Cloud computing: New EU guidelines offer a framework that Luxembourg firms should adopt, but standards still need more work, says PwC’s Vincent Villers.
On June 24 the European Commission issued new cloud computing service level agreement (SLA) standardisation guidelines (PDF)--primarily in the area of privacy and security--which incorporate feedback from representatives of the cloud services industry. Delano asked Vincent Villers of consultancy PwC in Luxembourg for his assessment.
AG: In your view, why is the publication of these guidelines an important step?
VV: As clearly mentioned in the document and confirmed by the commission, these guidelines are meant to serve as reference for all “cloud stakeholders”--for example, providers, customers, governments, supervisory authorities--when dealing with cloud services.
As far as I can see, it should be used by Luxembourg companies when developing projects to move to the cloud.
AG: Can you provide a couple examples of where the guidelines are offering more clarity to service providers and customers?
VV: The guidelines provide clarity through the “cloud SLA vocabulary” section which, indeed, serves as a reference for any further detailed work to be done on existing SLAs. Remember that the document “illustrates and specifies the concept that should be addressed” and “does not specify the structure of an SLA”. It is important to consider these guidelines as what they are: guidelines. They are not a “magical recipe”.
I am also glad to read that key concepts are addressed such as “capacity” (maximum amount of some property of a cloud service), “termination process”, “data portability” and finally “openness, transparency and notice”.
The first one is usually not present in SLAs but is key for users to understand the capacity of the provider to deliver. For the other concepts, they address a major risk relating to outsourcing in general, and to cloud services more specifically: the “lock in” risk.
The guidelines are helpful in that they give clear suggestions to include in SLAs.
AG: From your perspective, what questions were left unanswered by the document?
VV: I believe that most relevant issues are addressed in these guidelines. Given their objective, it is, for example, left to the users and providers to make the best use of them while working on dedicated SLAs or when assessing existing ones.
The ongoing work of other bodies or working groups--such as the ISO/IEC and ENISA--should also be closely followed up.
According to me, potential cloud users need to keep in mind two essential questions before “accepting to jump to the cloud”: “what does it really mean for my business?” and “how does a cloud solution fit in the future evolution of my organisation (in terms of strategy, new products, flexibility, long term continuity)?”
Each company is different and should therefore address a cloud project with questions specific to their context.
I would like to stress that one key risk that is not addressed so far by the guidelines is the “isolation failure” risk: shall cloud users be the only ones to access their data? This specific item is not clearly mentioned in the security section.