The Cloud Standards Guide

Standardisation is a strong enabler, bringing more confidence to users, especially SMEs. Consumers are increasingly concerned about the lack of control, interoperability and portability, which are central to avoiding vendor lock-in, whether at the technical, service delivery or business level, and want broader choice and greater clarity. Open standards can protect consumers and are one of the most important means used to bring new technologies to the market.

From a consumer’s point of view, uptake and even enforcement of public open standards offers a number of benefits over industry standards due to impartial public copyrights and associated IPR policies. As a consequence, public open standards offer protection from vendor lock-in and licensing issues, therefore avoiding significant migration costs if not provided.


Cloud platforms should make it possible to securely and efficiently move data in, out, and among cloud providers and to make it possible to port applications from one cloud platform to another. According to NIST cloud portability  means that data can be moved from one cloud system to another and that applications can be ported and run on different cloud systems at an acceptable cost. This allows allows two or more kinds of cloud infrastructures to seamlessly use data and services from one cloud system and be used for other cloud systems.

Open Virtualization Format (OVF) from the Distributed Management Task Force (DMTF) 

The rapid adoption of virtual infrastructure has highlighted the need for a standard, portable metadata format for the distribution of virtual systems onto and between virtualization platforms. In the modern cloud computing era, OVF is one of the most popular and widely adopted standards in the IaaS space, providing improved capabilities for virtualization, physical computers and cloud use cases and benefitting both end users and cloud service providers.

OVF provides a platform independent, efficient, open and extensible packaging and distribution format that facilitates the mobility of virtual machines and gives customers platform independence.  As cloud computing continues to gain traction in the industry, the updated standard will provide improved capabilities for virtualization, physical computers and cloud use cases – benefitting both end users and cloud service providers.

From the user's point of view, OVF is a packaging format for virtual appliances. Once installed, an OVF package adds to the user’s infrastructure a self-contained, self-consistent, software application that provides a particular service or services.

OVF has been adopted and published by the International Organization for Standardization (ISO) as ISO 17203.

OVF Technical Paper | Specifications & Schemas


Topology and Orchestration Services for Applications (TOSCA) from OASIS

The OASIS TOSCA enhances the portability of cloud applications and services providing a machine-readable language to describe the relationships between components, requirements, and capabilities. TOSCA enables the interoperable description of application and infrastructure cloud services, the relationships between parts of the service, and the operational behavior of these services (e.g., deploy, patch, shutdown)--independent of the supplier creating the service, and any particular cloud provider or hosting technology. TOSCA also makes it possible for higher-level operational behavior to be associated with cloud infrastructure management.
By increasing service and application portability in a vendor-neutral ecosystem, TOSCA enables:

  • Portable deployment to any compliant cloud
  • Smoother migration of existing applications to the cloud
  • Flexible bursting (consumer choice)
  • Dynamic, multi-cloud provider applications

TOSCA in 2015 | Understanding TOSCA | How industry are using TOSCA | Topology design and TOSCA

Find out more about how TOSCA alleviates vendor lock-in woes in multi-cloud environments




A truly interoperable cloud will encourage potential cloud customers to on-board, safe in the knowledge that they can change providers, or use multiple providers, without significant technical challenges or effort. This will expand the size of markets in which cloud providers operate. Additionally, if standards are suitably defined, the unique selling propositions of cloud providers can all be exposed. Interoperability is a significant challenge in cloud computing, but if addressed appropriately will offer new business opportunities for cloud customers and providers alike.

Standards already exist which enable interoperability as listed below:


Infrastructure as a Service cloud standards

Open Cloud Computing Interface (OCCI) specification from Open Grid Forum

The Open Cloud Computing Interface comprises a set of open community-lead specifications delivered through the Open Grid Forum. OCCI is a Protocol and API for all kinds of Management tasks. OCCI was originally initiated to create a remote management API for IaaS model based Services, allowing for the development of interoperable tools for common tasks including deployment, autonomic scaling and monitoring. It has since evolved into a flexible API with a strong focus on integration, portability, interoperability and innovation while still offering a high degree of extensibility. The current release of the Open Cloud Computing Interface is suitable to serve many other models in addition to IaaS, including e.g. PaaS and SaaS.

OCCI Implementations | Tools

Cloud Infrastructure Management Interface (CIMI) from the Distributed Management Task Force (DMTF).

This specification standardizes interactions between cloud environments to achieve interoperable cloud infrastructure management between service providers and their consumers and developers, enabling users to manage their cloud infrastructure use easily and without complexity. Cloud computing allows customers to improve the efficiency, availability and flexibility of their IT systems over time. As companies have adopted cloud computing, vendors have embraced the need to provide interoperability between enterprise computing and cloud services. DMTF developed CIMI as a self-service interface for infrastructure clouds, allowing users to dynamically provision, configure and administer their cloud usage with a high-level interface that greatly simplifies cloud systems management.

