NIST Information Technology Laboratory Cloud Computing Program
NIST Cloud Computing Program: Current Activities
Robert Bohn, Ph.D., NIST Cloud Computing Program Manager
ETSI - Cloud Standards Coordination, 5 December 2012, Cannes, France

Upload: jody-holt

Post on 23-Dec-2015


Page 2: Outline

• Roadmap Activities
• Updates on PAPs/Working Groups
  – SLA Guidance
  – Cloud Metrics
  – Cloud Broker
• Security RA
• Standards Update

Page 3: USG Cloud Computing Roadmap – Volume I

Collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group

Intent is to leverage PAPs that are identified as complete or under way by cloud stakeholder community; some may fall within NIST scope

Prioritized strategic and tactical requirements that must be met for USG agencies to further cloud adoption;

Interoperability, portability, and security standards, guidelines, and technology needed to satisfy these requirements;

Recommended list of Priority Action Plans (PAPs) -- candidates for voluntary self-tasking by the stakeholder community.

Page 4: USG Cloud Computing Technology Roadmap requirements

• R 1: International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards)
• R 2: Solutions for high priority Security Requirements (security technology)
• R 3: Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance)
• R 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology)
• R 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology)
• R 6: Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards and technology)
• R 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology)
• R 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and security technology)
• R 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
• R 10: Defined and implemented cloud service metrics (interoperability and portability standards)

Page 5: USG CC Roadmap – Volume II

Reference Architecture & Taxonomy
• Recommend Industry Mapping so that USG agencies & others can more easily and consistently compare cloud services
• In parallel, support formal standards development process leveraging the reference architecture

Standards
• Provide avenue for USG agency engagement
• Continue standards roadmap

Target Business Use Cases & SAJACC
• Expand initial use case set & use SAJACC to identify gaps

Security
• Leverage working groups to finalize special publication focusing on challenging security requirements
• Continue technical advisor role – e.g. FedRAMP, continuous monitoring, conformity assessment system

Use collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group to continue to validate findings

Page 6: USG CC Roadmap – Volume III

• BUILDS ON the first two volumes of the USG Cloud Computing Technology Roadmap

• IS FOR USG agency technical planning and implementation teams - AND ANYONE ELSE THAT FINDS IT USEFUL

• HAS A GOAL to inform decision makers regarding questions and decision factors in the context of Cloud Computing use cases

• DESCRIBES HOW to leverage the Federal Cloud Computing Strategy Decision Framework for Cloud Migration and the collaborative NIST Cloud Computing Program work

Page 7: Decision Framework

Page 8: 16 aspects…

• Provision
  – Aggregate demand
  – Integrate services
  – Contract effectively
  – Realize value

• Manage
  – Shift mindset
  – Actively monitor
  – Re-evaluate periodically

• Selection
  – Efficiency
  – Agility
  – Innovation
  – Security Requirements
  – Service characteristics
  – Market Characteristics
  – Network infrastructure
  – Government readiness
  – Technology lifecycle

Page 9: Application Categories

• Collaboration Tools
• Planning/Management Tools
• Web Server/Content Management
• Identity Management
• Document Retrieval/Library System

• PaaS
• IaaS

Page 10: Next Steps for PAPs/Working Groups

• Goal 1 - Requirement 3: Address “Technical Specifications for High-Quality Service-Level Agreements”.

• Goal 2 - Requirement 10: Address “Defined & Implemented Cloud Service Metrics”.

• Goal 3 - Advanced Actor Analysis - To further the discussion on the roles of and interactions of cloud computing actors (consumer/auditor/broker/carrier).

Page 11: SLA Taxonomy

Chair: John Messina (NIST) and Ken Stavinoha (Cisco)
Purpose: Address Roadmap Requirement 3 on Service Level Agreements (SLAs)

Goals:
• Create a mindmap/taxonomy identifying the major elements that should appear within a high-quality SLA.
• Write report on how to create high-quality SLA

Status:
• Mindmap/taxonomy draft complete (available on NIST CC twiki public website)
• Report draft complete (available on NIST CC twiki public website)

Moving Forward:
• Establish Federal SLA collaborative activities
• Submit material to international standards bodies for further development

Page 12: Mind Map of a Master Service Agreement

Page 13: Contents of SLA

Business Level Objectives
• Roles & Responsibilities
• Requirements
• Operational Policies
• Continuity
• Limitations
• Financial
• Glossary of Terms

Service Level Objectives
• Resources
• Performance Indicators
• Service Deployment
• Service Management
• Description
• Security
• Privacy

