Sony PlayStation Network’s security incident and Amazon’s operational outage are not about the Cloud!
Recent market issues underpin need for standards and transparency in the Cloud
There is a clear temptation for the nay-sayers of Cloud computing to say “I told you so” when high profile events the like we have seen over recent days with Sony and Amazon come to light. However, the issues that impacted these businesses are not heightened because they are online services rather than on-premise, quite the contrary in fact, most credible online services take availability and security incredibly seriously as it underpins the essence of their businesses. The reason they are high profile is the level of public awareness of their brands, driven by historical growth and successes, and therefore, compounds the potential number of individuals and organisations impacted. But what lessons should we learn.
Andy Burton, chairman of CIF commented: “In no way should we make light of these operational failings, but neither should anyone assert or mislead the market with FUD (Fear, Uncertainty and Doubt) in to believing the delivery model is the issue when the operational and security practices were at fault and the issues are just as relevant for the on-premise business as they are to the online business.”
Andy continued “It is clear that there is still a lot of confusion in the market about exactly what cloud services are, how they can be deployed (private, Public, SaaS, Iaas etc), how secure or resilient they are etc. Yet at the heart of both these recent issues (and the lack of timely updates from the vendor’s) is the need for clarity and transparency, a topic championed by the Cloud Industry Forum through its Code of Practice for Cloud Service Providers. At the end of the day, for most people today a 100% availability and security guarantee is seen as a commercial statement of recourse and not a pre-determined operational fact. In the Amazon example it would appear that only customers with a specific geographic focus and data centre dependency were impacted whereas other customers subscribed to and using the full flexibility of their platform capability were not. This is an awareness and educational issue for their customers as it is obvious to most that hardware and applications can and will fail, but it is in the architecture, deployment and operation of the services where the Disaster Recovery capability has to be achieved, and could have been for these customers had they chosen a different basis of implementation.”
“Likewise, when it comes to security, what precautions had Sony PSN (or Epsilon whilst we are on the subject) got in place regarding public standards such as ISO27001, the Payment Card Industry Data Security Standard (PCI DSSS) or the Cloud Security Alliance CAIQ? In the age old truth of ‘caveat emptor’ (buyer beware), it is the absence of clear understanding that gives rise to concern and leads to the irrational post-event behaviour of ‘if only I had …’. It is possible that once all the facts are disclosed that the issue impacting Sony could have impacted any number of businesses on-premise or online. However, to be clear, the protection of data whether on-premise or online, will always be a point of innovation and change brought about by determined hackers and security professionals alike and there is no room for complacency. At the Cloud Industry Forum we want end users to have confidence in the cloud as a viable, efficient, secure and economical IT supply model, and we want them to have clarity in what they are investing in by requiring credible Service Providers to self certify against an industry Code of Practice that provides the users with the essential information they need to make an informed decision on both the risks and benefits associated with working with any particular Cloud Service provider vs an on-premise deployment.”
“Organisations complying with a CoP should have documented management systems, processes and resources in order to deliver services consistently for their customers 24/7 and enable service level information to be accessed by them.”
“It is important to be aware that these incidents are not typical occurrence within the cloud sector. It also emphasises the importance of a Code, which ensures CSPs offer transparency on their capability and accountability. We, at CIF, would welcome Sony PlayStation Network and Amazon Web Services to apply for self-certification through our CoP, to further validate their commitment to the market,” concluded Andy.
-ENDS-
NOTES TO EDITORS
About the Cloud Industry Forum (CIF)
The Cloud Industry Forum (CIF) was established in direct response to the evolving supply models for the delivery of software and IT services that has expanded well beyond the traditional on-premise method to one that now embraces hosted and/or, pay-as-you-use Cloud solutions.
CIF’s purpose is twofold: To drive a common and public level of transparency about the capability, substance and best practices of online Service Providers (SaaS, PaaS, IaaS, Web hosting providers etc) through a process of self-certification to a Code of Practice. Second, this Code of Practice, and the use of the related Certification Mark on participant’s web sites, provides comfort and promotes trust to businesses and individuals wishing to leverage the commercial, financial and agile operations capabilities that the Cloud based and hosted solutions can offer. CIF is ensuring the integrity and governance of the self-certification process through regular random audits as well as investigating complaints from parties that challenge any specific participants self-certification status.
Our ambition is to bring business consumers and suppliers of Cloud and Hosted Services closer together in a trusted, sustainable and rewarding ecosystem.
http://www.cloudindustryforum.org/
Press Contact:
Georgina Heaume
Spreckley Partners Ltd.
T: 020 7388 9988
