www.cloudwatchhub.eu|info@cloudwatchhub.eu/@CloudWatchHubCLOUDWATCH2hasreceivedfundingfromtheEuropeanUnion'sHorizon2020programme-DGCONNECTSoftware&Services,Cloud.ContractNo.644748

D3.7CloudInteroperabilityPlugfests

FinalOutcomeReport

www.cloudwatchhub.eu|info@cloudwatchhub.eu|@cloudwatchhub

ThisdeliverableaccountsfortheresultsandimpactofCloudInteroperabilityPlugfestsconductedundertheauspicesoftheCloudWATCH2project.Basedontheresultsoftheplugfests,thereportoutlinesaseriesofconsiderationsandactionsregardingthefutureofplugfests.Thisdocumentconstitutesanupdateofitspredecessordocument(D3.3)insteadofanindependentdeliverable.Significantchangesincomparisontothepredecessordocumentaredescribedappropriately.

2

CloudWATCHMissionCloudWATCH2takesapragmaticapproachtomarketuptakeandsustainablecompetitivenessforwideruptakeandcommercialexploitation.ItprovidesasetofservicestohelpEuropeanR&IinitiativescapturethevaluepropositionandbusinesscaseaskeytoboostingtheEuropeaneconomy.CloudWATCH2servicesinclude:

v AcloudmarketstructureroadmapwithtransparentpricingtoenableR&Iprojectstochartexploitationpathsinwaystheyhadnotpreviouslyconsidered,orhelpthemavoidapproachesthatwouldnothavebeensuccessful.

v MappingtheEUcloudecosystemofproducts,servicesandsolutionsemergingfromEUR&Iprojects.Identifyingsoftwarechampionsandbestpracticesinmitigatingrisksassociatedwithopensourceprojects,andultimately,enablefastertime-to-valueandcommercialisation.

v Impactmeetingsforclusteringandconvergenceoncommonthemesandchallenges.Re-useoftechnologieswillalsobeofparamountimportance.

v Promotingtrusted&secureservicesthroughroadshowsanddeepdivetrainingsessions.GivingR&IinitiativesaroutetousersatmajorconferencesorinlocalICTclusters.

v AportfolioofstandardsforinteroperabilityandsecuritythatcanfacilitatetherealisationofanecosystemofinteroperableservicesforEurope.

v Cloudinteroperabilitytestinginaninternationaldeveloper-orientedandhands-onenvironment.Findingswillbetransferredintoguidancedocumentsandstandards.

v RiskmanagementandlegalguidestothecloudforprivateandpublicorganisationstolowerbarriersandensureatrustedEuropeancloudmarket.

Disclaimer CloudWATCH2(AEuropeanCloudObservatorysupportingcloudpolicies,standardprofilesandservices) is funded by the European Commission’s Unit on Software and Services, CloudComputingwithinDGConnectunderHorizon2020.The information, views and tips set out in this publication are those of the CloudWATCH2ConsortiumanditspoolofinternationalexpertsandcannotbeconsideredtoreflecttheviewsoftheEuropeanCommission.

3

ExecutiveSummarySincehumaninteractionhasbeenharmonisedmoreformallyinsemanticsandterminology,adherencetostandardsasaformofformalharmonisationhasbeenthesubjectofvalidation.Morerecently,thisformofvalidationhasbeenconductedinformaltestingincludingformalrecordingofoutputsandresults.Theriseofagileandleanservicedevelopmentandoperation,hasmeantthatthesetestshavebeendevelopedtoberunaslessformalevents,beingcalled“plugfests”,whichallowforrapidtestingagainstpublishedstandardsinaneasiermannerthanpreviouseventsofthisname.Similartosoftwareservices,standardsexperiencealifecyclefrominception/ideationtoobsolescence–forexampleW3CRFC2616definingtheHTTP/1.1protocol1formallyobsoletesRFC2068definingtheverysameprotocolbuttwoyearsearlier2–aswellasreceivingupdatesthroughouttheirlifetime.Althoughoftenseenaslong-lived,ifnotstatic,standardsliveinadynamicenvironmentdrivenbyneedsthatareoftenconsidereddetrimentaleventoeachother.Standardsarefrequentlyreportedasstiflingoreven“killing”thescopedmarket3.Operatingwithinthisenvironment,CloudWATCH2organisedandconductedanumberofCloudInteroperabilityPlugfestswithvaryingoutcomes.ThisdeliverablesummarisestheoutcomesofallorganisedCloudInteroperabilityPlugfests,andderivesconclusionsontheirrespectiveresultsinformofspecificandconcreteconjecturesregardingcurrentplugfestsustainabilityaslistedbelow;

1. Activedevelopmentvs.softwaremaintenancemayleadtolowerparticipation.2. ECprojectfundinginflatedeventparticipation3. Lackofincentivesforserviceproviderstoimplementstandards4. ECprojectshaveanintrinsicallydifferentperceptionofsecurity,orcustomerrequirementsin

general5. Thecadenceofinnovation,particularlydisruptiveinnovation,mayhavebecometoofast.[New]

CloudWATCH2hasaddresssomeoftheconjecturesduringitssecondyear,whileleaningonthewidercommunitytotakeupandaddresstheremainingissues.

1 https://www.ietf.org/rfc/rfc2616.txt 2 https://www.ietf.org/rfc/rfc2068.txt 3 Simply searching the Internet for something similar to “are standards killing the cloud” will provide enough sources for this claim.

4

TableofContents1 Introduction...............................................................................................................................................51.1 Whatarecloudstandardsplugfestsandwhyaretheyimportant? 51.2 HowCloudWATCHhassupportedcloudplugfests 7

2 Managingprojectrisksandanewdirectionforplugfestactivities[New].................................................83 CloudInteroperabilityPlugfests...............................................................................................................103.1 CloudInteroperabilityInitiativePlugfest 103.2 CloudInteroperabilityInitiativePlugfest24 103.3 CloudSecurityInteroperabilityPolicyworkshop 103.4 “Whystandardise?Thebusinesscasefortheadoptionofcloudstandards”–Policyworkshop[New] 153.5 Supplementarycloudinteroperabilityeventsandactivities[New] 16

4 Conclusions..............................................................................................................................................205 Finalrecommendations...........................................................................................................................237 Appendix1:QuestionsforthefinalPlugfestpanel..................................................................................26

5

1 IntroductionOverthecourseofitsduration,theCloudWATCH2projectaimedtocontinuethecloudinteroperabilitytestingworkstartedduringtheCloudWATCHproject(2013-2015).InCloudWATCH2,threedeliverableswereenvisagedandagreedupontocapturethestrategyandstructureofinteroperabilityplanning(D3.1),conductthreeinteroperabilitytestingevents(MS12,MS13,andMS14),andreportontheoutcomesoftheseevents(D3.3,andD3.7)asfollows:

• D3.1-StructureandaspiredoutcomesofCloudInteroperabilityPlugfests;• D3.3-CloudInteroperabilityPlugfestsOutcomeReport;• D3.7-CloudInteroperabilityPlugfestsFinalOutcomeReport(thisdocument).

D3.1providedabriefreviewofthethencloudinteroperabilityplugfestsetup.Locatedintheareaofexpertiseinthecloudecosystem,assessedthatsetupagainstthecloudcharacteristicsdevelopedbyNIST.Finally,thedocumentproposedanewandinnovativewayofdeliveringcloudinteroperabilityplugfestsvirtually.Thisfinaloutcomereportwillfollowthemodelofincludeandamendfordeliverablescapturingoutcomes4.ThisdeliverablewillincludethecontentfromD3.3initsentirety,andamendandextendwherevernecessaryusingappropriateindications.Thisisimportantasfirstly,theobservationsandconjecturesdescribedinD3.3stillholdtrue,andbyincludingthecontentofD3.3inthisdeliverable,becomesthefinaloutcomereport.Secondly,conclusionsareeasiertounderstandasthefullcontextandtimelineofeventsareclearlyprovided.

1.1 Whatarecloudstandardsplugfestsandwhyaretheyimportant?

CloudPlugfestsarealong-runningactivityandaretypicallyeventswheretechnologyprovidersmutuallytesttheirimplementationsofstandardisedspecificationsforconformanceandinteroperabilityinanarenawherethetestresultsareprivate,allowingthetestingofupcomingorpre-productionproducts/services.Interoperabilitytestingexistedsincetheemergenceofmoreformalisedstandardisationofanytypeofinformationthatisexchangedwithinorevenacrossdomains:Forexample,whilehistoricdefinitionsandunitsofdistancearestillactivelyusedtoday–forexample,yards,feetandinches–somehavegoneoutof“fashion”andarenolongerorrarelyused,suchasleaguesandfathoms.Otherdefinitionsareoverloaded,andarefurtherqualified,suchasamile,andanauticalmile,whichdenotedifferentdistances.Otherdefinitionshavebeenharmonisedinterminologyandsemantics,andorganisedintoaninterchangeableframeworkofunits.Forexample,themetricsystemisbasedonthedefinitionof“onemetre”.Whilemanyharmonisationsaredirectlybasedonanaturalframeofreference(suchasonefoot,onestone),themetrerepresentsasyntheticharmonisation(i.e.standardisation);yettheexactlengthisdefinedusingthelawsofphysicsas,currently,“thelengthofthepathtravelledbylightinvacuumduringatimeintervalof1/299792458ofasecond”.5Theessenceofstandardisationisthus:

