The National Australia Bank, parent of the BNZ Bank, will be the first test bed for a common cloud-provider security assurance model, defined by the international Open Data Centre Alliance – an alliance of customers and ICT companies designed to ensure user input into planning for long-term datacentre requirements. A particular emphasis for the one-year-old alliance is to help ensure that customers purchasing cloud computing services know clearly the characteristics of what is being offered and the integrity of the supplier so they can judge how well their requirements will be matched.
The provider security assurance model is one of eight models devised by the alliance to introduce greater certainty to cloud requirements specification and contract negotiations. It provides standard definitions of security for cloud services, details mechanisms for service providers to demonstrate compliance, and “gives organisations the ability to validate adherence to security standards within cloud services,” says the alliance specification.
There are a number of reasons for taking a role in proving the concept of cloud provider security assurance, says NAB CIO Adam Bennett. “One I think we all recognise: cloud is emerging as a force in technology across many [application fields],” he says. “It’s very seldom you get a chance to get in at ground level and shape how something as important as the cloud develops.
“The other interesting thing about ODCA is that it represents the business customer’s perspective rather than that of the vendors - while they may have a legitimate view on how cloud computing develops, it is a different view.
“The cross-industry nature of the alliance means not only will we be working with people from global industries who have a stake in this; we will be learning from them. We reserve our right to get smarter,” Bennett says.
“Lastly, getting in on the ground floor of cloud computing is a real plus for our people in their career opportunities.”
Other models developed by the ODCA cover such aspects as monitoring legal and regulatory compliance in the cloud; virtual machine interoperability control; input-output control and measurement of carbon footprint associated with cloud operation.
[On March 1] the ODCA announced the release of “RFP language” associated with the models. The customer ticks boxes to describe the cloud factors sought in the RFP and a software routine picks the right phrases, incorporating industry-standard definitions, for insertion in the RFP text.
Among the more-than-300 ODCA members are relatively few providers. These are mostly providers of general ICT services, such as Dell and EMC, and general consultancy, such as CAP-Gemini. Cloud provider Rackspace is also a member.
The scarcity of provider involvement should not be seen as a shortcoming, says Jason Waxman of Intel, which sits a little outside the alliance as its technical advisor.
The aim is to provide a “centre of gravity” for customer requirements and so to persuade the providers, in time, to work with those requirements in mind, he says. Standardising RFP language is a particularly potent weapon in that regard.
There is no regret in not having large public cloud providers like Amazon and Google on board, says alliance board member Petteri Uljas, CEO of Capgemini Finland; they are predominantly business-to-consumer providers, while the alliance is a business-to-business operation.
The only non-member provider the alliance would very much like to have on board is Oracle, several board members say. Overtures to that company are continuing.