Post on 14-Jul-2020
www.cloudwatchhub.eu | info@cloudwatchhub.eu | @CloudWatchHub
CloudWATCH2 has received funding from the European Union's Horizon 2020 programme - DG CONNECT Software & Services, Cloud. Contract No. 644748

D3.7 Cloud Interoperability Plugfests
Final Outcome Report
This deliverable accounts for the results and impact of Cloud Interoperability Plugfests conducted under the auspices of the CloudWATCH2 project. Based on the results of the plugfests, the report outlines a series of considerations and actions regarding the future of plugfests. This document constitutes an update of its predecessor document (D3.3) instead of an independent deliverable. Significant changes in comparison to the predecessor document are described appropriately.
CloudWATCH Mission
CloudWATCH2 takes a pragmatic approach to market uptake and sustainable competitiveness for wider uptake and commercial exploitation. It provides a set of services to help European R&I initiatives capture the value proposition and business case as key to boosting the European economy. CloudWATCH2 services include:
• A cloud market structure roadmap with transparent pricing to enable R&I projects to chart exploitation paths in ways they had not previously considered, or help them avoid approaches that would not have been successful.
• Mapping the EU cloud ecosystem of products, services and solutions emerging from EU R&I projects. Identifying software champions and best practices in mitigating risks associated with open source projects, and ultimately, enable faster time-to-value and commercialisation.
• Impact meetings for clustering and convergence on common themes and challenges. Re-use of technologies will also be of paramount importance.
• Promoting trusted & secure services through roadshows and deep dive training sessions. Giving R&I initiatives a route to users at major conferences or in local ICT clusters.
• A portfolio of standards for interoperability and security that can facilitate the realisation of an ecosystem of interoperable services for Europe.
• Cloud interoperability testing in an international developer-oriented and hands-on environment. Findings will be transferred into guidance documents and standards.
• Risk management and legal guides to the cloud for private and public organisations to lower barriers and ensure a trusted European cloud market.
Disclaimer
CloudWATCH2 (A European Cloud Observatory supporting cloud policies, standard profiles and services) is funded by the European Commission’s Unit on Software and Services, Cloud Computing within DG Connect under Horizon 2020. The information, views and tips set out in this publication are those of the CloudWATCH2 Consortium and its pool of international experts and cannot be considered to reflect the views of the European Commission.
Executive Summary
Since human interaction has been harmonised more formally in semantics and terminology, adherence to standards as a form of formal harmonisation has been the subject of validation. More recently, this form of validation has been conducted in formal testing including formal recording of outputs and results. The rise of agile and lean service development and operation has meant that these tests have been developed to be run as less formal events, being called “plugfests”, which allow for rapid testing against published standards in an easier manner than previous events of this name. Similar to software services, standards experience a lifecycle from inception/ideation to obsolescence – for example W3C RFC 2616 defining the HTTP/1.1 protocol[1] formally obsoletes RFC 2068 defining the very same protocol but two years earlier[2] – as well as receiving updates throughout their lifetime. Although often seen as long-lived, if not static, standards live in a dynamic environment driven by needs that are often considered detrimental even to each other. Standards are frequently reported as stifling or even “killing” the scoped market[3]. Operating within this environment, CloudWATCH2 organised and conducted a number of Cloud Interoperability Plugfests with varying outcomes. This deliverable summarises the outcomes of all organised Cloud Interoperability Plugfests, and derives conclusions on their respective results in form of specific and concrete conjectures regarding current plugfest sustainability as listed below:
1. Active development vs. software maintenance may lead to lower participation.
2. EC project funding inflated event participation
3. Lack of incentives for service providers to implement standards
4. EC projects have an intrinsically different perception of security, or customer requirements in general
5. The cadence of innovation, particularly disruptive innovation, may have become too fast. [New]

CloudWATCH2 has addressed some of the conjectures during its second year, while leaning on the wider community to take up and address the remaining issues.
[1] https://www.ietf.org/rfc/rfc2616.txt
[2] https://www.ietf.org/rfc/rfc2068.txt
[3] Simply searching the Internet for something similar to “are standards killing the cloud” will provide enough sources for this claim.
Table of Contents
1 Introduction
1.1 What are cloud standards plugfests and why are they important?
1.2 How CloudWATCH has supported cloud plugfests
2 Managing project risks and a new direction for plugfest activities [New]
3 Cloud Interoperability Plugfests
3.1 Cloud Interoperability Initiative Plugfest
3.2 Cloud Interoperability Initiative Plugfest 24
3.3 Cloud Security Interoperability Policy workshop
3.4 “Why standardise? The business case for the adoption of cloud standards” – Policy workshop [New]
3.5 Supplementary cloud interoperability events and activities [New]
4 Conclusions
5 Final recommendations
7 Appendix 1: Questions for the final Plugfest panel
1 Introduction
Over the course of its duration, the CloudWATCH2 project aimed to continue the cloud interoperability testing work started during the CloudWATCH project (2013-2015). In CloudWATCH2, three deliverables were envisaged and agreed upon to capture the strategy and structure of interoperability planning (D3.1), conduct three interoperability testing events (MS12, MS13, and MS14), and report on the outcomes of these events (D3.3, and D3.7) as follows:
• D3.1 - Structure and aspired outcomes of Cloud Interoperability Plugfests;
• D3.3 - Cloud Interoperability Plugfests Outcome Report;
• D3.7 - Cloud Interoperability Plugfests Final Outcome Report (this document).
D3.1 provided a brief review of the then cloud interoperability plugfest setup. Located in the area of expertise in the cloud ecosystem, it assessed that setup against the cloud characteristics developed by NIST. Finally, the document proposed a new and innovative way of delivering cloud interoperability plugfests virtually. This final outcome report will follow the model of include and amend for deliverables capturing outcomes[4]. This deliverable will include the content from D3.3 in its entirety, and amend and extend wherever necessary using appropriate indications. This is important as firstly, the observations and conjectures described in D3.3 still hold true, and by including the content of D3.3 in this deliverable, it becomes the final outcome report. Secondly, conclusions are easier to understand as the full context and timeline of events are clearly provided.
1.1 What are cloud standards plugfests and why are they important?
Cloud Plugfests are a long-running activity and are typically events where technology providers mutually test their implementations of standardised specifications for conformance and interoperability in an arena where the test results are private, allowing the testing of upcoming or pre-production products/services. Interoperability testing has existed since the emergence of more formalised standardisation of any type of information that is exchanged within or even across domains: For example, while historic definitions and units of distance are still actively used today – for example, yards, feet and inches – some have gone out of “fashion” and are no longer or rarely used, such as leagues and fathoms. Other definitions are overloaded, and are further qualified, such as a mile, and a nautical mile, which denote different distances. Other definitions have been harmonised in terminology and semantics, and organised into an interchangeable framework of units. For example, the metric system is based on the definition of “one metre”. While many harmonisations are directly based on a natural frame of reference (such as one foot, one stone), the metre represents a synthetic harmonisation (i.e. standardisation); yet the exact length is defined using the laws of physics as, currently, “the length of the path travelled by light in vacuum during a time interval of 1/299 792 458 of a second”.[5] The essence of standardisation is thus:
1. Harmonisation of units is an intrinsic element of human interaction, and happens inevitably.
2. Standardisation can thus be seen as harmonisation across cultural borders, or across historic semantic barriers.

[4] Typical sequential, back-referencing independent deliverables are more suited for progress reports linked to some sort of chronological periodicity.
[5] http://www.bipm.org/en/CGPM/db/17/1/
3. Standardised units are frequently synthetic, yet based on natural frames of reference.
4. Standardised units have a lifetime.
5. Standardised units undergo amendments as required by advances in their underlying frame of reference.
6. Standards emerge and establish within a defined context, or problem statement. [New]
7. There may be multiple standards within one defined context. [New]
8. The term “standard” itself bears different meaning in different communities. [New]
If one accepts this as the “axioms of standardisation”, then these should be relevant and still have an impact on modern life, specifically in this context in cloud computing. In fact, examining the current cloud computing landscape, these observations are still in force:
1. Some semantics of cloud computing have been harmonised into a common understanding – yet some areas are still in flux. The definition of IaaS, PaaS, and SaaS clearly has its roots – its frame of reference – in the classic three-tier architecture of enterprise applications (data/storage, business logic, and user access). Yet, somewhat similar to varying definitions of the length of a foot, or the volume of a pint, diverging “schools of architecture” differently scope infrastructure, and dogmas of definition of infrastructure emerge: While many define infrastructure as the trinity of (bit) storage, compute and network, others include databases and other low-level components in the infrastructure.
2. One of the earliest, and to date most cited definition of cloud computing, is the definition published by NIST in September 2011.[6] Still relevant today, this definition aimed at harmonising the terminology across the different “schools of architecture” that existed at that time within a single country. This definition resonated worldwide, and is nowadays almost commonplace.
3. NIST’s definition was received as very intuitive and acceptable since its frame of reference bore from the then very actively deployed three-tier enterprise architecture model as described above. Although born and based on physics, ICT itself is not natural, it is entirely artificial. Yet, within this frame of reference or domain, it was perceived as a law of nature within that domain – and served itself as a frame of reference for the definition of cloud as published by NIST.
4. Taking NIST’s definition of cloud computing as an example, some of its definitions have gained traction in the community, some have not at all, and some are on the rise (only possibly to lose traction again in future). For example, while IaaS and SaaS have gained traction and common understanding early on, the semantics of PaaS are still unclear: Does PaaS include DB services, messaging services, etc. or are these part of the IaaS model, and does PaaS hence describe only application service models similar to the J2EE definition?[7] Likewise, NIST defines “community clouds”, but this term has not gained traction at all (at least not in the industry sector), and “hybrid cloud” is only gaining traction and understanding in the last couple of years.
5. Cloud computing is a fast-paced domain of technology, and as such requirements will constantly change until a universally accepted equilibrium has been achieved, i.e. in economic terms, the state of utility (services) or commodity (products) has been reached. Until then, standardised definitions will have to be updated, which is reflected in the versioning identifiers of many published documents such as OCCI 1.1 and 1.2[8], CDMI 1.0, 1.0.1, 1.0.2, 1.1[9] to name but a few.
6. Within the context of API access to IaaS cloud computing resources, there are many different definitions competing with each other, even though they all address the same problem statement. To name a few, there exist OCCI, Amazon AWS EC2, CIMI, Google GCE, Azure, OpenNebula native, OpenStack native, and many, many more. [New]

[6] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
[7] While there is a widespread presumption in the technical community on hardware virtualisation being the main driver of cloud computing, there is however no indication or requirement to implement virtualisation to achieve cloud computing. Hence, the corollary notion of “VMs for compute, and bit buckets for storage” is an obvious first choice, but nonetheless not the only or exclusive architecture of cloud computing.
[8] http://occi-wg.org/about/specification/
[9] http://www.snia.org/cdmi
7. The Oxford Dictionary defines[10] “standard” – selecting the most appropriate definition for the IT and tech industry – as “Something used as a measure, norm, or model in comparative evaluations.”, and provides the example of “the system had become an industry standard”. Thus, not only the context, but also the community pertaining to a standardised definition determines the scope and reach of this definition. One classification of types of standards differentiates between de facto, industry, community and de jure standards[11],[12]. [New]
Predating the publication of NIST’s definition of cloud computing, the Cloud Plugfest Initiative[13] (CPI) started its activities as early as April 2011 with the first instance of its Cloud Plugfests.[14] Meanwhile in its 25th event instance, Cloud Plugfests are a recurring and necessary event of harmonisation and standardisation.
1.2 How CloudWATCH has supported cloud plugfests
CloudWATCH, and also CloudWATCH2, have been longstanding partners of the CPI in the organisation of Cloud Plugfests (see Figure 1). The community focussing on technical interoperability, particularly the cloud software landscape as is the focus of this report, needs to address the impact these identified factors have on its business. Even though these may not be disruptive, they are certainly exerting significant impact that we as a community must address. CloudWATCH2 supports such testing and an object of the project was to organise three such events combining both physical and remote participation.

Figure 1: CloudWATCH2 Outputs
However, as described in D3.1 ‘Structure and aspired outcomes of Cloud Interoperability Plugfests’ the participation at and frequency of traditional face-to-face plugfests are declining. This deliverable underpins this observation with the results of face-to-face Cloud Plugfests organised by CloudWATCH2, and describes the change of strategy as a consequence of the experiences it faced: Section 2 accounts for how the project managed the manifestation of the risk of lack of participation to traditional interoperability plugfests, and how and which remedy it applied. Section 3 recounts the plugfests and interoperability workshops the project organised; the accounts of the plugfests and workshops reflect the change of strategy in the project. In particular section 3.5 describes supplemental and ancillary standards related activities, including the virtual plugfests, to underpin the new project strategy. Section 4 analyses the outcomes of the plugfests in an attempt to find common patterns of success (or failure). Section 5 concludes the document with a set of recommendations for future projects and policy makers that take the project experiences into account.

[10] https://en.oxforddictionaries.com/definition/standard
[11] https://www.slideshare.net/MichelDrescher/a-tale-of-ice-and-fire-or-the-cloud-and-the-standards, slide 15
[12] http://www.cloudwatchhub.eu/sites/default/files/05_Why%20standardise%3F_A%20Tale%20of%20Ice%20and%20Fire%20v6.pdf
[13] http://www.cloudplugfest.org/
[14] http://www.cloudplugfest.org/events/past-plugfest-agendas
2 Managing project risks and a new direction for plugfest activities [New]
During preparation for plugfest activities, the CloudWATCH2 consortium identified a risk pertaining to plugfest attendance[15]:
Risk: Lack of a minimum significant number of participants and organization represented at the Plugfests.
Mitigation: The consortium will build on the experience of the organizers of the previous edition of the Plugfest, leverage their community and eventually co-host the events with other relevant technical workshop and events. Members of the consortium are regular co-organisers to these events & have co-located their events around them in the past.
Additionally, the project reviewers gave the following comments and recommendations in their Interim project review[16]:
“The consortium proposes to organise virtual plugfests, but does not explore further an interesting road involving more intensely the educational institutions into the activity and organise plugfests in this setting. The consortium should keep a very close tab on the event in Madrid and analyse in detail what has worked and what not, and include lessons learned in the report on the event to ensure these are taken up in future plugfests.”
Recommendation 1: The Consortium is recommended to work intensively on the task related to promoting standardization during the next period as this is an important objective of the CloudWATCH2 project and little progress was achieved on this task during the first reporting period.
Recommendation 1: Plugfests on cloud service compatibility are interesting and valuable outputs of CloudWATCH2 as well. More careful planning and intensive promotion is essential over the next period to ensure higher attendance.
The project took pro-active steps to address the risk, and the reviewers’ recommendations for further action. The project therefore decided to run virtual plugfests as well as F2F plugfests and review performance in case further action was necessary. Using the results of the cloud security deep dive event[19], CloudWATCH2 decided to test the concept of a plugfest at the policy level rather than the traditional approach of focussing on the technical interoperability at the interface level: The third cloud interoperability plugfest in Madrid (see section 3.3).

[15] CloudWATCH2 DoA, Risk 7
[16] CloudWATCH2 Result of the 1st interim review
However, facing the poor outcome of the first virtual plugfest and the second virtual plugfest having to be cancelled due to lack of interest, the project was faced with the dilemma of continuing to drive standards plugfest events in the European ICT landscape despite low attendance and considering appropriate and effective use of resources. In light of the results and attendance of previous plugfests, would it make sense to further pursue the concept of virtual plugfests? What impact would alternate activities yield in comparison? Did we even perhaps address the wrong issue?

If conjectures 1, 2 and particularly 3 (see section 4) were true (specifically when factoring in open source), then windows of opportunity should be observed for convergence in how APIs and domain specific languages are addressed and developed. In other words, otherwise uncoordinated and unrelated organisations and groups happen to work on solving the same problem with increasingly similar solutions, until this movement (for the lack of a better word) gained sufficient momentum to prevail. In that sense, standardisation may be comparable to self-igniting fuel combustion (i.e. diesel engines) as opposed to spark-ignite fuel combustion (i.e. petrol engines). Did we try to apply spark-combustion to something that might be inherently self-ignited?

As the CloudWATCH2 Cloud Market Roadmap reports (D3.3), the cloud IaaS market is dominated by three maybe even four service providers: These are in no particular order; Amazon, Microsoft, Google, and IBM. Smaller service providers tend to serve niche markets, mostly packaging and embedding OpenStack deployments – and they all are exposing OpenStack’s implementation of the EC2 and S3 protocols and interfaces, which are controlled by Amazon. The market situation as seen by the CloudWATCH2 project exposes the following mechanics:
• There exists a dominating set of IaaS cloud interfaces, controlled by one company.
• Service availability zones, and multiple data centre locations – a feature available across all service providers – make it very attractive for consumers to integrate with one service provider when implementing their own service scalability, availability, and reliability; especially in the absence of interoperability.
• There are no indications for interoperability across the largest IaaS service providers any time soon.
• The sheer hyperscale of the dominating IaaS providers makes it very attractive to disregard spreading services across competing providers (very much unlike data centre operators spreading connectivity risks across ISPs).
• There are open source tools available addressing the lack of interoperability across IaaS service providers. These implement an additional software architecture abstraction layer on top of IaaS services, exposing an internal common interface[17].
Generally, albeit not the ideal situation, this nonetheless provides a solution that is apparently sufficiently efficient and effective, providing a path of far less resistance (in terms of efforts and money spent) towards achieving the market participants’ goal of short(est) time to market, in order to earn money. Quite apparently therefore, there is no need for commercial operators, in their vast majority SMEs, to insist on interoperability or wait for truly interoperable services. With these considerations very much in mind, the CloudWATCH2 project decided to change its strategy for standardisation support in WP3 to discontinue the virtual plugfests series. Moreover, the project decided to repurpose the envisioned F2F Cloud Interoperability Plugfests as interoperability policy events. To maintain consistency with the DoA, this deliverable will still refer to these events as Cloud Interoperability Plugfests. But in practice, these became interoperability policy events.

[17] For example, Apache jClouds, https://jclouds.apache.org/
3 Cloud Interoperability Plugfests
As stated in section 2, only those events in year one were actual Cloud Interoperability Plugfests. In year two, the plugfest event series became interoperability policy events. These events are summarised in this section.
3.1 Cloud Interoperability Initiative Plugfest
The first plugfest organised within the CloudWATCH2 project was collocated with the Cloudscape 2016 conference on 8-9 March 2016 in Brussels. This plugfest instance, however, had to be cancelled due to lack of participation. This instance has already been subject to discussion and analysis in conjunction with the Y1 review of the CloudWATCH2 project and will not be further discussed in this deliverable.
3.2 Cloud Interoperability Initiative Plugfest 24
This plugfest was organised and conducted in collaboration with SNIA and their annual Storage Developer Conference 19-21 September 2016 in Santa Clara, CA, US. Due to demand this plugfest featured F2F as well as remote access and testing. With five organisations represented by six participants across local and remote participation, attendance at this plugfest was small. Implementations of CDMI and OCCI were tested. However, participants were mostly novices in interoperability testing, which led to significant time in the event being spent mostly on education and introduction to the concept of plugfests and coordinated testing. Therefore, although technical testing did occur, results were not formally recorded due to lack of time.
3.3 Cloud Security Interoperability Policy workshop
With traditional cloud plugfests focussing on technical interoperability in machine-to-machine communication use cases, process-level interoperability – or compliance – is often not considered. Particularly, privacy and security are more often an afterthought in service design and implementation, despite security being an essential element of a sustainable European cloud marketplace in the wider context of the Digital Single Market.[18] In continuation of the conversations with stakeholders at events such as the Cloud Security deep dive event held at Cloudscape 2016 in Brussels[19] one question naturally emerges: How interoperable (that is, equivalent) are cloud services regarding process-level standards? While technical interoperability on the service integration level allows smooth transition from one provider to another, from a service consumer’s point of view both providers (the former and the current) ideally need to provide the same, or at least an equivalent level of service. In other words, the same service provision across service providers may be ensured by compliance to the same process-level standards. Equivalent service, on the other hand, may be achieved by compliance to different yet equivalent process-level standards.

[18] http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1447773803386&uri=CELEX%3A52015DC0192; strategy item 3.4)
[19] http://www.cloudscapeseries.eu/
On this background CloudWATCH2 organised a Cloud Interoperability Plugfest on the topic of cloud security. The Plugfest was organised at the Cloud Security Alliance EMEA event, Madrid, 14 November. The venue was selected specifically to attract participation from cloud security experts. Five EC cloud projects were represented by six participants: CloudWATCH2 (also as contributor), Witdom, MUSA, Credential and PrismCloud. One participant was an independent consultant primarily visiting the CSA EMEA event, and not affiliated with any of the EC funded cloud projects. The scope of the cloud security business cases represented by the projects were manifold:
• e-Wallet systems and e-payment infrastructures
• Advanced cryptography
• Cloud governance
• ISO and NIST standards
In order to obtain a grasp on the level of overlap between expertise of the participants and CloudWATCH2's survey conducted for Deliverable 3.2 ‘Structure and Interoperability Status’ we briefly listed a number of cloud security standards and their presence in the CloudWATCH2 survey, and participants' expertise:

| Name | CloudWATCH2 survey | Workshop participants |
|---|---|---|
| CSA OCF[20] Open Certification Framework | X | X |
| ISO 27000[21] (Information Security) | X | X |
| NIST SP 500-292[22] (Cloud Reference Architecture) | X | X |
| NIST SP 800-144[23] (Guidelines on Security and Privacy in Public Cloud Computing) | X | X |
| EC Regulation (EU) 2016/679 (GDPR, General Data Protection Regulation)[24] | X | X |
| ISO 29000[25] (System of International Certification) | X | X |
| CIS SYS-20[26] (security controls) | X | |
| ASD ISM[27] (information security manual) | X | |
| PCI-DSS[28] (payment industry data security) | - | - |

Table 1: Cross-checking security standards expertise

It was immediately clear to the workshop participants that this list is neither complete, nor that it sufficiently covers the number of security standards that exist. Participants were able to add to the list, proving the importance of such security standards events in terms of pooling together collective knowledge on this important topic. It also became apparent very quickly that not all participants knew of all the standards which were listed, demonstrating the complex and dispersive nature of security standards in the cloud.
3.3.1 Reducing the complexity: How are standards chosen?
However, in reality the problem is less complex as there are a number of aspects to be considered when choosing a set of standards to implement as follows:
• National standards. Examples of national security standards selection are the NIST series of standards in the US, GCHQ Top 10, BSI (German government institute for security in information technology) and other national bodies. These are the prime source of security standards and best practices industry is tapping for guidance.
• International standards. Although not explicitly mentioned, the differentiation between national and international standards selection seems to follow the lifelines of differentiation between national and international business and trade relationships.
• Technical maturity. Of course, standards need to be technically mature before one even considers implementing them so as to lower the cost of implementation and adjustment over draft publication versions.
• Industry support vs. consumer demand. The dynamics and mechanics of industry support and consumer demand are frequently reciprocal, and confusingly, also corollary. While usually strong industry support is a driver for further uptake in a positively self-enforcing manner, it can also be reciprocal, depending on consumer demand. If consumer demand is satisfied by current supply, it may be *adverse* to also implement a standard. On the other hand, if consumer demand out-paces supply, or if supply is yet low, it may be a very attractive opportunity to implement a standard as a competitive advantage over other supply-side market participants.
• Reputation of the SDO and SSO. Standards Development Organisations (such as OASIS, DMTF, SNIA, OGF, and many others) and Standards Setting Organisations both need to maintain their reputation for quality of delivery: In that sense, there does indeed exist competition between SDOs even though this may be unexpected by those outside the community. For example, the very controversial process of ECMA standardising MS Office's XML document format (in the OOXML structure) was perceived as very damaging to its reputation.
• Complexity & re-use. Complexity of standards plays an important role in selection and eventually in adoption. Increasing scope of a specification intrinsically adds to its complexity, if not complicatedness, which very much reduces the possibility of its re-use in other domains.
• Policy declaration & regulation. Particularly in dysfunctional markets or segments, or where sovereign topics are at hand (e.g. data protection, and privacy), national and international policy and regulation replaces selection.

[20] https://downloads.cloudsecurityalliance.org/initiatives/ocf/OCF_Vision_Statement_Final.pdf
[21] http://www.iso.org/iso/iso27001
[22] http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505
[23] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf
[24] http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG
[25] http://www.register-sic.com/iso-29000
[26] https://www.cisecurity.org/critical-controls.cfm
[27] http://www.asd.gov.au/infosec/index.htm
[28] https://www.pcisecuritystandards.org/pci_security/
3.3.2 “Implementers' dreamland"
It is clear that the cloud security landscape is staggeringly complicated and ridden with obstacles and hindrances. To get a grasp of the most pressing needs we compiled a list of the top 10 issues developers have with the current cloud (security) landscape:
1) Equivalence of policy-level standards. There are many standards out there which try to address the same issue. However, it is unclear whether at all these are equivalent, or at least partially equivalent (and with which overlap?). Do they overlap in their formal requirements? Or do they diverge in terminology, and semantics?
2) Too many standards. Clearly, the sheer demand for standards is too much. Standards therefore should be consolidated. The question remains how to do this?
3) Cost of implementation. The cost of implementation must not be underestimated, and the ROI on this is a key differentiator of the success of one standard over the other.
4) Limit the scope! Naturally, a tightly scoped standard will cause a lower cost of implementation, and vice versa, hence software frequently includes only partial implementations of standards.
5) Modularity and levels of conformance/compliance. Frequently, standard specifications are designed and written as large monolithic behemoths. Instead, the "architecture" of standards should change into small cores and optional modules that may or may not be implemented based on the actual need at hand. Such an approach, however, has a direct impact on traditional assessment and certification of conformance to a standard which are more often than not still binary decisions.
6) Standardisation process and timing. This problem is as old as standards are. This leads many market participants to believe that standardisation is at best irrelevant, market stifling or at worst killing the market. Timing is an issue, in that one must find the right point in time, not too early, not too late, when to begin formal standardisation - and then it needs to finish in time to be still relevant. The exact mechanisms are still unclear. Yet, the overwhelming perception is that standardisation, from start to finish, takes too long.
7) Stability and backwards compatibility. There are clearly antagonistic forces at play in the lifecycle of standards. From the viewpoint of implementers, stable standards have a zero cost of update. Yet, standards need amendments to stay relevant and reflect market conditions. The worst possible scenario for implementers are entirely new standards that have nothing to do with the previous version, maximising cost of update to the cost of a completely new implementation. Therefore, backwards compatibility between intermediate versions of standards is a necessity so as to not invalidate conformance or compliance of existing implementations without reason.
8) Reference implementations and case studies/white papers. Often, standards specifications are difficult to read and understand; they frequently use a specific language and taxonomy alien to the "uninitiated". Also, the intellectual leapfrog from formal language on paper to live code producing data, or procedures implementing policy level standards, represents a steep learning curve. Reference implementations and primers/guidelines for technical standards, and white papers and case studies for policy-level standards lower the barrier of implementation significantly.
9) Certification. The world of certification for conformance/compliance is endlessly fragmented. In an attempt to make sense of it, participants identified four archetypical modes of certification/adherence to standards on a whole spectrum of variations:
a) Voluntary adherence/code of conduct (weakest)
b) Self certification/self assessment
c) 3rd party external certification
d) Legislative regulation (strongest)
Particularly (c) rises and falls with the certification auditor's qualification and conduct of the actual audit - after all, external certification presents a significant cost for businesses, and thus should be reputable, fair, independent, comparable and repeatable.
3.3.3 A call to action
In conclusion of the workshop, participants assembled a succinct list of actions that should be tackled in the short term. While some of these are already well-known, others are quite novel and almost guarantee a controversial discussion:
a) Align mandatory breach notification with SDO/SSO for continuous improvements of standards. This action aims at opening up, or improving, the communication channel between Standards Development Organisations and implementing bodies. While it is fairly obvious that no organisation likes to admit to having experienced security breaches, outputs and results from post mortems need to be fed back to SDOs for further improvement of the relevant existing standards. Such a feedback channel would require a secure, safe and trusting foundation (likely including NDAs). On the other hand, similar structures already exist for technical aspects of services (covered by Problem Management, Configuration Management, Release Management and other service management procedures), which might be adopted and adapted according to the needs.
b) Reference implementations & white papers. There is a dire need for reference implementations for technical standards, which should:
- Come free of capital expenditure,
- Be available in source code format (however, which language?),
- Carry an industry-friendly open source license (e.g. Apache 2, BSD style).
Transposed to process-level standards, white papers and case studies can provide implementers with the necessary jump start in their strategy on how to implement process-level standards.
c) Free standards. Standards are frequently developed with the support of government expenditure. Aligned with the EC's new Open Data policy for the H2020 programme, standards developed with the financial support of governments should be freely accessible at no cost, just as reference implementations should be (see above).
d) Involve academia. Academia has long been underestimated in its value and drive of standards. In order to maintain relevant education of future capacities and leaders in the IT industry, academia needs a constant influx of requirements, ideas and technologies that it can transform into education of future generations. As such, academic involvement in the standardisation process needs to be re-evaluated and adjusted as the prime candidate for development and maintenance of reference implementations as a means and vehicle for higher education on various topics of computer science.
3.4 “Why standardise? The business case for the adoption of cloud standards” – Policy workshop [New]
Returning to the model of conducting F2F meetings, CloudWATCH2 organised a panel-driven conversation about the business case for the adoption of cloud standards (and standards at large) at the CloudWATCH2 summit 2017 [29], which at the same time marked the project’s final event on 19/20 September 2017. Setting the scene with a shortened version [12] of the original presentation given at the EIT-Digital “International Industry-Academia Workshop on Cloud Reliability and Resilience” [30], the panel featured renowned experts in the field of standardisation crossing the areas of academia, public authorities, and open source:
• Wolfgang Ziegler, SCAI, OGF and StandICT.eu
• Cedric Thomas, OW2
• Arthur van der Wees, Arthur’s Legal
• Bruno Chenard, CEN/CENELEC
The experts provided the following input regarding the standardisation process:
1. Balancing standards & the freedom to innovate - How do we find the right balance between standardisation and the freedom to innovate?
a. Innovation comes first. This normally only occurs where there is no open source tool or service already available. The innovation then becomes widespread (or dies out) and becomes a product(s) or service(s). It is at this point that standardisation tends to emerge together with Open Source solutions.
b. This cycle closely resonates with the business innovation cycle (see slides for final event, slide 24), and Simon Wardley’s “Climatic pattern: Peace, War and Wonder” [31].
2. Standardisation process & timing – What is the right process to follow in developing standards? And when is it time to begin the standardisation process?
a. There is no single one right process; it entirely depends on the context (public domain/international, or commercial).
b. Standardise as soon as possible vs. standardise late in the market: Fast-moving markets mean that industry pushes ahead with new deployments that are not interoperable (i.e. the freedom to innovate). Building a strong network is key for consensus, which is a prerequisite for successful standardisation to take place, but this takes a long time. Consensus building – through influencers – early in the market, as a means to build the foundations for formal standardisation, means that we can help accelerate the process and drive the market.
3. SMEs vs. Corporates – What are the advantages and disadvantages of having standards in cloud computing? Are those advantages and disadvantages different for a large company compared to a startup? If so, whose interests should be prioritised?
a. Standards penetration rates in industry are appallingly low, but there is no clear reason why. Do we need to re-fit the way standards are developed, published, and defined? Or is this linked to the inertia of change often seen in organisations large and small?
[29] http://www.cloudwatchhub.eu/summit17
[30] https://www.eitdigital.eu/news-events/events/article/international-industry-academia-workshop-on-cloud-reliability-and-resilience/
[31] Wardley Mapping, https://medium.com/wardleymaps/, chapter 9
b. Is there a correlation between the cost of switching in non-standardised ecosystems and the cost of implementation (or, for policy/process standards, compliance) that governs whether and at which rate standards are adopted?
Recommendations:
A. Standards are useful, but cannot be seen as the broker for progress. They are closely related to innovation, and together form a perpetuating cycle of innovation and standardisation that follow in each other’s footsteps.
B. We are also facing new challenges as the landscape becomes more complex with the digitisation of industry, bringing in different cultures and different speeds. Early roundtables can facilitate consensus building as part of the long-term, voluntary efforts which encourage collaboration for standardisation.
C. There is no single correct way of how standards develop or emerge. Standards cover both the technical domain and the policy domain, the latter being closely related to regulation and law – the process by which both types of standards emerge and then initially develop is highly similar.
D. From emergence though, technical standards and policy standards will then take different routes, as they are generally trying to attain slightly different goals: Technical standards aim to simplify and allow higher-level functionality to become the differentiator, whereas policy standards are aiming for simple unification.
3.5 Supplementary cloud interoperability events and activities [New]
Above and beyond that, CloudWATCH2 also engaged in a number of other interoperability-related activities, as follows.
3.5.1 Virtual plugfest 1: Trying alternative interoperability event models
The CloudWatch2 project planned the first virtual interoperability plugfest for February 2017 [32]. While event registrations (25 participants) indicated a busy and productive meeting, actual attendance was disappointingly low: Only four participants joined the event, which was open for participation all day (to accommodate international attendance across a wide span of time zones). Out of these, three participants did in fact join the plugfest event to learn about the indicated topic, not to actually test their existing implementations against those of other participants.
3.5.2 Virtual plugfest 2: Trying again
CloudWATCH2 scheduled a second virtual plugfest conjoined with a physical co-location at the Cluj Innovation Days 2017 event in Cluj, Romania in March 2017 [33]. However, this second virtual plugfest was cancelled due to lack of participation. Instead, attendance at this event was used to promote the standards and policy work within CloudWATCH2. This disappointing result led to a fundamental assessment of the situation and subsequent adjustment of the project strategy with regard to technical interoperability testing, as described in detail in section 2 above.
[32] http://www.cloudwatchhub.eu/cloudwatch2-virtual-interoperability-plugfest
[33] http://www.cloudwatchhub.eu/register-now-our-virtual-interoperability-plugfest-march-17-2017
3.5.3 Cloud standards dissemination and education at externally organised events
As decided, the CloudWATCH2 project engaged in a number of events to promote, and educate on, standards and standardisation in the cloud service sector in Europe:
3.5.3.1 International Industry-Academia Workshop on Cloud Reliability and Resilience
7-8 November 2017, Berlin, Germany
EIT-Digital, together with Huawei Germany, organised this event to bring together leadership in industry and academia to discuss how cloud reliability and resilience can be implemented to address the still prominent problem of service outages. CloudWATCH2’s presentation focussed on raising awareness of the key role that standards play in cloud computing. Since standards can help avoid vendor lock-in and support application portability across vendors, customers of standards-supporting cloud vendors would be empowered to implement their own application’s resilience and reliability – through actively including standards in their service architecture. Arguably a somewhat exotic stance among the contributors and audience, the presentation [11] nonetheless was received with interest, and sparked an engaged discussion afterwards.
3.5.3.2 EC workshop to promote practical collaboration between the Cloud Open Source and Standardisation
17 January 2017, EC, Brussels, Belgium
Interoperability between the different commercial Cloud platforms, and also the interoperability with open source based approaches, is lacking in several dimensions, e.g., portability of Cloud services, VM formats, access control, data protection and rights management, hindering moving between different providers and making multi-Cloud environments difficult to realise. The workshop [34] focussed on identifying similarities and differences in standardisation and open source processes and ways to bring the two communities together. It also tried to identify which Open Source technologies in the area of Cloud could be standardised. Finally, a set of practical steps the Commission could take - as customer, facilitator, incubator for R&D and policy maker - to promote further collaboration and integration between Cloud open source and standardisation were proposed. How OSS communities & SDOs have been collaborating has evolved, with both communities often made up of the same people, but different cultures existing: SSOs follow strict guidelines in establishing standards, while the OS community is a lot freer from this. As the OS community grows though, there is a need for more standards in OS and a greater highlighting of the benefits of standards in the OS community. Future collaboration is key in terms of increasing trust in cloud computing, which standards bring, and also to support procurement of cloud computing. The role of the European Commission is significant as customer, facilitator, R&D incubator and policy maker. CloudWATCH reported to the workshop the challenges it had faced in encouraging EC projects to participate in standards testing activities and the difficulty that projects have in terms of contributing to standardisation development once funding for their project has ceased.
3.5.3.3 1st Meeting of C-SIG’s Working Group on Cloud Standards
18 January 2017, EC, Brussels, Belgium
This forward-looking event [35] focused on the role the C-SIG may play in the future in addressing the EC’s communication on "ICT Standardisation Priorities for the Digital Single Market" (April 2016). For CloudWATCH, CSA and UOXF participated as panellists, further disseminating the results of its work in standards and interoperability (both technical conformance and policy compliance) [36]. At this meeting, through the panel discussions, the first thoughts on taking a different approach to the process of standardisation of IT emerged, which eventually led to the recommendation of considering “standardisation as code” (see section 5, recommendation IV).
[34] http://www.cloudwatchhub.eu/workshop-promote-practical-collaboration-between-cloud-open-source-and-standardisation-17th-january
[35] http://www.cloudwatchhub.eu/1st-meeting-c-sig%E2%80%99s-working-group-cloud-standards-18th-january-2017-brussels
3.5.3.4 First plenary meeting of Cloud Select Industry Group
15 Feb 2017, Brussels, Belgium
CloudWATCH2 led a session on mapping cloud standards and user guides, and participated in a discussion panel [37]. Also, CloudWATCH was prominently featured in the talk given by Mr. Luis C. Busquets Pérez regarding new and follow-up work streams regarding cloud computing policy work [38]. This session saw a presentation by CloudWATCH2 on standards mapping (T3.1), standards plugfest testing (T3.2) and the importance of user guidelines for supporting the adoption of cloud standards. The main findings of the survey on the take-up of cloud interoperability & security standards were that there is a lack of standards related to containers (OCP); that in too many cases, unfortunately, privacy and security are an afterthought in the design process; and that the R&I projects analysed were mainly focussed on interoperability standards, with few of them contributing to standardisation processes such as OASIS’ TOSCA. CloudWATCH2 also presented an overview of the existing cloud standards in every layer and the project’s future plan to provide a status report on Security and Interoperability standards and to disseminate cloud standards related information through www.cloudwatchhub.eu.
Cluj Innovation Days 2017
30-31 March 2017, Cluj, Romania
Our participation in this event [39] was in two parts. Firstly, Prof David Wallom gave a keynote presentation on the importance of security in the cloud and how ongoing new developments bring an intersection of cloud computing and trusted computing. This will enable cloud computing consumers to no longer have to place total trust in the cloud provider’s security model, staff vetting procedures and technical cybersecurity measures. Following this we then led a workshop as a deep dive event on European ICT regulation and cloud computing entitled “What can be the impact of European scale regulation on cloud computing security?” with panellists:
• Marius-Leonard Motofei-Radu, UPC Romania
• Tudor Damian, Avaelgo
• Gelu Vac, Crossover
• Radu Stefan, Microsoft Romania
Following brief presentations from the panellists, a recap was given of regulations of importance, either soon to be introduced or new. These include GDPR, NIS and eIDAS. The questions asked of panellists during the event were:
1. Best Practice: Risk Management of cloud computing services
o What is the role of eIdentification, authentication and trust services under the eIDAS Regulation for accessing and provisioning cloud services?
o How do cloud service customers decide between Public vs Private Cloud services?
2. Transparency: Incident Notification and Information Sharing for cloud computing services
o How can suppliers demonstrate compliance throughout the supply chain?
o How could we strengthen cooperation between industry and the public sector to build trust in cloud-based services?
3. Recognition: Cloud Certification Schemes & Assurance Levels
o How could we raise awareness of cloud security that already meets the highest requirements in terms of cybersecurity?
o How can certification be made accessible for all cloud service providers, including SMEs?
o What could be the most effective method to enable standardisation agreements or mutual recognition of distinct or national cloud certification schemes across the Digital Single Market?
4. Impact Factors: Service Authentication, Law Enforcement Access, and Export Controls on cloud services
o What approaches are necessary for cloud computing services to support the Digital Single Market in relation to service authentication, encryption, law enforcement access, or export controls?
o What service authentication possibilities are made available and recognised across borders by cloud service providers to ensure a secure way of processing data?
[36] http://www.cloudwatchhub.eu/sites/default/files/CloudWatch2_C-SIG_vFinal.pdf
[37] http://www.cloudwatchhub.eu/first-plenary-meeting-cloud-select-industry-group-15-feb-2017
[38] http://ec.europa.eu/newsroom/document.cfm?doc_id=42968
[39] http://www.cloudwatchhub.eu/looking-forward-cluj-innovation-days-2017
The providers and resellers of cloud services are obviously well versed in both the new regulations and the need to ensure that they fully understand how these will affect customers that are using the services they provide. Of the consumers, they all suggested that there must be great scope for support to ensure that compliance is seen as a good thing rather than just something that consumers will be punished for. The chair also questioned how the panel saw the scope for who would be the actor interacting with the regulatory bodies, to which it was clear that overall it was felt that, though cloud providers are engaged and committed to supporting these regulations, they are currently not working closely with their customers to ensure that they will be compliant. From the point of view of compliance, it was felt by the panel that there would need to be public visibility of certification and compliance with these schemes, otherwise there is always the problem of possible lip service being paid to regulation without the work done in spirit, which is also required. Within this event we were able to showcase some of the outputs of CloudWATCH2 and disseminated material created on the legal guidance for cloud computing to all delegates through the event documentation packs.
3.5.3.5 Data Protection, Security and Privacy (DPSP) Cluster meeting at NetFutures 2017
29 June 2017
Organised back to back with the NetFutures 2017 conference and the Concertation meeting (organised by Task 2.2; see also deliverable D2.3), this meeting mainly focused on the proceedings of projects within the cluster. CloudWATCH partners CSA and UOXF presented the progress the project made in their work on mapping cloud security standards (CSA, Task 3.1; deliverable 3.6) and cloud standards interoperability work (Task 3.2, UOXF). The project summarised the results and outcomes of the Cloud Security Standards Interoperability workshop (see section 3.3). While the first call to action (mandatory breach notification) was discussed with some contention, the remaining three calls to action were unanimously agreed upon:
• Reference implementations & white papers (close relationship with academia and OSS)
• Free [and open] standards (to reduce access and participation barriers for SMEs)
• Involve academia (e.g. as the long-term steward of a standard and/or reference implementations)
4 Conclusions
In their current state, Cloud Interoperability Plugfests are facing serious challenges for relevance. The Cloud Plugfest Initiative, with whom CloudWATCH2 collaborates, does not collect user interaction statistics beyond Mailchimp’s free subscription options; in particular, regular event registration and participation is not cohesively collected. Hence a historic analysis and trajectory extrapolation for the future is not possible. This makes it difficult to measure the success of the meetings, let alone measuring the impact of plugfests as such, even though CloudWATCH2 did collect participation information for the three testing events it organised (of which the first had to be cancelled, see above).
It is questionable whether the current plugfest format is still relevant. While the difference in participation levels between the second and the third plugfest is negligible, the stark difference of the respective outcomes is very sobering in terms of assessing the success of the traditional plugfest with high participation in its heydays compared to contemporary events. While, for example, Cloud Plugfest 10, co-located with the EGI Technical Conference 2013 in Madrid [40], featured three days of workshops and actual testing packed with between 30 and 50 attendees on any of the three days, recent plugfests faced participation levels of less than 10 at each event. The reasons behind this observation are not conclusive, yet several conjectures serve as plausible explanations.
Conjecture 1: Active development vs. maintenance. Looking at the mere chronology of events, Cloud Plugfest 10 took place in autumn 2013, and more recent plugfests over the course of 2016. Standards such as OCCI and CDMI, representing technical cloud interfaces, were relatively new (OCCI 1.1 was published in 2011), and implementations were rare and in an immature state. Fast-forward three years, and presuming continuous interest and demand in standards-based implementations, one would expect implementations to mature in that time, alongside maturing and near-perfect standard implementation and interoperability. Naturally, the need for interoperability testing and implementation guidance of developers in 2013 will have subsided in 2016, explaining the decline in participation at events.
Conjecture 2: Correlation of event participation with project funding. From a European perspective, the heydays of cloud plugfests correlated with the funding of three major projects as part of the EC FP7 programme lasting from 2007 to 2013, with projects running well into 2016. These three major projects were:
• EGI-InSPIRE, May 10 – Dec 14, 70 M€, 25 M€ EC FP7 contribution
• EMI, May 10 – Apr 13, 24.9 M€, 12 M€ EC FP7 contribution
• IGE, Oct 10 – Apr 13, 3.6 M€, 2.3 M€ EC FP7 contribution
All three projects together comprised involvement of nearly all EU member countries, including Norway and Switzerland; in particular, the EGI-InSPIRE project covered almost all member countries.
[40] https://sites.google.com/a/cloudplugfest.org/welcome/events/past-plugfest-agendas/cloud-interoperability-week
All three projects received significant funding from the EC (35%, 48% and 63% funding for EGI-InSPIRE, EMI and IGE, respectively), continuing the EGEE series of projects funded by the EC in the years before. With EGI-InSPIRE initiating the cloud-related activities in this ecosystem in September 2011 as a federation of cloud infrastructure – the EGI Federated Cloud [41] – based on standardised interfaces such as OCCI, CDMI, OVF, GLUE, Usage Records and others, activities in standards conformance and interoperability testing in the academic cloud landscape in Europe sharply increased, impacting ancillary projects such as OpenNebula [42], GRNET’s Okeanos project [43], and many more with connections and collaborations in the EGI community. Correlating the available sparse historic information with the runtime and funding of the projects mentioned above, the second half of the EGI-InSPIRE project, which saw the EGI Federated Cloud initiative ramping up, correlates particularly with the most successful and most visited Cloud Plugfests. This leads to a possible conjecture: Participants attended Cloud Interoperability Plugfests simply because EC project funding was available to cover the costs. Without funding, attendance might have been considered of lower importance.
Conjecture 3: Lack of incentives for service providers to implement standards. Industry operates on a fairly simple condition: Spend as little money for as much revenue as possible. Although simplified, this serves well in explaining some of the underlying mechanisms of this conjecture. If existing services generate revenue over and above the cost of sales (cost of supply in case of products), then this represents an appropriate response to an existing demand, in a relatively stable equilibrium. In such a scenario, deciding to sign off an expense to implement a particular standard without the demand side expressing this need represents a highly speculative cost that is difficult to justify, unless it is a standard being implemented internally in order to improve cost of supply and therefore increase the organisation’s profit margin. This scenario can be observed time and again, and industry standards and best practices for service operations and implementation emerge as a direct corollary of this. As expressed by Sebastian Kirsch of Google Zurich at the International Industry-Academia Workshop on Cloud Reliability and Resilience [44] hosted by EIT Digital and Huawei Europe, as a recollection from memory: “Standardise, standardise, standardise!”. What Sebastian meant, however, was not the aim to standardise on the public interface level, but internally, to improve reliability and resilience, and thus lower the cost of service in terms of service incidents, outages, and software errors. Alternatively, a scenario including a rising demand for standardisation at the service interface level may support service providers in justifying the expenses of implementing previously disregarded standards in two ways: (a) through direct sponsoring of implementation in a project funding manner, or (b) as a threat and weakness of their own offer compared to others in the competition. While alternative (a) is quite straight-forward in terms of cost-benefit analysis (vulgo: “Pay me to implement the standard!”) in a customised software services business model, alternative (b) activates competition mechanics in that an organisation may consider rising demand for standards implementations in a SWOT analysis as a weakness (“Demand requires support of standards, which our products do not provide”) on the technical level, and as a threat to business sustainability (“Our services would be outcompeted, therefore our revenue of the services may diminish.”) on the financial level.
[41] https://wiki.egi.eu/wiki/EGI_Federated_Cloud
[42] https://opennebula.org/
[43] https://okeanos.grnet.gr/home/
[44] http://www.eitdigital.eu/news-events/events/article/international-industry-academia-workshop-on-cloud-reliability-and-resilience/
In this context, an almost 30 year old court ruling regarding policy level standards implementation from 1988 [45] illustrates the problem quite well: In essence, the court ruled that a procurer cannot exclude a tenderer from the selection process towards an invitation to negotiate if they offer a solution or a service based on a standard that provides an equivalent output compared to a competing standard. While this document does not provide a legal analysis, the ruling has widely impacted procurement processes, since it effectively opens a door for organisations to demand compensation for not being selected in a procurement process where they can provide evidence that the selection process favoured one standard over the other. A probably unwanted corollary to this ruling is the effective non-existence of clauses mandating the support for a certain standard (or a set thereof), and their replacement by clauses such as “or equivalent”, where equivalence is left undefined or to “common understanding”. The overall impact is that, with the absence of demand for standards in procurement procedures, we see little incentive for organisations to implement and roll out standards-based services and products.
Conjecture 4: EC projects have an intrinsically different perception of security. ISO 27001 etc. are considered an industry baseline set of standards [46]. However, EC projects seem to be considered an incubator of technical innovation and therefore focus on technical maturity of their outputs [47]. Perhaps correlating with conjecture 3 above, EC projects thus seem to operate on the presumption of not having to integrate customer demand and customer orientation (i.e. market readiness) into their project plans and activities: While H2020 Research and Innovation type project proposals are written with customer demand and need in mind, these seem to be insufficiently carried through into project outputs and results as such.
Conjecture 5: The cadence of innovation, particularly disruptive innovation, may have become too fast. Referring back to the Wardley Mapping methodology, especially the cycle of “Peace, War, and Wonder” (see above), an intrinsic property of this cycle – and the cycle of innovation and standardisation – is time: It requires time to let innovations settle in and turn into products (or services), and finally commodities (or utilities). But what if the frequency of innovation, especially disruptive innovation, becomes too high, cutting deeply into the time necessary for innovations to mature and set the scene for standardisation to occur? Signals that that might be the case are there, for example:
• The business models and business strategies of Uber, AirBnB, Facebook and Google are under serious scrutiny or threat, with the latest example of Uber’s licence to operate in London being revoked [48]
• These companies are increasingly considered not as tech companies but as companies with a classic business model that just happens to aggressively use technology – but “dodging” the pertaining sector’s regulations: Uber in the sector of ride hailing services, AirBnB in the sector of hospitality, Google and Facebook in the news & media publishing sector.
Large-scale IT tech firm leaders begin to at least think about the pace of change, the pace of innovation and its impact on society [49].
[45] 45/87 Commission vs Ireland ('Dundalk') [1988] ECR 4929
[46] https://resilience.enisa.europa.eu/cloud-security-and-resilience/Cloudstandards.pdf
[47] As further described in CloudWATCH2 deliverable D2.2 Mapping of EU cloud services, solutions technological readiness
[48] https://www.theguardian.com/technology/2017/sep/22/uber-licence-transport-for-london-tfl
[49] https://www.theguardian.com/technology/2017/oct/07/google-boss-sundar-pichai-tax-gender-equality-data-protection-jemima-kiss
5 Final recommendations
This deliverable, D3.7, concludes the work performed in the CloudWatch2 project relating to supporting standards in the European ICT landscape. Within WP3 the project experienced a situation where the proposal (with all its intentions and commitments) faces reality more than half a year later. While this situation is usually not much of a problem, the ICT sector and especially the cloud computing segment are faced with an unprecedented level and frequency of disruption and change: a 6-month period is considered a very, very long time span in which anything can happen. While standards interoperability testing was a successful activity in the first CloudWATCH project, it seemed prudent to build on that success and continue with this activity – only to realise that all of a sudden attendance at these events plummeted. CloudWATCH2 was forced to react, so we decided to take a different approach, as outlined in this document. We believe that the decision we took was the right one, given the outcomes of the activities highlighted in this document. Given what we experienced, we feel we are in the position to summarise and recommend the following actions for future projects and policy makers alike:
I. Address different value propositions of standards in different sectors
Looking at the commercial, public, and academic sectors, we believe that while standards are beneficial for any sector, the reasons are actually different, because of different needs, different obstacles and different sector mechanics. We think that in the past, the value proposition for standards in ICT was not sufficiently differentiated. As a result, market stakeholders and influencers became disenfranchised, and even adverse to the idea of standardisation.
II. Different meanings of the term “standard” mean different approaches
There are different semantics attached to the term “standard”. While in essence addressing the same topic of repeatability, internal standardisation (i.e. within a company or organisation) is much easier to address than inter-organisational standardisation. While the former is typically a passive, emerging activity (an evolutionary process), the latter tends to be seen and experienced as a managed/controlled or top-down activity – perceived as in conflict with the freedom of choice and decision in the commercial market.
III. Offer help and support for the “unloved” elements of standardisation
As repeatedly pointed out in this document, standardisation on the technical level across organisations tends to emerge as a successful contender in a somewhat evolutionary process. The outputs of this process are, in the ICT world, pieces of code that manifest interoperability. This is what provides value to commercial organisations – as opposed to the formal documentation of the standard, which is perceived as “dead wood” effort companies see as unnecessary expense without value. One approach to that solution may be to financially support experts to be present in the formal standardisation process. The StandICT [50] project is a good example of such an approach, providing a continuous open call to support European standards experts in contributing to the standards process in the five pillars of the Digital Single Market: cloud computing, 5G, data science, cybersecurity and IoT.
[50] http://standict.eu/ funded under H2020: 01/01/2018 – 31/12/2020
IV. Consider a “standards as code” approach
With the recent emergence of DevOps and “infrastructure as code” concepts, which literally subject as much as possible – not only software source code, but also infrastructure configuration and even deployment information – to automation and version control, it is viable to apply the same to technical standards in the ICT industry. Instead of forcing software developers to break the barrier of their medium and to learn the formal language of standardisation (this is, from experience, literally an education task!), take the technical standards to the software developers in their own language: Encode and express standards not in human language and semantics, but in SW engineering languages and tools that are used in SW engineering tooling chains.
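To make recommendation IV concrete, the following is an added illustration written for this report, not code from the CloudWATCH2 project or from any real standard: the clauses of a made-up cloud resource interface specification are encoded as executable checks (a Python list of requirements with MUST/SHOULD levels), so that the specification itself lives in version control and a conformance report can be produced against any captured response. The requirement ids (REQ-1 to REQ-5), the header name X-Spec-Version and the two sample responses are all constructed for the example.

```python
"""Hypothetical "standard as code": requirements of a made-up cloud resource
interface are expressed as executable checks rather than as prose clauses.
This is an added illustration of recommendation IV; the specification, the
requirement ids and the sample responses are all constructed for the example."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


@dataclass
class Response:
    """A captured response from an implementation under test (constructed shape)."""
    status: int
    headers: Dict[str, str]
    body: Any


@dataclass
class Requirement:
    rid: str            # clause identifier, e.g. "REQ-3" (hypothetical numbering)
    level: str          # "MUST" or "SHOULD", as in RFC 2119 keywords
    text: str           # the clause as a human would read it in the document
    check: Callable[[Response], bool]


@dataclass
class Report:
    passed: List[str] = field(default_factory=list)
    failed_must: List[str] = field(default_factory=list)
    failed_should: List[str] = field(default_factory=list)

    @property
    def conformant(self) -> bool:
        # Conformance requires every MUST; SHOULD failures are warnings only.
        return not self.failed_must


def _lower_headers(r: Response) -> Dict[str, str]:
    # Header names are case-insensitive, so compare them in lower case.
    return {k.lower(): v for k, v in r.headers.items()}


# The "specification": version-controllable and diffable like any other code.
SPEC: List[Requirement] = [
    Requirement("REQ-1", "MUST", "A successful resource listing returns status 200",
                lambda r: r.status == 200),
    Requirement("REQ-2", "MUST", "The response carries a Content-Type of application/json",
                lambda r: _lower_headers(r).get("content-type", "").split(";")[0].strip()
                == "application/json"),
    Requirement("REQ-3", "MUST", "The body is an object with a 'resources' list",
                lambda r: isinstance(r.body, dict) and isinstance(r.body.get("resources"), list)),
    Requirement("REQ-4", "MUST", "Every resource has a non-empty string 'id'",
                lambda r: all(isinstance(x.get("id"), str) and x["id"]
                              for x in r.body.get("resources", []))
                if isinstance(r.body, dict) else False),
    Requirement("REQ-5", "SHOULD", "The response advertises the spec version in X-Spec-Version",
                lambda r: "x-spec-version" in _lower_headers(r)),
]


def run_conformance(resp: Response, spec: List[Requirement] = SPEC) -> Report:
    """Evaluate every clause of the encoded specification against one response."""
    report = Report()
    for req in spec:
        try:
            ok = bool(req.check(resp))
        except Exception:  # a crashing check counts as a failure, never a pass
            ok = False
        if ok:
            report.passed.append(req.rid)
        elif req.level == "MUST":
            report.failed_must.append(req.rid)
        else:
            report.failed_should.append(req.rid)
    return report


def describe(report: Report, spec: List[Requirement] = SPEC) -> str:
    """Render the report with the human-readable clause text next to each failure."""
    by_id = {q.rid: q for q in spec}
    lines = [f"conformant: {report.conformant}"]
    for rid in report.failed_must + report.failed_should:
        q = by_id[rid]
        lines.append(f"  {rid} [{q.level}] failed: {q.text}")
    return "\n".join(lines)


# Constructed sample responses from two imaginary implementations.
GOOD = Response(200, {"Content-Type": "application/json; charset=utf-8", "X-Spec-Version": "1.0"},
                {"resources": [{"id": "vm-1"}, {"id": "vm-2"}]})
BAD = Response(200, {"Content-Type": "text/html"},
               {"resources": [{"id": "vm-1"}, {"name": "no id here"}]})

if __name__ == "__main__":
    print(describe(run_conformance(GOOD)))
    print(describe(run_conformance(BAD)))
```

Because each clause keeps its prose text alongside its check, the same file serves as the readable specification and as the test suite an implementer runs in a CI pipeline; a change to the standard is then a reviewable diff rather than a new edition of a document.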
V. Do not engage in formal standardisation too early – or too late – in the market.
Markets inevitably mature: They mature in terms of size, number of participants, number of services provided, and operational best practices. Some markets become so widespread and ubiquitous that the products and services provided are increasingly perceived as utilities or commodities, respectively. Markets in that stage typically expose a reduced level of innovation, are highly automated and exchange large volumes with small margins. Mature markets are stable. However, a high degree of automation and small profit margins both represent obstacles for standards to penetrate such markets: the cost of change is too high. Instead, carefully analyse which markets (or which of their segments) are on the verge of becoming utilities/commodities, and engage in standardisation at that point in time. In our opinion, the cloud computing market at large is far from being commoditised, with the exception of parts of the IaaS market related to compute and storage resources. While the cloud compute and storage segment is indeed on the verge of becoming commoditised (some stakeholders consider it already commoditised), we see the market at the brink of being dysfunctional, with too much influence concentrated on few large hyper-scale providers.
7 Appendix 1: Questions for the final Plugfest panel
The following questions were made available to the panel for discussion:
1. Balancing standards & innovation – How do we find the right balance between standardisation and freedom to innovate?
2. Standardisation process & timing – What is the right process to follow in developing standards? And when is it time to begin the standardisation process?
3. Standards: SMEs vs. Corporates – What are the advantages and disadvantages of having standards in cloud computing? Are those advantages and disadvantages different for a large company compared to a startup? If so, whose interests should be prioritised?
4. Standards for cloud, IoT, 5G – Comparing IoT, 5G and cloud, what are the differences in the segments, and how do they impact standardisation?
5. Security standards & certification – How do you see security standards and certifications building confidence from the point of view of consumers? Do you see certification as a way that trust can be built in providers? What requirement is there on a third party verification activity?
6. Open Source & (Open) Standards – How do you see the relation between Open Source and Standards, mutually contradictory or mutually beneficial? Do you consider openness of standards relevant for broader adoption and increased impact?
7. Benefits of cloud standards – What do you see as the biggest benefits of having standards for cloud computing?
8. Cloud standards topics – When we talk about standards in cloud computing, what sort of things are we talking about standardising?
9. Standards vs. certification – Can you describe how you see the difference between standards and certification?
10. Standards in procurements – At what point in the procurement lifecycle would you consider it important to think about standards?