Microsoft Pty Ltd

Microsoft Submission to ACS Cloud Protocol Discussion Paper

General Comments

Microsoft appreciates the opportunity to respond to the Cloud Computing Consumer Protocol: ACS Discussion Paper July 2013 (the protocol).

We acknowledge the considerable efforts of the contributors and team at the Australian Computer Society (ACS) in drafting the discussion paper and in endeavouring to deliver on the recommendation of the Australian Government’s National Cloud Computing Strategy.

In addition to some general comments, we have provided responses to each of the relevant questions (those related to providers as opposed to users) asked within the Discussion Paper. It is critical that the objective and proposed uses of the protocol are well defined. In addition, the protocol should clearly state what it is not proposed to be used for.

The aim should be to achieve a simple set of common disclosures that improve the ability for consumers, businesses and other organisations to make an informed choice about Cloud services. Microsoft believes the protocol should not aim to become de facto regulation by prescribing standards or answers; or become a mandatory requirement for procurement.

Business Readiness

Firstly, Microsoft would question whether businesses are truly “… reticent to integrate the cloud into their businesses and operations.”1

We are seeing strong global appetite and take up from organisations of all sizes as they come to understand the options and business models related to Cloud computing. In the consumer market, Cloud computing adoption is widespread and growing rapidly.

On this point, it is our opinion that it is too early to take the view that there has been a market failure requiring significant intervention. We also feel that current legislative protections like Competition and Consumer laws and the Privacy Act provide adequate protection for cloud consumers.

Relevance of Government Guidelines

Guidelines developed for internal Government use include standards, recommendations, and positions that may not be appropriate for small and medium business.

For example, the DSD Cloud Considerations paper, developed by an organisation with a primary focus on protecting national security secrets, is not relevant for a broader national audience and includes statements like:

“DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders” 2

The Attorney General’s Department Policy for the Storage and Processing of Information in Outsourced or Offshore ICT Arrangements goes even further. This new policy introduced arbitrary requirements whereby any government agency wishing to utilise the benefits of public cloud requires (a) a formal and explicit risk assessment, (b) an audit against the mandatory requirements of the Protective Service Policy Framework, (c) the formal approval of the Agency Head, and (d) the formal approval of both the Minister and the Attorney General.3

Far from being useful guidance to encourage small and medium business to leverage the economic and security benefits of cloud computing, this guidance is more likely to be a much greater inhibitor of progress.

We also feel that the ACS should avoid trying to build requirements into any proposed code that aims to address the National Cloud Computing Strategy objective of: “Responsiveness to market and technology developments”4. This is a highly subjective statement that is at the core of innovation and competition within the cloud services market. It would be nearly impossible to develop language that would enable industry compliance and meet this objective.

Transparency and Trust

We do, however, strongly support transparency, particularly with relation to customer data. Cloud providers should contractually commit that at all times, customers own their own data, and retain all rights, title and interest in the data stored with the provider. Customers should be able to download a copy of all of their data at any time and for any reason, without any assistance from the Cloud provider.

Customers should have full control and access to their data and be able to remove or delete it as they deem necessary throughout the duration of the service. In addition, customers have the option of purchasing services from a variety of IT organisations to assist them in migrating their data.

In line with this commitment on transparency and privacy, we have developed online Trust Centres that provide additional information for our Cloud services including: Office 365, Dynamics CRM Online, and Windows Azure.

Guiding Principles

There are some guiding principles for any Protocols developed with regards to cloud:

• Transparency is key: Any voluntary code should seek to encourage transparency and disclosure as the basis of an improved trust relationship with customers.

• Avoid a prescriptive one size fits all approach: Microsoft alone operates more than 100 Cloud services, many of which have different business models (e.g., free, subscription based, or ad-funded), platforms, and audiences (e.g., consumer, commercial, Government, or a combination of these). Prescriptive and coverall reporting/disclosure requirements may not be relevant across all of these services.

• Don’t try to create new standards: Cloud computing services are global services. Incompatible regulatory or standards regimes impose barriers to market entry and additional costs, not just for global organisations in providing services to Australians, but also for Australian cloud providers trying to access international markets. Encouraging and supporting the adoption of global standards and best practice creates a level playing field for all providers.

2 DSD Cloud Computing Security Considerations, page 1

3 Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT arrangements, page 7

Question 1. Do you believe a voluntary protocol in which cloud suppliers provide undertakings and information about their services would improve confidence in the market and increase the adoption and take-up of cloud computing services?

As stated, we feel that it is too early to establish that there is a lack of confidence in the market. We have witnessed strong global adoption of our cloud services. For example 250 million people use our cloud storage service Skydrive, there are 400 million Outlook.com accounts, 7 million people use our corporate social media platform Yammer and use of our cloud-based productivity suite Office365 is growing rapidly.

Question 2 b). If you are a provider of cloud services, is the description above of cloud services and the outline of its benefits accurate and comprehensive for prospective users who may know little of the details of cloud computing?

Microsoft is broadly comfortable with the definition and benefits outlined within the Discussion Paper.

However, any Protocol should avoid making sweeping statements with regards to cost savings or pricing, as this will vary dramatically across the market and also needs to consider an organisation’s particular circumstances.

In a competitive market, it is ultimately incumbent on the cloud service providers to adequately describe the service and demonstrate the benefit, including financial benefits of a service; and on customers to conduct their own financial due diligence.

