5 Overview of Cloud Standards |
|
83 |
|
Table 5.4 Security – vendor initiatives |
|
|
|
|
|
|
|
Standard name |
Group/body |
Focus |
Readiness |
Amazon Virtual |
Amazon Web |
To enable enterprises to |
Available for use |
Private Cloud |
Services |
securely connect their |
|
(VPC) [21] |
(AWS) [22] |
existing infrastructure to |
|
|
|
AWS compute resources via |
|
|
|
a Virtual Private Network |
|
|
|
(VPN) connection |
|
Online Security |
Microsoft [24] |
To build a framework ensuring |
Applied to MS cloud |
Services and |
|
security, privacy, risk |
infrastructure |
Compliance |
|
management, business |
|
(OSSC) [23] |
|
continuity management, |
|
|
|
global criminal compliance |
|
|
|
and operational compliance |
|
|
|
of MS cloud infrastructure |
|
5.3.3 Market Adoption
Cloud Security Alliance is formed and backed by industry heavy weights such as HP, Verizon, VMware, McAfee, etc. This would speed up its adoption. Amazon [25] has put into practice several security measures to address all of the discussed issues.
5.3.4 Gaps/Areas of Improvement
Security is a very broad and most important concern to be addressed in cloud computing. Scenarios discussed are to be addressed before security is removed from the top concerns list of various user surveys.
5.4 Deep Dive: Portability Standards
Nimbus, having tried with an initial set of cloud providers, now decides to move some of its applications to other competitive/well-rated providers and some back to its on-premise environments. Portability here becomes a major concern and some relevant scenarios will be:
––The marketing applications built on Force.com need to be moved to the GAE or Microsoft Azure environment (PaaS) or even back to Nimbus data centre (application/service portability)
––Nimbus plans to consolidate its data marts into a centralised data warehouse. Hence, it wants its Marketing data mart to be moved back to Nimbus environment (data portability).
Do the current standards address these scenarios?
84 |
A. Govindarajan and Lakshmanan |
5.4.1 Purpose, Expectations and Challenges
The standards around portability are expected to enable smooth switch of cloud providers with minimal impact to cost and service quality. The purpose is thus to set guidelines for the cloud providers to build relevant layers of abstraction in their environments to help portability. Looking across the delivery models, the following are some of the challenges to address portability:
•SaaS – the content, data and metadata (application configurations) should be portable to a new environment for a smooth switch
•PaaS – the code base, application frameworks, data and metadata would be some things to port
•IaaS – the software runtime environments (configurations and APIs) would need to be ported. Typically, this would be the VM.
5.4.2 Initiatives – Focus, Sponsors and Status
Tables 5.5 and 5.6 show some of the key initiatives by industry bodies as well as by vendors towards portability standards.
5.4.3 Market Adoption
The current status shows that the portability using virtualisation (OVF standard) is the one in place. IBM has built an OVF toolkit and Citrix has Project Kensho OVF tool as a part of their Xenserver Virtualisation technology. Sun, Eucalyptus and few other vendors, however, are claiming portability by using open source-based platforms.
Table 5.5 Portability – group initiatives
Standard name |
Group/body |
Focus |
Readiness |
Open Virtualisation |
DMTF [11] |
To build an industry standard |
Version 1.0 of OVF |
Format [10] |
|
format for portable virtual |
available |
|
|
machines. Services running on |
|
|
|
VMs thus can be ported onto |
|
|
|
any virtualisation platform |
|
Cloud Storage |
SNIA [27] |
To build a standard interface |
Cloud storage |
Initiative [26] |
|
(CDMI) between the data and |
reference model |
|
|
the cloud storage provider, |
and use cases |
|
|
indicating the data services |
drafts are ready |
|
|
to offer, thus enabling data |
to allow standards |
|
|
portability across vendors |
development |
|
|
|
|
5 Overview of Cloud Standards |
|
85 |
|
Table 5.6 Portability – vendor initiatives |
|
|
|
|
|
|
|
Standard name |
Group/body |
Focus |
Readiness |
Cloud-Ready Server |
RightScale [29] |
To provide server deployment |
Available |
Templates [28] |
|
templates that allow |
for use |
|
|
portability of servers across |
|
|
|
multiple cloud environments |
|
Open Cloud |
Sun [31] |
To enable Open cloud based on |
Launched in |
Platform [30] |
|
open technologies such as |
March 2009 |
|
|
Java, MySQL, OpenSolaris, |
|
|
|
Open Storage, etc., enabling |
|
|
|
portability on similar cloud |
|
|
|
platforms |
|
5.4.4 Gaps/Areas of Improvement
OVF standard addresses portability through movement of VMs, which is the typical technology basis for the cloud. This addresses the IaaS level portability. Standards/ guidelines for portability of other models (SaaS, PaaS) as discussed earlier need to be addressed.
5.5 Deep Dive: Governance, Risk Management
and Compliance Standards
Having placed several core and non-core systems on the cloud, Nimbus has a key dependency on the provider to ensure that these systems do not fail and impact its business. Several assessments and discussions with the provider were done and a contract signed up. Now, how does Nimbus ensure the contractual terms are being met on an on-going basis by the provider? What if there is a breach? How can this risk be managed? Nimbus has signed up for several regulatory measures. How far are these adhered to by the provider? What if there is a breach? These are some concerns handled by GRC function.
5.5.1 Purpose, Expectations and Challenges
GRC in cloud computing can be considered as an extension of the traditional model, but has to address several new challenges as this is applied to an environment external to the organisation. The governance requirements can be classified as:
1.Design-time governance covering
(a)Service definition (e.g. design, build management, source code management, and QA)
(b)Service deployment
86 |
A. Govindarajan and Lakshmanan |
2.Runtime governance covering
(a)Service policy management (e.g. security, performance, reliability, etc.)
(b)Service retirement
3.Change management for services, policies, processes, data and infrastructure
The governance spans across all the cloud service types, viz. software (SaaS), platform (PaaS) or infrastructure services (IaaS).
Risk management in a cloud will be relevant to managing all types of IT and business risks that ensue due to managing services in an external environment, such as operational risk (e.g. outages), security risks (both data and process), financial risk and legal risk (due to non-compliance of regulatory needs).
Lastly, compliance of cloud to various regulatory needs brings in typical requirements, such as:
1.Records management (ensuring records for all activities)
2.Auditing (audit of all transactions)
3.Legal and eDiscovery needs (support for any forensic investigation)
4.Data privacy (meeting privacy laws as per region)
5.Geography (restrictions on geography imposed by organisations/governments)
The expectation from the standards is to enable the cloud meet all the above-listed requirements.
5.5.2 Initiatives – Focus, Sponsors and Status
There are very few guidelines focused on GRC. The Cloud Security Alliance [19] discussed in Security standards also covers the aspects of GRC and is the only industry initiative. Table 5.7 shows the vendor initiatives only.
Table 5.7 Governance, risk and compliance – vendor initiatives
Standard/ |
|
|
|
product name |
Group/body |
Focus |
Readiness |
WebLayers Center |
WebLayers [33] |
To provide automated governance |
Available |
5.0 [32] |
|
software with a central policy |
for use |
|
|
management feature to enforce |
|
|
|
policies and detect violations across |
|
|
|
all service life-cycle stages as well |
|
|
|
as across different infrastructures. |
|
Cloud-Ready |
RightScale [29] |
To provide server deployment templates |
Available |
Server |
|
for the cloud with the server |
for use |
Templates [28] |
|
configuration and policies pre- |
|
|
|
defined, thus ensuring governance |
|
|
|
and compliance |
|
|
|
|
|