1. Harmonisationofunitsisanintrinsicelementofhumaninteraction,andhappensinevitably.2. Standardisationcanthusbeseenasharmonisationacrossculturalborders,oracrosshistoric

semanticbarriers.4 Typical sequential, back-referencing independent deliverables are more suited for progress reports linked to some sort of chronological periodity. 5 http://www.bipm.org/en/CGPM/db/17/1/

6

3. Standardisedunitsarefrequentlysynthetic,yetbasedonnaturalframesofreference.4. Standardisedunitshavealifetime,5. Standardisedunitsundergoamendmentsasrequiredbyadvancesintheirunderlyingframeof

reference.6. Standardsemergeandestablishwithinadefinedcontext,orproblemstatement.[New]7. Theremaybemultiplestandardswithinonedefinedcontext.[New]8. Theterm“standard”itselfbearsdifferentmeaningindifferentcommunities.[New]

Ifoneacceptsthisasthe“axiomsofstandardisation”,thentheseshouldberelevantandstillimpactinmodernlife,specificallyinthiscontextincloudcomputing.Infact,examiningthecurrentcloudcomputinglandscape,theseobservationsarestillinforce:

1. Somesemanticsofcloudcomputinghavebeenharmonisedintoacommonunderstanding–yetsomeareasarestillinflux.ThedefinitionofIaaS,PaaS,andSaaSclearlyhasitsroots–itsframeofreference–intheclassicthree-tierarchitectureofenterpriseapplications(data/storage,businesslogic,anduseraccess).Yet,somewhatsimilartovaryingdefinitionsofthelengthofafoot,orthevolumeofapint,diverging“schoolsofarchitecture”differentlyscopeinfrastructure,dogmasofdefinitionofinfrastructureemerge:Whilemanydefineinfrastructureasthetrinityof(bit)storage,computeandnetwork,othersincludedatabasesandotherlow-levelcomponentsintheinfrastructure.

2. Oneoftheearliest,andtodatemostciteddefinitionofcloudcomputing,isthedefinitionpublishedbyNISTinSeptember2011.6Stillrelevanttoday,thisdefinitionaimedatharmonisingtheterminologyacrossthedifferent“schoolsofarchitecture”thatexistedatthattimewithinasinglecountry.Thisdefinitionresonatedworldwide,andisnowadaysalmostcommonplace.

3. NIST’sdefinitionwasreceivedasveryintuitiveandacceptablesinceitsframeofreferenceborefromthethenveryactivelydeployedthree-tierenterprisearchitecturemodelasdescribedabove.Althoughbornandbasedonphysics,ICTitselfisnotnatural,itisentirelyartificial.Yet,withinthisframeofreferenceordomain,wasperceivedasalawofnaturewithinthatdomain–andserveditselfasaframeofreferenceforthedefinitionofcloudaspublishedbyNIST.

4. TakingNIST’sdefinitionofcloudcomputingasanexample,someofitsdefinitionshavegainedtractioninthecommunity,somehavenotatall,andsomeareontherise(onlypossiblytoinfutureloosetractionagain).Forexample,whileIaaSandSaaShavegainedtractionandcommonunderstandingearlyon,thesemanticsofPaaSarestillunclear:DoesPaaSincludeDBservices,messagingservices,etc.orarethesepartoftheIaaSmodel,anddoesPaaShencedescribeonlyapplicationservicemodelssimilartotheJ2EEdefinition?7Likewise,NISTdefines“communityclouds”,butthistermhasnotgainedtractionatall(atleastnotintheindustrysector),and“hybridcloud”isonlygainingtractionandunderstandinginthelastcoupleofyears.

5. Cloudcomputingisafast-paceddomainoftechnology,andassuchrequirementswillconstantlychange,untilauniversallyacceptedequilibriumhasbeenachieved,ineconomicterms,thestateofutility(services)orcommodity(products)hasbeenreached.Untilthen,standardiseddefinitionswillhavetobeupdated,whichisreflectedintheversioningidentifiersofmanypublisheddocumentssuchasOCCI1.1and1.28,CDMI1.0,1.0.1,1.0.2,1.19tonamebutafew.

6. WithinthecontextofAPIaccesstoIaaScloudcomputingresources,therearemanydifferentdefinitionscompetingwitheachother,eventhoughtheyalladdressthesameproblemstatement.

6 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf 7 While there is a widespread presumption in the technical community on hardware virtualisation being the main driver of cloud computing, there is however no indication or requirement to implement virtualisation to achieve cloud computing. Hence, the corollary notion of “VMs for compute, and bit buckets for storage” is an obvious first choice, but nonetheless the only or exclusive architecture of cloud computing. 8 http://occi-wg.org/about/specification/ 9 http://www.snia.org/cdmi

7

Tonameafew,thereexistOCCI,AmazonAWSEC2,CIMI,GoogleGCE,Azure,OpenNebulanative,OpenStacknative,andmany,manymore.[New]

7. TheOxfordDictionarydefines10“standard”–selectingthemostappropriatedefinitionfortheITandtechindustry–as“Somethingusedasameasure,norm,ormodelincomparativeevaluations.”,andprovidestheexampleof“thesystemhadbecomeanindustrystandard”.Thus,notonlythecontext,butalsothecommunitypertainingtoastandardiseddefinitiondeterminesthescopeandreachofthisdefinition.Oneclassificationoftypesofstandardsdifferentiatesbetweendefacto,industry,communityanddejurestandards11,12.[New]

PredatingthepublicationofNIST’sdefinitionofcloudcomputing,theCloudPlugfestInitiative13(CPI)starteditsactivitiesasearlyasApril2011withthefirstinstanceofitsCloudPlugfests.14Meanwhileinits25theventinstance,CloudPlugfestsarearecurringandnecessaryeventofharmonisationandstandardisation.

1.2 HowCloudWATCHhassupportedcloudplugfests

CloudWATCH,andalsoCloudWATCH2,havebeenlongstandingpartnersoftheCPIintheorganisationofCloudPlugfests(seeFigure1).Thecommunityfocussingontechnicalinteroperability,particularlythecloudsoftwarelandscapeasisthefocusofthisreport,needstoaddresstheimpacttheseidentifiedfactorshaveonitsbusiness.Eventhoughthesemaynotbedisruptive,theyarecertainlyexertingsignificantimpactthatweasacommunitymustaddress.CloudWATCH2supportssuchtestingandanobjectoftheprojectwastoorganisethreesucheventscombiningbothphysicalandremoteparticipation.

Figure1CloudWATCH2Outputs

However,asdescribedinD3.1‘StructureandaspiredoutcomesofCloudInteroperabilityPlugfests’theparticipationatandfrequencyoftraditionalface-to-faceplugfestsaredeclining.Thisdeliverableunderpinsthisobservationwiththeresultsofface-to-faceCloudPlugfestsorganisedbyCloudWATCH2,anddescribesthechangeofstrategyasaconsequenceoftheexperiencesitfaced:Section2accountsforhowtheprojectmanagedthemanifestationoftheriskoflackofparticipationtotraditional

10 https://en.oxforddictionaries.com/definition/standard 11 https://www.slideshare.net/MichelDrescher/a-tale-of-ice-and-fire-or-the-cloud-and-the-standards, slide 15 12 http://www.cloudwatchhub.eu/sites/default/files/05_Why%20standardise%3F_A%20Tale%20of%20Ice%20and%20Fire%20v6.pdf 13 http://www.cloudplugfest.org/ 14 http://www.cloudplugfest.org/events/past-plugfest-agendas

8

interoperabilityplugfests,andhowandwhichremedyitapplied.Section0recountstheplugfestsandinteroperabilityworkshopstheprojectorganised;theaccountsoftheplugfestsandworkshopsreflectthechangeofstrategyintheproject.Inparticularsection3.5describessupplementalandancillarystandardsrelatedactivities,includingthevirtualplugfests,tounderpinthenewprojectstrategy.Section4analysestheoutcomesoftheplugfestsinanattempttofindcommonpatternsofsuccess(orfailure).Section5concludesthedocumentwithasetofrecommendationsforfutureprojectsandpolicymakersthattaketheprojectexperiencesintoaccount.

2 Managing project risks and a new direction for plugfestactivities[New]

Duringpreparationforplugfestactivies,theCloudWATCH2consortiumidentifiedariskpertainingtoplugfestattendance15:

Risk:LackofaminimumsignificantnumberofparticipantsandorganizationrepresentedatthePlugfests.Mitigation:TheconsortiumwillbuildontheexperienceoftheorganizersofthepreviouseditionofthePlugfest,leveragetheircommunityandeventuallyco-hosttheeventswithotherrelevanttechnicalworkshopandevents.Membersoftheconsortiumareregularco-organiserstotheseevents&haveco-locatedtheireventsaroundtheminthepast.

Additionally,theprojectreviewersgavethefollowingcommentsandrecommendationsintheirInterimprojectreview16:

“Theconsortiumproposestoorganisevirtualplugfests,butdoesnotexplorefurtheraninterestingroadinvolvingmoreintenselytheeducationalinstitutionsintotheactivityandorganiseplugfestsinthissetting.TheconsortiumshouldkeepaveryclosetabontheeventinMadridandanalyseindetailwhathasworkedandwhatnot,andincludelessonslearnedinthereportontheeventtoensurethesearetakenupinfutureplugfests.”

