NIST Cloud Computing Program: Highlights & Next Steps
Secure Cloud 2012, May 10, 2012
Robert Bohn, Cloud Computing Program Manager, NIST

NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Unchanged: NIST Cloud Computing Program Goal…
Accelerate the federal government’s adoption of cloud computing*
– Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
– Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
* REF http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf

REVISITING NIST CLOUD COMPUTING PROGRAM (PHASE 1)… INITIATIVE TO BUILD A USG CLOUD COMPUTING TECHNOLOGY ROADMAP
[Figure: Phase 1 timeline. Strategic track milestones, in date order, with the activities shown under each:]
– May 2010, NIST CC Forum & Workshop I: Outreach & fact finding with USG, industry, SDOs; evaluate past models & lessons learned; define a fresh approach to support secure & effective USG cloud computing adoption, prioritize interoperability, portability & security requirements, collaborate, and respond more quickly to operational needs
– Nov 2010, NIST CC Forum & Workshop II: Launch CC Strategic Program; initiate stakeholder meetings; collaboratively define working group scope & resources; refine plan
– April 2011, NIST CC Forum & Workshop III (NIST CC Definition): Execute CC Strategic Program; continue stakeholder meetings; integrate results into tactical priorities
– Nov 2011, NIST CC Forum & Workshop IV: Complete 1st draft USG Cloud Computing Technology Roadmap
Tactical efforts run alongside the strategic track and are documented in an Interagency Report.
How to build a USG Cloud Computing Technology Roadmap:
1. Define Target USG Cloud Computing Use Cases
2. Define Neutral Cloud Computing Reference Architecture & Taxonomy
3. Generate Roadmap – Translate Requirements & Identify Gaps
Assess Results & Replan

Volume I - Highlights
USG Cloud Computing Technology Roadmap requirements* - high priorities to further USG Cloud Computing Technology Adoption:
Requirement 1: International voluntary consensus based interoperability, portability and security standards
Requirement 2: Solutions for high priority Security Requirements
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements
Requirement 4: Clearly and consistently categorized cloud services
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments
Requirement 6: Technical security solutions which are decoupled from organizational policy decisions
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions
Requirement 8: Collaborative parallel strategic “future cloud” development initiatives
Requirement 9: Defined and implemented reliability design goals
Requirement 10: Defined and implemented cloud service metrics
* relationship to interoperability, portability, and security guidance, standards, & technology highlighted in roadmap

Volume II - Highlights
• Summary of USG target business use case templates & initial set
• NIST Cloud Computing Reference Architecture (& Taxonomy), SP 500-292, Sept 2011
[Figure: NIST Cloud Computing Reference Architecture. Actors: Cloud Consumer; Cloud Provider; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier. Cloud Provider components: Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), and Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability), with Security and Privacy as cross-cutting concerns.]
• SAJACC technical use case specifications (spec 1, spec 2, …) and summary
[Figure: SAJACC process. Inputs from Community Outreach, Existing Standards, and Working Groups feed Use Cases (Case 1, Case 2, …), Specifications (Spec 1 … Spec n), and Validation Exercises (Test 1 … Test n); outputs to the NIST Cloud Standards Portal are use cases, validated specifications, reference implementations, and information.]
• Cloud Computing Standards Roadmap, SP 500-291, July 2011: standards & gap analysis
• High Priority Security Requirements - challenges, requirements overview, risk mitigation measures
• Other related work - Reliability Research in Cloud-based Complex Systems; Koala – SLA taxonomy

We have practical opportunities to leverage our efforts … one is identifying complementary efforts the NIST Roadmap refers to as Priority Action Plans ...
[Figure: Phase 2 strategic program loop.]
Strategic Program (continue phase 1 activities and…) – How to build a USG Cloud Computing Technology Roadmap:
1. Define Target USG Cloud Computing Business Use Cases
2. REFINE & APPLY Neutral CC Reference Architecture & Taxonomy (priorities, risks, obstacles; vendors map services to it)
3. UPDATE Cloud Computing Technology Roadmap – Translate Requirements & Identify Gaps
USG Cloud Computing Technology Roadmap (self-tasked by NIST and other CC stakeholders):
Rqmt 1: International consensus interoperability, security, portability standards
Rqmt 2: Solutions for High Priority Security requirements
Rqmt 3: Technical Specifications to enable high quality SLAs
…….
Rqmt 10: Defined and Implemented cloud service metrics
Leverage Priority Action Plans (PAPs) selected for self-tasking by the Cloud Stakeholder Community; assess & track USG CC High Priority Requirements met by Priority Action Plans. Integrate results into tactical priorities (NIST Tactical Program) and measure results.

