ACS CLOUD COMPUTING CONSUMER PROTOCOL. Response from AIIA

Transcription

1 ACS CLOUD COMPUTING CONSUMER PROTOCOL Response from AIIA AUGUST 2013

2 INTRODUCTION The Australian Information Industry Association (AIIA) is the peak national body representing multinational and domestic suppliers and providers of a wide range of information technology and communications (ICT) products and services. We represent over 400 member organisations nationally, including global brands such as Apple, EMC, Google, HP, IBM, Intel, Microsoft, Salesforce.com and Oracle; international companies including Telstra; national companies including Data#3, SMS Management and Technology, Technology One and Oakton Limited; and a large number of ICT SME s. All of our members, large and small are committed to developing Australia s digital capability and presence nationally and on the global stage. A number of AIIA members, including large multinationals, large national businesses and small and medium sized enterprises offer cloud services. We are therefore very keen to ensure that the views of our members, all of whom are experienced in this area of technology, are given appropriately careful consideration in the context of evaluating the responses to your Discussion Paper: Cloud Computing Consumer Protocol (the Paper). OVERVIEW AIIA welcomes Australian Computer Society s (ACS) promotion of cloud services as an effective and efficient model for driving take-up and development of digital capability. We welcome your recognition of the potential for cloud services to drive productivity and innovation, particularly amongst smaller organisations, and acknowledgement that cloud services provide an affordable and sustainable model for organisations of all sizes to participate more effectively and immediately in the digital economy. We note the concerns raised in the Paper regarding the perceived slow take up of cloud services and also the view that this is driven by a lack of understanding of what cloud services are and a lack of confidence to use them. However, whilst AIIA is very keen to drive 2 P a g e

3 momentum in cloud service take-up, we do not share the view that the current situation warrants the need for the approach outlined in your Paper. Rather, our view is that the imposition of such a Protocol is both pre-emptive and unnecessary, based on broader regulatory arrangements. Our view is that the development of any regulation, codes of conduct, protocols, or special rules whether voluntary or required, that create a unique set of rules/requirements for cloud technology effectively creates an unnecessary and discriminatory regulatory burden on cloud providers. There are no analogous protocols for the suppliers of computers and networking infrastructure or enterprise software, or other secure IT infrastructure, which arguably, require an equally high level of security assurance to promote user confidence. We would argue that suggesting the need for a protocol, implies cloud technology is unsafe, undermines confidence in cloud services and reinforces consumer fears. While we note reference to the recently developed New Zealand Cloud Computing Code of Practice (NZ Cloud Code) as a precedent for a similar approach in Australia, we would point out that its success has not been tested and further, associated compliance costs and proof of compliance have not been well addressed by those responsible for implementing the NZ Cloud Code. Preparing and reviewing disclosures, and monitoring their status and compliance as business models changes, is costly. It is not at all clear that the proposed benefits of the NZ Cloud Code will outweigh these internal costs. We have also observed that the global companies that make up the majority of the cloud computing market in New Zealand have not joined the NZ Cloud Code. AIIA would also strongly argue that differences in the applicable consumer protection law differs considerably in Australia compared to New Zealand and that the justifications put forward for the development of the NZ Cloud Code do not apply in Australia. AIIA s position is that current legal protections such as the new Privacy Act amendments and the Australian Consumer Law (i.e. to address open and honest dealing, privacy protection and consumer protection objectives) already address concerns regarding privacy and transparency 3 P a g e