Specifications | XML Schema | White papers

Cloud Data Management Interface (CDMI) from The Storage Networking Industry Association (SNIA)

The Cloud Data Management Interface defines the functional interface that applications will use to create, retrieve, update and delete data elements from the Cloud. As part of this interface the client will be able to discover the capabilities of the cloud storage offering and use this interface to manage containers and the data that is placed in them. In addition, metadata can be set on containers and their contained data elements through this interface.

This interface is also used by administrative and management applications to manage containers, accounts, security access and monitoring/billing information, even for storage that is accessible by other protocols. The capabilities of the underlying storage and data services are exposed so that clients can understand the offering.

Technical position | CDMI healthcare use case | CDMI for S3 programmers | CDMI LTFS for Cloud Storage Use Cases 



Platform as a Service cloud standards

Cloud Application Management Protocol (CAMP) by the OASIS

As the first effort to standardize a PaaS management interface, CAMP is intended to provide a common basis for developing multi-cloud management tools as well as offering cloud providers and consumers a REST-based approach to application management. CAMP advances an interoperable protocol that cloud implementers can use to package and deploy their applications. It provides a common development vocabulary and API that can work across multiple clouds without excessive adaptation and is compatible with PaaS-aware and PaaS-unaware application development environments, both offline and in the cloud. Based on REST, CAMP fosters an ecosystem of common tools, plugins, libraries and frameworks, which will allow vendors to offer greater value-add.
CAMP for consumers: CAMP alleviates portability concerns of cloud computing. By standardizing the management API for the use cases around deploying, stopping, starting, and updating applications, this specification increases consumers ability to port their applications between PaaS offerings.
CAMP for providers: CAMP has a consensus management API allows providers to leverage the experience and insight of the specification contributors and invest their design resources in other, more valuable areas.
CAMP was launched by a consortium leading technology vendors, including CloudBees, Cloudsoft Corporation, Huawei, Oracle, Rackspace, Red Hat, and Software AG.

Common CAMP use cases include:

  • moving on-premise applications to the cloud (private or public)
  • redeploying applications across cloud platforms from multiple vendors

CAMP Spec v1.1Find out more


Software as a Service cloud standards

Most of the standards are neither new nor cloud specific: IP (v4, v6), TCP, HTTP, SSL/TLS, HTML, XML, REST, Atom, AtomPub, RSS, and JavaScript/JSON, OpenID, Odata, CDMI, AMQP, and XMPP, XML.

The European Commission has recently stated that widespread adoption of cloud computing would be crucial for improving productivity levels in the European economy, and that Europe should aim to be the world’s leading “trusted cloud region.” However, people are concerned and security in the cloud remains one of the largest barriers to the cloud. This is compounded even more with many high-profile cloud-related security scandals in the news The Steering Board of the European Cloud Partnership (ECP) recognised that “data security can be the most important issue in the uptake of cloud computing”, and underlined moreover “the need for broad standardisation efforts.”

CloudWATCH has identified the following security standards that are suitable for cloud computing


ISO / EIC 27018 Code of practice for data protection controls for public cloud computing services - ISO

ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations. The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.

Read more on ISO / EIC 27918 from CloudWATCH's Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting.

NIST 800-53 Rev.4 Security Controls - NIST

Special Publication 800-53, Revision 4, provides a more holistic approach to information security and risk management by providing organizations with the breadth and depth of security controls necessary to fundamentally strengthen their information systems and the environments in which those systems operate—contributing to systems that are more resilient in the face of cyber attacks and other threats. This "Build It Right" strategy is coupled with a variety of security controls for "Continuous Monitoring" to give organisations near real-time information that is essential for senior leaders making ongoing risk-based decisions affecting their critical missions and business functions.

NIST Security Reference Architecture

The Cloud Computing Security Reference Architecture, lays out a risk-based approach of establishing responsibilities for implementing necessary security controls throughout the cloud life cycle. This security reference architecture draws on and supplements a number of other NIST publications to provide the security needed to speed adoption of cloud computing. This document supplements SP 500-292, Cloud Computing Reference Architecture.  The security reference architecture provides “a comprehensive formal model to serve as security overlay to the architecture” in SP 500-292.
The draft publication describes a methodology for applying the Risk Management Framework described in SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach,  adapted for the cloud. The formal model and security components in the draft are derived from the Cloud Security Alliance’s Trusted Cloud Initiative - Reference Architecture.

