Cloud Hosting

A lighthouse project that will shine a light to guide both users and providers towards more trustworthy and transparent adoption of cloud computing in Europe and beyond.

Thats the bold claim made for the new EU Cloud Code of Conduct (CoC), the result of over four years of collaboration between the European Commission and suppliers from the cloud computing industry. Its stated mission is to make it easier for customers to determine whether cloud services from various providers are suitable for their designated purposes, as well as creating an environment of trust that adherence to its terms will result in a default level of data protection, built, of course, around GDPR (General Data Protection Regulation).

This is a very important moment for the industry, argues Agnieszka Bruyere, VP, IBM Cloud EMEA:

Up to now, we have been missing a reliable, easy tool to assess the compliance of cloud computing services with data protection regulations. This created an uncertainty for users and also cloud providers that slowed down the adoption of cloud computing all over Europe. This period has now come to an end.

This is the first tool in Europe that allows us to demonstrate not only compliance, but also to bring proof of compliance for cloud users and cloud providers all over the Europe. It's also very important because for the first time we have an independent monitoring body that has been accredited.

So whats actually in the Code? As per the CoCs own descriptor, the Cloud Code of Conduct:

The Code is a voluntary instrument and service providers demonstrate compliance through self-evaluation and self-declaration and/or through third-party certification, attaining one of three levels of approval.

Providers have to:

convincingly explain how the requirements of the Code are met. The Monitoring Body will refer to questionnaires. First set of questions is a derivative of the Controls Catalogue. Depending on the information provided there will be follow-up questions or requests; questions are mostly related to better understand the actual measures; requests are mostly related to further evidence and samples. In case provided information leave doubts of a CSPs compliance requests may also be related to particular remedies and or confirmations.

Once a cloud service has been verified as compliant, it will be listed in the Public Register where customers can view the results. To date, a number of vendors have gone through or are in the process of going through the certification procedures. For example, SAP, Google, Workday and Microsoft already boast some level of compliance, while Oracle and Salesforce are completing their respective certifications.

Workday has been involved in the CoC collaboration since early 2018, says Barbara Cosgrove, the firms Chief Privacy Officer, attracted in part by its broad focus on all types of cloud services:

As a cloud provider, we continue to look for innovative ways to demonstrate to our customers that we meet our obligations. We think that you must have that 'trust, but verify it' approach. We have binding corporate rules for processors, we use that as a data transfer mechanism, along with other mechanisms. But we really thought that the Code of Conduct was a unique mechanism under GDPR where, in addition to having a contractual mechanism, you were able to tie it to much more detailed audits and monitoring.

The fact that the CoC covers SaaS, PaaS and IaaS offerings is being pitched as a significant differentiator compared to other similar initiatives. As Jo Copping, Salesforces EMEA Senior Director of Privacy, explains:

That makes it a very unique proposition and a really all-encompassing solution. The Code does bring really an unprecedented level of certainty and coherence to the market. Its a really robust tool of reference that can be used by cloud providers and cloud users alike to ensure that data protection standards really are high. As cloud providers, we get a robust tool that we can use to demonstrate our commitment to EU privacy principles and also to fundamental EU values.

European customers are very highly-sophisticated when it comes to their privacy and security requirements and they have very high expectationsMore trust leads to more cloud adoption which leads to more efficiencies and ultimately more benefits for European customers, citizens and also for the economy as a whole.

Another appealing aspect of the CoC is the existence of an independent body to monitor its operation and future development, argues Karine Picard, Vice-President of Business Development EMEA, Oracle:

It was absolutely key for us as well to have an authority, like SCOPE Europe, that can monitor and and drive continuous innovation of the Code. It's the first code, but it's not going to be the only one. Actually it's an evolutive code. With cloud and innovation, things are moving very fast, so to have this authority to monitor the code and to make it evolve in the right direction is really important as well.

