When you do some research you find the International Organization for Standardization (their ISO 27001 on IT security is relevant for the data centre) or the IBM backed Open Cloud Manifesto or The Open Data Center Alliance, and many others, but most of their output seems to be about technical standards for set up, programming and interoperability of services – good for the industry as a whole, but not necessarily relevant to the average business trying to decide on a cloud alternative for email management or accounting or project management. Another issue is that some of these standards have a high barrier to entry for the small software provider. If it’s going to cost tens of thousands of pounds (or more) to get a product ISO (or whatever) certified, that guarantees that only the big players will be able to afford it. The smaller, more innovative software developers might have great products, and deploy them on a safe and secure infrastructure making use of the benefits of Cloud architecture, but they’ll be precluded from the shortlist because they don’t have the accepted “quality mark”. We need something that’s focussed on helping the buyer rather than the developer, and which helps the innovative entrepreneur at the S end of SME just as much as helping one of the Enterprise level IT players.
That’s where the Cloud Industry Forum (CIF) comes in – an organization that Business Two Zero and D2C wholeheartedly supports (disclosure – actually I’m on their governance board – see below). CIF, a not for profit organization, was established in 2009 to provide transparency for the industry through certification to a Code of Practice for credible online Cloud Service Providers. The emphasis within the code is on best practice in the approach to service provision, rather than technical standards of programming. The code covers areas like contract terms, Service Level Agreements, data protection, data location, or transparency of the cloud service supply chain. These are the practical things that a buyer needs to know about the service they are signing up for. Organizations that apply for and conform to the Code of Practice get a “CIF Certified” quality mark. The process itself allows for a self-certification approach, although a full external audit can also be done if you want to pay for that. Self-certification brings the cost down to an affordable level (starts at £200 a year) for the smaller Cloud players, but it’s still properly policed by an independent organisation.
Members of the Cloud Industry Forum include Microsoft, Dell, VMware, Rackspace, Fasthosts, Claranet, Ingram Micro, Interxion, Memset, Nominet, Star, Mamut, FrontRange, Unit 4 (Agresso, FinancialForce), UKFast, Webroot, and is supported by vendor organizations like Intellect, EuroCloud UK, the British Application Software Developers Association and the UK Cloud Alliance. The Code of Practice was agreed in 2011, and the first wave of Cloud companies have just gone through the accreditation process. One of those is NexusAB, a 10 person SaaS company – they provide integrated quality assurance and technical inspection services for sub-surface drilling and completion departments. They work with oil field asset data, the most precious data that an oil company has. Their customers trust that precious data to the cloud and to a small company like NexusAB, but if you speak to them you’ll find that having CIF certification was instrumental in providing the level of comfort required to win their recent big deal with BP. That is exactly what the CIF Code of Practice is all about. Go here if you want to find out more. And please tell me if you think there is anything similar that companies should be considering.
Disclosure: I am on the Governance Board for the Code of Practice of the Cloud Industry Forum, a not for profit organisation, and I regularly speak on their behalf. In addition I chair Intellect’s Software as a Service Group, and I am a Director of EuroCloud UK.
A version of this article was first published on Fresh Business Thinking.