Cloud Computing Consumer Protocol Submission
21 August 2013
Australian Computer Society
Adam Redman
Head of Policy and External Affairs
Via email: [email protected]
Re: Cloud Computing Consumer Protocol
Dear Mr Redman and Ms Johnson,
Introduction
OzHub welcomes the opportunity to provide a submission to the Australian Computer Society
(ACS) on the discussion paper entitled “Cloud Computing Consumer Protocol” (The Protocol).
The development of The Protocol is intended to address perceived gaps in confidence and trust
between potential users of cloud computing services and providers of cloud computing.
OzHub is of the view that this protocol has the potential to assist in improving the level of both
advice and education about cloud computing to users and potential users. In particular, this
protocol might act to increase the quality and utility of information disclosed by providers and
suppliers.
OzHub is an industry leading coalition that aims to build consumer and business confidence in
and promote the growth of the Australian cloud computing industry. In this way, OzHub is a
stakeholder in the objectives of the protocol.
Members of OzHub are Macquarie Telecom, Fujitsu, Infoplex, Alcatel-Lucent and F5 Networks.
OzHub is working to understand consumer needs and encourage good industry practice for
cloud computing in Australia. These activities are aimed at maximising Australia’s participation
in and experience of the benefits of the rapidly growing cloud industries.
As an industry association, OzHub has taken a principles based approach to responding to the
issues raised in the discussion paper. While taking into account the objectives of the
consultation process, OzHub has focused on some broader issues which it believes to be
pertinent.
1
OzHub has responded to this discussion paper from the primary perspective of promoting a
safe, secure and trusted Australian cloud industry. Accordingly, the development and use of a
protocol which supports this objective is applauded by OzHub.
As an overarching principle, OzHub firstly notes that this protocol highlights the challenges of
dealing with a longstanding concept; the most appropriate way for a vendor to deal with receipt
of its customer’s data and information.
Longstanding principles and standards have guided the obligations of a service provider in
dealing with customers’ data – in this sense, cloud computing is really a new way to deal with
old issues. However cloud computing does face new challenges. Those challenges are largely
focused around issues of scale: the vast amounts of data that are dealt with in the context of
online services, the sharp increase in people who access these services, the speed of data
movements due to the proliferation of ubiquitous broadband and the increasing variety of
circumstances that cloud computing is applicable.
The challenge of developing an effective cloud computing consumer protocol is firstly in
aligning new services with existing accepted standards already in place. Indeed, the most
efficient and effective way to develop a protocol is by working from existing consumer
protection arrangements. That approach allows for the easy transition to new services while the
underlying principles remain consistent.
The points addressed in this submission are:
1.
2.
3.
4.
Education of Consumers
NZ Cloud Computing Code of Practice
Data security
Definition and benefits
1.
Education of Consumers
The purpose of the protocol as stated in the discussion paper is “to provide prospective and
current users of cloud computing with information about cloud computing…” While there are
many regulatory instruments that are used to provide guidance to cloud service providers,
consumers may not be aware of how to recognise, navigate and understand these standards and
regulations or know how to apply them to the requirements of their own data. As such, OzHub
believes the protocol should be a guideline for consumers and providers, rather than a
prescriptive code. The protocol should aim to raise the level of understanding by providing
information on matters that need to be taken into account when providing or acquiring cloud
services.
OzHub has chosen to address the following issues with the assumption that the protocol will
fulfil this educational function.
Considering the lack of understanding that consumers face with regard to cloud computing,
OzHub believes that it would be most useful for the protocol to address the most pertinent
consumer issues upfront. The protocol will be most beneficial to the consumer by providing a
2
high level of understanding about issues with which consumers have the most concern. Those
issues would be:
a. Onshore/offshore storage, relevant jurisdiction & rights to redress
The protocol should explain that a cloud service provider should declare where the data
is stored and, if it is not stored onshore, what particular jurisdiction it may be subject to.
Consumers may not understand that offshore storage can mean the security obligations
and legal rights to redress for data breaches may differ to information stored in
Australia. The protocol could point to the Australian Government Policy and Risk
Management Guidelines for the Storage and Processing of Australian Government
Information in Outsourced and Offshore ICT Arrangements as a government model for
making onshore/offshore storage decisions.
b. Ownership of data
The presumption of consumers would be that data stored in cloud arrangements would
remain in their ownership. If a cloud provider has a different policy to this, it should be
disclosed to the consumer upfront.
c. Breach notifications
The protocol should direct consumers to look for disclosure of breach notification
processes and providers to disclose their notification processes.
d. Links to privacy authorities, and regulation
The protocol would be useful to consumers by directing them to relevant avenues with
which they can pursue questions or concerns about the use of cloud computing, such as
authorities or regulatory bodies. The protocol may also provide a list of the most typical
standards and codes that regulate the cloud computing market, to provide a reference
point for consumers and providers.
This list is not intended to cover all aspects that should be considered, but outlines the main
concerns that consumer have with regard to cloud computing. Having explanation of these
concepts upfront would provide prospective users with an easy guide which can help them in
understanding the existing market regulations in place.
2.
NZ Cloud Computing Code of Practice – CloudCode
OzHub does not disagree with the tenet of the New Zealand CloudCode and supports the ease of
process for which providers can respond to the required statements. However, OzHub notes
that the NZ CloudCode is useful in a market that has less pre-existing regulatory conditions. The
structure of the code, being a statement for providers to follow, is unlikely to be of as much
value in the Australian market given the existing legislation, standards and practices.
As mentioned above, the Australian market is more in need of a protocol that gives guidance to
consumers about the existing market conditions governing cloud computing. This will better
inform consumers and ensure they are making more informed choices about their provider.
This type of understanding will also ameliorate the risk of actions that the consumer is unaware
of or does not condone.
3
3.
Data security
OzHub understands that the cloud computing market provides differing levels of data security
and that well-informed consumers will be able to make informed decisions about the level of
security that is relevant to their needs. The protocol’s role, to provide some of that education,
will contribute towards effective consumer decisions in this regard.
Data classification is an important step in making this decision and pointing consumers to
government policies which address appropriate levels of security, relevant to the type of
information, may be of assistance.
4.
Definition and benefits
OzHub broadly agrees with the definition of cloud computing and the range of stated benefits
for SMEs. However OzHub believes that the benefits should also include reference to the energy
efficiency and reduced energy use of cloud computing as compared to traditional storage
options. Cloud computing has been shown to be 95% more energy efficient according to
Enabling Technology of a Low-Carbon Economy: A focus on cloud computing.
Conclusion
This protocol is part of ongoing work undertaken by a range of players, including OzHub, ACS
and the Department of Broadband, Communications, and the Digital Economy, focused on
growing the understanding, trust and use of cloud computing. OzHub looks forward to working
together with the ACS, DBCDE, and other industry bodies to promote a safe, secure and well
informed cloud computing market in Australia.
Yours sincerely,
Matt Healy
Chairman
OzHub
4