This article is by Sam Higgins, research director at Longhaus, a leading Asia-Pacific ICT industry analyst firm covering Australia and near shore markets. This article first appeared in the firm’s Longview journal (PDF) and is published here with its permission.
analysis In June 2010 Microsoft held an industry analyst event in Sydney. In attendance was Greg Stone, chief technology officer for Microsoft in Australia and New Zealand.
Amongst other things Longhaus discussed with Stone were issues relating to standards, data sovereignty and regulation of the global cloud computing market. One particular element of that discussion was market supervision and in particular what happens when cloud providers fail; and who is responsible for mitigating this risk? It was a topic that also received attention from Laura Smith of SearchCIO.com in August.
Compared with other utility or critical industries, it is reasonable to say that information technology is only lightly regulated. If you step beyond technology manufacturing, of which there is little in Australia, and telecommunication service providers being monitored by the Australian Media and Communication Authority (ACMA), this is especially so.
Instead, most ICT companies — including the new breed of cloud computing providers — are left under the broad watch of the Australian Securities and Investment Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC). A simple search of the current policies of ASIC, ACCC and ACMA reveals that beyond email scams and spam, none of these organisation is paying sufficient attention to the new industrial phenomenon that cloud computing represents.
Indeed, even the reported government policy thinking to date appears limited to how to exploit cloud computing for the sake of internal efficiency or security, rather than about what the reality of paying an offshore firm not required to be registered for Goods and Service Tax (GST) means for Australia’ s taxation revenue. If one was to assume for a moment that cloud computing, in all its “as-a-service” forms, will become the dominant model for provision of ICT, then like any core element of economic prosperity, be it water, power, health, travel or of course money, this increasingly attractive market requires oversight.
The truth is cloud computing as a dominant model for ICT services is not an assumption. It is fast becoming a reality, with 62 percent of large Australian organisations from Longhaus’ 2010 ICT Adoption and Priorities Study indicating cloud computing would be a priority to manage cost of ICT in the next financial year. It is therefore critical that policy makers and buyers start asking at least two simple questions: What standards or policies are in place to ensure that cloud providers manage their assets appropriately to protect businesses from the risk of a collapse? And what recourse is there for a business that is locked into a long-term contract with a cloud provider?
The answers today to both questions are: “None”. The current system relies almost exclusively on the “power of the market”. This is a power we clearly saw abused by individuals and institutions alike on Wall Street that contributed, if not caused, the most recent global financial crisis.
Like the financial, water and power systems, ICT has specialised considerations that require expert knowledge and insight in order to be effectively managed in the long term. It makes sense that ICT services of the global reach and wide-scale adoption that cloud computing currently presents should also be subject to scrutiny by third-party organisations that have the requisite skills and capability to provide proper oversight. It is not acceptable to simply leave the complexities of cloud computing and their associated need for large scale capital refreshes and long range marginal costing models to ASIC or the ACCC.
Take the Australian Prudential Regulation Authority (APRA) as an example. Funded primarily by industry but created within a regulatory framework that arises from the “four pillars” policy, its mission reads as follows: To establish and enforce prudential standards and practices designed to ensure that, under all reasonable circumstances, financial promises made by institutions we supervise are met within a stable, efficient and competitive financial system.
It is through this mission, enabled by the collection of essential statistics regarding the viability of every financial institution operating within Australia, that was a key mechanism in preventing Australia’ s banking system from over-leveraging and accepting excessively high toxic debt. Arguably Australia’s regulatory mechanism worked to prevent excessive impacts of the Wall Street disease from infecting its own financial system.
The same is true of all the other core elements of economic prosperity mentioned above. Each of which has specialised regulatory frameworks that include the following features:
- Industry associations to represent key players and their economic interests to government and the regulator;
- Formalised user or consumer groups to advocate on behalf of buyers to government and the regulator;
- A “reserve” or element of government participation or ownership, such as the Reserve Bank in financial markets, or the Universal Service Obligation legislation in telecommunications;
- An independent industrial ombudsman to monitor complaints and handle mediation of disputes which in turn provides a crucial lead indicator of potential trouble;
- A formally regulated industry monitor or watchdog to consider matters such as anti-competitive behaviour, foreign investment levels and transactions, price monitoring, standards compliance and to gather key statistics and report on the viability of the “system” overall; and
- Minimum industrial standards for interoperability, fairness, other reasonable buyer protections and service obligations.
It is time that the Australian ICT Industry created an appropriate regulatory model for cloud computing and once again showed the world its ability to create resilient and innovative environments for effective business — just as was done when the G8 turned to the APRA model as the basis for global financial regulation.
The alternative is that inevitably when the Enron, WorldCom, Lehman Brothers, Pyramid Building Society, HIH or OneTel-like collapses finally hit the global or local cloud computing market, it is with little doubt that questions will be raised about why our political and industrial masters left such critical services unregulated and under-supervised for so long.