4 by providers. Australia maintains some of the most rigorous privacy rules in the world and in March 2014, the broad-reach Australian Privacy Principles (APPs) will become effective. The new Privacy Act amendments will require entities who disclose personal information outside of Australia to make this clear in a privacy disclosure. This will necessarily require cloud providers to disclose data location to those entities. AIIA is therefore strongly of the view that it is not necessary to create a new set of rules or protocols for cloud service providers to supplement existing privacy law. The fact that the Protocol is proposed to focus only on public and hybrid cloud services is also of concern. Such a focus implies that these models of cloud services are inherently less secure and/or of lesser quality. This introduces another layer of discrimination and potentially an opportunity for some cloud service providers to promote themselves as more trustworthy and not in need of regulation. If, as the Paper suggests, the issue is about the lack of understanding and knowledge of cloud services, such a misconception will very likely gain traction albeit unintentionally. If the issue is, as the Paper suggests, a lack of overall awareness and lack of user confidence, AIIA is strongly of the view that the stated objectives of the Protocol would more appropriately be met by education, promotional and marketing activities, including by cloud providers themselves. RESPONSE TO SPECIFIC QUESTIONS Question 1: Do you believe a voluntary Protocol in which cloud supplier provide undertakings and information about their services would improve confidence in the market and increase the adoption for take-up of cloud computing services? Feedback from our members is that there is a growing and vibrant market for cloud services in Australia, supported by an extensive range of competing services. This suggests to us that the reluctance or hesitancy of Australian businesses to adopt cloud services referred to in the Paper 4 P a g e

5 may not be as significant a problem as has been suggested. There is no evidence at this stage to suggest any market failure that would warrant intervention of the nature proposed. We therefore believe that any increase in the adoption of cloud services resulting from a Protocol is likely to be marginal. In any respect imposition of the Protocol assumes that users of cloud services understand what it requires. Business customers looking to purchase cloud services are unlikely to spend time considering a Protocol and more time looking at the service benefits and the price of suppliers. Users will also look at the information provided by the supplier and ask further questions if not satisfied as is normal practice. AIIA strongly supports transparency and believes it is incumbent on suppliers of all products and services to maintain a high standard in this regard in all dealings with customers. AIIA believes that rather than guidance to encourage SMEs to leverage the economic and security benefits of cloud services, the Protocol will in fact inhibit progress by implying that the nature of cloud services requires this additional layer of assurance. AIIA does not support this proposition. Q2(b): If you are a provider of cloud services, is the description above of cloud services and the outline of its benefits accurate and comprehensive for prospective users who may know little of the details of cloud computing? The definition and description of services is adequate. However, the distinction between public and hybrid cloud services and private cloud services is unhelpful in the context and as mentioned above, implies that some cloud services models are safer than others. It is unclear why the suggestion is made that the Protocol should focus only on public and hybrid services. The implication is that those particular types of cloud technologies as less safe than private cloud technologies and further, creates an inherent bias against them. Arguably, this serves to undermine the very extensive benefits of public cloud offerings. Furthermore, it creates a bias specifically against cloud providers over other technology offerings. 5 P a g e

6 In relation to benefits, we would make the point that in a competitive market it is incumbent on cloud service providers to adequately describe the service and benefits on offer, including the financial benefit of services and leave it to customers to conduct their own due diligence as is the case in a robust market environment. Q4: Are there other disclosures from cloud vendors that have not been outlined in this section? What are they? While we acknowledge that in the context of a protocol framework the noted disclosure concepts are, in principle generally acceptable, this also has the potential to create confusion for customers. We are particularly concerned that the nature and form of the disclosures listed will result in a default to a set of prescriptive standards. Taking the NZ Cloud Code as an example it asks in section 5.4: As at the date of application:... We are/are not listed on the CSA STAR Registry. By forcing Protocol adherents to choose from a list of certifications, this question discriminates against those that may have equal or better certifications not listed. Further, if a provider answered We are not to this question, then a potential consumer may assume they have lesser standards than those who answered We are. In fact the CSA Star registry is only one of many ways to promote the security standards of a solution. AIIA agrees that customers need to be fully informed of and have confidence in, the service offerings they purchase but the sorts of questions requiring customer assurance are a matter of routine consumer education to ensure they are asking the right questions of service suppliers as is the case in any purchase of a product or service. Q6: If you are a provider of cloud services and products, what is the current state of market confidence in cloud computing, and are there any outstanding transparency issues that concern users? If so, what is the best method of addressing these concerns? As noted above, the experience of our members is that there is a growing and vibrant cloud market nationally and internationally. Members advise that they are fully aware of the need 6 P a g e

