Organizations Building Momentum Around Standards

A number of organizations and informal groups are addressing standards issues in the cloud environment. Some of these organizations have been around for years; others are relatively new. Note: Some of these standards bodies aren’t necessarily looking to create new standards. Instead, they are looking to leverage existing best practices and standards such as those used in implementing the web and service-oriented architectures (SOA).

Several standards organizations have gotten together to create a cloud standards coordination wiki — a website that uses collaborative software to allow many people to work together to post and edit content. All groups can post their work at one spot: www.cloud-standards.org.

Cloud Security Alliance

We talk a lot about the Cloud Security Alliance (CSA) (www.cloudsecurity.org) in Chapter 15. The CSA formed in late 2008 when cloud security became important in users’ minds. Its founding members include Dell, PGP, Qualys, Zscaler, and the Information Systems Audit and Control Association (ISACA). The CSA’s goal is to promote a series of best practices to provide security assurance in cloud computing and to provide education. It’s important to note that the CSA itself isn’t an actual standards body. However, its objectives include promoting understanding between users and providers of cloud computing regarding security requirements and researching best practices for cloud security.

The CSA offers training in three areas:

• Governance, Risk Management, and Compliance (GRC)

• Payment Card Industry (PCI) Data Security Standard (DSS) controls in the cloud

• Cloud Computing Security Knowledge (CCSK)

The CSA also provides a certificate in CCSK via a 50-question timed online test. According to the CSA, the CCSK is meant to augment certifications in information security, audit, and governance, and not to replace them. The CSA recently rolled out its Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by cloud vendors. The registry is a form of self-regulation by cloud providers and is meant to help ensure that CSA best practices become de facto standards.

Recent reports produced by the CSA include version 3 of its Security Guidance for Critical Areas of Focus in Cloud Computing (https://cloudsecurityalliance.org/research/security-guidance/), which we talk more about in Chapter 15.

Distributed Management Task Force (DMTF)

The DMTF (www.dmtf.org) has been around for 20 years and may best be known for its common information model, which is a common view of IT equipment. Its goal is to bring the IT industry together to collaborate on systems management standards.

The DMTF formed the DMTF Cloud Management Working Group. The goal of the group is to develop specifications for architectural semantics to support the interoperable management of primarily IaaS clouds. The group will focus on compute, storage, and network infrastructure.

Its starting point utilizes work already done by the Open Clouds Standards Incubator, which launched in 2009, and focuses on standardizing interactions between different cloud environments by developing cloud resource management protocols, packaging formats, and security mechanisms to facilitate interoperability. The group will also use previous research from its work in the Common Information Model and the Open Virtualization Format (OVF). OVF describes an open, secure, and portable format for packing and distributing software that will be run on virtual machines.

National Institute of Standards and Technology (NIST)

NIST (www.nist.gov) has been in existence since 1901. It’s a nonregulatory federal agency that is part of the U.S. Department of Commerce. Its goal is to promote innovation and U.S. competitiveness by advancing standards, measurement science, and technology. NIST has its hands in all kinds of standards, from fire-related standards for your mattress to the auto emissions your car must (not) pass on the road.

NIST formed its cloud computing group to help federal agencies understand cloud computing. However, its reach has gone much further than the federal government. For example, its definitions of cloud computing models are widely used across all industries (refer to the NIST special publication 800-545, September 2011).

NIST recently completed its Cloud Computing Standards Roadmap (NIST special publication 500-291, July 2011, www.nist.gov/customcf/get_pdf.cfm?pub_id=909024). The purpose of the document is to assess the state of standards in cloud computing. The document contains an inventory of standards that currently exist to support cloud computing in the areas of security, interoperability, and portability. It also identifies some of the gaps. We discuss this document in the previous section of this chapter.

Cloud Standards Customer Council (CSCC)

The OMG (Object Management Group; www.omg.org) was formed in 1989 and is an international group focused on developing enterprise integration standards for a wide range of industries, including government, life sciences, and health care. The OMG creates many working groups that focus on issues important to both vendors and customers. One important group within the OMG is called the Cloud Standards Customer Council (CSCC).