USG Cloud Computing Technology Roadmap requirements - high priorities to further USG Cloud Computing Technology Adoption (the relationship of each to interoperability, portability, and security guidance, standards, and technology is given in parentheses):
Requirement 1: International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards)
Requirement 2: Solutions for high priority Security Requirements (security technology)
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance)
Requirement 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology)
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology)
Requirement 6: Technical security solutions which are decoupled from organizational policy decisions (security guidance, standards and technology)
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology)
Requirement 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and security technology)
Requirement 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
Requirement 10: Defined and implemented cloud service metrics (interoperability and portability standards)
Recommended Priority Action Plans are tactical as well as strategic.
• Examples of Priority Action Plans & interim solutions to apply while cloud solutions are maturing:
– Encourage standards & compensate with Service Level Agreements to require demonstration of data/system portability between providers
– Request that cloud service vendors map their offerings to a common reference (i.e. the NIST Reference Architecture) so that it is easier to compare services
– Define unique USG/mission/sector/business requirements (e.g. 508 compliance, e-discovery, record retention)

NIST CLOUD COMPUTING PROGRAM TIMELINE (PHASE 2)
[Figure: Phase 2 timeline. Strategic track:]
– Nov 2011, NIST CC Forum & Workshop IV: Analyze Phase 1 working group & project results; complete 1st draft for public comment of USG Cloud Computing Technology Roadmap Version 1 (SP 500-293)
– June 2012, NIST CC Forum & Workshop V: Initiate NIST CC Program Phase II; integrate & track USG Technology Roadmap Priority Action Plans (PAPs) with external stakeholders
– Nov 2012, NIST CC Forum & Workshop VI: Re-assess progress & Phase 2 plan; USG Cloud Computing Technology Roadmap Version 2
Integrate results into tactical priorities; measure results.
Tactical efforts: Public & Federal Standards & Technology working groups; standards liaison, FedRAMP & other technical advisory; guidance; Koala; NIST Cloud Computing Special Pubs
Planned NIST Cloud Computing Special Pubs
Guidelines on Security and Privacy ………… 800-144
Definition of Cloud Computing ………….. 800-145
CC Synopsis & Recommendations ……… 800-146
CC Standards Roadmap ………………… 500-291
CC Reference Architecture …………….. 500-292
USG CC Technology Roadmap Draft .... 500-293
• Challenging Security Requirements for US Government CC Adoption
• Revised USG CC Technology Roadmap .... 500-293
  1. Vol I: High-priority requirements to Further USG Agency CC Adoption
  2. Vol II: Useful Information for Cloud Adopters
  3. Draft Vol. III: Technical Considerations for USG CC Deployment Decisions

Goals for RA/Tax Public WG
• Goal 1 - Requirement 3: Address “Technical Specifications for High-Quality Service-Level Agreements”
• Goal 2 - Requirement 5: Address “Frameworks to Support Federated Community Clouds”
• Goal 3 - Requirement 10: Address “Defined & Implemented Cloud Service Metrics”
• Goal 4 - Advanced Actor Analysis: To further the discussion on the roles and interactions of cloud computing actors (consumer/auditor/broker/carrier)
• Goal 5 - Develop an in-depth study on security and RA mapping (collaborative with CC Security WG)

GOAL 1: R3 - Technical Specifications for High-Quality Service-Level Agreements & PAPs
Cloud SLAs represent a negotiated service contract between two parties that specifies what cloud service will be provided to the customer. This requirement must be met to ensure that:
– key elements required for cloud services (warranties, guarantees, performance metrics, etc.) are not left out of the SLA and therefore rendered unenforceable,
– common terms and definitions are used within the SLAs to avoid costly misunderstandings between parties,
– an environment is created which allows agencies to objectively compare competing services.
PAPs
• Develop a controlled and standardized vocabulary of cloud SLA terms and definitions. 2012-periodically
• Ensure consistency in guidance and policy regarding SLA relevant terms and definitions. 2012-periodically
• Develop a cloud SLA Taxonomy to ensure the complete specification of key cloud computing elements that need to appear in an SLA. 2012-periodically

[Figure: Draft Master Service Taxonomy]

[Figure: Draft Cloud SLA Taxonomy]