Page 14: Cloud Business Requirements

Page 15: Performance Indicators

Page 16: Cloud Metrics

Chair: Frederic J. de Vaulx and Steve Woodward (CloudPerspectives)
Purpose: Address Roadmap Requirement 10 on Cloud Metrics

Goals:
• Improve consistency & terminology to facilitate valuable comparative analysis
• Create a framework to help clarify measures, definitions and collection methods
• Align with the roadmap high priority goals like SLAs

Status:
• Cloud reference and description list (available on NIST CC twiki public website)
• Draft concept model for cloud metrics, measures and usages (available on NIST CC twiki public website)

Moving Forward:
• Present the concept model to organizations involved in cloud metrics
• Write the Cloud Measure document based on the draft outline

Page 17: Cloud Metrics – Work Areas & Priorities

Page 18: Goal 3: Advanced Actor Analysis – Cloud Broker

Cloud Broker

• Consumer accesses multiple provider services through a single broker interface

• The Cloud Consumer retains visibility into the cloud service providers they use

Intermediate Cloud Service Provider

• Intermediary uses additional providers as invisible components of its own service, presented as integrated offering

• No consumer visibility into or control over additional cloud providers

Page 19: The NIST Cloud Computing Reference Architecture

[Figure: The NIST Cloud Computing Reference Architecture. Labels: Cloud Carrier; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Service Consumer; Cloud Service Provider; Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability).]

Page 20: NIST Security Reference Architecture

[Figure: NIST Security Reference Architecture. Labels: Cloud Provider; Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Software as a Service; Platform as a Service; Infrastructure as a Service; IT Infrastructure/Operation; Application Development; Biz Process/Operations; App/Svc Usage Scenarios; Develop, Test, Deploy and Manage Usage Scenarios; Create/Install, Manage, Monitor Usage Scenarios.]

Page 21: Draft NIST CC Reference Architecture

[Figure: Draft NIST CC Reference Architecture. Labels: Cloud Consumer; Cloud Provider; Cloud Orchestration; Service Layer (SaaS, PaaS, IaaS); Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility); Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability); Cross Cutting Concerns: Security, Privacy, etc; Cloud Carrier; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage).]

Page 22: NIST Security Reference Architecture – formal model

Page 23: Cloud Computing Standards Developers

[Figure: Cloud Computing Standards Developers]

• ISO/IEC JTC 1 Information Technology
  – SC 7 Software & systems engineering
  – SC 27 IT security techniques
  – SC 38 Distributed application platforms & services
• ISO TC 68 Financial services
  – SC 2 Financial Services, security
• ISO, IEC
• ITU-T
  – SG 11 Signalling requirements, protocols and test specifications
  – SG 13 Future networks including mobile and NGN
  – SG 17 Security
• IETF
• PSDO: IEEE
• JTC 1 PAS Submitters
• W3C, OASIS, TCG, OMG, SNIA, OGF, CAOCC, ATIS, CSA, Kantara, TIA, others

Key: PSDO = Partner Standards Development Organization; PAS = Publicly Available Specification. The figure's legend distinguishes three kinds of body: private sector, national member-based international standards body; UN agency, member state-based international standards body; international consortium standards developer.

Page 24: NIST SP 500-291 Recommendations – Accelerating Development and Use of Cloud Standards

• Contribute Agency Requirements
• Participate in Standards Development
• Encourage Compliance Testing to Accelerate Technically Sound Standards-Based Deployments
• Specify Cloud Computing Standards
• USG-Wide Use of Cloud Computing Standards
• Dissemination of Information on Cloud Computing Standards

Page 25: New Topics for Consideration

• Accessibility
• Conformity Assessment
• Performance
• Reliability
• Forensics
• Law Enforcement
• Education

Page 26: NIST Cloud Computing Special Publications

• CC Standards Roadmap: 500-291
• CC Reference Architecture: 500-292
• USG CC Technology Roadmap Draft: 500-293

• Guidelines on Security and Privacy: 800-144
• Definition of Cloud Computing: 800-145
• CC Synopsis & Recommendations: 800-146

Searchable as “NIST SP xxx-nnn”

Page 27: Contacts

NIST ITL Cloud Computing Home Page: http://www.nist.gov/itl/cloud

NIST Cloud Computing Collaboration Site (twiki): http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing

• Dr. Chris [email protected] (Acting SES)
• Dr. Robert Bohn [email protected] (Program Mgr)
• Messina [email protected] (RA/Tax Co-Convener)
• Dr. Michaela Iorga [email protected] (Security)
• Sokol [email protected] (Standards)
• Hogan [email protected] (Standards)
• Simmon [email protected] (Volume III)
• de Vaulx [email protected] (Metrics)