How CloudWATCH2 helps - Mapping and promoting the adoption of cloud standards
The development of standards for the free flow of data and data ownership is key for levelling the playing field between cloud providers and cloud customers.
Article 20 of the new General Data Protection Regulation (GDPR), introduces a right to data portability (RDP) for data subjects. Looking more closely at Article 20 of the GDPR it becomes clear that such a possibility is limited to what is “technically feasible”. Therefore, the direct transmission of personal data will very much depend on the availability of standards that make different systems interoperable. Widespread adoption by the market of Standards for interoperability and portability are therefore key for Article 20.
It is important to understand that interoperability and portability can be achieved without conformance to, or compliance with a standardised specification - and vice versa. Any two implementations of a standard may perfectly well conform to its conformance requirements, while failing to interoperate entirely.
This becomes important when analysing interoperability and portability in the context of Cloud computing. Interoperability applies to access interface and invocation semantics (typically, APIs), while portability addresses identical treatment of artefacts across systems that not necessarily need to interoperate. In short, in a successful DSM processes and services need to be interoperable on portable applications and data.
CloudWATCH cloud standards guide
The CloudWATCH cloud standards guide identifies cloud standards for portability and interoperability.
Table 1Cloud standards for portability and interoperability
Cloud standards for portability
Open Virtualization Format (OVF) from the Distributed Management Task Force (DMTF)
Topology and Orchestration Services for Applications (TOSCA) from OASIS
Cloud standards for interoperability
IaaS: Open Cloud Computing Interface (OCCI) specification from Open Grid Forum
IaaS: Cloud Infrastructure Management Interface (CIMI) from the Distributed Management Task Force (DMTF).
IaaS: Cloud Data Management Interface (CDMI) from The Storage Networking Industry Association (SNIA)
PaaS: Cloud Application Management Protocol (CAMP) by the OASIS
Interoperability and portability
In the Cloud computing market, interoperability and portability are reciprocal when applied to IaaS and SaaS. In the (pure) IaaS sector, interface interoperability predominates as service consumers deploy applications and data of their choice - within their administrative domain - onto the service provider’s infrastructure: Portability in this case is limited to the portability of VMs and, less so, data containers (i.e. virtual HDD partitions) from one IaaS provider to a contender.
In the SaaS sector, however, the situation is reciprocal, in that the service consumer uses provider-controlled applications to process their data, typically in a browser-only or mobile app access scenario. Here, data portability becomes much more important, and service interoperability is almost negligible: the consumer’s business intelligence is entirely encoded in their data stored in the service provider’s resources, and at risk of being (almost literally) “lost in translation” from one service provider to another.
Key to the success of a digital single market are interoperability and portability standards that are ubiquitous, pervasive, and compulsory, and are enforced on a European and national level. Non-standardised markets proliferate segmentation, ring-fencing and often national-first interest. Standardisation, on the other hand, lowers the market-entry barrier for both service providers and service consumers.
The CloudWATCH2 project assesses the extent to which cloud standards ensure greater flexibility, offer cloud providers a unique selling point and impact on wider implementation within both EU research and a more general context. The project focuses to report on status of the Security and Interoperability Standards, which will include:
- List of standards in use in surveyed FP7 and H2020 projects.
- Most common standard implementation use cases.
- Gaps in the standards landscape.
- List of recommended priorities for new standardization efforts.
Through intensive collaboration with EC-funded projects concerning Cloud Computing, the CloudWATCH identified the cloud standards most used cloud standards by FP7 Call 8 & 10 projects , namely:
- OCCI - Open Cloud Computing Interface (OGF);
- CDMI - Cloud Data Management Interface (SNIA);
- OVF - Open Virtualization Format (DMTF);
- TOSCA - Topology and Orchestration Specification for Cloud Applications (OASIS).
In addition, we have collected use cases and requirements that shape the projects’ needs for standards and standardisation across Cloud computing service and deployment models.
By combining quantitative analysis using established statistical methodology with an open books qualitative analysis of that information, CloudWATCH has collected a set of initial (“strawman”) Cloud standards profiles tailored to the needs of these EC projects with similar requirements and use cases:
- Scientific Computing
- High-Performance dedicated purpose applications
- Trusted public clouds for Governments
Pursuant to this, CloudWATCH2 has implemented the automatable part of this workflow in an online tool open to anyone to use, and more importantly, to contribute their information to improve the data base on which the clustering is calculated. CloudWATCH2 continues to make use of the tool’s output to further improve on the clustering and resultant strawman standard profiles for a DSM. In addition, CloudWATCH2 aims to use the tool to enable common approaches to similar challenges and facilitate re-use of research results, as well as areas for future technology convergence.
Overall this analysis of the landscape of cloud computing provides insights into the process of developing standards profiles. This modelling of the landscape will also form the basis for potential collaborations with standards development initiatives such as IEEE P2301 (Guide for Cloud Portability and Interoperability Profiles (CPIP)) who see potential in using the methodology and tool to match relevant standards based on their user profile.
CloudWATCH2 will deliver three Cloud Interoperability Plugfests during its lifetime. Testing cloud standards is a key stage in successful adoption. Plugfests give technology providers the opportunity to mutually test their implementations of standardised specifications for conformance and interoperability, sometimes under closed conditions. In addition to this, CloudWATCH2 has published a report exploring how future plugfests can become self-sustainable through the combination of live and remote events.
The CloudWATCH2 portal, CloudWatchHUB.eu provides free, accessible resources for both SME and PA CSCs guiding them on the practical steps and informing customers about the characteristics of cloud computing.
CloudWATCH has provided a specific tool, the European CloudScout in multi-lingual versions, which through an educational questionnaire, provides a fast diagnosis of CSC’s cloud-related needs and suggests tailor-made solutions.
CloudWATCH2 also promotes the adoption of cloud standards as part of its core messaging to SMEs, PAs and the research community. As previously mentioned, the CloudWATCH cloud standards guide provides information on standards for portability, interoperability and security; as well as a guide to cloud certifications. In addition, on the CloudWatchHUB homepage CloudWATCH2 actively promotes user-friendly tools from ENISA (SME Cloud Security Tool and Cloud Certification Schemes Metaframework which again, inform CSCs on how best to deal with security issues. Furthermore, we have analysed all currently available cloud security certification schemes available in an online the guide to Certifications and have established a set of recommendations for policy makers regarding the adoption of security certifications.
Cloud contract regulating the provision of cloud computing services have not evolved at the speed of technology. The contracts are often offered by cloud providers in a standard and non-negotiable form, which may make it difficult for clients, who are typically data controllers under EU law, to discharge their duties towards data subjects and Data Protection Authorities.
CloudWATCH2 has therefore also created documents aimed at helping cloud customers decipher and understand cloud contracts. The CloudWATCH Legal Guide to the Cloud for SMEs explains the main aspects that need to be taken into account when considering moving data to the cloud. A selection of Frequently Asked Questions deal with key aspects of cloud contracts from privacy to data location. The Legal Guide to Contractual Clauses in Cloud Contracts gathers practical examples of the main building blocks of Cloud Service Level Agreements and will be published shortly.