The last several days have seen two standardization-related events that I think are worthy of note. Standardization, of course, is a critical element to creating fluid markets for compute, development, and application services in the cloud. There are several efforts already under way, including the Distributed Management Task Force (DMTF) Open Cloud Standards Incubator, the Open Grid Forum's Open Cloud Computing Interface working group, and the Storage Network Industry Association Cloud Storage Technical Work Group. A great resource to see the spectrum of cloud standards activity can be found at the OMG's cloud-standards.org wiki.
The standardization effort that was officially announced this week is already listed on that wiki: the Open Group Cloud Work Group. In a press release, The Open Group described the group's charter:
(T)he Group is being established to ensure the effective and secure use of cloud computing within enterprise architectures, based on open standards. The Open Group Cloud Work Group prioritizes collaboration on standard models and frameworks, aimed at enterprises looking to benefit from cloud products and services.
The Open Group Cloud Work Group was created to develop a common understanding between buyers and suppliers of how enterprises, regardless of size or scale of operation, can include cloud computing technology in a safe and secure way in their architectures to realize its significant cost, scalability and agility benefits. The newly-formed group includes some of the industry's leading cloud providers and end-user organizations and emphasizes customer input, drawing on The Open Group's global membership.
While that may sound pretty generic as charters go, the exciting element of this announcement was the availability of the group's first deliverable:
The first deliverable of the Cloud Work Group will be to publish a Business Scenario for Enterprise Cloud Computing, based on end-user requirements discussed at The Open Group's July Enterprise Architecture Conference held in Toronto. Business scenarios, an important technique that is fully explored as part of The Open Group's TOGAF(TM) framework, can be used at various stages of enterprise architectures to derive architecture requirements directly from high-level requirements for each business organization. The Enterprise Cloud Business Scenario will help companies identify and understand business needs relative to cloud computing and thereby derive the requirements that the architecture development must address. For more information on this report, please click here (PDF).
This document is a pretty well-done list of the key benefits/concerns for cloud, and has a great quotable list of statements about cloud from a variety of enterprise participants.
The other effort that made itself public this week was Chris Hoff's call for participants in developing a standard for security assessment and management. The idea behind this API--codenamed the Audit, Assertion, Assessment, and Assurance API (A6)--is quite simple, as Hoff notes:
So I propose -- as I did to a group of concerned government organizations yesterday -- that we take this concept a step further, beyond just "vulnerability scanning."
Let's solve (both the question of vulnerability scanning of the cloud, and the challenge of auditing cloud services for contractual and compliance purposes) with one solution.
Specifically, let's take the capabilities of something like SCAP and embed a standardized and open API layer into each IaaS, PaaS, and SaaS offering (see the API blocks in the diagram below) to provide not only a standardized way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.
Krishnan Subramanian has an excellent overview of the effort. If you are a service provider looking to gain credibility regarding the security of your service, I would highly recommend getting involved in this effort.