Recommendation1:TheConsortiumisrecommendedtoworkintensivelyonthetaskrelatedtopromotingstandardizationduringthenextperiodasthisisanimportantobjectiveoftheCloudWATCH2projectandlittleprogresswasachievedonthistaskduringthefirstreportingperiod.Recommendation1:PlugfestsoncloudservicecompatibilityareinterestingandvaluableoutputsofCloudWATCH2aswell.Morecarefulplanningandintensivepromotionisessentialoverthenextperiodtoensurehigherattendance.

Theprojecttookpro-activestepstoaddresstherisk,andthereviewers’recommendationsforfurtheraction.TheprojectthereforedecidedtorunvirtualplugfestsaswellasF2Fplugfestsandreviewperformanceincasefurtheractionwasnecessary.Usingtheresultsofthecloudsecuritydeepdiveevent19,CloudWATCH2decidedtotesttheconceptofaplugfestatthepolicylevelratherthetraditionalapproachoffocussingonthetechnicalinteroperabilityattheinterfacelevel:ThethirdcloudinteroperabilityplugfestinMadrid(seesection3.3).

15 CloudWATCH2 DoA, Risk 7 16 CloudWATCH2 Result of the 1st interim review

9

However,facingthepooroutcomeofthefirstvirtualplugfestandthesecondvirtualplugfesthavingtobecancelledduetolackofinterest,theprojectwasfacedwiththedilemmaofcontinuingtodrivestandardsplugfesteventsintheEuropeanICTlandscapedespitelowattendanceandconsideringappropriateandeffectiveuseofresources.Inlightoftheresultsandattendanceofpreviousplugfest,woulditmakesensetofurtherpursuetheconceptofvirtualplugfests?Whatimpactwouldalternateactivitiesyieldincomparison?Didweevenperhapsaddressthewrongissue?Ifconjectures1,2andparticularly3(seesection4)weretrue(specificallywhenfactoringinopensource),thenwindowsofopportunityshouldbeobservedforconvergenceinhowAPIsanddomainspecificlanguagesareaddressedanddeveloped.Inotherwords,otherwiseuncoordinatedandunrelatedorganisationsandgroupshappentoworkonsolvingthesameproblemwithincreasinglysimilarsolutions,untilthismovement(forthelackofabetterword)gainedsufficientmomentumtoprevail.Inthatsense,standardisationmaybecomparabletoself-ignitingfuelcombustion(i.e.dieselengines)asopposedtospark-ignitefuelcombustion(i.e.petrolengines).Didwetrytoapplyspark-combustiontosomethingthatmightbeinherentlyself-ignited?AstheCloudWATCH2CloudMarketRoadmapreports(D3.3),thecloudIaaSmarketisdominatedbythreemaybeevenfourserviceproviders:Theseareinnoparticularorder;Amazon,Microsoft,Google,andIBM.Smallerserviceproviderstendtoservenichemarkets,mostlypackagingandembeddingOpenStackdeployments–andtheyallareexposingOpenStack’simplementationoftheEC2andS3protocolsandinterfaces,whicharecontrolledbyAmazon.ThemarketsituationasseenbytheCloudWATCH2projectexposesthefollowingmechanics:

• ThereexistsadominatingsetofIaaScloudinterfaces,controlledbyonecompany.• Serviceavailabilityzones,andmultipledatacentrelocations–afeatureavailableacrossallservice

providers–makeitveryattractiveforconsumerstointegratewithoneserviceproviderwhenimplementingtheirownservicescalability,availability,andreliability;especiallyintheabsenceofinteroperability.

• TherearenoindicationsforinteroperabilityacrossthelargestIaaSserviceprovidersanytimesoon.• ThesheerhyperscaleofthedominatingIaaSprovidersmakeitveryattractivetodisregard

spreadingservicesacrosscompetingproviders(verymuchunlikedatacentreoperatorsspreadingconnectivityrisksacrossISPs)

• ThereareopensourcetoolsavailableaddressingthelackofinteroperabilityacrossIaaSserviceproviders.TheseimplementanadditionalsoftwarearchitectureabstractionlayerontopofIaaSservices,exposinganinternalcommoninterface17.

Generally,albeitnottheidealsituation,thisnonethelessprovidesasolutionthatisapparentlysufficientlyefficientandeffective,providingapathoffarlessresistance(intermsofeffortsandmoneyspent)towardsachievingthemarketparticipants’goalofshort(est)timetomarket,inordertoearnmoney.Quiteapparentlytherefore,thereisnoneedforcommercialoperators,intheirvastmajoritySMEs,toinsistoninteroperabilityorwaitfortrulyinteroperableservices.Withtheseconsiderationsverymuchinmind,theCloudWATCH2projectdecidedtochangeitsstrategyforstandardisationsupportinWP3todiscontinuethevirtualplugfestsseries.Moreover,theprojectdecidedtorepurposetheenvisionedF2FCloudInteroperabilityPlugfestsasinteroperabilitypolicyevents.To

17 For example, Apache jClouds, https://jclouds.apache.org/

10

maintainconsistencywiththeDoA,thisdeliverablewillstillrefertotheseeventsasCloudInteroperabilityPlugfests.Butinpractice,thesebecameinteroperabilitypolicyevents.

3 CloudInteroperabilityPlugfestsAsstatedinsection2,onlythoseeventsinyearonewereactualCloudInteroperabilityPlugfests.Inyeartwo,theplugfesteventseriesbecameinteroperabilitypolicyevents.Theseeventsaresummarisedinthissection.

3.1 CloudInteroperabilityInitiativePlugfest

ThefirstplugfestorganisedwithintheCloudWATCH2projectwascollocatedwiththeCloudscape2016conferenceon8-9March2016inBrussels.Thisplugfestinstance,however,hadtobecancelledduetolackofparticipation.ThisinstancehasalreadybeensubjecttodiscussionandanalysisinconjunctionwiththeY1reviewoftheCLoudWATCH2projectandwillnotbefurtherdiscussedinthisdeliverable.

3.2 CloudInteroperabilityInitiativePlugfest24

ThisplugfestwasorganisedandconductedincollaborationwithSNIAandtheirannualStorageDeveloperConference19-21September2016inSantaClara,CA,US.DuetodemandthisplugfestfeaturedF2Faswellasremoteaccessandtesting.Withfiveorganisationsrepresentedbysixparticipantsacrosslocalandremoteparticipation,attendanceatthisplugfestwassmall.ImplementationsofCDMIandOCCIweretested.However,participantsweremostlynovicesininteroperabilitytesting,whichledtosignificanttimeintheeventbeingspentmostlyoneducationandintroductiontotheconceptofplugfestsandcoordinatedtesting.Therefore,althoughtechnicaltestingdidoccur,resultswerenotformallyrecordedduetolackoftime.

3.3 CloudSecurityInteroperabilityPolicyworkshop

Withtraditionalcloudplugfestsfocussingontechnicalinteroperabilityinmachine-to-machinecommunicationusecases,process-levelinteroperability–orcompliance–isoftennotconsidered.Particularly,privacyandsecurityaremoreoftenanafterthoughtinservicedesignandimplementation,despitesecuritybeinganessentialelementofasustainableEuropeancloudmarketplaceinthewidercontextoftheDigitalSingleMarket.18IncontinuationoftheconversationswithstakeholdersateventssuchastheCloudSecuritydeepdiveeventheldatCloudscape2016inBrussels19onequestionnaturallyemerges:Howinteroperable(thatis,equivalent)arecloudservicesregardingprocess-levelstandards?Whiletechnicalinteroperabilityontheserviceintegrationlevelallowssmoothtransitionfromoneprovidertoanother,fromaserviceconsumer’spointofviewbothproviders(theformerandthecurrent)ideallyneedtoprovidethesame,oratleastanequivalentlevelofservice.Inotherwords,thesameserviceprovisionacrossserviceprovidersmaybeensuredbycompliancetothesameprocess-levelstandards.Equivalentservice,ontheotherhandmaybeachievedbycompliancetodifferentyetequivalentprocess-levelstandards.

18 http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1447773803386&uri=CELEX%3A52015DC0192; strategy item 3.4) 19 http://www.cloudscapeseries.eu/

11

OnthisbackgroundCloudWATCH2organisedaCloudInteroperabilityPlugfestonthetopicofcloudsecurity.ThePlugfestwasorganisedattheCloudSecurityAllianceEMEAevent,Madrid,14November.Thevenuewasselectedspecificallytoattractparticipationfromcloudsecurityexperts.FiveECcloudprojectswererepresentedbysixparticipants:CloudWATCH2(alsoascontributor),Witdom,MUSA,CredentialandPrismCloud.OneparticipantwasanindependentconsultantprimarilyvisitingtheCSAEMEAevent,andnotaffiliatedwithanyoftheECfundedcloudprojects.Thescopeofthecloudsecuritybusinesscasesrepresentedbytheprojectsweremanifold:

• e-Walletsystemsande-paymentinfrastructures• Advancedcryptography• Cloudgovernance• ISOandNISTstandards

InordertoobtainagrasponthelevelofoverlapbetweenexpertiseoftheparticipantsandCloudWATCH2'ssurveyconductedforDeliverable3.2‘StructureandInteroperabilityStatus’webrieflylistedanumberofcloudsecuritystandardsandtheirpresenceintheCloudWATCH2survey,andparticipant'sexpertise:Name CloudWATCH2survey WorkshopparticipantsCSAOCF20OpenCertificationFramework X XISO2700021(InformationSecurity) X XNISTSP500-29222(CloudReferenceArchitecture) X XNISTSP800-14423(GuidelinesonSecurityandPrivacyinPublicCloudComputing)

X X

ECRegulation(EU)216/679(GDPR,GeneralDataProtectionRegulation)24

X X

ISO2900025(SystemofInternationalCertification) X XCISSYS-2026(securitycontrols) XASDISM27(informationsecuritymanual) XPCI-DSS28(paymentindustrydatasecurity) - -

Table1:Cross-checkingsecuritystandardsexpertiseItwasimmediatelycleartotheworkshopparticipantsthatthislistisneithercomplete,northatitsufficientlycoversthenumberofsecuritystandardsthatexist.Participantswereabletoaddtothelist,provingtheimportanceofsuchsecuritystandardseventsintermsofpoolingtogethercollectiveknowledgeonthisimportanttopic.Italsobecameapparentveryquicklythatnotallparticipantsknewofallthestandardswhichwerelisted,demonstratingthecomplexanddispersivenatureofsecuritystandardsinthecloud.

