Cloud computing users are shifting their focus from what the cloud offers to what it lacks. What it offers is clear, such as the ability to rapidly scale and provision, but the list of what it is missing seems to be growing by the day.
Cloud computing lacks standards about data handling and security practices, and even whether a vendor has an obligation to tell users whether their data is in the U.S. or not. And the industry is only beginning to sort out these issues through groups, such as the year-old Cloud Security Alliance.
The cloud computing industry has some of the characteristics of a Wild West boomtown. But the local saloon’s name is Frustration. That’s the one word that seems to be popping up more and more in discussions, particularly at the SaaScon 2010 conference here this week.
This frustration about the lack of standards grows as cloud-based services take root in enterprises. Take Orbitz LLC, the large travel company with multiple businesses that offer an increasingly broad range of services, such as scheduling golf tee times, and booking concerts and cruises.
As with many firms that have turned to cloud-based services, Orbitz is both a provider and a user of cloud-based software as a service (SaaS) offerings. Ed Bellis, chief information security officer at Orbitz, credits SaaS services, in particular, with enabling the company’s growth and allowing it to concentrate on its core competencies.
But in providing SaaS services, Orbitz must address a range of due diligence requirements from customers that are “all across the board” and can vary widely, including on-site audits and data center inspections, he said.
A potential solution is a security data standard being developed by the Cloud Security Alliance that would expose data in a common format and give customers an understanding of exactly “what our security posture is today,” said Bellis.
If an agreement can be reached on such a standard “it would be heaven,” said Bellis, and would “cut out a third of our internal work on due diligence.” But he doesn’t know when or if that standard will be reached because of the work it will take to get a large number of users and providers to agree on it.
At the SaaScon conference, in interviews and on panels, the need for industry agreements was apparent. While the idea behind cloud-based services is flexibility, the ability to rapidly scale and provision servers, contracts with vendors may be anything but flexible, as Keith Waldorf, vice president of operations at e-prescription service Doctor Dispense LLC, discovered.
Waldorf spoke of one service provider he previously worked with that upgraded its services, while his service-level agreement (SLA) kept him locked in to using only the software and hardware he had initially signed up for.
The types of agreements offered by cloud providers “are all over the map and it’s really vendor driven,” Waldorf said. He has since moved his services to StrataScale Inc., a Sacramento, Calif.-based firm that gives him dedicated hardware that’s managed virtually.
The big cloud customers, such as the City of Los Angeles, which reached an agreement for unlimited damages with Google when it contracted to use its Google Apps services, should Google ever violate its nondisclosure agreements, can negotiate terms that may give them transparency and enforcement leverage.
But many other users don’t have that clout, and in many cases cloud providers may not even provide the logging information needed to prove a breach, said Jim Reavis, the founder of the Cloud Security Alliance.
Jeff Spivey, president of Security Risk Management Inc., said the market has to define its needs, because for now “the vendors are driving the service.”
Predicting when the industry will reach agreements that set levels of transparency about data handling procedures and security is not something anyone was willing to bet on.