In some occasions, specially when the issue we want to analyze or study is complex or very new, it could be useful to use analogies. We say that because, to explain the use of the security rating model we propose, we like to draw upon a very daily analogy: We compare cloud services with an hotel room.
You could tell us that we are crazy and that they do not have anything in common, but if we think again about it, in both cases:
- We are talking about a sharing infrastructure
- There is a huge and diverse offer with great disparity of prices
- A priori, it is really difficult to know (until you arrive the room) the real quality and the environment (above all, if we think in cities we do not know well)
- Once we have chosen one, it is difficult to change it (we mean that once you arrive the hotel, you decide to change to another, it is not easy to find another one in the same city that you like more - availability of information, of time, or even availability of free rooms)
So, to try to answer the question, rating or certification?, we think in what happens in hotel sector and we find that the answer is: both.
And, why both? Well, it is easy, because:
- There could not exist an unique global standard (i.e., it is not as power supply where everything uses 220-240V). Users must have the option to choose and, therefore, we cannot have an universal standard, like HTML.
- However, there should exist some minimum requirements that should be satisfied and that guarantee a minimum service quality level to the users (in hotels case, we talk about something like an operating license).
- But, after that, considering that it is an imperfect market (you know, with asymmetry of information) and users must have the option to compare between different offers with reliable information, we need a rating model that helps them to take that decision (in hotels case, we have the famous star scheme)
So, and as conclusion, our answer to the rating or certification dilemma is clear: certification of minimum requirements and security rating above that, to bring transparency to the users decision process.
You can follow us on twitter.com/leet_security