Question 4. Are there other disclosures from cloud vendors that have not been outlined in this section? What are they?

Any code should avoid prescribing the format or content of the answers.

For example, when customers are asking about security, they typically want to know what security practices and standards are in place for data that is at rest or in transit, and how their data might be used and disclosed while it is in the provider’s care.

For most customers, critical questions include:

• Where are security practices and standards for the service documented by the provider?

• Where does the provider document its protocol for handling law enforcement enquiries relating to customer data associated with the service?

• Does the provider use customer data associated with the service for any purpose other than providing the service to the customer? If so, where does the provider document its other uses of the customer data?

In addition to those disclosures outlined within the Discussion Paper, data mining should be disclosed, such as whether the provider will mine a user’s data for the purpose of serving advertising or another commercial reason.

Other potential questions to use as the basis of disclosures include:

• What is the service?

• Where are the features of the service documented?

• How can documents and data be worked on when there is no internet connection and synchronised when the internet connection is restored?

• Where is the fee for the service documented?

• How much notice do I get about fee increases?

• Do I need anything else to make it work the way I need it to?

• How much does the service cost to set up?

• What is the on-going service fee, and how long do I have to commit to?

• How well does the service respect and protect my data?

• Will the integrity and content of documents and other data be preserved?

• Could the provider use my data (beyond providing me the service I’m paying for)?

• Could the provider use my data to build advertising profiles on my staff or clients?

• Could my staff and clients easily keep their work and personal identities separate?

• Is the service certified to ISO27001?

• Is there a response to the Cloud Security Alliance’s standard questions for the service?

• What are the data protection and data recovery practices for the service?

• What is the policy for dealing with law enforcement requests relating to the service?

• What level of support is available for the service?

• How extensive is the professional support network I can turn to in Australia?

• What standard of reliability does the provider promise for the service?

• How am I compensated if reliability standards are not met?

• Are any parts of the service not covered by the reliability standard?

• Is audited financial information about the provider publicly available (e.g., is the provider a listed company)?

• Is the provider financially sound?

• Is it practical for me to leave the service?

• Will I have time to retrieve my data?

• Can I get my data out in a format that is easy to transfer to another service?

Question 6. If you are a provider of cloud services and products, what is the current state of market confidence in cloud computing, and are there any outstanding transparency issues that concern users? If so, what is the best method of addressing these concerns?

According to IDC, Public IT cloud services spending will reach $98 billion in 2016, with a compound annual growth rate (CAGR 2011-2016) five (5) times the growth of the IT industry overall.5 These strong growth rates for Cloud demonstrate improved market confidence in Cloud services. As adoption increases and businesses become more familiar with Cloud services, we also feel that user confidence is growing.

Providing open and transparent information about Cloud services is the best way to address any potential concerns. In line with this our online Trust Centres provide additional information for users of our Cloud services aimed at building trust and improving transparency.

Again, it’s important for consumers of Cloud services to do their own risk analysis, based on best practice checklists and other relevant information made available by Cloud providers and the industry, and then to be free to make their own choice. Any proposed protocol should aim to support this informed choice.

Question 7. If a voluntary protocol is introduced, do you have any comments on potential compliance costs, jurisdictional complexities and the interaction between the Protocol and other cloud standards currently being developed globally?

We strongly support the ACS’ view that: “any cloud protocol for Australia must avoid further regulatory complexity, jurisdictional variation, anti-competitive outcomes and overly prescriptive disclosure requirements.”

In general, due to the need to scale and to keep the prices as low and competitive as possible, whilst Cloud computing services are configurable, they are not customisable. The service is the same for every customer and so customers need to do their own due diligence to determine whether any given service is suitable for their specific needs.

For example, vendors have their own security standards and protocols, usually based on recognized world standards like ISO and so they are not in a position to agree to comply with a customer’s specific security policy, or some other self-regulatory scheme or protocol, to the extent they differ from the worldwide standard followed by the vendor.

As with any technology, innovation generally precedes standardisation. Cloud computing is in no way different. Many Cloud providers have achieved certification with the internationally recognized ISO 27001. Already international standards such as ISO 27035 are in draft that embody the consensus acceptance of global practices in standards.

We do not support any attempt to provide an exhaustive or recommended list of standards. Industry standards are continually evolving and a list would quickly be outdated.

To the extent that any voluntary/self-regulatory scheme purports to require Cloud vendors to change the service or the policies that govern it (i.e. security and privacy), then the majority of Cloud vendors will not be in a position to sign up to it.

This may then have the adverse effect of limiting competition and preventing market entry, to the extent that customers or consumers see a vendor’s compliance with such regulatory regime as a mandatory pre-condition of any purchase and so avoid vendors who are not able to join.

The impact of an additional protocol may adversely impact both the cloud provider and the cloud consumer, as the consumer needs to factor the protocol into their procurement decisions, supplier engagement and onward supply chain processes. This is especially true in the very common scenario of application service providers who assemble and develop their offering on top of the offerings of global Cloud providers. Microsoft has thousands of local cloud partners who build solutions in this way who would feel any additional compliance burden.

Care would need to be taken with the proposed voluntary protocol to ensure that it does not add to the existing compliance burden that already exists both for cloud providers and cloud consumers.

Question 8. Using the New Zealand Code as an example, are there changes or improvements that could be made which would improve the efficacy of that process in an Australian context? Are there other issues not addressed in the New Zealand Code that need to be considered?
