NIST Cloud Computing Program
Current Activities
NIST Information Technology Laboratory Cloud Computing Program
Robert Bohn, Ph.D.
NIST Cloud Computing Program Manager
ETSI - Cloud Standards Coordination
5 December 2012, Cannes, France
Outline
• Roadmap Activities
• Updates on PAPs/Working Groups
– SLA Guidance
– Cloud Metrics
– Cloud Broker
• Security RA
• Standards Update
USG Cloud Computing Roadmap – Volume I
Prioritized strategic and tactical requirements that must be met for
USG agencies to further cloud adoption;
Interoperability, portability, and security standards, guidelines, and
technology needed to satisfy these requirements;
Recommended list of Priority Action Plans (PAPs) -- candidates for
voluntary self-tasking by the stakeholder community.
Collaboration through public working groups & Federal Cloud Computing Standards &
Technology Working Group
Intent is to leverage PAPs that are identified as complete or under way by cloud
stakeholder community; some may fall within NIST scope
USG Cloud Computing Technology Roadmap requirements
R 1: International voluntary consensus based interoperability, portability and security standards
(interoperability, portability, and security standards)
R 2: Solutions for high priority Security Requirements (security technology)
R 3: Technical specifications to enable development of consistent, high quality Service Level Agreements
(interoperability, portability, and security standards and guidance)
R 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and
technology)
R 5: Frameworks to support seamless implementation of federated community cloud environments
(interoperability and portability guidance and technology)
R 6: Technical security solutions which are de-coupled from organizational policy decisions (security
guidance, standards and technology)
R 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability,
portability and security technology)
R 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and
security technology)
R 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
R 10: Defined and implemented cloud service metrics (interoperability and portability standards)
USG CC Roadmap – Volume II
Reference Architecture & Taxonomy
• Recommend Industry Mapping so that USG agencies & others can more easily
and consistently compare cloud services
• In parallel, support formal standards development process leveraging the
reference architecture
Use collaboration through public working groups & Federal Cloud Computing Standards & Technology
Working Group to continue to validate findings
Standards
• Provide avenue for USG agency engagement
• Continue standards roadmap
Target Business Use Cases & SAJACC
• Expand initial use case set & use SAJACC to identify gaps
Security
• Leverage working groups to finalize special publication focusing on challenging
security requirements
• Continue technical advisor role – e.g. FedRAMP, continuous monitoring,
conformity assessment system
USG CC Roadmap – Volume III
• BUILDS ON the first two volumes of the USG Cloud Computing Technology Roadmap
• IS FOR USG agency technical planning and implementation teams - AND ANYONE ELSE THAT FINDS IT USEFUL
• HAS A GOAL to inform decision makers regarding questions and decision factors in the context of Cloud Computing use cases
• DESCRIBES HOW to leverage the Federal Cloud Computing Strategy Decision Framework for Cloud Migration and the collaborative NIST Cloud Computing Program work
Decision Framework
16 aspects…
• Provision
– Aggregate demand
– Integrate services
– Contract effectively
– Realize value
• Selection
– Efficiency
– Agility
– Innovation
– Security Requirements
– Service characteristics
– Market Characteristics
– Network infrastructure
– Government readiness
– Technology lifecycle
• Manage
– Shift mindset
– Actively monitor
– Re-evaluate periodically
Application Categories
• Collaboration Tools
• Planning/Management Tools
• Web Server/Content Management
• Identity Management
• Document Retrieval/Library System
• PaaS
• IaaS
Next Steps for PAPs/Working Groups
• Goal 1 - Requirement 3: Address “Technical Specifications for High-Quality Service-Level Agreements”.
• Goal 2 - Requirement 10: Address “Defined & Implemented Cloud Service Metrics”.
• Goal 3 - Advanced Actor Analysis - To further the discussion on the roles and interactions of cloud computing actors (consumer/auditor/broker/carrier).
SLA Taxonomy
Chair: John Messina (NIST) and Ken Stavinoha (Cisco)
Purpose: Address Roadmap Requirement 3 on Service Level Agreements (SLAs)
Goals:
• Create a mindmap/taxonomy identifying the major elements that should appear
within a high-quality SLA.
