USG Cloud Computing Technology Roadmap Highlights & Next Steps
NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
Robert Rathe
DGI Cloud with Confidence: A Concrete Path for Government, November 10, 2011
Dawn Leaf, NIST Senior Executive for Cloud Computing
Information Technology Laboratory
Revisiting the NIST Cloud Computing Program Goal
First briefed November 2010
Accelerate the federal government's adoption of cloud computing*
Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
* REF http://www.cio.gov/documents/federal-cloud-computing-strategy.pdf
NIST CLOUD COMPUTING PROGRAM (PHASE 1): DUAL STRATEGIC & TACTICAL OBJECTIVES
Strategic Program: How to build a USG Cloud Computing Technology Roadmap
1. Define Target USG Cloud Computing Business Use Cases
2. Define Neutral Cloud Computing Reference Architecture & Taxonomy
3. Generate Cloud Computing Technology Roadmap: Translate Requirements & Identify Gaps
(Diagram labels: priorities, risks, obstacles; Expand CC Definition; ref. architecture)
Interagency Report: USG Cloud Computing Technology Roadmap, list of Tactical Priorities & Deliverables
Concurrent & Iterative 3-step process that drives tactical efforts
Tactical Program: NIST CC efforts
Standards Working Group, Standards Organization liaison, NIST CC Definition & Reference Architecture Submissions
Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC): qualitative testing of specifications against interoperability, security, and portability requirements
Guidance Special Publications; technical advisor to Fed CIO Council (FedRAMP), Federal CC Standards & Technology Working Group
Complex Computing Simulation & Modeling Koala IaaS resource allocation algorithms
NIST CLOUD COMPUTING PROGRAM TIMELINE (PHASE 1)
Timeline marks: May 2010, Nov 2010, March 2011, Oct 2011
NIST CC Forum & Workshop I, NIST CC Forum & Workshop II, NIST CC Forum & Workshop III, NIST CC Forum & Workshop IV
STRATEGIC
Outreach & Fact finding with USG, Industry, SDOs
NIST CC Definition
Evaluate past models & lessons learned
Define fresh approach to support secure & effective USG cloud computing adoption, prioritize interoperability, portability, & security requirements, collaborate, more quickly respond to operational needs
Tactical efforts
Launch CC Strategic Program
Initiate Stakeholder Meetings
Collaboratively define working group scope & resources
Develop Refined Plan
Execute CC Strategic program
Continue Stakeholder meetings
Integrate results into tactical priorities
Complete 1st draft USG Cloud Computing Technology Roadmap Interagency Report
Assess Results & Replan
Revisiting the rationale -- Why a USG Cloud Computing Technology Roadmap, and why is it structured as it is?
The technology roadmap initiative and document are intended to help us move forward strategically and tactically in parallel.
Strategic roadmap is basically a priority list: what do we need to get from where we are to where we want to be
Mechanism to integrate and present analysis, findings, and useful technical work
Mechanism to focus discussion in order to more definitively achieve a common understanding between USG & private sector on technical steps to move forward
Calibration point -- basis to assess & plan NIST Cloud Computing priorities
The USG Cloud Computing Technology Roadmap in final form will have 3 volumes
Volumes I & II are released as Draft Special Publication 500-293 for public comment; Volume III is a working document. All are available online.
Volume I, High-Priority Requirements to Further USG Agency Cloud Computing Adoption, frames the discussion and introduces the roadmap - STRATEGIC
Volume II, Useful Information for Cloud Adopters, is a technical reference for those actively working on cloud computing initiatives - STRATEGIC & TACTICAL
Third volume, Technical Considerations for USG Cloud Computing Deployment Decisions - TACTICAL - explains how Volume II work can be applied; initiated in parallel with but dependent on Volume II -- will be part of the 500-293 SP
All are publicly available at http://www.nist.gov/itl/cloud/index.cfm
Volume I - Highlights
Overview - USG Cloud Computing Technology Roadmap initiative
Core Elements:
Prioritized strategic and tactical interoperability, portability, and security requirements that must be met for USG agencies to further cloud adoption;
Standards, guidelines, and technology needed to satisfy these requirements;
Recommended list of Priority Action Plans (PAPs) -- candidates for voluntary self-tasking by the stakeholder community.
USG Cloud Computing Technology Roadmap requirements - high priorities to further USG Cloud Computing Technology Adoption:
Requirement 1: International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards)
Requirement 2: Solutions for high priority Security Requirements (security technology)
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance)
Requirement 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology)
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology)
Requirement 6: Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards and technology)
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology)
Requirement 8: Collaborative parallel strategic future cloud development initiatives (interoperability, portability, and security technology)
Requirement 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
Requirement 10: Defined and implemented cloud service metrics (interoperability and portability standards)
Useful Information for Cloud Adopters
Summary of the work completed November 2010 through September 2011 in projects & working groups
Analysis supports high priority requirements introduced in Volume I; insight into rationale for list of candidate Priority Action Plans (PAPs)
References to detailed publications & external work
NIST Cloud Computing Reference Architecture (& Taxonomy) SP 500-292 Sept 2011
[Figure: reference architecture diagram. Cloud Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Provider (Service Layer: IaaS, SaaS, PaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility; Cloud Service Management: Business Support, Provisioning/Configuration, Portability/Interoperability); Cloud Carrier]
Summary of USG target business use case templates & initial set
SAJACC technical use case summary
[Figure: SAJACC diagram. Specifications (spec 1, spec 2); Use Cases (Case 1, Case 2); Validation Exercises (Spec 1 Test 1, Spec 2 Test 2, Spec n Test n); Community Outreach; NIST Cloud Standards Portal; Use Cases; Validated Specifications; standards; Existing Standards; Working Groups; information; Reference Implementations; Standards Development Organizations]
Cloud Computing Standards Roadmap SP 500-291 July 2011 standards & gap analysis
High Priority Security Requirements - challenges, requirements overview, risk mitigation measures
Other related work - Reliability Research in Cloud-based Complex Systems Koala SLA taxonomy,
Technical Considerations for USG Cloud Computing Deployment Decisions
Builds on the first two volumes, released as SPs concurrently with this working paper
FOR: technical teams responsible for Cloud Computing projects
GOAL: inform in terms of questions and decision factors in the context of representative Cloud Computing use cases
DESCRIBES HOW: to use Volume II work completed 2010-2011 in the context of Federal Cloud Computing Strategy Decision Framework for Cloud Adoption
Underlying principles and assumptions
Intent is to lay the groundwork to more directly tackle a subset of cloud computing technology scope to accelerate USG cloud adoption
The roadmap is intended to foster a substantive discussion among cloud computing stakeholders in government and the private sector
Many requirements identified in the roadmap are intuitive; roadmap significance is the November 2010 - October 2011 time frame technical work to identify a definitive priority list and assess the extent to which they are satisfied.
Ideally, responses to the roadmap will refine the requirements and identify relevant work which is under way
30 Day comment period for SP 500-293 (by December 2, 2011)
Written comments on both volumes of the SP 500-293 may be sent to: Robert Bohn,, 100 Bureau Dr., Stop 2000, Gaithersburg, MD 20899-2000.
Electronic comments may be sent to: ccroadmap.comments@nist.gov
In addition, public working groups will resume for all work related to the roadmap -- http://collaborate.nist.gov/twiki-cloud-computing/bin/view/cloudcomputing/webhome
Phase 2: The NIST Cloud Computing Program Goal Stays the same.
Accelerate the federal government's adoption of cloud computing*
Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
Strategic Program (continue phase 1 activities and )
How to build a USG Cloud Computing Technology Roadmap
The Phase 1 Strategic & Tactical activities continue. Now leveraging work completed in Phase 1
1. Define Target USG Cloud Computing Business Use Cases
2. REFINE & APPLY Neutral CC Reference Architecture & Taxonomy
3. UPDATE Cloud Computing Technology Roadmap: Translate Requirements & Identify Gaps
(Diagram labels: priorities, risks, obstacles; Vendors map services; USG Cloud Computing Technology Roadmap)
Tactical Program: NIST Cloud Computing efforts
Public & working groups, Standards Organization liaison (Definition & Reference Architecture submission)
Standards Acceleration to Jumpstart the Adoption of Cloud Computing (SAJACC): qualitative testing of specifications against interoperability, security, and portability requirements
Guidance Special Publications; technical advisor to Fed CIO Council (FedRAMP), Federal CC Standards & Technology Working Group
Complex Computing Simulation & Modeling Koala...
