Computer societies mull Asia Pacific cloud code

A New Zealand-born code of practice for cloud computing services could be extended for use in Australia and across the Asia Pacific by the end of the year, according to sources.

The 18-page code (pdf), released in May, was developed by the Institute of IT Professionals New Zealand (the former New Zealand Computer Society) as a voluntary benchmark for disclosure of key information on infrastructure security, location, and data portability.

The code was funded by the likes of New Zealand-based Gen-i and Xero as well as Salesforce.com and Google, though it remains unclear whether the latter providers have registered compliance with the code.

However, a similar code could be launched in Australia after Australian Computer Society president Nick Tate recommended its adaptation to local legislation and cloud providers last month.

The code could also be adapted for use elsewhere in the Asia Pacific, pending discussions with counterpart computer societies in Singapore, Malaysia and Hong Kong.

Development of such a code is one of several results expected from the National Standing Committee on Cloud Computing, a government-endorsed panel of consumer groups and cloud vendors established last year by think tank Global Access Partners.

It sought to establish a "trust mark" for locally- and foreign-hosted cloud services based on concepts similar to the New Zealand approach, while determining the potential impact of overseas legislation like the US Patriot Act on cloud services from US-based companies.

The committee is chaired by Keith Besgrove, first assistant secretary of digital services at the Department of Broadband, Communications and the Digital Economy.

Committee members include several cloud vendors and consumer group ACCAN.

Sophos managing director Rob Forsyth, who joined the committee in March, told iTnews the group hoped to establish a code by the end of the year to protect small businesses and consumers when they procure cloud services in Australia.

"There’s a different balance of power with bigger companies — bigger companies have professionals to negotiate terms and conditions that suit them for their own needs, they look at the commercial relationship, how much they’re going to pay for something," he said.

"They have a different level of power. Smaller businesses and consumers are disempowered when dealing with cloud applications; it’s a take it or leave it scenario. So getting the right level of confidence in the smaller businesses where there is less power has been seen as much more important that smaller businesses."

The committee would revise the code and introduce any relevant standards within a year of establishment.

If adopted verbatim from the New Zealand counterpart, the code of practice would require providers to disclose information including:

• corporate identity;
• data ownership and security, as well as data location;
• data access, use, backup and maintenance procedures;
• geographic diversity, service levels and support;
• data breach notification;
• data transportability and business continuity;
• data formats; and
• ownership of hosted applications.

The New Zealand version also prescribes that compliant members implement security standards set by the Cloud Security Alliance, but all other aspects are effectively voluntary.

Committee founders Global Access Partners did not respond to a request for comment by the time of writing, while a spokeswoman for ACCAN said details of the code adoption were still being discussed.

However, a cloud forum being held by Global Access Partners in Sydney tomorrow, and addressed by communications minister Stephen Conroy, could become a further push for negotiations on the code.