nist cloud computing program current activities · nist cloud computing program current activities...

NIST Cloud Computing ProgramNIST Cloud Computing Program

Current ActivitiesCurrent Activities

NIST Information NIST Information Technology Laboratory Cloud Computing ProgramTechnology Laboratory Cloud Computing Program

Robert Bohn, Ph.D.

NIST Cloud Computing Program Manager

ETSI - Cloud Standards Coordination

5 December 2012, Cannes, France

OutlineOutline

• Roadmap Activities

• Updates on PAPs/Working Groups

– SLA Guidance

– Cloud Metrics

2


– Cloud Metrics

– Cloud Broker

• Security RA

• Standards Update

USG Cloud Computing Roadmap USG Cloud Computing Roadmap ––

Volume IVolume I

Prioritized strategic and tactical requirements that must be met for

USG agencies to further cloud adoption;

Interoperability, portability, and security standards, guidelines, and

technology needed to satisfy these requirements;

Recommended list of Priority Action Plans (PAPs) -- candidates for

voluntary self-tasking by the stakeholder community.

NIST Information NIST Information Technology Laboratory Cloud Computing ProgramTechnology Laboratory Cloud Computing Program3

Collaboration through public working groups & Federal Cloud Computing Standards &

Technology Working Group

Intent is to leverage PAPs that are identified as complete or under way by cloud

stakeholder community; some may fall within NIST scope

voluntary self-tasking by the stakeholder community.

USG Cloud Computing Technology USG Cloud Computing Technology

Roadmap Roadmap requirementsrequirements

R 1: International voluntary consensus based interoperability, portability and security standards

(interoperability, portability, and security standards)

R 2: Solutions for high priority Security Requirements (security technology)

R 3: Technical specifications to enable development of consistent, high quality Service Level Agreements

(interoperability, portability, and security standards and guidance)

R 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and

technology)

R 5: Frameworks to support seamless implementation of federated community cloud environments


R 5: Frameworks to support seamless implementation of federated community cloud environments

(interoperability and portability guidance and technology)

R 6: Technical security solutions which are de-coupled from organizational policy decisions (security

guidance, standards and technology)

R 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability,

portability and security technology)

R 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and

security technology)

R 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)

R 10: Defined and implemented cloud service metrics (interoperability and portability standards)

USG USG CC Roadmap CC Roadmap –– Volume Volume IIII

Reference Architecture & Taxonomy

• Recommend Industry Mapping so that USG agencies & others can more easily

and consistently compare cloud services

• In parallel, support formal standards development process leveraging the

reference architecture

Standards

Use collaboration through public working groups & Federal Cloud Computing Standards & Technology

Working Group to continue to validate findings


Standards

• Provide avenue for USG agency engagement

• Continue standards roadmap

Target Business Use Cases & SAJACC

• Expand initial use case set & use SAJACC to identify gaps

Security

• leverage working groups to finalize special publication focusing on challenging

security requirements

• Continue technical advisor role – e.g. FedRAMP, continuous monitoring,

conformity assessment system

USG CC Roadmap USG CC Roadmap –– Volume IIIVolume III

• BUILDS ON the first two volumes of the USG Cloud Computing Technology Roadmap

• IS FOR USG agency technical planning and implementation teams - AND ANYONE ELSE THAT FINDS IT USEFUL

6


• HAS A GOAL to inform decision makers regarding questions and decision factors in the context of Cloud Computing use cases

•DESCRIBES HOW to leverage the Federal Cloud Computing Strategy Decision Framework for Cloud Migration and the collaborative NIST Cloud Computing Program work

Decision FrameworkDecision Framework


16 aspects…16 aspects…

• Provision

– Aggregate demand

– Integrate services

– Contract effectively

– Realize value

• Selection

– Efficiency

– Agility

– Innovation

– Security Requirements


– Realize value

• Manage

– Shift mindset

– Actively monitor

– Re-evaluate periodically

– Service characteristics

– Market Characteristics

– Network infrastructure

– Government readiness

– Technology lifecycle

Application CategoriesApplication Categories

• Collaboration Tools

• Planning/Management Tools

• Web Server/Content Management

• Identity Management


• Identity Management

• Document Retrieval/Library System

• PaaS

• IaaS

Next Steps for PAPs/Working GroupsNext Steps for PAPs/Working Groups

• Goal 1 - Requirement 3: Address “Technical Specifications for High-Quality Service-Level Agreements”.

