directly, to a number of players within the cloud marketplace. And most were keen to point out the benefits of 'credible' certification for CSPs.

Simon Rutt, services and solutions director at Trustmarque, argues that cloud service consumers could spend less time "looking under the bonnet of these organisations before buying" or "blindly signing up to services where their important data or end user service is at risk" and adoption rates would increase as confidence in the market grows. Rutt also insists that certification would improve the reputation of the industry and help shake off the "wild west image".

Peter Allwood, information and technology risk manager at Deloitte, insists that credibility is entering the certification market, with the likes of the Cloud Security Alliance (CSA) collaborating with the International Organisation for Standardisation (ISO) in an effort to define a consistent security standard for cloud providers. It is something that helps both cloud provider and consumer, Allwood adds. "Certification is desirable for customers sourcing from a crowded and competitive marketplace, and a cloud provider with a recognised certification is better positioned in the eyes of their customers," he says.

Not everyone we spoke to agreed though, with some seeing considerable negatives. "Certifications usually involve a huge amount of investment, not only financially, but also in critical resources, and do not actually achieve an awful lot," says Richard Davies, CEO at ElasticHosts. He added: "While large companies have these at their disposal and will be able to get that badge on their website with speed and ease, regardless of whether their product is good, this may not be so easy for smaller and in particular specialist providers."

Davies worries that smaller companies that have built expertise and experience in the market delivering a first rate service may end up being overlooked because they do not have this 'official' seal of approval. "In this way, such certifications could actually do more harm than good as these cloud providers are forced to divert funds away from critical business operations so that they can have a shiny new badge to add to their marketing material," he added.

DIY certification

If the cost of certification is a stumbling block, perhaps self-certification is the answer? Charles Weaver, CEO at the MSP Alliance, prefers the term 'self-regulation' and considers it to be a feasible and effective solution. "Self-regulation moves faster than official governments ever will due to the fast paced nature of technology," he says. "All professional organisations have this mechanism of self-governance!"

Most of the people we spoke to were less enthusiastic, it has to be said. Take Adrian Simpson, chief innovation officer at SAP UKI, who says that self-certification does serve a valuable purpose for cloud adoption, as there is still a validation process whereby applications need to be approved. But he also admits that such certification is likely to be an afterthought or a response to competition, with no one knocking at the provider's door to remind them. "Whilst self-certification is fit for purpose at the moment as the industry continues to get to grips with cloud and the portfolio of offerings expands, I expect it won't be viable," Simpson concludes.

Rich Lowe, CEO of BT Engage IT, is adamant that self-certification cannot be the answer, and rarely is in IT. "External exams and certifications ensure that the expertise and service provided is fit for purpose for the task at hand," he said, adding that "there isn't currently an effective policing or recourse process in place, so it would be hard to see how this wouldn't turn into more confusion for CIOs."

And Orlando Scott-Cowley from Mimecast was even more damning, insisting that "self-certification is essentially rubbish; it is no more reliable or better than marketing copy. It is no use unless there's a body of authority giving a scale to the rating."

Certificate authorities

OK, so who is out there giving a scale to those ratings? Who, if anybody, is setting the industry standard? Well, there's the MSP Alliance, which has had the Unified Certification Standard out there for eight years, and both CIF and CSA pushing their respective schemes hard. Or perhaps you might consider the various vendor certification schemes, such as Microsoft Cloud Services Certification, IBM certified solution provider Cloud Computing Architecture or Red Hat Premier Cloud Provider Certification? And let's not forget the broader ISO technology certificates such as ISO27001, for example. The problem should have already become quite clear, but if you need a little more clarity, then Ian Moyse, a director at Workbooks, is happy to offer it: "There is no one all encompassing cloud certification and it will be difficult to apply one that fits both all the cloud forms and the relevant parts," he says.

Not least because 'cloud' itself is a very generic, high-level description of all the Internet-based services that are available.

Viable alternatives?

So if not 'certification' broadly speaking, then what?

Sam Johnston, director of cloud and IT services at Equinix solutions, helped develop something called CloudAudit, which is now part of the CSA and allows cloud consumers to programmatically access audit-related information from providers so as to be able to make decisions about where to deploy. "An administrator could interrogate a cloud service using a console like enStratus (who were the first to implement CloudAudit) or an automated agent could select from a number of cloud providers on the fly," Johnston says, continuing "the challenge is that this assumes that cloud providers are willing to release sensitive information (e.g. firewall logs) to outsiders and that it makes sense for every consumer to audit every cloud service they want to use."

A better approach would be to publish assertions made by trusted third parties (e.g. auditors) about compliance with established security standards (e.g. PCI-DSS) rather than the raw data required to make those assertions, according to Johnston. "That way the cloud provider can be confident in the limited release of sensitive information under strict NDAs while the consumer can be confident that information has been viewed and verified by someone they trust."

Davies has a more straightforward alternative: user education. "What is needed is end-user education of what cloud is and what to expect from their cloud provider - i.e. scalable, PAYG, on-demand and self-service - anything less and you are walking into fake cloud territory," he insists.

"Before signing up to cloud hosting and beginning to move applications across, organisations need to carefully analyse the cloud credentials of a provider. The key is to not only look at the offering they are promising but also to ask questions - such as around the process involved in scaling server capacity up or down. Any mention of calling the hosting provider or waiting 24 hours at this point means that the offering is not actually cloud. In this instance, the organisation should simply walk away rather than be sucked into a fake cloud offering."

In conclusion

We will leave the final word to Ennis, who agrees that certification of cloud service providers is something of a mixed bag today, and a confusing one: technology vendors, security organisations and some network organisations all provide certification of their part of the solution, but generally not of the entire solution and not of the service provider.

"On top of this, a number of organisations are attempting to create and promote a standard certification for cloud service providers but there is no clear, single, winner yet," he says. "When there is a single recognised standard for cloud service providers it will certainly help CIOs in their selection process."

Cloud certification 101

Mac Scott, associate director at KPMG CIO Advisory, gives IT Pro readers the lowdown on cloud certification:

What is it?

"I would define cloud certification as the publishing of an agreed set of standards for a cloud service (for example, back up) and/or an industry sector (for example, retail banking), plus the implementation of cloud systems and services that meet those standards and can be audited against them."

How do you get it?

"At the moment, this varies. For security, most cloud providers state which security standards they comply with and then publish an audit by a single third party on their implementation of those standards. This works for a lot of generic requirements but fails to meet the detailed requirements of a number of industry sectors in an acceptable fashion (for example, financial services). The exception here is local and central government, where a set of standards and a certification process has been defined and agreed, with a number of vendors already implementing cloud services to meet these criteria."

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.