The Latest in Cloud Computing Standards
Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA, SCSE
CTO Security & Privacy, Hitachi Data Systems

Uploaded by ca-api-management, posted on 12-May-2015


Description: Eric A. Hibbard, CTO Security and Privacy, Hitachi, gave this presentation at our API and SOA workshop in conjunction with CSA.

Transcript


Page 2: Standards Alphabet Soup
• CSA = Cloud Security Alliance
• DMTF = Distributed Management Task Force
• ENISA = European Network and Information Security Agency
• ETSI = European Telecommunications Standards Institute
• IEC = International Electrotechnical Commission
• IEEE = Institute of Electrical and Electronics Engineers
• INCITS = International Committee for Information Technology Standards
• ISO = International Organization for Standardization
• ITU-T = International Telecommunication Union – Telecom
• NIST = National Institute of Standards and Technology
• OASIS = Organization for the Advancement of Structured Information Standards
• SNIA = Storage Networking Industry Association
• TCG = Trusted Computing Group

Page 3: Sample Cloud SDO Relationships
[Diagram of formal and informal relationships among the standards development organizations ISO/IEC SC27, ISO/IEC SC38, IEEE, ITU-T, SNIA, DMTF, INCITS/CS1, TCG, CSA, ENISA, NIST, INCITS/DAPS38 and CT-CC; only the node labels survived extraction.]

Page 4: Standards & Glaciers… Similar Pace

Page 5: Cloud Computing…

cloud computing: paradigm for enabling [ubiquitous, convenient, on-demand] network access to a shared pool of configurable cloud resources (3.2.4) accessed through services (3.1.8), that can be [rapidly] provisioned and released [with minimal management effort or service provider interaction.]

Source: ISO/IEC 17788, 2nd CD

Page 6: ISO/IEC JTC 1/SC 38
• SC38 = Information Technology – Distributed Application Platforms & Services
• ISO/IEC 17788 (Cloud computing – Vocabulary and overview)
  • Collaborative Team (CT) with ITU-T/SG13 to develop common text
  • Defines key cloud terminology and provides an overview of cloud computing
  • Intended to be a foundation document for cloud computing
  • Stage: 2nd Committee Draft (CD)
• ISO/IEC 17789 (Reference architecture)
  • Collaborative Team (CT) with ITU-T/SG13 to develop common text
  • Covers general concepts and characteristics of cloud computing, the components/functions and roles and their capabilities and inter-relationships
  • Focused on the requirements of "what" cloud services provide, not "how" to design solutions and implementations
  • Stage: Working Draft (CD)
• Under consideration:
  • Service Delivery Principles and Service Level Agreements

Page 7: ITU-T/Study Group 13 (SG13)
• Future networks including cloud computing, mobile and next-generation networks
• Y.ccdef – Cloud computing definition and vocabulary
• Y.cceco – Cloud computing: ecosystem, use cases and general requirements
• Y.Cloud-SIDE-Reqts – High level requirements and capabilities for cloud enabled service environment
• Y.ccic – Framework of inter-cloud for network and infrastructure
• Y.ccinfra – Cloud computing infrastructure requirements
• Y.ccra – Cloud computing reference architecture
• Y.e2eccrmr – End-to-end cloud computing resources management requirements
• Y.VNC – Resource control and management for virtual networks for cloud services (VNCs)

Page 8: ITU-T/Study Group 17 (SG17)
• Security
• X.ccsec – High-level security framework for cloud computing
• X.goscc – Guidelines of operational security for cloud computing
• X.sfcse – Security functional requirements for Software as a Service (SaaS) application environment
• X.idmcc – Requirement of IdM in cloud computing

Page 9: ISO/IEC JTC 1/SC27
• SC27 = Information Technology – Security techniques
• ISO/IEC 27017 (Code of practice for information security controls for cloud computing services based on ISO/IEC 27002)
  • Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002; and
  • Additional controls and implementation guidance that specifically relate to cloud computing services.
  • Technical Report => International Standard
  • Stage: 4th Working Draft (WD)
• ISO/IEC 27018 (Code of practice for data protection controls for public cloud computing services)
  • Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)
  • Establishes commonly accepted control objectives, controls and guidelines for implementing controls to protect
  • Stage: 2nd Working Draft (WD)

Page 10: ISO/IEC JTC 1/SC27 (cont.)
• ISO/IEC 27040 (Storage security)
  • Overview of storage security concepts and related definitions
  • Guidance on the threat, design and control aspects associated with typical storage scenarios and storage technology areas
  • Limited coverage for cloud storage (e.g., CDMI)
  • Stage: 2nd Committee Draft (CD)
• Numerous other security standards that are potentially relevant!

Page 11: Standards Setting Organizations (SSO) & Industry Associations

Page 12: NIST – Information Technology Laboratory
• Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
• Special Publication 800-145, The NIST Definition of Cloud Computing
• Special Publication 800-146, Cloud Computing Synopsis and Recommendations
• Special Publication 500-291, NIST Cloud Computing Standards Roadmap
• Special Publication 500-292, NIST Cloud Computing Reference Architecture
• Special Publication 500-293 (Draft), US Government Cloud Computing Technology
• Interagency Report 7904 (Draft), Trusted Geolocation in the Cloud: Proof of Concept Implementation

Page 13: Cloud Security Alliance (CSA)
• Security Guidance for Critical Areas of Focus in Cloud Computing
• Open Certification Framework
• Cloud Controls Matrix (CCM)
• Trusted Cloud Initiative (TCI) Reference Architecture Model
• Top Threats to Cloud Computing
• Security as a Service (SecaaS) Implementation Guidance

Page 14: OASIS
• Cloud Application Management for Platforms (CAMP)
• Identity in the Cloud (IDCloud)
• Symptoms Automation Framework (SAF)
• Topology and Orchestration Specification for Cloud Applications (TOSCA)
• Cloud Authorization (CloudAuthZ)
• Public Administration Cloud Requirements (PACR)

Page 15: Other Cloud Activities of SSOs & IAs
• IEEE Standards Association (IEEE-SA)
  • P2301 – Guide for Cloud Portability and Interoperability Profiles (CPIP)
  • P2302 – Standard for Intercloud Interoperability and Federation (SIIF)
• Internet Engineering Task Force (IETF)
  • RFC 6208 – Cloud Data Management Interface (CDMI) Media Types
  • Huge number of RFCs that enable the cloud.
• Trusted Computing Group (TCG)
  • Trusted Multi-Tenant Infrastructure (TMI) Use Cases
  • Trusted Multi-Tenant Infrastructure (TMI) Specification [Goal]
• Storage Networking Industry Association (SNIA)
  • Cloud Data Management Interface (CDMI) specification
  • ISO/IEC 17826:2012, Information technology -- Cloud Data Management Interface (CDMI) [CDMI v1.0.2]

Page 16: Other Cloud Activities of SSOs & IAs (cont.)
• The Open Group
  • Service-oriented Cloud Computing Infrastructure (SOCCI) Framework
  • Cloud Computing Reference Architecture (CCRA)
• Distributed Management Task Force (DMTF)
  • DSP0243 Open Virtualization Format (OVF)
  • ISO/IEC 17203:2011, Information technology -- Open Virtualization Format (OVF) specification
  • DSP0263 Cloud Infrastructure Management Interface (CIMI) Model and REST Interface over HTTP Specification
  • DSP0264 CIMI-CIM Specification

Page 17: Final Thoughts
• A significant number of the cloud computing standards and specifications are still in draft form
• There are many organizations operating in this space, but there do appear to be conscious efforts to avoid duplication and contradiction
• It is unlikely that a single, all-encompassing standard (or source for standards) will emerge for cloud

Page 18: Thank You