7 to assure customers of the quality and data security aspects of their services and that they are well equipped to provide such information and assurance without the need for a Protocol. Q7: If a voluntary Protocol is introduced, do you have any comments on potential compliance costs, jurisdictional complexities and the interaction between the Protocol and other cloud standards currently being developed globally? As noted above, AIIA does not support the need for the Protocol as proposed. We are especially concerned that such a Protocol would become, by default, a mandatory expectation of the market. The experience in New Zealand is that the market now incorrectly believes the NZ Cloud Code is a standard or procurement requirement. In addition, the NZ Cloud Code had not considered how to deal with its own management costs, and did not run a cost assessment to understand how compliance costs might impact industry. We strongly oppose the potential for this to be the case in Australia. The view of our members is that introduction of a Protocol would have the adverse effect of limiting competition and preventing market entry, to the extent that customers or consumers see a vendor s compliance with such regulatory regime as a mandatory pre-condition of any purchase and so avoid vendors who are not able to join. We would also make the point that whilst cloud computing services are configurable, they are not customisable. The service is the same for every customer. Customers need to do their own due diligence to determine whether any given service is suitable for their specific needs. For example, vendors have their own security standards and protocols, usually based on recognized world standards and hence are not in a position to agree to comply with a customer s specific security policy, or some other self-regulatory scheme or protocol, to the extent they differ from the worldwide standard followed by the vendor. 7 P a g e

8 We are greatly concerned that the development of individual country protocols will lead to a proliferation of different protocols worldwide. Cloud providers cannot maximise the efficiencies of global operations if they are stymied by different industry requirements from country to country. We do not support any attempt to provide an exhaustive or recommended list of standards. Industry standards are continually evolving and a list would quickly be outdated. We would also add that the Protocol may adversely impact both the cloud provider and the cloud customer, as the customer would also have to factor the Protocol into their procurement decisions, supplier engagement and onward supply chain processes. This is especially true in the very common scenario of application service providers who assemble and develop their offering on top of the offerings of global cloud providers. Q8: Using the New Zealand Code as an example, are there changes or improvements that could be made which would improve the efficacy of that process in an Australian context? Are there other issues not addressed in the New Zealand Code that need to be considered? With respect to New Zealand, AIIA does not agree with the NZ Cloud Code and does not support a similar Protocol in Australia. The NZ Cloud Code, as stated previously, includes disclosures that are too specific and it does not provide sufficient flexibility for the different models, technologies or certifications of various providers. For example, we do not believe it helpful to mention approved or sanctioned certifications. We are concerned that the NZ Cloud Code is too technical and is not consumer friendly. If a Protocol is developed it must be brief and simple. This will better serve consumers and make compliance easier for those cloud providers who may choose to join the Protocol. 8 P a g e

9 CONCLUSION AIIA notes the concerns raised by the ACS and while we dispute the severity of the problem, we believe that any concerns are better addressed through a cooperative education program. The proposed Protocol introduces an additional and less flexible way to achieve the same outcome. Our suggestion is that if Government wants to increase cloud uptake they should work with industry to create awareness and marketing programs. Imposition of a Protocol makes it more difficult for cloud providers to do business and, in our view, undermines the flexibility and benefits of cloud services. We are concerned also that this sets a precedent for effectively regulating any new technology where Government thinks it is in their interests or the interests of consumers to do so. The nature of increasingly smart digital technology will undoubtedly challenge some consumers but this is no reason to impose arbitrary additional compliance and rules on some technologies. It is imperative that we have confidence in existing laws, the market and in robust competitive market forces. The largely theoretical or unfounded security concerns raised by some consumers will not change simply because of disclosures required by a Protocol. Cloud providers should be left to meet the needs of the market in a manner they determine. The market will determine if they have confidence in the transparency of cloud providers and consumers will make their choices by purchasing those products or not. 9 P a g e