3.3.1 Reducingthecomplexity:Howarestandardschosen?However,inrealitytheproblemislesscomplexasthereareanumberofaspectstobeconsideredwhenchoosingasetofstandardstoimplementasfollows:20 https://downloads.cloudsecurityalliance.org/initiatives/ocf/OCF_Vision_Statement_Final.pdf 21 http://www.iso.org/iso/iso27001 22 http://ws680.nist.gov/publication/get_pdf.cfm?pub_id=909505 23 http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf 24 http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.119.01.0001.01.ENG 25 http://www.register-sic.com/iso-29000 26 https://www.cisecurity.org/critical-controls.cfm 27 http://www.asd.gov.au/infosec/index.htm 28 https://www.pcisecuritystandards.org/pci_security/

12

Nationalstandards.ExamplesofnationalsecuritystandardsselectionaretheNISTseriesofstandardsintheUS,GCHQTop10,BSI(Germangovernmentinstituteforsecurityininformationtechnology)andothernationalbodies.Thesearetheprimesourceofsecuritystandardsandbestpracticesindustryistappingforguidance.Internationalstandards.Althoughnotexplicitlymentioned,thedifferentiationbetweennationalandinternationalstandardsselectionseemtofollowthelifelinesofdifferentiationbetweennationalandinternationalbusinessandtraderelationships.Technicalmaturity.Ofcourse,standardsneedtobetechnicallymaturebeforeoneevenconsidersimplementingitsoastolowerthecostofimplementationandadjustmentoverdraftpublicationversions.Industrysupportvs.consumerdemand.Thedynamicsandmechanicsofindustrysupportandconsumerdemandarefrequentlyreciprocal,andconfusingly,alsocorollary.Whileusuallystrongindustrysupportisadriverforfurtheruptakeinapositivelyself-enforcingmanner,itcanalsobereciprocal,dependingonconsumerdemand.Ifconsumerdemandissatisfiedbycurrentsupply,itmaybe*adverse*toalsoimplementastandard.Ontheotherhand,ifconsumerdemandout-pacessupply,orifsupplyisyetlow,itmaybeaveryattractiveopportunitytoimplementastandardasacompetitiveadvantageoverothersupply-sidemarketparticipants.ReputationoftheSDOandSSO.StandardsDevelopmentOrganisations(suchasOASIS,DMTF,SNIA,OGF,andmanyothers)andStandardsSettingOrganisationsbothneedtomaintaintheirreputationforqualityofdelivery:Inthatsense,theredoesindeedexistcompetitionbetweenSDOseventhoughthismaybeunexpectedbythoseoutsidethecommunity.Forexample,theverycontroversialprocessofECMAstandardisingMSOffice'sXMLdocumentformat(intheOOSXMLstructure)wasperceivedasverydamagingtoitsreputation.Complexity&re-use.Complexityofstandardsplaysanimportantroleinselectionandeventuallyinadoption.Increasingscopeofaspecificationintrinsicallyaddstoitscomplexity,ifnotcomplicatedness,whichisveryreducesthepossibilityofitsre-useinotherdomains.Policydeclaration&regulation.Particularlyindysfunctionalmarketsorsegments,orwheresovereigntopicsareathand(e.g.dataprotection,andprivacy),nationalandinternationalpolicyandregulationreplacesselection.

3.3.2 “Implementers'dreamland"Itisclearthatthecloudsecuritylandscapeisstaggeringlycomplicatedandriddenwithobstaclesandhindrances.Togetagraspofthemostpressingneedswecompiledalistofthetop10issuesdevelopershavewiththecurrentcloud(security)landscape:

1) Equivalenceofpolicy-levelstandardsTherearemanystandardsouttherewhichtrytoaddressthesameissue.However,itisunclearwhetheratalltheseareequivalent,oratleastpartiallyequivalent(andwithwhichoverlap?).Dotheyoverlapintheirformalrequirements?Ordotheydivergeinterminology,andsemantics?

13

2) Toomanystandards.Clearly,thesheerdemandforstandardsistoomuch.Standardsthereforeshouldbeconsolidated.Thequestionremainshowtodothis?

3) Costofimplementation.Thecostofimplementationmustnotbeunderestimated,andtheROIonthisisakeydifferentiatorofthesuccessofonestandardovertheother.

4) Limitthescope!Naturally,atightlyscopedstandardwillcausealowercostofimplementation,andviceversa,hencesoftwarefrequentlyincludesonlypartialimplementationsofstandards.

5) Modularityandlevelsofconformance/compliance.Frequently,standardspecificationsaredesignedandwrittenaslargemonolithicbehemoths.Instead,the"architecture"ofstandardsshouldchangeintosmallcoresandoptionalmodulesthatmayormaynotbeimplementedbasedontheactualneedathand.Suchanapproach,however,hasadirectimpactontraditionalassessmentandcertificationofconformancetoastandardwhicharemoreoftenthannotstillbinarydecisions.

6) Standardisationprocessandtiming.Thisproblemisasoldasstandardsare.Thisleadsmanymarketparticipantstobelievethatstandardisationisatbestirrelevant,marketstiflingoratworstkillingthemarket.Timingisanissue,inthatonemustfindtherightpointintime,nottooearly,nottoolate,whentobeginformalstandardisation-andthenitneedstofinishintimetobestillrelevant.Theexactmechanismsarestillunclear.Yet,theoverwhelmingperceptionisthatofstandardisationfromstarttofinish,takestoolong.

7) Stabilityandbackwardscompatibility.Thereareclearlyantagonistforcesatplayinthelifecycleofstandards.Fromtheviewpointofimplementers,stablestandardshaveazerocostofupdate.Yet,standardsneedamendmentstostayrelevantandreflectmarketconditions.Theworstpossiblescenarioforimplementersareentirelynewstandardsthathavenothingtodowiththepreviousversion,maximisingcostofupdatetothecostofacompletelynewimplementation.Therefore,backwardscompatibilitybetweenintermediateversionsofstandardsareanecessitysoastonotinvalidateconformanceorcomplianceofexistingimplementationswithoutreason.

8) Referenceimplementationsandcasestudies/whitepapers.Often,standardsspecificationsaredifficulttoreadandunderstand;theyfrequentlyuseaspecificlanguageandtaxonomyalientothe"uninitiated".Also,theintellectualleapfrogfromformallanguageonpapertolivecodeproducingdata,orproceduresimplementingpolicylevelstandards,representsasteeplearningcurve.Referenceimplementationsandprimers/guidelinesfortechnicalstandards,andwhitepapersandcasestudiesforpolicy-levelstandardslowerthebarrierofimplementationsignificantly.

9) CertificationTheworldofcertificationforconformance/complianceisendlesslyfragmented.Inanattempttomakesenseofit,participantsidentifiedforarchetypicalmodesofcertification/adherencetostandardsonawholespectrumofvariations:a) Voluntaryadherence/codeofconduct(weakest)b) Selfcertification/selfassessment

14

c) 3rdpartyexternalcertificationd) Legislativeregulation(strongest)Particularly(c)risesandfallswiththecertificationauditor'squalificationandconductoftheactualaudit-afterall,externalcertificationpresentsasignificantcostforbusinesses,andthusshouldbereputable,fair,independent,comparableandrepeatable.

3.3.3 AcalltoactionInconclusionoftheworkshop,participantsassembledasuccinctlistofactionsthatshouldbetackledintheshortterm.Whilesomeofthesearealreadywell-known,othersarequitenovelandalmostguaranteeacontroversialdiscussion:

a) AlignmandatorybreachnotificationwithSDO/SSOforcontinuousimprovementsofstandardsThisactionaimsatopeningup,orimproving,thecommunicationchannelbetweenStandardsDevelopmentOrganisationandimplementingbodies.Whileitisfairlyobviousthatnoorganisationlikestoadmittohavingexperiencedsecuritybreaches,outputsandresultsfrompostmortemsneedtobefedbacktoSDOsforfurtherimprovementoftherelevantexistingstandards.Suchafeedbackchannelwouldrequireasecure,saveandtrustingfoundation(likelyincludingNDAs).Ontheotherhand,similarstructuresalreadyexistfortechnicalaspectsofservices(coveredbyProblemManagement,ConfigurationManagement,ReleaseManagementandotherservicemanagementprocedures),whichmightbeadoptedandadaptedaccordingtotheneeds.

b) Referenceimplementations&WhitePapers.Thereisadireneedforreferenceimplementationsfortechnicalstandardswhichshould::

- Comefreeofcapitalexpenditure,- Beavailableinsourcecodeformat(however,whichlanguage?)- Carryanindustry-friendlyopensourcelicense(e.g.Apache2,BSDstyle)

Transposedtoprocess-levelstandards,whitepapersandcasestudiescanprovideimplementerswiththenecessaryjumpstartintheirstrategyonhowtoimplementprocess-levelstandards.

c) Freestandards.Standardsarefrequentlydevelopedwiththesupportofgovernmentexpenditure.AlignedwiththeEC'snewOpenDatapolicyfortheH2020programme,standardsdevelopedwiththefinancialsupportofgovernmentsshouldbefreelyaccessibleatnocost,justasreferenceimplementationsshouldbe(seeabove)

d) Involveacademia.Academiahasbeenlongunderestimatedintheirvalueanddriveofstandards.InordertomaintainrelevanteducationoffuturecapacitiesandleadersintheITindustry,academianeedsaconstantinfluxofrequirements,ideasandtechnologiesthatitcantransformintoeducationoffuturegenerations.Assuch,academicinvolvementinthestandardisationprocessneedstobere-evaluatedandadjustedastheprimecandidatefordevelopmentandmaintenanceofreferenceimplementationsasameansandvehicleforhighereducationonvarioustopicsofcomputerscience.

15

3.4 “Whystandardise?Thebusinesscasefortheadoptionofcloudstandards”–Policyworkshop[New]

ReturningtothemodelofconductingF2Fmeetings,CloudWATCH2organisedapanel-drivenconversationaboutthebusinesscasefortheadoptionofcloudstandards(andstandardsatlarge)attheCloudWATCH2summit201729,whichatthesametimemarkedtheproject’sfinaleventon19/20September2017.Settingthescenewithashortenedversion12oftheoriginalpresentationgivenattheEIT-Ditigal“InternationalIndustry-AcademiaWorkshoponCloudReliabilityandResilience”30,thepanelfeaturedrenownexpertsinthefieldofstandardisationcrossingtheareasofacademia,publicauthorities,andopensource:

• WolfgangZiegler,SCAI,OGFandStandICT.eu• CedricThomas,OW2• ArthurvanderWees,Arthur’sLegal• BrunoChenard,CEN/CENELEC

Theexpertsprovidedthefollowinginputregardingthestandardisationprocess:

1. Balancingstandards&thefreedomtoinnovate-Howdowefindtherightbalancebetweenstandardisationandthefreedomtoinnovate?

a. Innovationcomesfirst.Thisnormallyonlyoccurswherethereisnoopensourcetoolorservicealreadyavailable.Theinnovationthenbecomeswidespread(ordiesout)andbecomesaproduct(s)orservice(s).ItisatthispointthatstandardisationtendstoemergetogetherwithOpenSourcesolutions.

b. Thiscyclecloselyresonateswiththebusinessinnovationcycle(seeslidesforfinalevent,slide24),andSimonWardley’s“Climaticpattern:Peace,WarandWonder”31

2. Standardisationprocess&timing–Whatistherightprocesstofollowindevelopingstandards?

Andwhenisittimetobeginthestandardisationprocess?a. Thereisnosingleonerightprocess;itentirelydependsonthecontext(public

domain/international,orcommercial).b. Standardiseassoonaspossiblevs.standardiselateinthemarket:Fast-movingmarkets

meanthatindustrypushesaheadwithnewdeploymentsthatarenotinteroperable(i.e.thefreedomtoinnovate).Buildingastrongnetworkiskeyforconsensus,whichisprerequisiteforsuccessfulstandardisationtocakeplace,butthistakesalongtime.Consensusbuilding–throughinfluencers–earlyinthemarketasameanstobuildthefoundationsforformalstandardisationmeansthatwecanhelpacceleratetheprocessanddrivethemarket.

3. SMEsvs.Corporates–Whataretheadvantagesanddisadvantagesofhavingstandardsincloud

computing?Arethoseadvantagesanddisadvantagesdifferentforalargecompanycomparedtoastartup?Ifso,whoseinterestsshouldbeprioritised?

a. Standardspenetrationratesinindustryareappallinglylowbutthereisnoclearreasonwhy.Doweneedtore-fitthewayhowstandardsaredeveloped,published,anddefined?Oristhislinkedtotheinertiaofchangeoftenseeninorganisationslargeandsmall?

29 http://www.cloudwatchhub.eu/summit17 30 https://www.eitdigital.eu/news-events/events/article/international-industry-academia-workshop-on-cloud-reliability-and-resilience/ 31 Wardley Mapping, https://medium.com/wardleymaps/, chapter 9

16

b. Isthereacorrelationbetweenthecostofswitchinginnon-standardisedecosystemsandthecostofimplementation(or,forpolicy/processstandards,compliance)thatgovernswhetherandatwhichratestandardsareadopted?

Recommendations:

A. Standardsareuseful,butcannotbeseenasthebrokerforprogress.Theyarecloselyrelatedtoinnovation,andtogetherformaperpetuatingcycleofinnovationandstandardisationthatfollowineachother’sfootsteps.

B. Wearealsofacingnewchallengesasthelandscapebecomesmorecomplexwiththedigitisationofindustry,bringingindifferentculturesanddifferentspeeds.Earlyroundtablescanfacilitateconsensusbuildingaspartofthelong-term,voluntaryefforts,whichencouragecollaborationforstandardisation.

C. Thereisnosinglecorrectwayofhowstandardsdeveloporemerge.Standardscoverboththetechnicaldomain,andthepolicydomainbeingcloselyrelatedtoregulationandlaw–highlysimilarinprocesshowbothtypesofstandardsemergeandtheninitiallydevelop.

D. Fromemergencethough,technicalstandardsandpolicystandardswillthentakedifferentroutesastheyaregenerallytryingtoattainslightlydifferentgoals:Technicalstandardsaimtosimplifyandallowhigherlevelfunctionalitytobecomethedifferentiator,whereaspolicystandardsareaimingforsimpleunification.

3.5 Supplementarycloudinteroperabilityeventsandactivities[New]

TheCloudWATCH2alsoengagedaboveandbeyondthatinanumberofotherinteroperabilityrelatedactivitiesasfollows.

3.5.1 Virtualplugfest1:TryingalternativeinteroperabilityeventmodelsTheCloudWatch2projectplannedthefirstvirtualinteroperabilityplugfestforFebruary201732.Whileeventregistrations(25participants)indicatedabusyandproductivemeeting,actualattendancewasdisappointinglylow:Onlyfourparticipantsjoinedtheevent,whichwasopenforparticipationallday(toaccommodateinternationalattendanceacrossawidespanoftimezones).Outofthese,threeparticipantsdidinfactjointheplugfesteventtolearnabouttheindicatedtopic,nottoactuallytesttheirexistingimplementationsagainstthoseofotherparticipants.

3.5.2 Virtualplugfest2:TryingagainCludWATCH2scheduledasecondvirtualplugfestconjoinedwithaphysicalco-locationattheClujInnovationDays2017eventinCluj,RomaniainMarch201733.However,thissecondvirtualplugfestwascancelledduetolackofparticipation.InsteadattendanceatthiseventwasusedtopromotethestandardsandpolicyworkwithinCloudWATCH2.Thisdisappointingresultledtothefundamentalassessmentofthesituationandsubsequentadjustmentoftheprojectstrategywithregardstotechnicalinteroperabilitytestingasdescribedindetailinsection2above.

32 http://www.cloudwatchhub.eu/cloudwatch2-virtual-interoperability-plugfest 33 http://www.cloudwatchhub.eu/register-now-our-virtual-interoperability-plugfest-march-17-2017

17

3.5.3 CloudstandardsdisseminationandeducationatexternallyorganisedeventsAsdecided,theCloudWATCH2projectengagedinanumberofeventstopromote,andeducateonstandardsandstandardisationinthecloudservicesectorinEurope:

3.5.3.1 InternationalIndustry-AcademiaWorkshoponCloudReliabilityandResilience7-8November2017,Berlin,GermanyEIT-Digital,togetherwithHuaweiGermany,organisedthiseventtobringtogetherleadershipinindustryandacademiatodiscusshowcloudreliabilityandresiliencecanbeimplementedtoaddressthestilleminentproblemofserviceoutages.CloudWATCH2’spresentationfocussedontheraisingawarenessofthekeyrolethatstandardsplayincloudcomputing.Sincestandardscanhelpavoidingvendorlock-in,andsupportapplicationportabilityacrossvendors,customersofstandardssupportingcloudvendorswouldbeempoweredtoimplementtheirownapplication’sresilienceandreliability–throughactivelyincludingstandardsintheirservicearchitecture.Arguablyasomewhatexoticstanceamongthecontributorsanaudience,thepresentation11nonethelesswasreceivedwithinterest,andsparkedanengageddiscussionafterwards.

3.5.3.2 ECworkshoptopromotepracticalcollaborationbetweentheCloudOpenSourceandStandardisation

17January2017,EC,Brussels,BelgiumInteroperabilitybetweenthedifferentcommercialCloudplatformsandalsotheinteroperabilitywithopensourcebasedapproachesislackinginseveraldimensions,e.g.,portabilityofCloudservices,VMformats,accesscontrol,dataprotectionandrightsmanagement,hinderingmovingbetweendifferentprovidersandmakingmulti-Cloudenvironmentsdifficulttorealise.Theworkshop34focussedonidentifyingsimilaritiesanddifferencesinstandardisationandopensourceprocessesandwaystobringthetwocommunitiestogether.ItalsotriedtoidentifywhichOpenSourcetechnologiesintheareaofCloudcouldbestandardised.Finally,asetofpracticalstepstheCommissioncouldtake-ascustomer,facilitator,incubatorforR&Dandpolicymaker-topromotefurthercollaborationandintegrationbetweenCloudopensourceandstandardisationwereproposed.HowOSScommunities&SDOshavebeencollaboratinghasevolvedwithbothcommunitiesoftenmadeupofthesamepeople,butdifferentculturesexistingwithSSOsfollowingstrictguidelinesinestablishingstandardsandOScommunityalotfreerfromthis.AstheOScommunitygrowsthough,thereisaneedformorestandardsinOSandagreaterhighlightingofthebenefitsofstandardsintheOScommunity.Futurecollaborationiskeyintermsofincreasingtrustincloudcomputingwhichstandardsbringandalsotosupportprocurementofcloudcomputing.TheroleoftheEuropeanCommissionissignificantascustomer,facilitator,R&Dincubatorandpolicymaker.CloudWATCHreportedtotheworkshopthechallengesithadfacedinencouragingECprojectstoparticipatetostandardstestingactivitiesandthedifficultythatprojectshaveintermsofcontributingtostandardisationdevelopmentoncefundingfortheirprojecthasceased.

3.5.3.3 1stMeetingofC-SIG’sWorkingGrouponCloudStandards18January2017,EC,Brussels,BelgiumThisforward-lookingevent35focusedontheroletheC-SIGmayplayinthefutureinaddressingtheEC’scommunicationon"ICTStandardisationPrioritiesfortheDigitalSingleMarket"(April2016).For

34 http://www.cloudwatchhub.eu/workshop-promote-practical-collaboration-between-cloud-open-source-and-standardisation-17th-january 35 http://www.cloudwatchhub.eu/1st-meeting-c-sig%E2%80%99s-working-group-cloud-standards-18th-january-2017-brussels

18

CLoudWATCH,CSAandUOXFparticipatedaspanellistsfurtherdisseminatingtheresultsofitsworkinstandardsandinteroperability(bothtechnicalconformanceandpolicycompliance).36Atthismeeting,throughthepaneldiscussions,thefirstthoughtsontakingadifferentapproachtotheprocessofstandardisationofITemerged,whicheventuallyledtotherecommendationofconsidering“standardisationascode”(seesection5,recommendationIV).

3.5.3.4 FirstplenarymeetingofCloudSelectIndustryGroup15Feb2017,Brussels,BelgiumCloudWATCH2ledasessiononmappingcloudstandardsanduserguides,andparticipatedinadiscussionpanel37.Also,CloudWATCHwasprominentlyfeaturedinthetalkgivenbyMr.LuisC.BusquetsPérezregardingnewandfollow-upworkstreamsregardingcloudcomputingpolicywork38ThissessionsawapresentationbyCloudWATCH2onstandardsmapping(T3.1),standardsplugfesttesting(T3.2)andtheimportanceofuserguidelinesforsupportingtheadoptionofcloudstandards.Themainfindingsofthesurveyonthetake-upofcloudinteroperability&securitystandardswerethatthereisalackofstandardsrelatedtocontainers(OCP),intoomanycasesunfortunately,privacyandsecurityisanafterthoughtinthedesignprocessandtheR&IprojectstheyhaveanalysedweremainlyfocussedoninteroperabilitystandardswithfewofthemcontributingtostandardisationprocesssuchasOASIS’TOSCA.CloudWATCH2alsopresentedanoverviewoftheexistingcloudstandardsineverylayerandproject’sfutureplantoprovideastatusreportonSecurityandInteroperabilitystandardsanddisseminatingcloudstandardsrelatedinformationthroughwww.cloudwatchhub.eu.ClujInnovationDays201730-31March2017,Cluj,RomaniaOurparticipationinthisevent39wasintwoparts.FirstlyProfDavidWallomgaveakeynotepresentationontheimportanceofsecurityinthecloudandhownewdevelopmentsongoingtobringanintersectionofcloudcomputingandtrustedcomputing.Thiswillenablecloudcomputingconsumerstonolongerhavetohavetotaltrustinthecloudproviderssecuritymodel,staffvettingproceduresandtechnicalcybersecuritymeasures.FollowingthiswethenledaworkshopasadeepdiveeventonEuropeanICTregulationandcloudcomputingentitled“WhatcanbetheimpactofEuropeanscaleregulationoncloudcomputingsecurity?”withpanellists;

• Marius-LeonardMotofei-Radu,UPCRomania• TudorDamian,Avaelgo• GeluVac,Crossover,• RaduStefan,MicrosoftRomania

Followingbriefpresentationsfromthepanelistsarecapwasgivenovereithersoontobeintroducedornewregulationsofimportance.TheseincludeGPDR,NISandeIDAS.Thequestionsaskedofpanelistsduringtheeventwere;

1. BestPractice:RiskManagementofcloudcomputingserviceso WhatistheroleofeIdentification,authenticationandtrustservicesundertheeIDAS

Regulationforaccessingandprovisioningcloudservices?o HowdocloudservicecustomersdecidebetweenPublicvsPrivateCloudservices?

2. Transparency:IncidentNotificationandInformationSharingforcloudcomputingserviceso Howcansuppliersdemonstratecompliancethroughoutthesupplychain?

36 http://www.cloudwatchhub.eu/sites/default/files/CloudWatch2_C-SIG_vFinal.pdf 37 http://www.cloudwatchhub.eu/first-plenary-meeting-cloud-select-industry-group-15-feb-2017 38 http://ec.europa.eu/newsroom/document.cfm?doc_id=42968 39 http://www.cloudwatchhub.eu/looking-forward-cluj-innovation-days-2017

19

o Howcouldwestrengthencooperationbetweenindustryandthepublicsectortobuildtrustincloud-basedservices?”

3. Recognition:CloudCertificationSchemes&AssuranceLevelso Howcouldweraiseawarenessofcloudsecuritythatalreadymeetsthehighest

requirementsintermsofcybersecurity?o Howcancertificationbemadeaccessibleforallcloudserviceproviders,includingSMEs?o Whatcouldbethemosteffectivemethodtoenablestandardisationagreementsormutual

recognitionofdistinctornationalcloudcertificationschemesacrosstheDigitalSingleMarket?

4. ImpactFactors:ServiceAuthentication,LawEnforcementAccess,andExportControlsoncloudservices

o WhatapproachesarenecessaryforcloudcomputingservicestosupporttheDigitalSingleMarketinrelationtoserviceauthentication,encryption,lawenforcementaccess,orexportcontrols?

o Whatserviceauthenticationpossibilitiesaremadeavailableandrecognisedacrossbordersbycloudserviceproviderstoensureasecurewayofprocessingdata?

Theprovidersand‘resellersofcloudservicesareobviouslywellversedinboththenewregulationsandtheneed to ensure that they fully understand how thesewill affect customers that are using services theyprovide. Of the consumers they all suggest that there must be great scope for support to ensure thatcomplianceisseenasagoodthingratherthanjustsomethingthatconsumerswillbepunishedfor.Thechairalsoquestionshowthepanelsawthescopeforwhowouldbetheactorinteractingwiththeregulatorybodiestowhich itwas clear thatoverall itwas felt that though cloudproviders areengagedand committed tosupportingtheseregulationstheyarecurrentlynotworkingcloselywiththeircustomerstoensurethattheywillbecompliant.Fromthepointofviewofcomplianceitwasfeltbythepanelthoughthattherewouldneedtobepublicvisibilityofcertificationandcompliancewiththeseschemesotherwisethereisalwaystheproblemofpossiblelipservicebeingpaidtoregulationwithouttheworkdoneinspiritwhichisalsorequired.WithinthiseventwewereabletoshowcasesomeoftheoutputsofCloudWATCH2anddisseminatedmaterialcreatedonthelegalguidanceforcloudcomputingtoalldelegatedthroughtheeventdocumentationpacks.

3.5.3.5 DataProtection,SecurityandPrivacy(DPSP)ClustermeetingatNetFutures2017

29June2017,OrganisedbacktobackwiththeNetFutures2017conferenceandtheConcertationmeeting(organisedbyTask2.2;seealsodeliverableD2.3)thismeetingmainlyfocusedontheproceedingsofprojectswithinthecluster.CloudWATCHpartnersCSAandUOXFpresentedtheprogresstheprojectmadeintheirworkonmappingcloudsecuritystandards(CSA,Task3.1;deliverable3.6)andcloudstandardsinteroperabilitywork(Task3.2,UOXF).TheprojectsummarisedtheresultsandoutcomesoftheCloudSecurityStandardsInteroperabilityworkshop(seesection3.3).Whilethefirstcalltoaction(mandatorybreachnotification)wasdiscussedwithsomecontention,theremainingthreecallstoactionwereunanimouslyagreedupon:

• Referenceimplementations&whitepapers(closerelationshipwithacademiaandOSS)• Free[andopen]standards(toreduceaccessandparticipationbarriersforSMEs)• Involveacademia(e.g.asthelong-termstewardofastandardand/orreferenceimplementations)

20

4 ConclusionsIntheircurrentstate,CloudInteroperabilityPlugfestsarefacingseriouschallengesforrelevance.TheCloudPlugfestInitiative,withwhomCloudWATCH2collaborates,doesnotcollectuserinteractionstatisticsbeyondMailchimp’sfreesubscriptionoptions,particularlyregulareventregistrationandparticipationisnotcohesivelycollected.Henceahistoricanalysisandtrajectoryextrapolationforthefutureisnotpossible.Thismakesitdifficulttomeasurethesuccessofthemeetings,letalonemeasuringtheimpactofplugfestsassuch, even though CloudWATCH2 did collect participation information for the three testing events itorganised(ofwhichthefirsthadtobecancelled,seeabove).Itisquestionablewhetherthecurrentplugfestformatisstillrelevant.Whileparticipationlevelsbetweenthesecondandthethirdplugfestarenegligible,the starkdifferenceof the respectiveoutcomes is very sobering in termsofassessing the successof thetraditionalplugfestwithhighparticipationinitsheydayscomparedtocontemporaryevents.While,forexample,CloudPlugfest10,co-locatedwiththeEGITechnicalConference2013inMadrid40featuredthreedaysofworkshopsandactualtestingpackedwithattendeesbetween30and50onanyofthethreedays,recentplugfestsfacedparticipationlevelsoflessthan10ateachevent.Thereasonsbehindthisobservationarenotconclusive,yetseveralconjecturesserveasplausibleexplanations.Conjecture1:Activedevelopmentvs.maintenance.Lookingatthemerechronologyofevents,CloudPlugfest10tookplaceinautumn2013,andmorerecentplugfestsoverthecourseof2016.StandardssuchasOCCIandCDMI,representingtechnicalcloudinterfaces,wererelativelynew(OCCI1.1waspublishedin2011),andimplementationswererareandinanimmaturestate.Fast-forwardthreeyears,andpresumingcontinuousinterestanddemandinstandards-basedimplementations,onewouldexpectimplementationstomatureinthattime,alongsidewithmaturingandnear-perfectstandardimplementationandinteroperability.Naturally,theneedofinteroperabilitytestingandimplementationguidanceofdevelopersin2013willhavesubsidedin2016,explainingthedeclineinparticipationtoevents.Conjecture2:Correlationofeventparticipationwithprojectfunding.FromaEuropeanperspective,theheydaysofcloudplugfestscorrelatedwiththefundingofthreemajorprojectsaspartoftheECFP7programmelastingfrom2007to2013,withprojectsrunningwellinto2016.Thesethreemajorprojectswere:

• EGI-Inspire, May10–Dec14, 70M€, 25M€ECPF7contribution• EMI, May10–Apr13, 24.9M€ 12M€ECFP7contribution• IGE, Oct10–Apr13, 3.6M€ 2.3M€ECPF7contribution

AllthreeprojectstogethercomprisedinvolvementofnearlyallEUmembercountries,includingNorwayandSwitzerland,inparticulartheEGI-InSPIREprojectcoveredalmostallmembercountries.

40 https://sites.google.com/a/cloudplugfest.org/welcome/events/past-plugfest-agendas/cloud-interoperability-week

21

AllthreeprojectsreceivedsignificantfundingfromtheEC(35%,48%and63%findingforEGI-InSPIRE,EMIandIGE,respectively)continuingtheEGEEseriesofprojectsfundedbytheECintheyearsbefore.WithEGI-InSPIREinitiatingthecloud-relatedactivitiesinthisecosysteminSeptember2011asafederationofcloudinfrastructure–theEGIFederatedCloud41–basedonstandardisedinterfacessuchasOCCI,CDMI,OVF,GLUE,UsageRecordsandothers,activitiesinstandardsconformanceandinteroperabilitytestingintheacademiccloudlandscapeinEuropesharplyincreased,impactingancillaryprojectssuchasOpenNebula42,GRNET’sOkeanosproject43,andmanymorewithconnectionsandcollaborationsintheEGIcommunity.Correlatingavailablesparsehistoricinformationwiththeruntimeandfundingoftheprojectsmentionedabove,thesecondhalfoftheEGI-InSPIREprojectseeingtheEGIFederatedCloudinitiativerampingup,particularlycorrelateswiththemostsuccessfulandmostvisitedCloudPlugfests.Thisleadstoapossibleconjecture:ParticipantsattendedCloudInteroperabilityPlugfestssimplybecauseECprojectfundingwasavailabletocoverthecosts.Withoutfunding,attendancemighthavebeenconsideredoflowerimportance.Conjecture3:Lackofincentivesforserviceproviderstoimplementstandards.Industryoperatesonafairlysimplecondition:Spendaslittlemoneyforasmuchrevenueaspossible.Althoughsimplified,thisserveswellinexplainingsomeoftheunderlyingmechanismsofthisconjecture.Ifexistingservicesgeneraterevenueoverandabovethecostofsales(costofsupplyincaseofproducts)thenthisrepresentsanappropriateresponsetoanexistingdemand,inarelativelystableequilibrium.Insuchascenario,decidingtosignoffanexpensetoimplementaparticularstandardwithoutthedemandsideexpressingthisneedrepresentsahighlyspeculativecostthatisdifficulttojustify,unlessitisastandardbeingimplementedinternallyinordertoimprovecostofsupplyandthereforeincreasetheorganisation’sprofitmargin.Thisscenariocanbeobservedtimeandagain,andindustrystandardsandbestpracticesforserviceoperationsandimplementationemergeasadirectcorollaryofthis.AsexpressedbySebastianKirschofGoogleZurich,attheInternationalIndustry-AcademiaWorkshoponCloudReliabilityandResilience44hostedbyEITDigitalandHuaweiEurope,asarecollectionfrommemory,“Standardise,standardise,standardise!”.WhatSebastianmeant,however,wasnottheaimtostandardiseonthepublicinterfacelevel,butinternally,toimprovereliabilityandresilience,andthuslowerthecostofserviceintermsofserviceincidents,outages,andsoftwareerrors.Alternatively,ascenarioincludingarisingdemandofstandardisationattheserviceinterfacelevelmaysupportserviceprovidersinjustifyingtheexpensesofimplementingpreviouslydisregardedstandardsintwoways,(a)throughdirectsponsoringofimplementationinaprojectfundingmanner,or(b)asathreatandweaknessoftheirownoffercomparedtoothersinthecompetition.Whilealternative(a)isquitestraight-forwardintermsofcost-benefitanalysis(vulgo:“Paymetoimplementthestandard!”)inacustomisedsoftwareservicesbusinessmodel,alternative(b)activatescompetitionmechanicsinthatanorganisationmayconsiderrisingdemandofstandardsimplementationsinaSWOTanalysisasaweakness(“Demandrequiressupportofstandards,whichourproductsdonotprovide”)onthetechnicallevel,andasathreattobusinesssustainability(“Ourserviceswouldbeoutcompeted,thereforeourrevenueoftheservicesmaydiminish.”)onthefinanciallevel.

41 https://wiki.egi.eu/wiki/EGI_Federated_Cloud 42 https://opennebula.org/ 43 https://okeanos.grnet.gr/home/ 44 http://www.eitdigital.eu/news-events/events/article/international-industry-academia-workshop-on-cloud-reliability-and-resilience/

22

Inthiscontext,analmost30yearsoldcourtrulingregardingpolicylevelstandardsimplementationfrom198845illustratestheproblemquitewell:Inessence,thecourtruledthataprocurercannotexcludeatendererfromtheselectionprocesstowardsaninvitationtonegotiate,iftheyofferasolutionoraservicebasedonastandardthatprovidesanequivalentoutputcomparedtoacompetingstandard.Whilethisdocumentdoesnotprovidealegalanalysis,theimpacthaswidelyimpactedprocuringprocesses,sincethisrulingeffectivelyopensadoorfororganisationstodemandcompensationforbeingnotselectedinaprocurementprocesswheretheycanprovideevidencethattheselectionprocessfavouredonestandardovertheother.Aprobablyunwantedcorollarytothisrulingistheeffectivelynon-existenceofclausesmandatingthesupportforacertainstandard(orasetthereof),andtheirreplacementofclausessuchas“orequivalent”),whereequivalenceisleftundefinedorto“commonunderstanding”.Theoverallimpactisthatwiththeabsenceofdemandofstandardsinprocurementprocedures,weseelittleincentivefororganisationstoimplementandrolloutstandards-basedservicesandproducts.Conjecture4:ECprojectshaveanintrinsicallydifferentperceptionofsecurity.ISO27001etc.areconsideredanindustrybaselinesetofstandards.46However,ECprojectsseemtobeconsideredanincubatoroftechnicalinnovationandthereforefocusontechnicalmaturityoftheiroutputs.47Perhapscorrelatingwithconjecture3above,ECprojectsthusseemtooperateonthepresumptionofnothavingtointegratecustomerdemandandcustomerorientation(i.e.marketreadiness)intotheirprojectplansandactivities:WhileH2020ResearchandInnovationtypeprojectproposalsarewrittenwithcustomerdemandandneedinmind,theseseembeinginsufficientlysubjectedtoprojectoutputsandresultsassuch.Conjecture5:Thecadenceofinnovation,particularlydisruptiveinnovation,mayhavebecometoofast.ReferringbacktotheWardleyMappingmethodology,especiallythecycleof“Peace,War,andWonder”(seeabove),inintrinsicpropertyofthiscycle–andthecycleofinnovationandstandardisation–istime:Itrequirestimetoletinnovationssettleinandturnintoproducts(orservices),andfinallycommodities(orutilities).Butwhatifthefrequencyofinnovation,especiallydisruptiveinnovationbecomestoohigh,cuttingdeeplyintothetimenecessaryforinnovationstomatureandsetthesceneforstandardisationtooccur?Signalsthatthatmightbethecasearethere,forexample:

• ThebusinessmodelsandbusinessstrategiesofUber,AirBnB,FacebookandGoogleareunderseriousscrutinyorthreat,withthelatestexampleofUber’slicensetooperateinLondonbeingrevoked48

• Thesecompaniesareincreasinglyconsiderednotastechcompaniesbutascompanieswithaclassicbusinessmodelthatjusthappenstoaggressivelyusetechnology–but“dodging”thepertainingsector’sregulations:Uberinthesectorofhailridingservices,AirBnBinthesectorofhospitality,GoogleandFacebookinthenews&mediapublishingsector.

