Cloud computing requires professional, independent and trustworthy certifications

I had written about a year ago on the sense and nonsense of cloud seals, certificates, associations and initiatives. At that time I already come to the conclusion that we need trustworthy certifications. However, the German market looked rather weak and was represented alongside EuroCloud with other advocacy groups as the “Initiative Cloud Services Made in Germany” or “Deutsche Wolke”. But there is a promising independent freshman.

Results from last year

“Cloud Services Made in Germany” and “Deutsche Wolke”

What initiatives generally have in common is to try to steer as many providers of cloud computing services as possible in their own ranks with various promises. Especially “Cloud Services Made in Germany” jump on the supposed quality feature Made in Germany, and promises to “more legal certainty in the selection of cloud-based services …”.

And exactly this is how “Cloud Services Made in Germany” and “Deutsche Wolke” position themselves. With weak criteria, both of them are very attractive for vendors from Germany, which in turn can advertise with the “stickers” on their websites. But in the criteria nothing is discussed in any way about the real quality of a service. Is the service really a cloud service? How is the pricing model? Ensures the provider a cloud computing conformal scalability and high availability? And many more questions that are essentially important to evaluate the quality of a cloud service!

Both initiatives have in any case credentials in their form. However, they should not be used as a quality criterion for a good cloud service. Instead, they belong to the category “Patriotism: Hello World, look we Germans can also do cloud.”

EuroCloud and Cloud-EcoSystem

In addition to these two initiatives, there are the association EuroCloud and Cloud-EcoSystem, both advertise with a seal and certificate. EuroCloud has its SaaS Star Audit. The SaaS Star Audit is aimed, as the name implies, exclusively to software-as-a-service provider. Depending on the budget, the provider may be honored by one to five stars by the EuroCloud federation, but must also be a member of EuroCloud. The number of stars says something about the scope of the audit. While with one star only “contract and compliance” and a bit “operating infrastructure” are being checked, five stars also check processes and security intensively.

The Cloud-EcoSystem by contrast has with its “Cloud Expert” a quality certificate for Saas & Cloud Computing consultants and with its “Trust in Cloud” one for cloud computing providers. A “Cloud Expert” after the definition of the Cloud-EcoSystem should offer providers and users a decision guidance. In addition to writing, creating professional articles and checklists an expert also carry out quality checks. Furthermore, a customer should be able to trust that the advisor has certain properties of criteria for “cloud experts.” So every “cloud expert” should have a deep understanding and basic skills, and have references available and provide its self-created documents on request. Basically, according to the Cloud-EcoSystem, it is about to shape and present the Cloud-EcoSystem.

The “Trust in cloud” certificate should serve as guidance for companies and users and establish itself as a quality certificate for SaaS and cloud solutions. On the basis of the certificate users receive the opportunity to compare cloud solutions objectively and come to a secure decision. The certification is based on a set of 30 questions, divided into 6 categories each of 5 questions. The questions must be answered by the examinee with Yes or No and also be proved. If the cloud provider answers a question with Yes, he receives a “cloud”. The checklist includes the categories of references, data security, quality of provision, decision confidence, contract terms, service orientation and cloud architecture.

Both EuroCloud and the Cloud-EcoSystem go the right way and try to evaluate providers based on self-imposed criteria. However, in this case two points should be questioned. First, these are associations, that means as a provider you have to be a member. It is legitimately asked which association member can fail an examination – independence? Furthermore, both create their own requirements catalogs, which are not comparable. Just because a provider has a “seal of approval” of two different associations, which evaluate according to different criteria, does not mean at all that the cloud service also provides real quality – confidentiality.

The pros get into the ring: TÜV Rheinland

Regardless of all the organizations that have come together specifically for the cloud, TÜV Rheinland has launched a cloud-certification. TÜV itself is most likely aware of the testing and acceptance of cranes, fun rides and the general inspection for the car. But also have more than 15 years of experience in the IT areas of consulting and certification with regard to compliance, risk management and information security.

The cloud-certification process is extensive and has a price. A first look at the audit process and the list of requirements shows that the TÜV Rheinland has thus developed a very powerful tool for the testing of cloud services and infrastructures.

Starting with a “Cloud-Readiness Check” first security, interoperability, compliance and data privacy are checked for their cloud-based suitability and a plan of action is created. This is followed by the review of the “cloud design” in which the concept and solution are examine carefully. Among others, topics such as architecture but also the network security and access controls are examined. Afterwards, the actual implementation of the cloud solution is considered and quality checks are carried out. After, the preparation of the certification follows and later the actual certification.

The cloud requirements catalogue of the TÜV Rheinland comprises five main areas, which are in turn subdivided into a number of sub-elements. This includes organizing processes, organizational structure, data security, compliance / data privacy and processes. All in all a very profound requirement catalog.

In a called reference project TÜV Rheinland requires eight weeks for the certification of an international infrastructure-as-a-service provider.

Independent and trustworthy cloud certifications are mandatory

The quality and usefulness of certificates and labels stand and fall with the companies that are responsible for auditing and their defined criteria. Weak requirements catalogs meet neither an honest statement, nor will they help to illustrate the clear differences in quality of cloud solutions for the buyer. On the contrary, IT decision-makers in doubt rely on these supposedly tested services, whose quality is another matter. In addition, in cloud computing it is not about to install a software or a service. At the end it is consumed only and the provider is responsible for all other processes that would otherwise have taken the customer himself.

For this reason, independent, trustworthy, and above all professional certifications are necessary to ensure an honest statement about the quality and property of a cloud service, its provider and all downstream processes such as security, infrastructure, availability, etc. As a provider one should be honest with themselves and at the end decide on a certification, which focuses on professional lists of criteria, not just scratch the surface but deeply immersed in the solution and thus make a credible statement about the own solution.

By Rene Buest

Rene Buest is Gartner Analyst covering Infrastructure Services & Digital Operations. Prior to that he was Director of Technology Research at Arago, Senior Analyst and Cloud Practice Lead at Crisp Research, Principal Analyst at New Age Disruption and member of the worldwide Gigaom Research Analyst Network. Rene is considered as top cloud computing analyst in Germany and one of the worldwide top analysts in this area. In addition, he is one of the world’s top cloud computing influencers and belongs to the top 100 cloud computing experts on Twitter and Google+. Since the mid-90s he is focused on the strategic use of information technology in businesses and the IT impact on our society as well as disruptive technologies.

Rene Buest is the author of numerous professional technology articles. He regularly writes for well-known IT publications like Computerwoche, CIO Magazin, LANline as well as and is cited in German and international media – including New York Times, Forbes Magazin, Handelsblatt, Frankfurter Allgemeine Zeitung, Wirtschaftswoche, Computerwoche, CIO, Manager Magazin and Harvard Business Manager. Furthermore Rene Buest is speaker and participant of experts rounds. He is founder of and writes about cloud computing, IT infrastructure, technologies, management and strategies. He holds a diploma in computer engineering from the Hochschule Bremen (Dipl.-Informatiker (FH)) as well as a M.Sc. in IT-Management and Information Systems from the FHDW Paderborn.