Cloud computing – the unregulated wild west!

It takes more in licensing, training and continued education to become a motor mechanic or a hairdresser, or to gain a diploma, than it does to become a cloud-based provider. A cloud provider can invest thousands of dollars in an infrastructure, do a vendor-based course, get hundreds of clients, store hundreds of people's confidential data and have no more training and certification than a level one diploma in art.

In addition to that, there are no standards in storage and security and, worst of all, in most cases the provider is the owner of the information and data that you have put in their care (have a look at the T's and C's for Dropbox sometime).

With the huge uptake of cloud-based services, thinking this through, there could be major problems on the horizon. Most companies will do their due diligence on the migration to a cloud solution, but some will not.

It is easy enough to get testimonials for your business, both video and written (look at fiver.com). It is easy enough to set up a cloud-based environment, and once you have the clients you can pull the rug and hold those businesses' critical data to ransom.

Is there a solution?

At present there are two schools of thought: government regulations or industry standards. To tell you the truth, government regulations will probably not work. Government regulations always seem to be reactionary, something that happens after the technology or environment has been proven to work, or someone has complained (think: the noisy minority), or the government coffers want filling. Being reactionary puts the government in the position of playing catch-up, something none of them are good at.

Industry standards, on the other hand, have a way of moulding and forming the industry into a compliant and consistent delivery. In addition to this, we have to get away from vendor-based certification: just because a business is certified with a technology does not make it a viable concern as a cloud provider.

The notions of ethics, honesty and integrity also have to be a consideration when it comes to looking at a cloud provider managing other businesses' critical data.

All of these components, when combined, point to an industry-based certification process. This process will need to look at a number of business criteria. Financial viability, third-party access to data, data location and accountability are just a few of the areas that have to be considered in a certification process.

These criteria will ensure that all cloud providers have a standard that they work to. Although a certification process will protect the clients of the cloud provider, it will also ensure that the cloud provider cannot deviate from a standard that everyone has agreed on.

There are only two areas where I can see a failure of industry standards: little providers get caught up and have to play catch-up. A small provider, supporting 10 to 20 high-end clients in a boutique type of delivery, may be considered outside the standards because of one of the set criteria; this has to be considered.

Some types of innovation will be stifled in a standardised cloud provider environment. If innovation is stifled then investment could be as well.

I am not sure if these are the solutions, but the delivery of cloud solutions and the management of cloud providers is something that will need to be sorted out sooner rather than later. I think the article by Charles Weaver, CEO of MSPAlliance, is something akin to a road map for the delivery of a certification process.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisations using the principles of Technology, Management, Adaptability and Compliance.