Large-scaleITtechfirmleadersbegintoatleastthinkaboutthepaceofchange,thepaceofinnovationanditsimpactonsociety49.

45 45/87 Commission vs Ireland ('Dundalk') [1988] ECR 4929 46 https://resilience.enisa.europa.eu/cloud-security-and-resilience/Cloudstandards.pdf 47 As further described in CloudWATCH2 deliverable D2.2 Mapping of EU cloud services, solutions technological readiness 48 https://www.theguardian.com/technology/2017/sep/22/uber-licence-transport-for-london-tfl 49 https://www.theguardian.com/technology/2017/oct/07/google-boss-sundar-pichai-tax-gender-equality-data-protection-jemima-kiss

23

5 FinalrecommendationsThisdeliverable,D3.7concludestheworkperformedintheCloudWatch2projectrelatingtosupportingstandardsintheEuropeanICTlandscape.WithinWP3theprojectexperiencedasituationwheretheproposal(withallitsintentionsandcommitments)facesrealitymorethanhalfayearlater.Whilethissituationisusuallynotmuchofaproblem,theICTsectorandespeciallythecloudcomputingsegmentarefacedwithanunprecedentedlevelandfrequencyofdisruptionandchange:a6-monthperiodisconsideredavery,verylongtimespaninwhichanythingcanhappen.WhilestandardsinteroperabilitytestingwasasuccessfulactivityinthefirstCloudWATCHproject,itseemedprudenttobuildonthatsuccessandcontinuewiththisactivity–onlytorealisethatallofasuddenattendanceattheseeventsplummeted.CloudWATCH2wasforcedtoreact,sowedecidedtotakeadifferentapproachasoutlinedinthisdocument.Webelievethatthedecisionwetookwastherightone,giventheoutcomesoftheactivitieshighlightedinthisdocument.Givenwhatweexperienced,wefeelweareinthepositiontosummariseandrecommendthefollowingactionsforfutureprojectsandpolicymakersalike:

I. AddressdifferentvaluepropositionsofstandardsindifferentsectorsLookingatthecommercial,public,andacademicsectors,webelievethatwhilestandardsarebeneficialforanysector,thereasonsareactuallydifferent,becauseofdifferentneeds,differentobstaclesanddifferentsectormechanics.Wethinkthatinthepast,thevaluepropositionforstandardsinICTwerenotsufficientlydifferentiated.Asaresult,marketstakeholdersandinfluencersbecamedisenfranchised,andevenadversetotheideaofstandardisation.

II. Differentmeaningsoftheterm“standard”meandifferentapproachesTherearedifferentsemanticsattachedtotheterm“standard”.Whileinessenceaddressingthesametopicofrepeatability,internalstandardisation(i.ewithinacompany,ororganisation)ismucheasiertoaddressthaninter-organisationalstandardisation.Whiletheformeristypicallyapassive,emergingactivity(anevolutionaryprocess),thelattertendstobeseenandexperiencedasamanaged/controlledortop-downactivity–perceivedasinconflictwiththefreedomofchoiceanddecisioninthecommercialmarket.

III. Offerhelpandsupportforthe“unloved”elementsofstandardisation

Asrepeatedlypointedoutinthisdocument,standardisationonthetechnicallevelacrossorganisationstendstoemergeasasuccessfulcontenderinasomewhatevolutionaryprocess.Theoutputsofthisprocessare,intheICTworld,piecesofcode,thatmanifestinteroperability.Thisiswhatprovidesvaluetocommercialorganisations–asopposedtotheformaldocumentationofthestandard,whichisperceivedas“deadwood”effortcompaniesseeasunnecessaryexpensewithoutvalue.Oneapproachtothatsolutionmaybetoeitherfinanciallysupportexpertstobepresentintheformalstandardisationprocess.TheStandICT50projectsisagoodexampleforsuchanapproachprovidingacontinuousopencalltosupportEuropeanstandardsexpertsincontributingtothestandardsprocessinthefivepillarsoftheDigitalSingleMarket:cloudcomputing,5G,datascience,cybersecurityandIoT.

50 http://standict.eu/ funded under H2020: 01/01/2018 – 31/12/2020

24

IV. Considera“standardsascode”approach

WiththerecentemergenceofDevOpsand“infrastructureascode”conceptstoliterallysubjectasmuchaspossiblenotonlysoftwaresourcecode,butalsoinfrastructureconfiguration,andevendeploymentinformationtoautomationandversioncontrol;itisviabletoapplythesametotechnicalstandardsintheICTindustry.Insteadofforcingsoftwaredeveloperstobreakthebarrieroftheirmediumandtolearntheformallanguageofstandardisation(thisisfromexperienceliterallyaneducationtask!),takethetechnicalstandardstothesoftwaredevelopersintheirownlanguage:Encodeandexpressstandardsnotinhumanlanguageandsemantics,butinSWengineeringlanguagesandtoolsthatareusedinSWengineeringtoolingchains.

V. Donotengageinformalstandardisationtooearly–ortoolate–inthemarket.

Marketsinevitablymature:Theymatureintermsofsize,numberofparticipants,numberofservicesprovided,andoperationalbestpractices.Somemarketsbecomesowidespreadandubiquitous,thattheproductsandservicesprovidedareincreasinglyperceivedasutilitiesorcommodities,respectively.Marketsinthatstagetypicallyexposeareducedlevelofinnovation,arehighlyautomatedandexchangelargevolumeswithsmallmargins.Maturemarketsarestable.However,ahighdegreeinautomationandsmallprofitmarginsbothrepresentobstaclesforstandardstopenetratesuchmarkets:thecostofchangeistoohigh.Instead,carefullyanalysewhichmarkets(orwhichifitssegments)areonthevergeofbecomingutilities/commodities,andengageinstandardisationatthatpointintime.Inouropinion,thecloudcomputingmarketatlargeisfarfrombeingcommoditised,withtheexceptionofpartsoftheIaaSmarketrelatedtocomputeandstorageresources.Whilethecloudcomputeandstoragesegmentisindeedatthevergeofbecomingcommoditised(somestakeholdersconsideritalreadycommoditised),weseethemarketatthebrinkofbeingdysfunctionalwithtoomuchinfluenceconcentratedonfewlargehyper-scaleproviders.

25

26

7 Appendix1:QuestionsforthefinalPlugfestpanelThefollowingquestionsweremadeavailabletothepanelfordiscussion:

1. Balancingstandards&innovation–Howdowefindtherightbalancebetweenstandardisationandfreedomtoinnovate?

2. Standardisationprocess&timing–Whatistherightprocesstofollowindevelopingstandards?Andwhenisittimetobeginthestandardisationprocess?

3. Standards:SMEsvs.Corporates–Whataretheadvantagesanddisadvantagesofhavingstandardsin cloud computing? Are those advantages and disadvantages different for a large companycomparedtoastartup?Ifso,whoseinterestsshouldbeprioritised?

4. Standards for cloud, IoT, 5G – Comparing IoT, 5G and cloud, what are the differences in thesegments,andhowdotheyimpactstandardisation?

5. Securitystandards&certification–Howdoyouseesecuritystandardsandcertificationsbuildingconfidencefromthepointofviewofconsumers?Doyouseecertificationasawaythattrustcanbebuiltinproviders?Whatrequirementisthereonathirdpartyverificationactivity?

6. OpenSource&(Open)Standards–HowdoyouseetherelationbetweenOpenSourceandStandards,mutuallycontradictoryormutuallybeneficial?Doyouconsideropennessofstandardsrelevantforbroaderadoptionandincreasedimpact?

7. Benefitsofcloudstandards–Whatdoyouseeasthebiggestbenefitsofhavingstandardsfor

cloudcomputing?

8. Cloudstandardstopics–Whenwetalkaboutstandardsincloudcomputing,whatsortofthingsarewetalkingaboutstandardising?

9. Standardsvs.certification–Canyoudescribehowyouseethedifferencebetweenstandardsandcertification?

10. Standards in procurements – At what point in the procurement lifecycle would you consider itimportanttothinkaboutstandards?