Cloud Controls Matrix (CCM) - Cloud Security Alliance

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Open Certification Framework (OCF) - Cloud Security Alliance

The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers. The framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.

It is based upon the control objectives and continuous monitoring structure as defined within the CSA GRC (Governance, Risk and Compliance) Stack research projects. It will support several tiers, recognizing the varying assurance requirements and maturity levels of providers and consumers. These will range from the CSA Security, Trust and Assurance Registry (STAR) self-assessment to high-assurance specifications that are continuously monitored.

Cloud Trust Protocol (CTP) - Cloud Security Alliance

The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything that is claimed to be happening in the cloud is indeed happening as described, …, and nothing else. This is a classic application of the definition of digital trust. And, assured of such evidence, cloud consumers become liberated to bring more sensitive and valuable business functions to the cloud, and reap even larger payoffs. With the CTP cloud consumers are provided a way to find out important pieces of information concerning the compliance, security, privacy, integrity, and operational security history of service elements being performed “in the cloud”.

CloudAudit - Cloud Security Alliance

The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds. The CloudAudit Working group was officially launched in January 2010 and has the participation of many of the largest cloud computing providers, integrators and consultants.

Privacy Level Agreement - Cloud Security Alliance

With its mission to support the creation of a transparent and trusted cloud market and in order to remove barriers to cloud adoption, the CSA is defining baselines for compliance with data protection legislation and best practices by defining a standard format for Privacy Level Agreements (PLAs) and standards, through which a cloud service provider declares the level of privacy (personal data protection and security) that it sustains for the relevant data processing.
The CSA believes that the PLA outline can be a powerful self-regulatory harmonization tool and could bring results that are difficult to obtain using traditional legislative means. Moreover, we see the PLA as:

  • A clear and effective way to communicate to (potential) cloud customers the level of personal data protection provided by a CSP.
  • A tool to assess the level of a CSP’s compliance with data protection legislative requirements and best practices.
  • A way to offer contractual protection against possible financial damages due to lack of compliance.

PLA are meant to be similar to SLA for privacy. In the PLA (typically an attachment to the Service Agreement) the CSP will clearly declare the level of privacy and data protection that it undertakes to maintain with respect to the relevant data processing, in a format similar to that which is used by other CSPs. CSPs have realized the importance of privacy disclosures, and they are devoting time and resources at improving their privacy disclosures, in order to reassure the customers about their data handling practices. This working group will be working on the definition of a template (i.e., a sample outline) for PLA.

EuroCloud Star Audit (ESCA) - EuroCloud

The certification scheme “EuroCloud Star Audit” (ECSA) was established in order to establish trust in cloud services both on the customer and the user side. The purpose of the ECSA and auditing Cloud Services is to provide an accountable quality rating of Cloud Services. This certification is specifically designed for IaaS, PaaS and SaaS and defines graded levels of performance to be met in specific fields if the cloud service provider in question is to be certified as reliable.

ECSA is a mature certification scheme, especially designed to asses cloud service. EuroCloud evaluates a cloud service against the requirements of the ECSA audit scheme and covers all participants of the specific supply chain of a cloud service. The ECSA audit has a non-negotiable mandatory bandwidth of all important areas which include: provider's profile, contract and compliance including data privacy protection against local law, security, operations, environment and technical infrastructure, processes and relevant parts of the application and implementation up to interoperability and data portability.

Data Security Framework - Open Data Center Alliance

The Framework defines requirements associated with increasing data security in the cloud, and documents the following data security controls:

  • Access control - Controlling who or what can access which data when, and in what context.
  • Information classification - Identifying the sensitivity of the data and the impact of unauthorized access, as well as the organization’s need for data integrity and data availability.
  • Data encryption - Applying the appropriate encryption techniques to enforce data confidentiality requirements.
  • Data masking techniques - Further increasing data security in the cloud through anonymization and tokenization.
  • Security information and event management - Tracking and responding to data security triggers, to log unauthorized access to data and send alerts where necessary.
  • Backup, archiving, and deletion - Identifying backup requirements and how those relate to secure storage and secure destruction of data when it is no longer needed.

This framework serves a variety of audiences. Business decision makers looking for specific information around data security and enterprise IT groups involved in planning and operations will find this document useful. Solution providers and technology vendors will benefit from its content to better understand customer needs and tailor service and product offerings. Standards organizations will find the information helpful in defining standards that are open and relevant to end users.


In addition to the guide above, CloudWATCH has also developed a set of cloud standard profiles. Find out more about how we did this and download our cloud standard profiles for the following topics: