NAB, Open Data Center Alliance Creating Best Practices for Vetting Cloud Providers

In an effort to make the vetting of potential cloud applications less like a box of chocolates, National Australia Bank is working as part of an international coalition to enable due diligence tools, testing and standards for the cloud that help firms determine whether providers are adequately addressing common concerns such as accessibility and security.

"One of the big security issues with the cloud is what defines security. One of the things that we see is every service provider has a different take on security when you are looking to buy. It's hard to make an informed decision," says Matthew Lowth, a security architect at National Australia Bank. "One of the reasons to create standards is so you can scale up and down based on your need to execute a project and have knowledge of the security of the cloud. The standards inform consumers that if they buy a certain level of service they can expect certain levels of security."

Working as part of the Open Data Center Alliance (ODCA), which has developed and is continuing to work on guidelines for cloud investments, NAB is working to produce a standard proof of concept and template form that can be used to evaluate and test the level of protection offered by cloud providers and inform service level agreements. Among the new tech tools is a personal engine assistant, which is based on a standardized mark-up language that allows businesses to standardize cloud computing requirements that are included in requests for proposal and other documents. The tool analyzes the IT requirements of the business against the ODCA security standards and produces a description of cloud computing specifications that are sent to potential cloud providers.

The ODCA's standards include grades that range from bronze to platinum, which participating suppliers agree to follow. The grades note the minimum compliance and security needs of the client that is purchasing cloud services. This security would include access, or the promise that the provider can safely make the necessary capacity available when needed; as well as data breach prevention strategies, fraud mitigation, supply chain risk, authentication, and the firewalls and encryption that protect credentials and other information that resides in the cloud. The grades would not replace due diligence, but are designed to make it simpler — a "platinum" grade of security would offer protection consistent with the needs of the military, for example; while "gold" would meet the security needs of most financial firms.

The ODCA includes companies and IT suppliers that are working toward increasing use of cloud computing by businesses. The alliance includes banks such as JPMorgan Chase (JPM), UBS (UBSN) and Deutsche Bank (DBK), nonbanks such as BMW (BMW) and Disney (DIS), and a number of vendors that sell and develop cloud solutions. NAB, JPMorgan Chase and UBS are all also part of a steering committee that is focusing on the standards and interoperability model.

"If we look at the number of providers that have joined and the type of providers that have joined (including VMware (VMW) and Red Hat (RHT)), they have a vested interest in satisfying what large and small businesses want, so they can sell more software. We think the combined powers of the [vendors and other participants] is a powerful incentive for cloud suppliers to build out to the standards," says Denis McGee, general manager of application development and testing at NAB, who mentioned the alliance has 350 members globally, and would also work in conjunction with other standards organizations. The standards are obviously not regulations, but the goal is to make the standards part of service level agreements signed by firms and cloud service providers. "Three hundred and fifty members is a lot of purchasing power," McGee says.

The providers have reason to be concerned about the image of cloud security. In January, a survey of government agencies by the 1105 Government Information Group found that more than half of the respondents said cloud solutions aren't secure enough, with the majority citing security concerns such as data loss, identity authentication and credential management, clarification of record ownership, identity provisioning and the fear that cloud data will be exported to less secure countries.

NAB also hopes to increase its own use of the cloud. It is working with IT outsourcing partner IBM to develop a private cloud that offers "infrastructure on demand," rapidly provisioning IT resources so the bank can scale up quickly to execute marketing programs and handle the subsequent spike in processing from the new business those programs generate. "These needs can fluctuate up quickly, and then just as quickly fluctuate back down," McGee says.
