rating and certifying cloud hosts for client risk

Upload: alan-wilensky

Post on 30-May-2018


8/14/2019 Rating and Certifying Cloud Hosts for Client Risk

Rating and Certifying the Cloud Hosting and Web Application Providers. Part III

I have been slowly morphing my consulting practice. I usually offer myself as a product sector strategy asset. Product Managers and VP's in the on-line applications business hire me to shoulder some of their burden when targeting specialist sectors - you know, industrial, technical, services, professional. These established clients usually have an idea of where their development efforts are heading. I came in to refine and prove the potential numbers. I developed approaches to paid subscriptions, industry specialty requirements, and I found innovative ways to exploit trade specific marketing. I was the product manager's helper, and it was a good gig until about 2007, when the economy got soft. Analysts are the first to have their contracts cut.

Now I am delivering what I learned as an analyst, and applying this to evangelizing small and medium businesses. These folks are the end users I had quantified, targeted, and interviewed in my work for web applications providers. Small and medium bizfolks perceive the benefits of hosted services and cloud computing. They clearly perceive the benefits of fault tolerance, licensing advantages, and a simplified communications topology. These smaller accounts are certainly numerous. Can they abide having recurring computing fees forever? They certainly know that their internal server and workstation / mobile infrastructure (as traditionally delivered) costs them big time when things go bad.

The SME / SMB, in other words, gets it. They get the benefits of Web based, cloud hosted stuff. They like getting out from under the local IT support guy, or the internal IT guy that they are held hostage to. They look forward to a time where individual routers with special configurations are replaced by safe, centralized, fault tolerant networks, servers, and comm infrastructure that they can provision and pay for in a rational way. They just don't know if they can trust you and if you will be around long enough to justify the cut over.

So, before I close this series, which might include one more post on the brokering of technical services between partners and competitors to backstop business continuity failures, I will talk briefly about ratings and certifications for any remote provider of compute and storage - out there in the cloud.

Established utility computing providers, like AWS, are probably uninsurable as far as clients' needs are concerned; they are too big, and any coverage they do have insures only their own facilities and operations, which does accrue somewhat to the client's benefit in the very long run, but does nothing when the downtime occurs. In the case of the big dogs, your insurance is their size and need to maintain a reputation. Eventually we will get our way, and instances of client computing services will get risk based pricing, preceded by business viability ratings, and of course, certifications for good facilities, operating procedures, and back office accounting standards. I'm willing to bet the ISO is working up something in their wild and crazy working groups as we speak.

    One more thing: Why is PAAS different?

Briefly: clients using unitary applications or suites have invested a certain amount of time moving from thick client project management to a hosted solution (one example). They have probably identified ways of moving the data off the platform (I hope), and so on. They are using an application, and we have all changed applications. PAAS is like marrying your company to .Net or some other standard. There is an investment, a rather large one for the SME, actually. For the lone developer making web apps, it's ok.

The PAAS landscape is made of some very innovative and funny systems. I think you know what I mean. Some remind me of 4GL, some will let you host a language and framework, but not the integral database, some have language environments that are made from whole cloth. As a group they are fascinating and right on the cutting edge, and they are, as a group, under capitalized and illiquid. There are exceptions, but I will bet you the best dinner in Boston that one would be hard pressed to find a PAAS provider that would allow an industry ratings organization to inspect their capital and operations profile.

If a SAAS application company is illiquid in its essence, then we find another and move the data. If a PAAS company is under capitalized, we have a larger set of problems. The way migration has been handled for PAAS failures has been shameful.

Someone once asked me if the 25M round for an on-line storage provider places them in a well capitalized position; my answer was, "it depends, but generally, no, it is not considered well capitalized for the intended target and use case - 25M in a VC round ain't shit when rating a crucial service provider that has not attained sustained profitability and near perfect uptime."

    Now, on to ratings and certifications for the cloud.

What is the difference between a rating and a certification? For the purpose of underwriting the risks of business continuity failures due to computing failures, there is an assumed, informal distinction.

Ratings are gathered from the outside in; companies are surveyed, their clients are surveyed, and they provide voluntary information. Also, performance data is collected in the wild - you know, up-time, availability, responsiveness to support tickets, and the like. Ratings take time to compile. Sometimes, ratings can be derived from historical data and a large set of participating clients. Risk based underwriting may make use of industry ratings, but the primary use of ratings, particularly those blessed by trade groups and associations, is to make clients comfortable.

Finally, only when ratings do not jibe with reality does the following become apparent: ratings imply no promise of performance. This may seem like a small thing, a semantic difference, but for those who price IT risk for third party payouts, it's the whole ball game. One cannot rate a business's operational viability, nor its ability to survive and thrive, without invasive audits by trusted, confidential examiners from industry standards organizations.

So, this is where Certifications, capital C, come in. Certifications are invasive, involving on site auditing and live tests that determine specific functionality. ISO, SAS 70, and SysTrust are some of the certs currently in vogue for typical data center assurances. Unfortunately, none of these standards, as good as they are, really addresses all of the issues underwriters need to individually insure a client of a cloud host, SAAS or PAAS provider. In the case of PAAS start ups, it's a messy process to accurately quantify risks when so much muscle and blood has been invested in cutting over incumbent processes - and the fact that for some reason, the PAAS providers, taken as a group, are some of the shakiest kids on the block.

Big data centers can be certified, telecommunications can be certified, processes that handle customer data can be certified, etc. For these types of certs, AICPA is the best we have in SAS 70 and SysTrust. In order to indemnify clients using remote IT services (SAAS, Clouds, Grids, PAAS), we may need more.

You want more than SAS 70, or other certifications, can deliver? The insurance underwriting industry in its forward looking moments knows that technology and operations are the least fragile variable in the total equation. In order to offer business continuity assurances to the Cloud's clients, the carriers want audited viability in the following areas:

1) Management Background (the principals' backgrounds and disclosures being free from deception).

2) Operations audits (GAAP, records retention policies, maintenance procedures).

3) Operations Liquidity (Does the company pass the viability test for a "foreseeable period of operations that encompass an adequate time horizon, considering the industry's typical cycle of periodic upgrades and major technical watersheds"?).

4) Security and Exposure to 3rd party liabilities (Does the company operate in a manner that would mitigate common IT liabilities for data security, loss, and mishandling of customer information?).

Once these broad systemic root certifications can be determined, either through existing industry organizations or via a new body, then the underwriters can start processing the risks involved. After the risk is priced, then measures to operationally offset the risk can be applied. And.....

Once the risks are sufficiently offset and the risks are recalculated for those cloud offerings that voluntarily avail themselves of these aforementioned technically mitigated risks....then we can look forward to a developing insurance segment that can offer professional lines of coverage for cloud computing services.

Finally, finally, we come to the technical, operational offsets of client risks, where I am more familiar and on home ground. We will discuss using brokered services and APIs via blind third parties that will cover outages in the cloud. This is where the real work gets done. Without offsetting risks, there may never be adequate coverage options for clients of the cloud.

    Next post!
