What’s missing in the standards landscape? - A view from CloudWATCH

Based on the conclusions and recommendations included in the ETSI Cloud Standards Coordination Report, the NIST Cloud Standards Roadmap and other information collected and assessed with regard to the standards for cloud computing, CloudWATCH has recently drawn the following conclusions on potential gaps.

Development and adoption of a common vocabulary: this gap has been partially addressed with the recent publication of ISO/IEC 17788 (Cloud computing – Overview and vocabulary) and of ISO/IEC 17789 (Cloud Computing – Reference Architecture), and further improvement should be expected once other ongoing efforts, such as the ISO/IEC 19086 project on Cloud SLA, are completed.

Governance, Risk and Compliance (GRC): there are several ongoing efforts in the area of GRC, which include the development of mechanisms for assessing cloud services before their acquisition, for measuring service performance, for SLA monitoring and for service orchestration. However, judging from the reluctance of a portion of potential cloud customers to embrace cloud services and from their feedback on the confusion around accountability, liability, compliance and security in the cloud, it appears that those ongoing efforts to simplify the provider selection process and the governance and control of cloud programmes are not yet mature enough, or at least that the level of awareness about them is not satisfactory.

A typical example of this gap in the area of GRC tools is that of “cloud certification”. Another output of CloudWATCH is the Cloud certification guidelines and recommendations, which has analysed a number of certification schemes, which you can find here. The document concludes that several of the schemes are definitely mature and solid enough to satisfy the need for assurance of most cloud service customers. However, the level of adoption of the schemes is not yet satisfactory. In the specific case of certification, it appears that the reason for this low level of adoption is linked to: 1) low awareness around the schemes and 2) a knowledge gap around the technical standard underlying the certification process.

Application-specific data and metadata standards: according to the NIST Cloud Standards Roadmap, confirmed by a consultation of the members of the CSA ISC: “application-specific data and metadata standards remain standardisation gaps in portability and interoperability”. For example, email and office productivity application data format standards and interfaces are required to achieve interoperability and portability for migrating from existing systems to cloud systems.

Another important area for standardisation is the metadata format and interfaces, in particular to support compliance needs. For example, a standard metadata format and APIs to describe and generate e-discovery metadata for emails, document management systems, financial account systems, etc., will help government consumers to leverage commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) software products to meet e-discovery requirements.

Management interfaces: gaps are also noticeable in the area of space management interfaces to administer application functionalities. Despite the lack of interfaces to satisfy very diverse and sometimes complex needs, it appears that some management functionalities are becoming common (e.g. user account and credential management). According to the NIST report, “…these common management functionalities represent candidates for interoperability standardisation.”

Data formats for backup and migration of application workload, including database serialisation/de-serialisation, need further standardisation to support portability.