Latest Cloud Computing Standards Update
1. Latest in Cloud Computing Standards
Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA, SCSE
CTO Security & Privacy
Hitachi Data Systems
2. Standards Alphabet Soup
• CSA = Cloud Security Alliance
• DMTF = Distributed Management Task Force
• ENISA = European Network and Information Security Agency
• ETSI = European Telecommunications Standards Institute
• IEC = International Electrotechnical Commission
• IEEE = Institute of Electrical and Electronics Engineers
• INCITS = InterNational Committee for Information Technology Standards
• ISO = International Organization for Standardization
• ITU-T = International Telecommunication Union – Telecommunication Standardization Sector
• NIST = National Institute of Standards and Technology
• OASIS = Organization for the Advancement of Structured Information Standards
• SNIA = Storage Networking Industry Association
• TCG = Trusted Computing Group
5. Cloud Computing…
cloud computing: paradigm for enabling [ubiquitous, convenient, on-demand] network access to a shared pool of configurable cloud resources (3.2.4) accessed through services (3.1.8), that can be [rapidly] provisioned and released [with minimal management effort or service provider interaction.]
(Bracketed text is still under discussion in the draft.)
SOURCE: ISO/IEC 2nd CD 17788
6. ISO/IEC JTC 1/SC 38
• SC 38 = Information Technology – Distributed Application Platforms & Services
• ISO/IEC 17788 (Cloud computing – Vocabulary and overview)
  • Collaborative Team (CT) with ITU-T/SG13 to develop common text
  • Defines key cloud terminology and provides an overview of cloud computing
  • Intended to be a foundation document for cloud computing
  • Stage: 2nd Committee Draft (CD)
• ISO/IEC 17789 (Reference architecture)
  • Collaborative Team (CT) with ITU-T/SG13 to develop common text
  • Covers general concepts and characteristics of cloud computing, the components/functions and roles, and their capabilities and inter-relationships
  • Focused on the requirements of "what" cloud services provide, not "how" to design solutions and implementations
  • Stage: Working Draft (WD)
• Under consideration:
  • Service Delivery Principles and Service Level Agreements
7. ITU-T/Study Group 13 (SG13)
• Scope: future networks, including cloud computing, mobile and next-generation networks
• Y.ccdef – Cloud computing definition and vocabulary
• Y.cceco – Cloud computing: ecosystem, use cases and general requirements
• Y.Cloud-SIDE-Reqts – High-level requirements and capabilities for cloud-enabled service environment
• Y.ccic – Framework of inter-cloud for network and infrastructure
• Y.ccinfra – Cloud computing infrastructure requirements
• Y.ccra – Cloud computing reference architecture
• Y.e2eccrmr – End-to-end cloud computing resources management requirements
• Y.VNC – Resource control and management for virtual networks for cloud services (VNCs)
8. ITU-T/Study Group 17 (SG17)
• Scope: security
• X.ccsec – High-level security framework for cloud computing
• X.goscc – Guidelines of operational security for cloud computing
• X.sfcse – Security functional requirements for Software as a Service (SaaS) application environment
• X.idmcc – Requirements of IdM (identity management) in cloud computing
9. ISO/IEC JTC 1/SC 27
• SC 27 = Information Technology – Security techniques
• ISO/IEC 27017 (Code of practice for information security controls for cloud computing services based on ISO/IEC 27002)
  • Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002; and
  • Additional controls and implementation guidance that specifically relate to cloud computing services
  • Project changed from a Technical Report to an International Standard
  • Stage: 4th Working Draft (WD)
• ISO/IEC 27018 (Code of practice for data protection controls for public cloud computing services)
  • Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)
  • Establishes commonly accepted control objectives, controls and guidelines for implementing controls to protect PII
  • Stage: 2nd Working Draft (WD)
10. ISO/IEC JTC 1/SC 27 (cont.)
• ISO/IEC 27040 (Storage security)
  • Overview of storage security concepts and related definitions
  • Guidance on the threat, design and control aspects associated with typical storage scenarios and storage technology areas
  • Limited coverage for cloud storage (e.g., CDMI)
  • Stage: 2nd Committee Draft (CD)
• Numerous other SC 27 security standards are potentially relevant!
12. NIST – Information Technology Laboratory
• Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
• Special Publication 800-145, The NIST Definition of Cloud Computing
• Special Publication 800-146, Cloud Computing Synopsis and Recommendations
• Special Publication 500-291, NIST Cloud Computing Standards Roadmap
• Special Publication 500-292, NIST Cloud Computing Reference Architecture
• Special Publication 500-293 (Draft), US Government Cloud Computing Technology Roadmap
• Interagency Report 7904 (Draft), Trusted Geolocation in the Cloud: Proof of Concept Implementation
13. Cloud Security Alliance (CSA)
• Security Guidance for Critical Areas of Focus in Cloud Computing
• Open Certification Framework
• Cloud Controls Matrix (CCM)
• Trusted Cloud Initiative (TCI) Reference Architecture Model
• Top Threats to Cloud Computing
• Security as a Service (SecaaS) Implementation Guidance
14. OASIS
• Cloud Application Management for Platforms (CAMP)
• Identity in the Cloud (IDCloud)
• Symptoms Automation Framework (SAF)
• Topology and Orchestration Specification for Cloud Applications (TOSCA)
• Cloud Authorization (CloudAuthZ)
• Public Administration Cloud Requirements (PACR)
15. Other Cloud Activities of SSOs & IAs (standards-setting organizations and industry associations)
• IEEE Standards Association (IEEE-SA)
  • P2301 – Guide for Cloud Portability and Interoperability Profiles (CPIP)
  • P2302 – Standard for Intercloud Interoperability and Federation (SIIF)
• Internet Engineering Task Force (IETF)
  • RFC 6208 – Cloud Data Management Interface (CDMI) Media Types
  • Huge number of RFCs that enable the cloud (IP, TLS, HTTP, etc.)
• Trusted Computing Group (TCG)
  • Trusted Multi-Tenant Infrastructure (TMI) Use Cases
  • Trusted Multi-Tenant Infrastructure (TMI) Specification [Goal]
• Storage Networking Industry Association (SNIA)
  • Cloud Data Management Interface (CDMI) specification
  • ISO/IEC 17826:2012, Information technology – Cloud Data Management Interface (CDMI) [CDMI v1.0.2]
16. Other Cloud Activities of SSOs & IAs (cont.)
• The Open Group
  • Service-Oriented Cloud Computing Infrastructure (SOCCI) Framework
  • Cloud Computing Reference Architecture (CCRA)
• Distributed Management Task Force (DMTF)
  • DSP0243 Open Virtualization Format (OVF)
  • ISO/IEC 17203:2011, Information technology – Open Virtualization Format (OVF) specification
  • DSP0263 Cloud Infrastructure Management Interface (CIMI) Model and REST Interface over HTTP Specification
  • DSP0264 CIMI-CIM Specification
17. Final Thoughts
• A significant number of the cloud computing standards and specifications are still in draft form
• There are many organizations operating in this space, but there do appear to be conscious efforts to avoid duplication and contradiction (e.g., the SC 38/ITU-T SG13 collaborative teams developing common text)
• It is unlikely that a single, all-encompassing standard (or single source of standards) will emerge for cloud