Leverage Priority Action Plans (PAPs) selected for self-tasking by Cloud Stakeholder Community
Assess & Track: USG CC High Priority Requirements met by Priority Action Plans (self-tasked by NIST and other CC stakeholders)
Rqmt 1: International consensus interoperability, security, portability standards
Rqmt 2: Solutions for High Priority Security requirements
Rqmt 3: Technical Specifications to enable high quality SLAs.
Rqmt 10: Defined and Implemented cloud service metrics
Integrate results into tactical priorities
Measure Results
NIST COMPUTING PROGRAM TIMELINE (PHASE 2) (USG CLOUD COMPUTING TECHNOLOGY ROADMAP INITIATIVE CONTINUES.)
STRATEGIC
Analyze Phase 1 working group & project results
Complete 1st draft for public comment
USG Cloud Computing Technology Roadmap Version 1 SP 500-293
Nov 2011 NIST CC Forum & Workshop IV
Re-Assess Progress & Phase 2 Plan
March 2012 NIST CC Forum & Workshop V
Initiate NIST CC Program Phase II
Integrate & track USG Technology Roadmap Priority Action Plans (PAPs) with external stakeholders
Integrate results into tactical priorities
Measure Results
Nov 2012 NIST CC Forum & Workshop VI
USG Cloud Computing Technology Roadmap Version 2
Tactical efforts
Public & Federal Standards & Technology working groups
Standards liaison, SAJACC, FedRAMP & other technical advisory, Guidance, Koala
NIST Cloud Computing Special Pubs
Guidelines on Security and Privacy: 800-144
Definition of Cloud Computing: 800-145
CC Synopsis & Recommendations: 800-146
CC Standards Roadmap: 500-291
CC Reference Architecture: 500-292
USG CC Technology Roadmap Draft: 500-293
Strategic Next Steps
Verify USG High Priority Cloud Computing Requirements using Roadmap Volume I as a vehicle
30 Day Public Comment Period
Written comments on both volumes of the SP 500-293 may be sent to: Robert Bohn, Standards and Technology, 100 Bureau Dr., Stop 2000, Gaithersburg, MD 20899-2000.
Electronic comments may be sent to: ccroadmap.comments@nist.gov
Core Elements:
Prioritized strategic and tactical requirements that must be met for USG agencies to further cloud adoption;
Interoperability, portability, and security standards, guidelines, and technology needed to satisfy these requirements;
Recommended list of Priority Action Plans (PAPs) -- candidates for voluntary self-tasking by the stakeholder community.
Collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group
Intent is to leverage PAPs that are identified as complete or under way by cloud stakeholder community; some may fall within NIST scope
Immediate Next Steps to advance strategic & tactical objectives.
Use Cloud Computing program work summarized in Volume II... in advance of and in parallel with roadmap comments & PAPs
Use collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group to continue to validate findings
Reference Architecture & Taxonomy
Recommend Industry Mapping so that USG agencies & others can more easily and consistently compare cloud services
In parallel, support formal standards development process leveraging the reference architecture
Standards
Provide avenue for USG agency engagement
Continue standards roadmap
Target Business Use Cases & SAJACC
Expand initial use case set & use SAJACC to identify gaps
Security
Leverage working groups to finalize special publication focusing on challenging security requirements
Continue technical advisor role, e.g. FedRAMP, continuous monitoring, conformity assessment system
Tactical Next Steps that support Federal Cloud Computing Strategy & overall objective to support USG adoption
Use collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group to continue to validate methodology, generic use cases, processes & develop the content
Technical guidance in the context of:
NIST-led projects & working groups: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/cloudcomputing/webhome
Public NIST cloud web site: http://www.nist.gov/itl/cloud/index.cfm
NIST invites you to collaborate with us on Cloud Computing!
US Federal Cloud Computing references: www.cio.gov
Public NIST cloud web site: http://www.nist.gov/itl/cloud/index.cfm
United States Department of Commerce
Information Technology Laboratory
100 Bureau Drive Stop 2000
Gaithersburg, MD 20899-2000
Tel: (301) 975-4500, cloudcomputing@nist.gov