New Zealand may beat US to cloud code of practice

Grazed from ComputerWorld.  Author: Stephen Bell.

New Zealand could be leading most of the world in the evolution of a code of practice for cloud computing.

Looking around the world, says project coordinator Joy Cottle, it appears there is only one fully-fledged code, in the UK. The US National Institute of Science and Technology (NIST) has developed terms of reference towards a code, a process that took two-and-a-half years. New Zealand’s code, scheduled to be issued in version 1.0 by the end of March next year, could well arrive before the NIST code is finalised, Cottle told a consultation meeting in Wellington. There is interest in the New Zealand code of practice effort from Australian parties with a stake in the cloud…

About 30 cloud providers, users and other stakeholders such as privacy commissioner’s office representative Simon Rae testified to the Wellington community’s willingness to participate in the evolution of the code. This series of meetings is directed to outlining the structure and approach of the code, with detail to be filled in on another round of meetings in January.

The initiative is being steered by a committee from a similar range of organisations, though the practicalities are being organised by the NZ Computer Society.

The meeting started with a note of disagreement, with talk of a “standard” for cloud computing being firmly swatted down by Xero CEO Rod Drury. The intention was not to provide a standard “saying you shall use this sort of server”, he says. Instead the industry and its potential customers should come to agreement on a general set of principles of good behaviour by cloud vendors, to avert the danger of a single careless cloud provider damaging the collective reputation of an emerging industry, Drury says.

The meeting, like others around the country, came out in favour of a simple set of disclosures of practice by each company, rather than a detailed list or a prescribed set of minimum standards. Self-assessment against a checklist might work just as well as a more expensive process of third-party assessment, the meeting reflected, though third-party assessment and even regular audit might be more appropriate for larger providers.

What should be in a code of practice? Good security and privacy came top, with assurance of availability and business continuity also figuring highly. Easy accessibility is another necessary factor, the meeting decided, following a discussion sparked by a representative of the NZ Foundation of the Blind.

Most of the detailed criteria could be summed up in the concept of taking good care of the customer’s data, Don Christie of Catalyst and NZRise suggested. However, the meeting debated some haziness around the borderlines of responsibility. Should it be the customer’s task to take regular backups of their data, for example, or is it one of the attractions of the cloud that the provider can be trusted to do that?

There was also some discussion on what measures of good service should fall within the scope of a general code of practice and what belongs in the service-level agreement clauses of an individual contract or existing consumer law.

Defining “cloud computing” is an essential prerequisite to a code and this has always been difficult, the meeting agreed. Definitions from NIST and the European Community were criticised as too complex – the European definition refers to “multiple granularities” of service.

Cottle had shown a definition to random people in central Wellington with all reference to the cloud deleted and asked them what it described. Few identified “the cloud”; answers included “the internet” and “Gmail”.

A candidate New Zealand definition has been drawn up, but the meeting took that apart, debating whether “scalable” was a necessary part of the definition or whether “on demand” covered that base; and if so, how fast the response had to be to meet the description “on demand”. It could take a day or two to provide a large increase in bandwidth for example.

The results of several meetings in Wellington and Auckland and one in Christchurch will be summarised and put back to attendees and other interested parties for comment. A “draft skeleton model” will be put out for further public comments in December, before meetings start on the detail of the code.

A deadline of March 30 next year has been set for the emergence of a firm first version of the code.

Draft NZ definition of cloud computing

“Cloud computing is on-demand scalable resources which are provided as a service, such as networks, servers and applications that are accessible via the internet by the end-user and can be rapidly provisioned and released with minimal effort or service provider interaction. Users do not need to have specialist knowledge of the technology and infrastructure that support them.”