• Goal 2 - Requirement 10: Address “Defined &


• Goal 2 - Requirement 10: Address “Defined & Implemented Cloud Service Metrics”.

• Goal 3 -Advanced Actor Analysis - To further the discussion on the roles of and interactions of cloud computing actors (consumer/auditor/broker/carrier).

SLA TaxonomySLA Taxonomy

Chair: John Messina (NIST) and Ken Stavinoha (Cisco)

Purpose: Address Roadmap Requirement 3 on Service Level Agreements (SLA)s

Goals:

• Create a mindmap/taxonomy identifying the major elements that should appear

within a high-quality SLA.

• Write report on how to create high-quality SLA


Status:

• Mindmap/taxonomy draft complete (available on NIST CC twiki public website)

• Report draft complete (available on NIST CC twiki public website)

Moving Forward:

• Establish Federal SLA collaborative activities

• Submit material to international standards bodies for further development

Mind Map of a Master Service AgreementMind Map of a Master Service Agreement


Contents of SLAContents of SLA

Business Level Objectives

• Roles & Responsibilities

• Requirements

• Operational Policies

Service Level Objectives

• Resources

• Performance Indicators

• Service Deployment


• Operational Policies

• Continuity

• Limitations

• Financial

• Glossary of Terms

• Service Deployment

• Service Management

• Description

• Security

• Privacy

Cloud Business Cloud Business RequirementsRequirements


Performance Performance IndicatorsIndicators


Cloud MetricsCloud MetricsChair: Frederic J. de Vaulx and Steve Woodward (CloudPersectives)

Purpose: Address Roadmap Requirement 10 on Cloud Metrics

Goals:

• Improve consistency & terminology to facilitate valuable comparative analysis

• Create a framework to help clarify measures, definitions and collection methods

• Align with the roadmap high priority goals like SLAs


Status:

• Cloud reference and description list (available on NIST CC twiki public website)

• Draft concept model for cloud metrics, measures and usages (available on NIST

CC twiki public website)

Moving Forward:

• Present the concept model to organizations involved in cloud metrics

• Write the Cloud Measure document based on the draft outline

Cloud MetricsCloud Metrics

Work Areas & Priorities


Goal 3: Advanced Actor Analysis Goal 3: Advanced Actor Analysis ––

Cloud BrokerCloud Broker

Cloud Broker Intermediate Cloud Service Provider

• dd


• Consumer accesses multiple provider services through a single broker interface

• The Cloud Consumer retains visibility into the cloud service providers they use

• Intermediary uses additional providers as invisible components of its own service, presented as integrated offering

• No consumer visibility into or control over additional cloud providers

The NIST Cloud Computing Reference ArchitectureThe NIST Cloud Computing Reference Architecture

