Dull stuff, audit! Detail, detail, detail. Yet that detail can hide ferocious tigers waiting to pounce - Tesco's £265 million, anyone?
A while back I wrote on the issue of software testing. What is its real purpose, I challenged. Its purpose, I wrote, is assurance - assurance for the Board that, if they invest in some new software-based initiative, it will deliver. Assurance is what gives a Board confidence to act. That confidence is worth a lot of money, both tactically and strategically.
One responsibility in my days as ICI's CIO was the annual dialogue with our KPMG 'computer audit' team. As most of our ICT operations were in-house (at least initially!) that audit exercise was relatively straightforward. Even when I outsourced the core compute operations, the KPMG team could still identify specific datacentres to audit.
But what in today’s emerging world of the virtual?
The current Cloud Industry Forum Annual Survey details an exploitation of Cloud services that is now expanding fast: in larger enterprises, in the public sector, in smaller enterprises – across the patch. So a growing diversity of ventures are now starting to rely on services supply chains that are increasingly virtual.
How can the Board scope the risks inherent in these virtual supply chains? How does it build confidence that business continuity is secured - that effective disaster recovery is in place? Is each step in the virtual supply chain secure in the fullest cybersecurity sense? How safe is the venture's data - and what happens if there is bankruptcy somewhere along that virtual chain - 'can I quickly access and rescue my data?' And what about data privacy - 'in exploiting this virtual services supply chain, am I compliant with data privacy requirements at each stage?'
And this against the background of quite radical innovation along the length of these virtual service supply chains. As a judge in this year’s EuroCloud Europe-wide Cloud Awards, I read the brief of a venture claiming to be able to move a complex of virtual servers in real time between remote physical locations while still actively processing.
One of the initiatives launched under the aegis of the EU Cloud Strategy (covered by fellow columnist and lawyer Alistair Maughan on CIO here) is worth taking a serious look at - a review of the diversity & variety of Cloud Certification Schemes now on offer. The review is being managed by ENISA (the EU’s Agency for Network and Information Security).
I must here declare several interests. As Chairman of the Cloud Industry Forum I support its Code of Practice, a low-cost self-certification framework designed and promoted as a means for medium to smaller Cloud enterprises to build customer confidence that 'all is being done correctly in the Cloud'. And as a Vice-Chairman of EuroCloud Europe I am briefed on its Star Audit, a comprehensive, effective (and expensive) certification exercise requiring extensive external audit.
This is becoming a busy field. For example the Cloud Security Alliance (CSA) has developed a family of security-focused certification schemes that range from the self-certified through to the externally audited. And there is the draft ISO/IEC 27017 [Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services].
The importance of the ENISA work is that it is seeking to provide a taxonomy of this vital aspect of the world of Cloud operations: a meta-framework designed to help practical analysis and choice.
Two key issues! Firstly, focus should now be on the independent 'Cloud certification of platforms'. Those who read my columns regularly know the analysis that I offer of vendor business models increasingly split between those who specialise in the infrastructural underbelly of our industry (data storage, processing, networking and their overall virtualisation and integration into platform capabilities) and those who innovate and deliver apps and services off these platforms. It seems to me self-evident that the platforms need to be independently certified; the task of certifying the operations of the apps-and-services-focused vendors then becomes much simpler, as they can build on the certification of their underlying platforms.
The second key issue is that these certification schemes risk being over-focused on security (hence the draft ISO/IEC 27017). Security is vital but, as my observations above make clear, assurance along the length of a complex virtual services supply chain is required for a much wider set of Board concerns: business continuity/disaster recovery, regulatory and legal compliance (think data privacy), and data access in the event of bankruptcy. There is a need for a more holistic approach to the delivery of 'assurance in the virtual' than simply focusing on security. The time is ripe for an active, constructively critical approach to the increasing diversity of Cloud Certification Schemes that we are being offered.