COMMUNICATIONS ALLIANCE LTD

Transcription

1 COMMUNICATIONS ALLIANCE LTD Communications Alliance Response to ACS Discussion Paper on a Potential Cloud Computing Consumer Protocol

2 - 1 - TABLE OF CONTENTS INTRODUCTION 2 SECTION 1 OVERVIEW OF RESPONSE 3 SECTION 2 COMMENTS ON CONSUMER CONFIDENCE 4 SECTION 3 SUGGESTING DRAFTING CHANGES TO SECTION 4 5 SECTION 4 COMMENTS ON SECTION 7 OF THE PAPER 6 SECTION 5 COMMENTS ON SPECIFIC QUESTIONS IN THE PAPER 7

3 - 2 - INTRODUCTION Communications Alliance welcomes the opportunity to provide this submission in response to ACS Discussion Paper on a Potential Cloud About Communications Alliance Communications Alliance is the primary telecommunications industry body in Australia. Its membership is drawn from a wide cross-section of the communications industry, including carriers, carriage and internet service providers, content providers, equipment vendors, IT companies, consultants and business groups. Its vision is to provide a unified voice for the telecommunications industry and to lead it into the next generation of converging networks, technologies and services. The prime mission of Communications Alliance is to promote the growth of the Australian communications industry and the protection of consumer interests by fostering the highest standards of business ethics and behaviour through industry self-governance. For more details about Communications Alliance, see

4 - 3 - SECTION 1 Overview of Response Communications Alliance offers the following over-arching viewpoint about the utility and objectives of the potential Protocol. These comments are preliminary, in line with the earlystage nature of the discussion paper and we look forward to more detailed consultation when a draft protocol is available 1. The most significant potential market failure that the proposed Cloud Computing Consumer Protocol would seek to address, in the view of Communications Alliance Members, is that of the lack of consumer knowledge and understanding, which appears to be inhibiting uptake of cloud services 2. The best way to address this is via a range of educational tools, e.g. awareness campaigns, web-sites, on-line forums, Wikis, etc. and by leveraging existing informational sources. 3. This education task should be the focus of the ACS Cloud Protocol 4. The CSP members of Communications Alliance do not support the creation of an additional protocol covering what might be disclosed by providers to customers. 5. The existing, registered and enforceable Telecommunications Consumer Protections Code 2012 governs the disclosure requirements for CSPs when they provide services to their customers and provides a strong basis for the way CSPs will inform customers in circumstances where CSPs are also providing cloud-based services. Overlaying the TCP Code is the regulated framework of the Australian Consumer Law, with which CSPs are also required to comply. 6. The situation in New Zealand is very different to that in Australia the co-regulatory and regulatory requirements including applicable consumer law and the new Privacy Act amendments - on service providers are not as comprehensive in New Zealand as in Australia.

5 - 4 - SECTION 2 Comments on Consumer Confidence Typically there are two main concerns with the use of cloud services from a security perspective: 1. The security of the platform that the cloud service is based on (responsibility of the provider). 2. The secure use of the platform by consumer (responsibility of the consumer). Having assurance that security is being addressed from both of these angles will increase consumer confidence in using the service. Each item is discussed in the following paragraphs: 1. To address the security of the cloud platform from the provider s perspective cloud providers may choose to publish publicly accessible statements regarding compliance to security standards. There are many standards available (such as ISO 27001, PCI DSS and SOC 1/SSAE 16/ISAE 3402) that would be confusing to a customer. To assist the customer in deciphering these codes into what constitutes good security practice the protocol might include plain language guidance around these standards. For example, the protocol might say: ISO give assurance that the cloud provider has gone through a basic compliance programme to verify robust security practices Medium level of assurance. PCI DSS might come with a high level of assurance etc. 2. To address the secure use of the cloud platform of the consumer, the protocol might recommend that service providers publish best practice guidelines around common pitfalls and mistakes that customers might encounter while using the service. Such concerns can include: a. User management (on-boarding, off-boarding and regular audits) b. Encrypting confidential data c. Security of hosted servers, network elements and applications d. How to identify malicious behaviour e. Common products and partners that can assist in the above.

