New Zealand updates cloud policy, follows in Australia’s footsteps

As all eyes were on Australia in the Asia Pacific cloud computing space, New Zealand has taken a similar leap through the Institute of IT Professionals NZ (IITP) and published an updated cloud policy, called the Cloud Code.

The v2.0, released today, has two key agreements for all potential signatories: no cloud washing, and upfront disclosure of cloud products and services.

New Zealand’s cloudy code of practice was first developed in 2011, in partnership with the major CSPs, so it could be argued that this release is a long time coming. Yet it certainly appears timely, with Australia pushing forward its National Cloud Computing Strategy back in May.

And with 86% of Australian enterprises currently in the cloud, according to figures recently published by IDC, the growth potential is clear – as CloudTech examined in its editorial earlier this month.

But what will this latest development mean for New Zealand cloud companies?

They won’t be able to advertise products as cloud if they don’t meet the strict definition of cloud computing as portrayed in the CloudCode, which is: “On-demand scalable resources such as networks, servers and applications which are provided as a service, are accessible by the end user and can be rapidly provisioned and released with minimal effort or service provider interaction.”

It’s hard not to agree with this, and there’s room for manoeuvre too; if a product fails on a technical level yet “meets the spirit of the definition”, then the IITP NZ can accept it at their discretion.

Similarly, the CloudCode recommends that signatories be listed on the CSA STAR Registry, bumping up security and setting best standards and practice. This is a disclosure in the latest report, not a mandatory requirement.

The latest report also focuses heavily on the complaints procedure, whether a statement made by a CloudCode signatory in its disclosure was “untrue or not accurate”.

If a complaint is lodged, the signatory firstly has a chance to respond to the complaint, before which the investigative team will upon advice form a draft report, for which both parties get 14 days to respond; before a final report is issued where there is a 14 day period of grace for response or appeal.

Again, nothing wrong with such measures, but as the report notes: “An investigation may take anywhere from a day to several months depending on the nature of the complaint.”

CloudCode is already available to providers in New Zealand, as well as NZ companies who operate abroad. A blog post from the IITP NZ revealed that a number of other countries, including Australia, were interested in adopting the code.

The report featured financial contributions from the likes of, Google and the Cloud Security Alliance, as well as consultation with Marie Shroff, the New Zealand Privacy Commissioner. In February, Shroff advocated in a report that the user, ultimately, is responsible for any privacy breaches.

In a statement, Shroff said of the v2.0: “By setting a standard for local cloud providers to follow, the code makes sure that participating providers will give the right information to consumers to help them make good decisions. This is a very positive initiative from the IITP and I hope it will be widely adopted.”

Back in November, research from Frost & Sullivan revealed that more than half of New Zealand companies are looking to increase their cloud budgets – and this latest policy will certainly tighten things up, for CSPs and consumers.

What’s your view of the latest report, and what will it mean for the New Zealand cloud industry?

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.