The CSCC (www.cloud-council.org) provides modeling standards for software and other processes and has brought together many of the most influential companies in cloud computing. IBM, Computer Associates, Kaavo, Software AG, and Rackspace are the group’s founding sponsors. The goal of the CSCC is to establish a set of customer-driven/end-user requirements to ensure cloud users have the same flexibility and openness that they have with traditional IT environments. CSCC will prioritize key interoperability issues in reference architecture, security and compliance, cloud management, and hybrid clouds.

The idea is that this group will work with most of the standards bodies listed here to bring the end-user perspective more fully into the standards discussion.

Open Cloud Consortium (OCC)

The OCC (www.opencloudconsortium.org) was formed in 2008. One of its goals is to support the development of standards for cloud computing and frameworks for interoperability among clouds. In fact, it operates cloud infrastructure. It also manages cloud computing infrastructure to support scientific research. Members include Cisco and Yahoo! as well as a number of universities including Johns Hopkins University.

The OCC has a number of working groups. One in particular deals with standards — Malstone is a reference benchmark and standard for dealing with data-intensive computing in the cloud.

The Open Group

The Open Group (www3.opengroup.org) is a global consortium with more than 400 member organizations that focuses on achieving business objectives through standards. Its goal is to lead the development of vendor-neutral IT standards and certifications.

In the cloud, the Open Group Cloud Work Group is looking to create a common understanding among various groups about ensuring safe and secure architectures. The group is working with organizations such as the Cloud Security Alliance and the Jericho Forum to make this happen. Incidentally, the Jericho Forum was founded at the Open Group in 2004 and focuses on issues around de-perimeterization.

De-perimeterization is a strategy of securing an organization’s IT assets through multiple techniques instead of simply attempting to build a wall around your infrastructure to try to keep out ever-varying threats. This is achieved through encryption, inherently secure computer protocols, inherently secure computer systems, and data-level authentication. This strategy is clearly important for hybrid clouds because data and applications will likely be on systems that are out of your sole control.

For more on the Jericho Forum and perimeter issues, refer to Chapter 15, which focuses on security.

The Open Grid Forum (OGF)

The OGF (www.ogf.org) is an open community that focuses on driving the adoption and evolution of distributed computing, including everything from distributed high-performance computing resources to horizontally scaled transactional systems supporting SOA, as well as the cloud. The community shares best practices and drives these best practices into standards. It consists of more than 400 companies in 50 countries, including AT&T and eBay.

The OGF is responsible for OCCI, an API for interfacing cloud computing facilities, as previously described.

Storage Networking Industry Association (SNIA)

The SNIA (www.snia.org) has focused for more than ten years on developing storage solution specifications and technologies, global standards, and storage education. This organization’s mission, according to the SNIA members, is “to promote acceptance, deployment, and confidence in storage related architectures, systems, services, and technologies, across IT and business communities.” As part of its 2012–2014 strategic plan, it also intends to promote standards and educational services around information management.

The SNIA is responsible for the Cloud Data Management Interface previously described. This is a functional interface that applications can use “to create, retrieve, update and delete data elements from the Cloud.” Clearly, this is an important standard for hybrid cloud environments that deal with data between on-premises and public cloud deployments.

Vertical groups

In addition to the preceding standards groups and discussion groups, vertical industry groups — groups comprised of members from a particular industry such as technology and retail — are also beginning to look at cloud standards. Here are two examples:

• TeleManagement Forum (TM Forum): This large group consists of service providers, cable and network operators, software suppliers, equipment suppliers, and systems integrators. It has provided a standardized operational framework for the creation, delivery, and monetization of digital services. It recently launched its TM Forum Cloud & New Services Initiative that focuses on leveraging these standards into the cloud marketplace. To learn more about the group, visit www.tmforum.org.

• Association for Retail Technology Standards (ARTS): The goal of this group is to create an open environment where retailers and technology vendors can work together to create international retail technology standards. Recently, this group released its Cloud Computing whitepaper (available on the ARTS website), which also includes a template of questions for retailers to use when looking at various cloud options. To read more about ARTS or access the whitepaper, you can visit www.nrf-arts.org.