GOAL 2: R5 - Frameworks to Support Federated Community Clouds & PAPs
• Where a Community Cloud deployment is not implemented in a single environment (private/public cloud) that accommodates the entire community, there is a need to define and implement mechanisms to support the governance and processes that enable federation and interoperability between different cloud service provider environments, forming a general or mission-specific federated Community Cloud.
• PAPs
– Define federated Community Cloud requirements and scenarios. 2012-2014
– Identify how the Hybrid Cloud and Cloud Broker elements described in the cloud Reference Architecture can be leveraged and harmonized. 2012-2013
– Present analysis of Grid communities’ applicability to federated cloud communities, including technology, trust infrastructure, & governance. 2012-2013
– All stakeholders: assess Intercloud efforts (e.g., Standards Developing Organizations) for applicability. 2012-2013
– NEW: Document current usage patterns and projected near-term trends in grid and cloud architectures, with attention to tools used for effective support of federated user communities.

GOAL 2: R5 - Current Activities
• Developing SOW, project plans
• Invitation to the Grid communities to participate
• Collaboration tools: supplemental wiki
• Identify, assemble and make available prior Grid community documents

GOAL 3: R10 - Defined & Implemented Cloud Service Metrics & PAPs
• In utility industries, the notion of units of measurement is fundamental to buying and selling service. However, in the case of cloud computing service delivery, which uses a utility model, IT resources are supplied as abstracted services, often characterized as Infrastructure as a Service or Platform as a Service. Abstracted services can be set to run fast or slow, to be small or large, and to be as reliable as desired (subject to underlying technology constraints). Service consumers pay for a “quantity” and a “quality” of the service, which is metered by the cloud computing system. Consumers need to be able to precisely specify and receive services.
• PAPs
– Specify and standardize the Units of Measurement for cloud services, seeking public comment and collaboration. 2012-2013
– In parallel, incorporate Cloud Service Units of Measurement consistently in Service-Level Agreements. 2012-2013

GOAL 3: R10 - Areas of Concentration & Deliverables
Areas of Concentration
• Specify and normalize a small set of existing units of measurement for cloud services
• Define the cloud service measurement space; atomic service units are needed
• Integrate normalized Units of Measurement for cloud services into SLAs
Deliverables
• Draft specification of the cloud service measurement space
• Template for listing and organizing Cloud Services Units of Measurement
• Non-exhaustive list of Cloud Services Units of Measurement (existing or new) and normalization methods
• Report of a study of Units of Measurement successfully defined and used in the IT industry (i.e. network, storage, database, etc.)
• List of Cloud Services Units of Measurement relevant for SLAs
GOAL 4: Advanced Actor Analysis
• The current NIST Reference Architecture document is very focused on the roles and responsibilities of the cloud provider. The four other roles were not studied to a similar depth. Therefore, a fuller description of their responsibilities and of the activities/functions they perform is needed to attain a more complete description in the NIST RA. For example, a cloud carrier may provide additional services that are needed by the Cloud Consumer and Cloud Provider.
Milestones
• Expansion of Cloud Consumer / Auditor / Broker roles & responsibilities – 2/2012
• Generate the relevant definitions – 3/2012
• Discussion of actor interactions – 4/2012
Deliverables
• Analysis document – 5/2012

GOAL 5: Security RA that supplements NIST RA (Collaborative with CC Security WG)
• Develop a Security RA that supplements the NIST RA.
• The approach: leverage the CSA’s Reference Architecture to design a Security Reference Architecture for Cloud Computing. Public IaaS is the initial exercise.
Milestones
• INITIAL DRAFT – 4/2012
• INTERNAL REVIEW – 5/2012
• ADDRESS COMMENTS & PUBLIC DRAFT – 6/2012
• PUBLIC REVIEW – 7/2012
• PROCESS & ADDRESS COMMENTS – 8/2012
• FINAL DOCUMENT – 9/2012
Deliverables
• Internal draft – 4/2012
• Public draft – 6/2012
• Final document – 9/2012

NIST invites you to collaborate with us on Cloud Computing!
US Federal Cloud Computing references: www.cio.gov
Public NIST cloud web site: http://www.nist.gov/itl/cloud/
Cloud Computing Forum & Workshop V: June 5-7, 2012, Washington, DC
Contacts:
Dawn Leaf, Senior Executive for Cloud Computing: dawn.leaf@nist.gov
Robert Bohn, Cloud Computing Program Manager: robert.bohn@nist.gov
United States Department of Commerce, National Institute of Standards and Technology, Information Technology Laboratory
100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899-2000
Tel: (301) 975-4090, cloudcomputing@nist.gov