Categories of Cloud-Related Standards

Cloud standards are still in the process of being developed and implemented. Some are coming along, but watching the development of these standards can be frustrating to many, from cloud providers to cloud consumers. New standards bodies emerge, whereas others seem to flounder. Some of the current challenges in achieving widely adopted hybrid cloud standards include the following:

• The cloud is still undergoing considerable innovation. The rate and pace of technology innovation is outpacing the rate at which technology can be standardized. Creating standards is difficult if the technology is constantly evolving.

• Hundreds of technology standards organizations are out there. Many have or are working on creating cloud standards. Some of these groups work together; however, with so many standards bodies, overlapping standards can emerge. Additionally, some lose steam — or more importantly, funding — and simply fizzle out.

• Not all standards are created or established equally. For a standard to truly succeed, it needs to be

    • Broadly adopted by vendors

    • Broadly adopted and required by consumers

    • Open source (eventually)

If these criteria are not met, a “standard” is far from standard and is instead just a piece of paper.

Regardless, establishing hybrid cloud standards is important because standards help improve choice, reduce cost, and improve quality. Standards are being developed in many very specific areas, but broadly, areas where standards are being developed include the following, which we discuss further throughout this section:

• Interoperability

• Portability

• Security

Interoperability

Interoperability is the ability to interoperate between two or more environments. This includes operating between on-premises data centers and public clouds, between public clouds from different vendors, and between a private cloud and an external public cloud. For example, from a tooling or management perspective, with the right broadly established standards, one would expect that the application programming interfaces (APIs), the tools used to deploy or manage in the cloud, would be used by multiple providers. This would allow the same tool to be used in multiple cloud environments or in hybrid cloud situations.

Interoperability is especially important in a hybrid environment because your resources must work well with your cloud providers’ resources. To reach the goal of interoperability, interfaces are required. In some instances, cloud providers will develop an API that describes how your resources communicate with their resources. APIs may sound like a good solution, but problems can arise. If every cloud provider develops an API, you run into the problem of API proliferation, a situation where there are so many APIs that organizations have difficulty managing and using them all. Having so many APIs can lead to vendor lock-in, which means that once you start using a particular vendor, you’re committed to them. All of this can also lead to portability issues.

Different approaches have been proposed for cloud interoperability. For example, some groups have proposed a cloud broker model. In this approach, a common unified interface, called a broker, is used for all interactions among cloud elements (for example, platforms, systems, networks, applications, data).

Alternatively, companies such as CSC and RightScale have proposed an orchestration model. In this model, a single management platform is provided that coordinates (or orchestrates) connections among cloud providers. Recently, NIST documented the concept of functional and management interfaces when discussing interoperability. The interface presented to the functional contents of the cloud is the functional interface. The management interface is the interface used to manage a cloud service. Your management strategy will vary depending on the kind of delivery model utilized (for more on delivery models, see Chapter 1).

Another player in the interoperability space is the Open Services for Lifecycle Collaboration (OSLC). The OSLC is working on the specifications for linked data to be used to federate information and capabilities across cloud services and systems.

NIST has also cataloged existing standards. According to NIST, many existing IT standards can help to contribute to the interoperability among cloud consumer applications and cloud services, and among cloud services themselves. However, only the following two interoperability standards are developed and accepted specifically for the cloud (although others are currently under development and are likely to emerge quite soon):

• Open Cloud Computing Interface (OCCI): A set of standards developed by the Open Grid Forum. OCCI is a protocol and API for all kinds of management tasks and utilizes the REST (Representational State Transfer) approach for interaction. It began its life as a management API for IaaS services. It now supports PaaS and SaaS deployments.

• The Cloud Data Management Interface (CDMI): Developed by the Storage Networking Industry Association (SNIA). It defines the functional interface that applications should use to create, retrieve, update, and delete data elements from the cloud. It also utilizes a RESTful approach.

Some standards currently under development include the Institute of Electrical and Electronics Engineers (IEEE) IEEE P2301, Draft Guide for Cloud Portability and Interoperability Profiles (CPIP); and the IEEE P2302, Draft Standard for Intercloud Interoperability and Federation (SIIF).

Portability

Portability enables you to take applications, data, or instances running on one vendor’s system and deploy them on another vendor’s implementation. For example, you may want to move your data or application from one cloud environment to another. Or you may want to use the cloud for cloud bursting — gaining additional compute power from the cloud during peak demand times or when on-premises resources are otherwise tied up. An example is when you need extra capacity to meet peak demands so you share the load with external cloud providers. Or you may want to move your virtual server from one environment to another.

The goal of obtaining portability is that your components (such as an application or data) can be reused when moved between different vendors. This is regardless of the platform, operating system, location, storage, or anything else in a provider’s environment.

One example of a standard that has gained some traction in the cloud environment is the Open Virtualization Format (OVF) developed by the Distributed Management Task Force (DMTF). This standard was developed jointly by the likes of Citrix, Dell, HP, IBM, Microsoft, and VMware. The idea is to streamline the installation of a virtualized platform. This standard addresses portability and interoperability issues for virtual machines. The multivendor format includes a set of metadata (virtual machine hard drives, information about resource requirements, a digital signature, and so on) that enables virtual machines to be used in multiple environments. This helps with the application portability issue.
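The integrity metadata in an OVF package matters when a virtual machine crosses from one provider to another: an OVF package can carry a manifest (.mf) file whose lines take the form ALGO(filename)= hexdigest, and the importing side can check every file against it before deployment. The following is an added example, not code from the book or from the DMTF; the file names and contents are constructed, rejecting SHA1 entries is an assumed local policy, and checking the package's signature certificate is a separate step not shown here.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Manifest line format used by OVF packages: ALGO(filename)= hexdigest
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")
ALLOWED = {"SHA256", "SHA512"}  # assumed local policy: SHA1 entries are rejected

def verify_manifest(package_dir, manifest_name):
    """Return {filename: status} for every entry in the manifest."""
    root = Path(package_dir).resolve()
    results = {}
    for line in (root / manifest_name).read_text().split("\n"):
        m = MANIFEST_LINE.match(line.strip())
        if not m:
            if line.strip():
                results[line.strip()] = "malformed"
            continue
        algo, name, expected = m.groups()
        target = (root / name).resolve()
        if root not in target.parents:      # entry points outside the package
            results[name] = "outside-package"
        elif algo not in ALLOWED:
            results[name] = "weak-digest"
        elif not target.is_file():
            results[name] = "missing"
        else:
            h = hashlib.new(algo.lower())
            with target.open("rb") as fh:   # stream: disk images can be large
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            results[name] = "ok" if h.hexdigest() == expected.lower() else "mismatch"
    return results

def demo():
    """Build a constructed package in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d)
        (pkg / "vm.ovf").write_bytes(b"<Envelope/>")           # constructed descriptor
        (pkg / "disk1.vmdk").write_bytes(b"constructed disk")  # constructed disk image
        good = hashlib.sha256(b"<Envelope/>").hexdigest()
        stale = hashlib.sha256(b"original disk").hexdigest()   # disk changed after manifest
        (pkg / "vm.mf").write_text(
            f"SHA256(vm.ovf)= {good}\nSHA256(disk1.vmdk)= {stale}\n"
            f"SHA1(old.iso)= {'0' * 40}\nSHA256(../x)= {'0' * 64}\n")
        return verify_manifest(pkg, "vm.mf")
```

Any status other than "ok" is a reason to stop the import; a manifest by itself only detects changes made after it was written, so it is meaningful only when the manifest is in turn covered by a signature you trust.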

On the data side, standard formats and protocols are needed for data to be moved between one environment and another. Most experts believe that data portability is more difficult than application portability because there are different kinds of data, with different volumes, and that ultimately the control of that data belongs to the owner of the data. The CDMI standard mentioned previously has been approved to help in data portability. Another standard currently under development by the IEEE is the earlier mentioned IEEE P2301, Draft Guide for Cloud Portability and Interoperability Profiles (CPIP).

Security

Cloud security is such a big concern that we devote Chapter 15 to it. You need to make sure that the right controls, procedures, and technology are in place to protect your corporate assets. Your organization has invested a great deal internally to protect your assets, and it’s reasonable to assume that your cloud provider will do the same. A sound security strategy is especially important in a hybrid environment where your private cloud or data center has touchpoints with public cloud services.

Cloud security standards are a set of processes, policies, and best practices that ensure the proper controls are placed over an environment to prevent application, information, identity, and access issues (to name a few).

Numerous standards have already been approved and are currently used widely in the area of security, including standards for the following:

• Authentication and authorization: A number of standards are in use to verify the identity of a person or computer. These include standards associated with the following keys (see Chapter 15 for more on keys and encryption):

    • IETF RFC 3820: X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile

    • IETF RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

    • ITU-T X.509 | ISO/IEC 9594-8 — The Directory: Public Key and attribute certificate frameworks: Information technology — open systems interconnection

• Security monitoring and incident response: Some standards have been approved to handle security monitoring and incident response. These include the best practices developed by NIST in the NIST SP 800-61 Computer Security Incident Handling Guide.

• Confidentiality, integrity, and availability of data: We address data issues more fully in Chapter 11. However, a number of standards that have been on the market for some time deal with encryption of data, keys, and data transport. These include the Key Management Interoperability Protocol (KMIP), developed by OASIS; and FIPS 186-3 Digital Signature Standard (DSS), developed by NIST.

• Security policy management: These standards set forth best practices and procedures for implementing policies around security. FIPS 200: Minimum Security Requirements for Federal Information and Information Systems developed by NIST is an example of this kind of standard.

For a complete list of these standards and gaps in security standards, we encourage you to get a copy of the NIST Cloud Computing Standards Roadmap described in the next section.
