Cloud Industry Forum: Transparency, Capability & Accountability
The Cloud Industry Forum was established in 2009 and is engaged in certifying online cloud service providers. This enables end users to conveniently identify reliable, trustworthy vendors. This article takes a look at the certification process, requirements and benefits.
Code of Practice
The Cloud Industry Forum (CIF) certifies entities based on their compliance with the CIF Code of Practice. The Code comprises three core principles:
- Transparency
- Capability
- Accountability
These core principles are discussed in greater detail in the remainder of this article.
Transparency
Organizations are required to maintain a “reasonable and consistent level of transparency” for certain types of information. Some information must be made publicly available, while other information is disclosed commercial-in-confidence.
Publicly available information includes:
- Corporate identity and responsibilities
- Full scope of operations
- Compliance with code
- Third-party coverage of code
- Technological commitments (optional)
- Existing certifications (optional)
- Industry association memberships (optional)
Information that should be disclosed in confidence (e.g. in proposals or contracts) includes:
- Commercial terms
- Financial stability
- Personnel profile
- Customer migration paths at contract termination
- Customer migration paths during contract execution
- Licensing provisions
- Provisions for information security
- Data protection provisions
- Provisions for service continuity
- Service dependencies
- Provisions for audit
- Complaints and escalation procedures
Capability
Organizations are required to document their management systems and resources in order to deliver specified capabilities, for instance data protection and continuity of operations. The Code requires documented management systems for the following areas:
- Information security management (includes data protection)
- Service continuity management
- Service level management
- Supplier management
- Software license management (includes license compliance)
- Complaint handling
- Environmental impact management
Typically, the extent of documentation required depends on the size of the organization. Large, multinational organizations will require extensive policy and procedure documentation, while small and medium-sized businesses will have minimal documentation requirements.
Accountability
Organizations must be accountable for their compliance with the Code, as well as for their behavior toward customers. They should also agree to binding complaint resolution procedures with customers.
Getting Certified
Currently, the CIF offers two levels of certification:
- Self-Certification – With this option, the organization claims that it has achieved compliance. This is done through a formal statement by the Board of Directors. The organization is then required to complete a successful self-certification against the Code and file this status with the CIF. This process must be repeated on an annual basis.
- Independent Certification – The organization fulfills all the requirements of self-certification and has an independent validation of compliance. This option was recently introduced in 2011. It is likely that only larger organizations would take this option, given the prohibitive cost of doing so.
Certification with the CIF does not guarantee that redress or compensation will be provided in the event that commitments are not met. However, organizations face the possibility that their certification will be withdrawn and their non-certified status publicized. Although there is no guarantee associated with a CIF certification, it does facilitate competent decision making up front, since key types of information are disclosed in accordance with the transparency requirement of the Code. Organizations are afforded normal legal recourse in the event that this information is found to be unreliable.
Customers’ Experiences
According to the CIF, certification against the Code brings increased transparency and trust, which encourages customers to do business in the cloud. The CIF has identified a number of levels on which the customer operates:
- Trust – Displaying proof of certification can give potential customers assurance that they can obtain information and make competent business decisions.
- Identification of Suppliers – The CIF Code enables customers to identify suppliers on the following levels:
  - Organizations that are certified can lead customers, through hyperlinks, to other organizations that have shown this level of responsibility.
  - Organizations registered for self-certification can display this on their website.
  - Organizations may choose to be part of a free online database of services offered by certified organizations.
- Access to Information – Customers will have access to publicly-available information (as defined by the Code) from the certified organization’s website.
- Guidance – In the near future, the CIF will be providing guidance to end-user organizations, in order to facilitate their business in the cloud.
Summary
This article has taken a look at the Cloud Industry Forum’s (CIF) Code of Practice Certification Program. This certification identifies organizations that have committed to the three requirements of transparency, capability and accountability. The goal of the CIF certification is to ease customer decision making and ensure that provider selection is done in an informed manner.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Compliance impact on cloud contracts (Domain 4)
- Provider selection (Domain 8)
- Key management best practices (Domain 11)