Update on CompTIA’s Cloud Trustmark Progress

Comments Off on Update on CompTIA’s Cloud Trustmark Progress

comptiaAs I wrote here before, I am on CompTIA’s Cloud Executive Council and several of us are helping CompTIA come up with a Cloud Trustmark that would help IT Solution Providers determine, in a nutshell, how credible the cloud service provider happens to be. The following are my opinions and impressions and do not represent CompTIA, other members of the executive council or any other entity. I hope this information gives you a perspective for the hard work that is being done in our industry and encourages you to participate.

First a little bit of background – I originally objected to the idea of the Cloud Trustmark for the simple reason that the same executive council spent nearly a year just to come up with a well rounded definition of “What is the cloud” and creating a unified certification of the same would be either expensive or meaningless. The point of the association though is not just to sit and object to things that are difficult but to craft something that would be useful. Here is the summary of the major discussion topics:

Should we require a physical visit? Some felt that the certification would be neutered and meaningless without verifying that the physical location of the servers was not confirmed in person. The concern was rejected because the effort would be too expensive to execute, wouldn’t be relevant for a large number of cloud service providers that do not have a physical server infrastructure or had a very large footprint (multiple data centers).

Should we certify security or financial information? This was a broad discussion over what financial and security processes could be identified, verified and how they would be reported. For example, should the certification conduct a PCI-like scan and if so what would be done if the company had no PCI-requirement. Does a company pass or fail the certification solely on their extensive backoffice infrastructure or does lack of one create a liability? As you can tell, this was a long discussion that revealed the complexity of even CompTIA’s ability to effectively report on the credentials of a service provider.

What should the certification include? Should the certification be a pass/fail, a checklist of applicable criteria, score based or something else? The complexity of the cloud service provider business models lead us to the final question:

What would be valuable to the VAR/MSP/consulting community? The entire meeting included only vendors and CompTIA staff. While we know what helps us position our solutions, are those necessarily the same components that you would value? This is why it’s so important for IT Solution Providers themselves to be a part of CompTIA AMM and annual meetings and voice their needs (in part writing posts like these is to solicit your opinion and encourage you to). The decision was made for the CompTIA research team to conduct a poll of service provider members and gather some feedback.

I will keep you up to date as this develops further and encourage you to both send me your feedback and attend the CompTIA Cloud meetings and conferences. There are Cloud Café’s at major IT conferences this year, please get involved. Yes, it’s free.

My personal opinion: CompTIA has no footprint/legitimacy in the cloud so the Trustmark as an endorsement wouldn’t be meaningful on the same level as many other industry standards that evaluate security, credit card transactions, accounting standards, operations management and so on. Where CompTIA does have a foundation to build a certification on is it’s relationship with the IT workers and in my opinion the true value of the certification would be in helping IT staff compare cloud providers on equal footing in terms of which standards they comply with, which industry standards are being met and so on. Passing a trademark for the sole purpose of having another trademark that less than a few dozen people would be interested in only cheapens the value of other established trademarks and CompTIA’s reputation in the IT industry, if you feel that there is a need for this certification to exist and can clearly demonstrate the criteria that are important I implore you to join us and help us build it.