Navigating Cloud Standards
David Bicket, Director, m-assure Limited
dpb@19770.org
Acknowledgements:
- Kate Craig-Wood, Memset
- Ian Osborne, Intellect, ICT KTN, CIF Standards Chairman

Learning objectives
- What standards are appropriate for cloud service providers and cloud service users?
- Which programmes exist for technical, security, interoperability and commercial trust?
- What is the landscape looking like for the evolution of standards and best practice?

The great thing about standards is that there are so many to choose from.

A caveat
- Few clear cloud standards have yet emerged
  - But some bodies clearly have more authority
- Many APIs in use, many standards being designed
  - Some de facto standards are emerging
- Lots of M&A activity and vested commercial interests further muddying the water
- Only a selection of standards and technologies covered in this presentation
  - Hopefully those that are most important / pertinent!

Approach / contents
- Review principal conceptual standards
  - Overview of cloud standards initiatives
  - Cloud computing definition, vocabulary & reference architecture
- Review currently applied operational standards
  - Quality & operational: ISO 9001, ISO 17203, CIF, Uptime Institute
  - Environmental: ISO 14001, PAS 2060, EU CoC DC
  - Security: ISO 27001, CESG BILs, PCI DSS
- Highlight principal technologies in use
  - Virtualization, IaaS & PaaS technologies
  - Application Programming Interfaces (APIs)
  - Emerging de facto standards

Part one Conceptual Standards
Cloud computing standardization initiatives
- Open Grid Forum (OGF)
- Cloud Computing Interoperability Forum (CCIF)
- Distributed Management Task Force (DMTF)
- Cloud Security Alliance (CSA)
- ETSI TC Cloud *
- Org for Advancement of Structured Information Standards (OASIS)
- Object Management Group (OMG)
- Storage Networking Industry Association (SNIA)
- ITU-T Focus Group on Cloud Computing
- Cloud Computing Forum (CCF - Korea)
- Korea Cloud Service Assn (KCSA)
- The Open Group
- European Network and Information Security Agency (ENISA)
- ISO/IEC JTC1 SC7 System and Software Engineering
- ISO/IEC JTC1 SC27 Security
- ISO/IEC JTC1 SC38 WG3 Cloud *
- Institute of Electrical & Electronic Engineers Standards Assoc (IEEE-SA)
- China Electronics Standardization Institute (CESI)
- Cloud Industry Forum (CIF)
- OSGi Alliance
- Open Data Center Alliance (ODCA)
- Japan Cloud Consortium

International Standards Organization (ISO/IEC)
- Generalized operational management systems
  - 9001, 14001, 27001, 20000-1
- DMTF's Open Virtualization Format (OVF) now ISO/IEC 17203
- SC38: Distributed application platforms and services (DAPS)
  - Vocabulary
  - Reference Architecture

Part two Operational Standards
Quality standards
- Quality Management System (ISO 9001)
  - Generalized but still applicable
- Uptime Institute tiering & TIA-942
  - Data centre specific
- ISO SC38 - Distributed apps, platforms & services
  - OVF / ISO 17203
  - Web services interoperability standards x 3
  - Debatable how much value ISO add in a fast-moving space!
- Cloud Industry Forum Code of Practice

Environmental standards
- Environmental management system ISO 14001
  - Generalized but applicable
- Carbon Neutral / PAS 2060
  - Generalized. Increasingly popular
- EU Code of Conduct for data centres
  - Data-centre specific. Voluntary and common sense!
- LEED (buildings)
  - Building-specific and arguably less relevant

Security standards
- ISO 27001
  - Highly applicable if done correctly
- PCI DSS
  - Mainly focused on card transactions but of value
- Uptime Institute tiering system
  - Data-centre specific
- G-Cloud Business Impact Levels (BIL)
  - Very relevant; one to watch!

CIF code of practice
- Transparency
  - Ownership, people
  - Migration paths
  - Commercial terms
- Capability
  - Management systems
  - Resources
  - Continuity
- Accountability
  - Complaint resolution

Part three Technical Standards
Highlights only. See other on-line presentations for more information on this topic. References at end of deck.

IaaS vs. PaaS vs. SaaS - layering
Application Programming Interfaces (APIs)
- De facto standards emerging for IaaS
  - Different for compute and storage
- Open ones tend to be RESTful
  - E.g. OpenStack, OCCI
  - More Web 2.0
- Closed / payware ones tend to be XML
  - E.g. Amazon (SOAP), vCloud
- API provides introspection capability
- Provider often supplies libraries

IaaS compute APIs
- Common IaaS compute methods:
  - Create new instances from specified image
  - Start / stop / reboot instances
  - Destroy instances
  - List all / get details about hardware profiles
  - List all / get details about realms / images etc.
- Lack of standardization around:
  - Importing / creating new VM images (OVF will help)
  - Management of peripheral infrastructure (e.g. network, firewall)

IaaS storage APIs
- Common IaaS storage methods:
  - Create new container
  - Update / delete container
  - Create new object
  - Update / delete object
  - Read / write object attributes
  - Read / write individual object attributes
- Lack of standardization around:
  - Content Delivery Network services
  - Quality of service (durability, availability etc.)

Principal IaaS APIs
- Amazon Web Services
  - Elastic Compute Cloud (EC2) & Simple Storage Service (S3)
  - De facto standards, most widely used
- OpenStack consortium
  - Compute & Object Storage APIs and software
  - Industry's answer to Amazon
- Open Grid Forum's (OGF) Open Cloud Computing Interface (OCCI)
  - Somewhat academic approach but has traction with EC / FP7
- DMTF's OVF, now ISO/IEC 17203
  - Description of a VM, not an API

De facto standards for VM resources
- EC2-like ratios of RAM:CPU:disk becoming the norm:
  - 1 / 2 / 4 / 8 x 1.4 GHz Xeon core
  - 2 / 4 / 8 / 16 Gbytes RAM
  - 160 / 320 / 640 / 1280 Gbytes disk
- Different hypervisors make relatively little difference
  - Technologies available for portability
  - Interoperability is almost there!
- Little standardization around network layer
  - But some convergence in approaches from main players

De facto standards for storage
- Most are object stores, not file systems
  - Restrict options
  - Can't do incremental updates (e.g. rsync)
  - Limited metadata (timestamps etc.)
- Amazon's billing most comprehensive, but most:
  - Per-GB stored
  - Per-GB transferred out
- Durability becoming standard measure of resilience
  - Probability of any one object being lost per year.
  - E.g. 99.999999% durability means that any individual object has a 0.000001%, or 1 in 100,000,000, chance of being lost.

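The per-object durability figure above, scaled up to a whole object store. This is an added example, not part of the original deck; the function names are illustrative, and it assumes each object is lost independently with the same annual probability.

```python
import math
from decimal import Decimal


def loss_probability(durability_pct: str) -> Decimal:
    """Annual per-object loss probability for a durability such as '99.999999'."""
    # Decimal keeps the result exact; float 1 - 0.99999999 would carry rounding error.
    p = Decimal(1) - Decimal(durability_pct) / Decimal(100)
    if not (Decimal(0) < p < Decimal(1)):
        raise ValueError("durability must be strictly between 0% and 100%")
    return p


def fleet_risk(durability_pct: str, objects: int, years: float = 1.0):
    """Return (expected objects lost, probability of losing at least one)."""
    p = float(loss_probability(durability_pct))
    trials = objects * years
    expected_losses = p * trials
    # 1 - (1 - p)**trials, via log1p/expm1 so a tiny p is not rounded away.
    p_any_loss = -math.expm1(trials * math.log1p(-p))
    return expected_losses, p_any_loss


def objects_for_risk(durability_pct: str, target: float, years: float = 1.0) -> int:
    """Smallest object count at which P(at least one loss) reaches target."""
    p = float(loss_probability(durability_pct))
    return math.ceil(math.log1p(-target) / (years * math.log1p(-p)))


if __name__ == "__main__":
    quoted = "99.999999"  # the durability quoted on the slide
    for count in (1, 1_000_000, 10_000_000, 1_000_000_000):  # constructed sizes
        expected, p_any = fleet_risk(quoted, count)
        print(f"{count:>13,} objects: expect {expected:.6f} lost/yr, "
              f"P(any loss) = {p_any:.4%}")
    print("objects for a 50% yearly chance of a loss:",
          f"{objects_for_risk(quoted, 0.5):,}")
```
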
PaaS standards / common features
- Less standardization than IaaS
  - Lots of languages, lots of vendors vying for position
  - Range of approaches to billing: per-user, per-thread, per-trans. etc.
- Many are auto-scaling (but not all)
  - Main benefit of PaaS arguably should be auto-scaling!
  - Therefore less need for APIs, though some have (e.g. Azure)
- Many include abstracted messaging & database
  - Easy to use / transparent, but also means vendor lock-in!
- Greatest standardization around code deployment
  - Most use command line tools to deploy code straight from repositories such as SVN, Git etc.

SaaS standards / common features
- Limited options for broad standardization
  - Can only really do among similar types of software
  - Not in vendors' interests though!
- Billing tends to be per-user per-day/month/year
- Some application-specific data schemas
  - E.g. accountancy information
- Authentication is ripe for standardization though
  - OAuth looking interesting

Resources
- /cif-and-cloud-standards
  - Ian Osborne, Chair, CIF Standards Committee
- Other presentations on this topic
  - Kate Craig-Wood, Memset: Speaking @ Cloud Expo Olympia 26-01-12 - Full version
    http://www.youtube.com/watch?v=ltohjouxkyg
  - Ian Osborne, Intellect, ICT KTN: BrightTALK webinar
    http://www.brighttalk.com/webcast/1367/49035

Q&A
Thank you
info@cloudindustryforum.org