Cloud Computing Needs Standards
Cloud computing is the latest phenomenon in the IT world. However, the emergence of standards is a sign of market maturity, and it can be a big mistake to commit to products from a market that is not mature. That’s why everyone is asking, “When will we see some cloud standards?”
Unfortunately, there’s no simple answer.
The protocol, data format and program-interface standards for using cloud services are mostly in place, which is why the market has been able to grow so fast. But standards for configuration and management of cloud services are not here yet. What’s more, the crucial contextual standards for practices, methods and conceptual frameworks are still evolving.
Cloud computing will not reach its full potential until the management and contextual standards are fully developed and stable. In the meantime, there will be pitfalls, so buyers of cloud services should beware.
Cloud standards start with TCP/IP. Internet standards were probably the biggest market enablers of all time, even before the cloud markets of infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) were added to the voice and data communication services they already supported.
On top of TCP/IP, the cloud uses established standard Web and Web Service data formats and protocols. The programming interface standards on which Cloud PaaS offerings are based are equally well-established. They include the single-vendor .NET standards and multivendor standards such as Unix, Linux, Java and SQL.
This means that companies can use cloud services—and make those services available to their customers—secure in the knowledge that they and their customers can use off-the-shelf products without being locked into a particular cloud vendor by proprietary interfaces. Then this essential precondition for market growth is fulfilled.
Configuration and Management
When it comes to configuration and management, the lack of effective, widely accepted standards is beginning to be felt. Resource and configuration management can vary substantially between cloud suppliers, even for IaaS.
This may not seem particularly important but, with a typical pay-per-use model, fine-tuning can make a big difference in your monthly bill. While it is unlikely that standards can make it possible for an enterprise to have a single management regime for all its cloud suppliers, it will make it easier to move from one supplier to another.
There are several industry bodies working on cloud configuration and management standards, including the Distributed Management Task Force (www.dmtf.org), the Open Grid Forum (www.ogf.org) and the Storage Networking Industry Association (www.snia.org).
Contextual Cloud Standards
The lack of contextual standards is the biggest problem for the cloud. There are as yet no widely accepted frameworks to assist the integration of cloud services into enterprise architectures, to support the transfer of information between different clouds, or to enable swift procurement and contract negotiation.
This is not necessarily a bad thing: A period of experimentation with different practices is needed so that the best ones can be identified. But, during this period, cloud users must put significant effort into deciding how to proceed, and they should be prepared to make changes in light of their experiences and the experiences of others.
The first area in which most users will start to worry is the legal one. For example, if an on-line retailer stores customers’ information in the cloud, can the cloud provider sell that data if the retailer fails to pay its service charges? If so, where does that leave the retailer and its customers? This is an important part of the context for cloud computing standards.
Steve McDonald, general counsel at the Rhode Island School of Design, identifies 16 legal and quasi-legal issues that can arise in contracts with vendors for cloud computing services (tinyurl.com/2erpewk). These issues include privacy and confidentiality, location and ownership of data, unauthorized use of data and service-level agreements. Until there is a commonly agreed upon approach to these issues, contractual negotiations for cloud services will be protracted and difficult.
The next area of concern is the possibility of changing cloud suppliers. You should have an exit strategy before signing a cloud contract. There’s no point in insisting that you own the data and can remove it from the provider’s systems at any time if you have nowhere else to store the data, and no other systems to support your business.
This is an area where industry bodies can help, by developing migration frameworks based on the existing accepted protocol and data-format standards.
The problem is relatively straightforward for IaaS and PaaS, because the processing logic is supplied by the user, and the data is likely to be stored in a standard format. It is wise to check, though, that the particular formats you use can be supported by other cloud providers, or that there is a transformation mechanism.
For example, if you use the Persistent Data Objects supported by GoogleApps, can you easily migrate to a cloud provider that supports SQL?
The problem is typically harder for SaaS, because the processing logic is supplied by the provider, and the data formats might be proprietary. It is unlikely that another provider will have the same processing logic, and a change of provider could mean changes to the business processes. Custom code might be needed for data transformation.
Changing your SaaS provider is likely to be a difficult and risky operation. Standard frameworks, perhaps industry-specific, could mitigate this. Industry bodies such as the Association for Retail Technology Standards (www.nrf-arts.org), which is active in the cloud space, could play a role here.
Another area in which lack of contextual standards causes concern is that of enterprise architecture. When an enterprise uses cloud computing, its architecture team should ensure that:
• the cloud services form a stable, reliable component of the architecture for the long term;
• they are integrated with each other and with the IT systems operated by the enterprise; and
• they support the business operations effectively and efficiently.
This underscores why it is so important for each cloud contract to be backed by an exit strategy. More generally, there can be multiple cloud suppliers providing various capabilities, perhaps with some load-sharing between them. The enterprise architecture should provide for this to be done in a risk-free and cost-effective way. You should also provide for a smooth transition as suppliers are added or dropped.
The enterprise architecture should define the relationships between the cloud services and other architecture components—and prescribe their interface data format and protocol standards—so these interoperate effectively, and information flows between them as needed.
Identity management is a particular problem for the integration of cloud services. There is no lack of standards, but it can be difficult to understand which ones to use and how to use them. The Cloud Security Alliance has produced “Guidance for Identity & Access Management” (tinyurl.com/2crjtep), which maps the identity management standards terrain—even if it does not yet show a highway through it.
Enterprise architecture is an established discipline. The experience of professional enterprise architects is encapsulated in standard reference models, methods and frameworks. Because cloud computing is a new phenomenon, the reference models, methods and frameworks are still being developed. These are the key contextual standards that cloud computing lacks.
This is an area in which industry bodies are actively working to help both consumers and providers of cloud services. For example, The Open Group is focused on Enterprise Architecture, and its Cloud Work Group (www.opengroup.org/cloudcomputing) is developing models and best practices to help enterprise architects decide where and how to use cloud services to benefit enterprises.
Other active groups include the U.S. National Institute of Standards and Technology (http://csrc.nist.gov), the Object Management Group (www.omg.org) and the Organization for Advancement of Structured Information Systems (www.oasis-open.org).
Use of cloud computing will expand massively, as the growing speed and power of the Internet make it easier for enterprises to outsource their technology. Established Internet, Web and software-platform standards form a ready-made initial basis of standards for this expansion. But configuration and management standards, and contextual standards for models and practices, which are currently lacking, are essential if cloud computing is to reach its full potential.
While these standards are being developed, enterprises will find it harder to adopt the cloud than it should be; mistakes will be made. It is tempting to call for instant solutions, but history shows that effective standards can only be created based on experience.
You can stay up to date with this market by participating in one of the cloud standards developments under way. Join the cloud community, gain a deeper knowledge and understanding that will benefit your business, and help the industry move forward.
Chris Harding, Ph.D., is forum director for SOA and Semantic Interoperability at The Open Group. Prior to that, he was a consultant, as well as a designer and development manager of communications software.