The CoC sets a high bar for other parts of the world to emulate, suggests Nathaly Rey, Head of Data Governance EMEA, Google Cloud:

Normally our privacy programs are developed to scale globally. The things that you do - the product changes, the engineering changes, many of the contractual changes and the operational changes - not only impact Europe, but they impact your services globally. So, by virtue of adopting the Code, you're raising the bar for the industry and many times you're raising the bar for your compliance program globally.

GDPR and European privacy is inspiring what you do in other jurisdictions, in other countriesOther jurisdictions have taken the European model as an inspiration in terms of the principles that govern data protection. We're seeing many of the processes and provisions inspired by GDPR and the previous [EU Data Protection] directive. So, definitely there is a trend hereCodes of conduct like this are helpful to help operationalize high level principles into the state of the art for an industry.

So, thumbs up from all round from the supplier perspective, but what about the other side of the coin - will buyers really care about this or dismiss it as gesture politics from the sell-side? After all, every cloud services provider talks up trust and transparency and adherence to the likes of GDPR as a de facto part of their outreach already.

Oracles Picard argues that one obvious appeal for buyers is simplification:

If a customer already has multiple clouds in their landscape, they have to manage multiple SLAs (Service Level Agreements), and of course there will be interoperability of those clouds. We have to simplify their life and having IaaS, PaaS and SaaS under one code is really an asset for the customer. For a provider like us, because we cover all of these elements, it would have been very complex for us to have to follow up different codes. Our customers already know that we are following and committed to follow GDPR and ISO and SOC, but the Code is really providing another layer of insurance for them...It's really simplifying our life internally and the life of our customer.

And customers are, to date, taking note, suggests Workdays Cosgrove:

We've definitely had conversations with our customers about it. It helps pull together that entire picture. It helps us to not send them three different documents, to try to look at one place, to be able to have one mapping that we didn't do ourselves that's coming from an approved source. GDPR can be complex and [when you try] to apply it to different cloud industries, everybody starts to have different interpretations. Its so detailed and so having a place [customers] can go to and have this controls catalog and have an overall one stop to take a look and be able to review, has been really helpful. Then they can look at our other [corporate] resources and they can look up all of our audits and third-party certifications, but having one place that does that overall kind of mapping and expectation has been really helpful in the conversation.

It is that sort of ambition that makes this EU CoC so important, concludes Matthias Cellarius, Head of SAP Data Protection & Privacy:

It's not just one code of conduct, it's the Code of Conduct as I would put it. It's the first code that's been fully acknowledged by the European Data Protection Board, and it's operational as of today. I think that's the big, big difference. It's a role model for other codes of conduct. It's a lighthouse project and it'll be something that will transform the entire industry and from which all of our customers can benefit.

Cynics observe that the great thing about having a standard is there are so many to choose from. My own personal experience of standards bodies has been to observe years and years of collaboration and co-operation as the detailed work gets done, only for participating bodies to end up fighting like a bag of cats before the ink is even dry on the press release that work is complete on the first version of the standard.

This looks different. The SaaS, PaaS and IaaS remit overview is hugely welcome and the existence and involvement of SCOPE bodes well. There are some impressive supplier testimonials to back the Code up as well assome notable omissions to date. (Amazon - can you hear me?).

Critical here will be to watch how this EU initiative does or does not influence similar movements in other parts of the world. For all the fine words that get expressed about GDPRs impact, the harsh reality is that were a long way from beating down the vested interests at play in stopping a GDPR-US avatar from taking shape.

That said, this is impressive work to date. Its also important to recognize that it is ongoing work and work on which suppliers must be held to account moving forward. As SAPs Cellarius puts it:

We have made it the lighthouse project with the potential to transform the industry. It's now on us to actually fill it with life, to make sure that all the merits that are perceived today are actually going to turn into reality, and that we all show that we can comply and that we continue working on the Code and keeping it relevant, not only for now, but for the future.

Definitely something that we'll be keeping an eye on.

Read this article:
Conduct most becoming - Europes new Cloud Code of Conduct shines a light on trust and transparency between buyers and sellers - Diginomica