6 - 5 - SECTION 3 Suggesting Drafting Changes to Section 4 What is Cloud Computing? 1 Cloud computing is a general term for the delivery of hosted services (in Virtualised environment) over the internet, enabling users to remotely store, process and share digital information and data. As such it is more a new way of delivering technology services rather than a new technology itself. There are three main categories of cloud, although the distinctions between them are becoming more permeable as their sophistication grows. They are: 1. Infrastructure as a Service (IaaS) offers data centre capacity, processing and storage. An example is Amazon web services. 2. Platform as a Service (PaaS) provides a software development and deployment environment for the applications. Examples are Microsoft s Windows Azure and Salesforce s force.com. 3. Software as a Service (SaaS) offers software applications that can be subscribed by users. Examples include Salesforce, Hotmail and Flickr.

7 - 6 - SECTION 4 Comments on Section 7 of the Paper Data Location While Communications Alliance does not advocate specific disclosure recommendations, additional commentary may be useful around the value of data sovereignty and the implications of on-shore versus off-shore hosting. This is of particular importance where a cloud service provider may be owned or operated by a US-based corporation, and thus subject to foreign laws (Patriot Act II, etc.) Backup and Maintenance It s worth pointing out that some cloud providers give clients the ability to choose the level of protection they subscribe to in terms of things like service availability, security, data protection and disaster recovery. There is a cost of providing specific service-related capabilities, such as back-up testing and validation - even when they are automated - and not all clients are willing/able to pay a premium for features such as this and/or may have another means of achieving the required level of data protection. It is important to protect the cloud consumer s ability to choose whether or not to purchase such additional capabilities, or simply make sure that consumers are aware that they have a choice Vendor Lock-In & Data Portability We disagree with the statement At present, the lack of interoperable technical standards between cloud computing services means that users may risk losing their content and media if they change services whilst from an end-user perspective this is true, there are technical tools available to migrate data safely between completely disparate and non-compatible cloud platforms. There is a risk that the cloud service provider industry is perpetuating the belief that customers cannot safely move.

8 - 7 - SECTION 5 Comments on Specific Questions in the Paper Question 6. If you are a provider of cloud services and products, what is the current state of market confidence in cloud computing, and are there any outstanding transparency issues that concern users? If so, what is the best method of addressing these concerns? Cloud computing technology is currently mature and there is no significant technical difficulty in implementing solutions that can be deployed in traditional data centres in Cloud. The concerns relate mainly to data security as well as the nature of multi-tenancy of cloud. Customers sometimes express concern that their data is stored with the service provider but may be shared with the other tenants on the same physical devices. Virtualisation technologies need to be continuously improved to ensure 100% isolation of customer data. Service providers ideally should implement cloud services that comply with various international standards such as ISO and PCI. These compliances are an indication of the high standard of cloud services but will also increase the cost of the services. Question 7. If a voluntary protocol is introduced, do you have any comments on potential compliance costs, jurisdictional complexities and the interaction between the Protocol and other cloud standards currently being developed globally? SMEs and Consumers are typically sensitive to price of services. Cost impacts will need to be carefully assessed before included any proposed compliance regime into the Voluntary Protocol (something that would in itself be unusual). For example, costs increase proportionally based on the type of security measurements to be implemented, adding too comprehensive and stringent security measures means more costs to the service provider and also final cloud end products.

9 Published by: COMMUNICATIONS ALLIANCE LTD Level 9 32 Walker Street North Sydney NSW 2060 Australia Correspondence PO Box 444 Milsons Point NSW 1565 T F E info@commsalliance.com.au ABN Care should be taken to ensure the material used is from the current version of the Standard or Industry Code and that it is updated whenever the Standard or Code is amended or revised. The number and date of the Standard or Code should therefore be clearly identified. If in doubt please contact Communications Alliance