What Is The Role Of Cloud Trade Associations And Codes Of Practice?

We're all now used to seeing the reports published by the big market research firms highlighting the phenomenal growth in the Cloud computing industry. In a report published at the end of 2010, Gartner estimated that "over the course of the next five years, enterprises will spend $112 billion cumulatively on software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS), combined".

Back in 2009 the revered cloud blogger Reuven Cohen published an article titled 'The Case for a Cloud Computing Trade Association', in which he discussed how the cloud industry, with its huge growth and revenue, might benefit from the creation of a cloud computing trade association. Since writing that article the industry has moved on and a small number of cloud computing trade associations, and perhaps more importantly their codes of practice, have appeared. That said, like the cloud industry itself, they are still relatively immature. Like Reuven, I strongly believe that in order for cloud computing to grow as predicted the role of the cloud trade associations and the codes of practice they introduce should not be underestimated.

At this point, just to ensure we are all aligned in our understanding of the two terms, I thought I’d provide the Wikipedia definitions:

- "a trade association, is an organization founded and funded by businesses that operate in a specific industry. An industry association participates in public relations activities such as advertising, education, political donations, lobbying and publishing, but its main focus is collaboration between companies, or standardization."

- "a code of conduct (practice), is a set of rules outlining the responsibilities of or proper practices for an individual or organization."

So let’s be clear on one thing – this is not a technology conversation, nor should it be. Organisations have generally accepted cloud technologies; however, there is still a great deal of concern and uncertainty when it comes to the selection of cloud service providers and solutions. It is in this area I believe the trade associations can be of most use. In November 2010 the Cloud Industry Forum (CIF) launched its long-awaited Code of Practice. More than 200 organisations were involved in the process of drafting the code and it has been widely welcomed by an industry in desperate need of standards.

There are three main pillars to the CIF code of practice – transparency, capability and accountability.

For transparency, CIF states: “The Code does not specify best practice in cloud computing except with respect to transparency. Organisations complying with the Code shall conduct themselves in an open and transparent manner which facilitates rational decision-making and management by purchasers of their services.”

CIF then measures a company’s capability to “perform essential management functions” and ensures they are “accountable for their compliance with the code and for their behaviour with customers.”

To gain certification, companies can opt for either annual self-certification, subject to spot checks by CIF, or go for independent certification by the organisation. Those who pass will then be allowed to use the independent certification mark and be listed on CIF’s website.

With most providers likely to opt for the self-certification, many might argue that it is a pointless exercise, providing worthless certifications; however, I strongly disagree. What CIF have done is create the first ‘standardised’ list of service requirements/components organisations can use to compare providers. It is also in the interest of the CIF to spot check these certifications, as these days it only takes a few well-publicised non-compliance cases to ruin their reputation. Once the self-certification has become established, I believe more providers will look to achieve the more advanced certification level in order to differentiate themselves from the rest of the pack.

From an industry perspective, CIF certifications are likely to drive further adoption in two ways. Firstly, the industry as a whole will gain new levels of trust as the weaker providers disappear or are forced to improve their services in order to comply. Secondly, with certain levels of due diligence already performed on the service providers, potential cloud customers can accelerate the process of selecting and ultimately provisioning cloud services.

There is no doubt that security and regulatory compliance are seen as two of the biggest barriers to cloud adoption. The Cloud Security Alliance (CSA) was formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

So, although they do not formally certify cloud providers or services, the CSA has united representatives from a wide variety of disciplines in order to:

- “Promote a common level of understanding between the consumers and providers of cloud computing regarding the necessary security requirements and attestation of assurance.”

- “Promote independent research into best practices for cloud computing security.”

- “Launch awareness campaigns and educational programs on the appropriate uses of cloud computing and cloud security solutions.”

- “Create consensus lists of issues and guidance for cloud security assurance”

Let’s be honest, a few too many people have tried to squeeze ‘cloud’ into their professional title in the last 12-18 months, but that doesn’t mean they are all experts – far from it in fact! In a first of its kind within the industry, last year the CSA launched the Certificate of Cloud Security Knowledge (CCSK). Unlike the CIF’s certification, the CCSK is focused on individuals and is designed to ensure that professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud. Again, these certifications should go a long way to help ensure that cloud solutions, both private and public, are implemented to best practices, thus reducing the risk of failed/poor implementations and increasing the levels of trust across the market.

In this article I’ve only highlighted the work of two of the leading cloud trade associations and there are of course others (such as EuroCloud), but whatever their focus they all have similar intentions – to promote the benefits of cloud, encourage cloud adoption, develop industry-wide standards, ensure best practice and educate the wider community. Whilst it’s true that trade associations in other industries and IT sectors aren’t always considered to be working in the wider audience’s best interests, if they can achieve the majority of the intentions detailed above it will be a huge benefit to the cloud industry as a whole.