Enterprises are being asked to rent highly commoditised public cloud services on the basis of trust, according to a report by Truman Hoyle released yesterday.
The paper – available for download and summarised by iTnews – revealed that nearly all public cloud computing providers make no guarantees around security and liability, and often offer terms for transitioning out of the cloud that are far from generous enough for the enterprise.
Truman Hoyle partner Mark Vincent told the audience on several occasions that the few guarantees featured in standard contracts - usually around availability, for example - would “not provide a significant remedy in the contract”.
The track record of any given provider is thus going to become the key issue - not just the number of breaches or outages, but how the service provider chooses to respond to them. Vincent expects "transparency" to be absolutely essential.
The consequences of those events are more likely to be played out in the media than in the courts.
Efforts like the Common Assurance Maturity Model, which rates cloud service providers on objective criteria, will also grow in importance.
Vincent said enterprises should choose a service provider with “some reputational risk at stake with you - some skin in the game; a vendor that might suffer if there is a security or privacy breach or a significant amount of downtime.”
Raghu Raghuram, senior vice president of cloud at event sponsor VMware, told the audience that there was a role for vendors to play in helping to differentiate those providers willing to “have skin in the game”.
VMware, for example, is accrediting its service provider partners based on whether they “agree to certain standards” around security and compliance.
“That’s a selling point they have – putting their reputational risk on the line,” he said.
Whilst he did not anticipate much movement in areas such as liability, Vincent said he expected service providers to offer better terms as cloud computing matures – particularly around issues such as “transition out”.
“Contractually, transition out is a bit on the thin side,” he said. “Those promises the industry makes will have to get better.”
Vincent noted that cloud computing providers have recently been sending out press releases or publishing blog posts based on positive changes being made to their standard terms - Google being a recent example.
For enterprise IT, the challenge is educating employees about the inherent dangers lurking in these contracts.
Data Centre specialist Sally Parker told the audience that aside from start-ups, it is “lines of business [in the enterprise] with their own funding” that tend to be using public cloud computing - what is often described as "stealth IT".
“The latency of response from the IT department internally to go through procurement and set up systems is sometimes not fast enough for the lines of business responding to competitive pressures in the market, so they take the initiative to go to public cloud” with a swipe of the credit card, she said.
Enterprise IT needs to offer self-service portals, automation and standard operating environments to increase the speed at which it can deploy resources for these users, she said.
“The IT department needs to transition into being a service broker that looks at the requests that come in and makes a decision about how to best respond to this need with the interests of the company front of mind.”