19

Cloud

Auditor

Cloud

Auditor

Cloud

Service

Consumer

Cloud

Service

Consumer

Cloud

Broker

Service

Intermediation

Cloud

Broker

Service

Intermediation

Cloud Service ProviderCloud Service Provider

Sec

uri

tyS

ecu

rity

Pri

vac

yP

riv

acy

Service Layer

IaaS

SaaS

PaaS

Cloud Service

Management

Cloud Service

Management

Business

Support


Cloud CarrierCloud Carrier

AuditorAuditor

Security

Audit

Privacy

Impact Audit

Performance

Audit

Service

Aggregation

Service

Arbitrage

Service

Aggregation

Service

Arbitrage

Sec

uri

tyS

ecu

rity

Pri

vac

yP

riv

acy

Physical Resource Layer

Hardware

Facility

Resource Abstraction and

Control Layer

IaaS Support

Provisioning/

Configuration

Portability/

Interoperability

Service Layer

IaaS

SaaS

PaaSSoftware as a ServiceBiz Process/

Operations

App/Svc

Usage

Scenarios

App/Svc

Usage

Scenarios

NIST Security Reference ArchitectureNIST Security Reference Architecture20



Hardware

Facility

Resource Abstraction and

Control Layer

IaaS

Platform as a Service

Infrastructure as a Service

Cloud Provider

IT Infrastructure/

Operation

Application

Development

Develop, Test,

Deploy and Manage

Usage Scenarios

Create/Install,

Manage, Monitor

Usage Scenarios

Draft NIST CC Reference ArchitectureDraft NIST CC Reference Architecture

Cloud ConsumerCloud Consumer

Cloud ProviderCloud Provider

Cloud Service

Management

Cloud Service

Management

Cloud AuditorCloud Auditor

Cloud

Consumer

Cloud

Consumer

Provisioning/Security

Business

Support

Service Layer

IaaS

SaaS

PaaS

Cloud Orchestration

Cloud BrokerCloud Broker

Service

Intermediation

Service

21


Cloud ConsumerCloud Consumer

Cloud CarrierCloud Carrier

Provisioning/

Configuration

Portability/

Interoperability

Security

Audit

Privacy Impact

Audit

Performance

Audit


Hardware

Facility

Resource Abstraction and Control

Layer

Cross Cutting Concerns: Security, Privacy, etc

Service

Aggregation

Service

Arbitrage

NIST Security Reference Architecture NIST Security Reference Architecture ––

formal modelformal model

22


ISO/IEC JTC 1 Information

IECISO

ISO TC 68Financial

PSDOIEEE

Cloud Computing Standards Cloud Computing Standards DevelopersDevelopers

ITU-TIETF

SG 17

Security

SG 13

Future networks including mobile

and NGN

SG 11

Signalling requirements,

protocols and test specifications

JTC 1 PAS Submitters


Information

Technology

SC 27IT security

techniques

Financial services

SC 7Software &

systems engineering

SC 38Distributed application platforms &

services

SC 2Financial Services, security

W3COASIS TCGOMG SNIA

OGF CAOCC

ATIS CSA Kantara TIA

JTC 1 PAS Submitters

others

Key: PSDO = Partner Standards Development Organization; PAS = Publicly Available Specification; = private sector,

national member-based international standards body; = UN agency, member state-based international standards body;

= international consortium standards developer

NIST SP 500NIST SP 500--291 Recommendations291 RecommendationsAccelerating Development and Use of Cloud StandardsAccelerating Development and Use of Cloud Standards

Contribute Agency Requirements

Participate in Standards Development

Encourage Compliance Testing to Accelerate

• Contribute Agency Requirements

• Participate in Standards Development

• Encourage Compliance Testing to Accelerate

Technically Sound Standards-Based Deployments


Encourage Compliance Testing to Accelerate


Specify Cloud Computing Standards

USG-Wide Use of Cloud Computing Standards

Dissemination of Information on Cloud Computing

Standards


• Specify Cloud Computing Standards

• USG-Wide Use of Cloud Computing Standards

• Dissemination of Information on Cloud

Computing Standards

New Topics for ConsiderationNew Topics for Consideration

• Accessibility

• Conformity Assessment

• Performance

• Reliability


• Reliability

• Forensics

• Law Enforcement

• Education

NIST Cloud Computing Special Publications

• CC Standards Roadmap ……………………..500-291

• CC Reference Architecture………………….500-292

• USG CC Technology Roadmap Draft......500-293


• Guidelines on Security and Privacy …….800-144

• Definition of Cloud Computing …………..800-145

• CC Synopsis & Recommendations……....800-146

Searchable as “NIST SP xxx-nnn”

ContactsContacts

Dr. Chris Greer [email protected]

Dr. Robert Bohn [email protected]

John Messina [email protected]

Dr. Michaela Iorga [email protected]

Annie Sokol [email protected]

Mike Hogan [email protected]

Eric Simmon [email protected]

Acting SES

Program Mgr

RA/Tax Co-Convener

Security

Standards

Standards

Volume III


NIST ITL Cloud Computing Home Page http://www.nist.gov/itl/cloud

NIST Cloud Computing Collaboration Site (twiki)

http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing

Eric Simmon [email protected]

Frederic de Vaulx [email protected]

Volume III

Metrics

nist cloud computing program current activities · nist cloud computing program current activities...

Documents