• Write report on how to create high-quality SLA
Status:
• Mindmap/taxonomy draft complete (available on NIST CC twiki public website)
• Report draft complete (available on NIST CC twiki public website)
Moving Forward:
• Establish Federal SLA collaborative activities
• Submit material to international standards bodies for further development
Mind Map of a Master Service Agreement
Contents of SLA
Business Level Objectives
• Roles & Responsibilities
• Requirements
• Operational Policies
• Continuity
• Limitations
• Financial
• Glossary of Terms
Service Level Objectives
• Resources
• Performance Indicators
• Service Deployment
• Service Management
• Description
• Security
• Privacy
Cloud Business Requirements
Performance Indicators
Cloud Metrics
Chair: Frederic J. de Vaulx and Steve Woodward (CloudPerspectives)
Purpose: Address Roadmap Requirement 10 on Cloud Metrics
Goals:
• Improve consistency & terminology to facilitate valuable comparative analysis
• Create a framework to help clarify measures, definitions and collection methods
• Align with the roadmap high priority goals like SLAs
Status:
• Cloud reference and description list (available on NIST CC twiki public website)
• Draft concept model for cloud metrics, measures and usages (available on NIST
CC twiki public website)
Moving Forward:
• Present the concept model to organizations involved in cloud metrics
• Write the Cloud Measure document based on the draft outline
Cloud Metrics
Work Areas & Priorities
Goal 3: Advanced Actor Analysis – Cloud Broker
Cloud Broker
• Consumer accesses multiple provider services through a single broker interface
• The Cloud Consumer retains visibility into the cloud service providers they use
Intermediate Cloud Service Provider
• Intermediary uses additional providers as invisible components of its own service, presented as integrated offering
• No consumer visibility into or control over additional cloud providers
The NIST Cloud Computing Reference Architecture
[Figure: reference architecture diagram. Actors shown: Cloud Service Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Service Provider (Service Layer with SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware and Facility; Cloud Service Management with Business Support, Provisioning/Configuration, Portability/Interoperability; Security; Privacy); Cloud Carrier.]
NIST Security Reference Architecture
[Figure: Cloud Provider layers (Service Layer with SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware and Facility) alongside consumer activities and usage scenarios: Software as a Service (Biz Process/Operations; App/Svc Usage Scenarios), Platform as a Service (Application Development; Develop, Test, Deploy and Manage Usage Scenarios), Infrastructure as a Service (IT Infrastructure/Operation; Create/Install, Manage, Monitor Usage Scenarios).]
Draft NIST CC Reference Architecture
[Figure: draft reference architecture diagram. Actors shown: Cloud Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Provider (Cloud Orchestration: Service Layer with SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware and Facility; Cloud Service Management: Business Support, Provisioning/Configuration, Portability/Interoperability); Cloud Carrier. Cross Cutting Concerns: Security, Privacy, etc.]
NIST Security Reference Architecture – formal model
Cloud Computing Standards Developers
• ISO/IEC JTC 1 Information Technology
– SC 7 Software & systems engineering
– SC 27 IT security techniques
– SC 38 Distributed application platforms & services
• ISO TC 68 Financial services
– SC 2 Financial Services, security
• ISO
• IEC
• ITU-T
– SG 11 Signalling requirements, protocols and test specifications
– SG 13 Future networks including mobile and NGN
– SG 17 Security
• IETF
• PSDO: IEEE
• JTC 1 PAS Submitters
• W3C, OASIS, TCG, OMG, SNIA, OGF, CAOCC, ATIS, CSA, Kantara, TIA, others
Key: PSDO = Partner Standards Development Organization; PAS = Publicly Available Specification; = private sector,
national member-based international standards body; = UN agency, member state-based international standards body;
= international consortium standards developer
NIST SP 500-291 Recommendations
Accelerating Development and Use of Cloud Standards
• Contribute Agency Requirements
• Participate in Standards Development
• Encourage Compliance Testing to Accelerate Technically Sound Standards-Based Deployments
• Specify Cloud Computing Standards
• USG-Wide Use of Cloud Computing Standards
• Dissemination of Information on Cloud Computing Standards
New Topics for Consideration
• Accessibility
• Conformity Assessment
• Performance
• Reliability
• Forensics
• Law Enforcement
• Education
NIST Cloud Computing Special Publications
• CC Standards Roadmap: 500-291
• CC Reference Architecture: 500-292
• USG CC Technology Roadmap Draft: 500-293
• Guidelines on Security and Privacy: 800-144
• Definition of Cloud Computing: 800-145
• CC Synopsis & Recommendations: 800-146
Searchable as “NIST SP xxx-nnn”
Contacts
Dr. Chris Greer (Acting SES)
Dr. Robert Bohn (Program Mgr)
John Messina (RA/Tax Co-Convener)
Dr. Michaela Iorga (Security)
Annie Sokol (Standards)
Mike Hogan (Standards)
Eric Simmon (Volume III)
Frederic de Vaulx (Metrics)
NIST ITL Cloud Computing Home Page: http://www.nist.gov/itl/cloud
NIST Cloud Computing Collaboration Site (twiki): http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing