ETSI Cloud Standards Coordination Report

The overall objective of the Cloud Standards Coordination initiative led by ETSI was to identify a detailed map of the standards required to support a series of policy objectives defined by the European Commission. The initiative attracted cloud industry players, public authorities, user associations and more than 20 standards setting organizations to work collectively on this objective.

The report provides:

  • A definition of roles in cloud computing;
  • The collection and classification of over 100 cloud computing Use Cases;
  • A list of around 20 relevant organizations in cloud computing Standardization and a selection of around 150 associated documents, Standards & Specifications as well as Reports & White Papers produced by these organizations;
  • A classification of activities that need to be undertaken by Cloud Service Customers or Cloud Service Providers over the whole Cloud Service Life-Cycle;
  • A mapping of the selected cloud computing documents (in particular Standards & Specifications) on these activities.

Finally, the report offers a set of recommendations on the way forward. The analysis shows that cloud standardization is much more focused that anticipated and that standards are maturing in some areas.

 

Analysis

The analysis took stock of approximately 150 technical standards, best practices and white papers relevant to cloud computing and identified 20 key players in the cloud computing standards landscape.

The CSC’s work focused on three (3) main areas:

  • Security and privacy
  • Interoperability and portability
  • Service level agreements

The work of the CSC group identified the standards available in these areas for each of the phases of a simple cloud service lifecycle composed of the steps:

  • Acquisition
  • Operation
  • Termination.

 

Conclusions

The conclusions of the ETSI CSC task force were the following:

  • The cloud standard landscape appears to be less fragmented than expected, it’s “complex but not chaotic and by no means a 'jungle'”.
  • Most of considered standards have still a low level of adoption (quoting the CSC report: “Several cloud computing standards have seen successful adoption in small-scale and research projects, cloud computing-specific standards are not seen widespread adoption by cloud providers to date” [ETSI13, Executive Summary]).
  • The cloud market and community would benefit from a definition and widespread adoption of a “shared vocabulary” and “formal definitions that are machine readable.” In particular in the Service Level Agreement, which is a fast maturing area, where gaps are still to be filled, there a clear need for an agreed terminology for Service Level Objectives and associated metrics
  • From the security perspective the work done by the CSC showed that there are many available standards in the areas of visibility and transparency, assurance and trust, certification, audit and testing, identity and access management, virtualization and multi-tenancy risks, data location control, secure data deletion and the exit process, but either they are in most of cases not 100% fit for purpose for cloud computing since they were created before the raise of cloud computing or they are cloud-specific but not quite mature of sufficiently adopted yet. Few exceptions can be found in the area of cloud computing governance and assurance standards. Moreover the security and privacy analysis showed that gaps exists in the area of accountability and cloud incident management (e.g., related with a SLA infringements).
  • The Interoperability and Portability analysis showed the existence of mature standards especially at IaaS level while effort is required for supporting a true interoperability and portability at PaaS and SaaS level.
  • Other areas where gaps exist are in the area of “federation”, cross border collaboration and verification of legal obligations, management interfaces and protocols (especially at PaaS and SaaS level), service metrics and service performance monitoring.
  • In the cloud service “Acquisition phase” there’s need to have more sophisticated tools for comparing cloud providers’ capabilities.
  • The analysis of the “Operation phase”, showed that standards for IaaS are available and are sufficiently mature and adopted while still more work is required for PaaS and SaaS.