B.1 National Institute of Standards and Technology (NIST)
B.2 Cloud Security Alliance (CSA)
B.3 Distributed Management Task Force (DMTF)
B.4 Storage Networking Industry Association (SNIA)
B.5 Organization for the Advancement of Structured Information Standards (OASIS)
B.7 Open Cloud Consortium (OCC)
B.8 European Telecommunications Standards Institute (ETSI)
B.9 Telecommunications Industry Association (TIA)
This appendix provides an overview of industry standards development organizations and their contributions to the standardization of the cloud computing industry.
NIST is a federal agency within the US Department of Commerce that promotes standards and technology in order to improve the general public’s security and quality of life. One of NIST’s projects is to lead federal government efforts on standards for data portability, cloud interoperability, and cloud security.
This agency has developed several standards and recommendations related to cloud computing that include:
• NIST Definition of Cloud Computing (Special Publication 800-145): Provides broad cloud computing definitions in terms of characteristics and models. The aim is to develop industry standards with minimal restrictions to avoid specifications that inhibit innovation.
• NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144): Provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take into account when outsourcing data, applications, and infrastructure to a public cloud environment.
• NIST Cloud Computing Standards Roadmap (Special Publication 500-291): Surveys the existing standards landscape for security, portability, and interoperability standards, models, and use cases that are relevant to cloud computing, and identifies current standards, gaps, and priorities.
• NIST Cloud Computing Reference Architecture (Special Publication 500-292): Describes a cloud computing reference architecture, designed as an extension to the NIST Cloud Computing Definition, that depicts a generic high-level conceptual model for discussing the requirements, structures, and operations of cloud computing.
Official Web site: www.nist.gov
The CSA is a member-driven organization that was formed in December 2008 and chartered with promoting the use of best practices to enable security assurance in the field of cloud computing. CSA corporate membership is comprised of many of the industry’s large-scale vendors and suppliers.
This alliance considers itself to be a standards incubator rather than a standards developing organization, having published the following cloud security-related best practice guides and checklists:
• Security Guidance for Critical Areas of Focus in Cloud Computing (Version 3): This document describes security concerns and foundational best practices that are organized into 14 domains (Cloud Architecture, Governance and Enterprise Risk, Legal: Contracts and Electronic Discovery, Compliance and Audit, Information Lifecycle Management and Data Security, Portability and Interoperability, Traditional Security, Business Continuity and Disaster Recovery, Data Center Operations, Incident Response, Application Security, Encryption and Key Management, Identity and Access Management, Virtualization, and Security-as-a-Service).
• Cloud Controls Matrix (CCM) (Version 2.1): Provides a security controls list and framework that enables detailed understanding of security concepts and principles.
Official Web site: www.cloudsecurityalliance.org
The DMTF focuses on developing standards to enable interoperable IT management and promote worldwide multi-vendor interoperability. DMTF’s board members are representatives from companies such as Advanced Micro Devices (AMD), Broadcom Corporation, CA, Inc., Cisco, Citrix Systems, Inc., EMC, Fujitsu, HP, Huawei, IBM, Intel Corporation, Microsoft Corporation, NetApp, Oracle, Red Hat, SunGard, and VMware, Inc.
The cloud computing standards that were developed by the DMTF include the Open Virtualization Format (OVF) (DMTF Standard Version 1.1), an industry standard that aims at enabling interoperability between virtualized environments.
Official Web site: www.dmtf.org
The main objective of the SNIA is to develop and promote standards, technologies, and educational services for the management of information. The SNIA developed a Storage Management Initiative Specification (SMI-S) that was adopted by the ISO (International Standards Organization). The SNIA further established an intermediary council known as the Cloud Storage Initiative (CSI) that promotes the adoption of the Storage-as-a-Service cloud delivery model to provide elastic, on-demand storage on a pay-as-you-go basis.
The SNIA standards portfolio includes the Cloud Data Management Interface (CDMI), an industry standard that defines a functional interface that allows for interoperable data transfer and management in cloud storage, as well as discovery of various cloud storage capabilities. Cloud consumers that use CDMI can exploit the capabilities of standardized cloud storage devices that are offered by different cloud providers.
Official Web site: www.snia.org
OASIS is a consortium of vendors and users that is devoted to developing guidelines for IT product interoperability, so that the global information society can establish and adopt open standards. This organization produces standards in fields such as security, cloud computing, service-oriented architecture, Web services, and smart grids, and has put forth numerous service technology recommendations that include UDDI, WS-BPEL, SAML, WS-SecurityPolicy, WS-Trust, SCA, and ODF.
Official Web site: www.oasis-open.org
The Open Group is a consortium that works together with other standards bodies such as the Cloud Security Alliance and the Cloud Computing Interoperability Forum. Its mission is to enable access to integrated information both within and between enterprises, based on open standards and global interoperability.
The Open Group has a dedicated Cloud Working Group that was created to educate cloud providers and cloud consumers on the ways in which cloud technologies can be used to fully achieve benefits such as cost reduction, scalability, and agility.
Official Web site: www.opengroup.org
The OCC is a not-for-profit organization that manages and operates cloud infrastructure in support of scientific, environmental, medical, and healthcare research. This organization assists in the development of cloud computing industry standards, with a heightened focus on data-intensive cloud-based environments.
Contributions from the OCC include the development of reference implementations, benchmarks, and standards that include the MalGen Benchmark, a tool for testing and benchmarking data-intensive cloud implementations. The OCC also established a number of cloud test beds, such as the OCC Virtual Network Testbed and Open Cloud Testbed.
The OCC’s membership includes organizations and universities such as Cisco, Yahoo, Citrix, NASA, Aerospace Corporation, Johns Hopkins University, and the University of Chicago.
Official Web site: www.opencloudconsortium.org
The ETSI, which is recognized by the European Union as an official industry standards body, develops globally applicable standards for information and communications technologies. The main focus of this organization is to support interoperability via standardization in multi-vendor, multi-network, and multi-service environments.
The ETSI is comprised of a number of technical committees, such as a body called the TC CLOUD that focuses on building standardized solutions for using, integrating, and deploying cloud computing technology. This committee is particularly focused on the telecommunications industry’s interoperable solutions, and emphasizes the IaaS delivery model.
Official Web site: www.etsi.org
A trade association founded in 1988 that represents the global information and communications technology (ICT) industry, the TIA is responsible for standards development, policy initiatives, business opportunities, market intelligence, and networking events.
The TIA develops standards for telecommunications and data center technologies, such as the Telecommunications Infrastructure Standard for Data Centers (TIA-942 Standard, published in 2005, latest amendment in 2010). This standard outlines the minimum requirements for infrastructure redundancy on four different tiers, as well as those for data center and computer room telecommunications infrastructures. The latter includes single-tenant enterprise data centers and multitenant Internet-hosting data centers.
Official Web site: www.tiaonline.org
The Liberty Alliance develops open standards for protecting the privacy and security of identity information. This body published the Liberty Identity Assurance Framework (LIAF) to facilitate trusted identity federation and promote uniformity and interoperability among identity service providers, including cloud providers. The main building blocks of the LIAF are assurance level criteria, service assessment criteria, and accreditation and certification rules.
Official Web site: www.projectliberty.org
The OGF launched the Open Cloud Computing Interface (OCCI) working group to deliver an API specification for the remote management of cloud infrastructure. The OCCI specification assists in the development of interoperable tools for common tasks that include deployment, automated scaling, and monitoring. The specification consists of core models, infrastructure models, XHTML5 rendering, and HTTP header rendering.
Official Web site: www.ogf.org