NIST Cloud Computing Program Current Activities Robert Bohn, Ph.D. NIST Cloud Computing Program Manager ETSI - Cloud Standards Coordination  5 December 2012, Cannes, France

Outline Roadmap Activities Updates on PAPs/Working Groups Security RA SLA Guidance Cloud Metrics Cloud Broker Security RA Standards Update

USG Cloud Computing Roadmap – Volume I Prioritized strategic and tactical requirements that must be met for USG agencies to further cloud adoption; Interoperability, portability, and security standards, guidelines, and technology needed to satisfy these requirements; Recommended list of Priority Action Plans (PAPs) -- candidates for voluntary self-tasking by the stakeholder community. Collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group Intent is to leverage PAPs that are identified as complete or under way by cloud stakeholder community; some may fall within NIST scope

USG Cloud Computing Technology Roadmap requirements R 1:  International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards) R 2: Solutions for high priority Security Requirements (security technology) R 3:  Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance) R 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology) R 5:  Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology) R 6:  Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards and technology) R 7:  Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology) R 8:  Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and security technology) R 9:  Defined and implemented reliability design goals (interoperability, portability, and security technology) R 10: Defined and implemented cloud service metrics (interoperability and portability standards)

USG CC Roadmap – Volume II Use collaboration through public working groups & Federal Cloud Computing Standards & Technology Working Group to continue to validate findings Reference Architecture & Taxonomy Recommend Industry Mapping so that USG agencies & others can more easily and consistently compare cloud services In parallel, support formal standards development process leveraging the reference architecture Standards Provide avenue for USG agency engagement Continue standards roadmap Target Business Use Cases & SAJACC Expand initial use case set & use SAJACC to identify gaps Security leverage working groups to finalize special publication focusing on challenging security requirements Continue technical advisor role – e.g. FedRAMP, continuous monitoring, conformity assessment system

USG CC Roadmap – Volume III BUILDS ON the first two volumes of the USG Cloud Computing Technology Roadmap IS FOR USG agency technical planning and implementation teams - AND ANYONE ELSE THAT FINDS IT USEFUL HAS A GOAL to inform decision makers regarding questions and decision factors in the context of Cloud Computing use cases DESCRIBES HOW to leverage the Federal Cloud Computing Strategy Decision Framework for Cloud Migration and the collaborative NIST Cloud Computing Program work

Decision Framework

16 aspects… Selection Provision Manage Efficiency Aggregate demand Agility Innovation Security Requirements Service characteristics Market Characteristics Network infrastructure Government readiness Technology lifecycle Provision Aggregate demand Integrate services Contract effectively Realize value Manage Shift mindset Actively monitor Re-evaluate periodically

Application Categories Collaboration Tools Planning/Management Tools Web Server/Content Management Identity Management Document Retrieval/Library System PaaS IaaS

Next Steps for PAPs/Working Groups Goal 1 - Requirement 3: Address “Technical Specifications for High-Quality Service-Level Agreements”. Goal 2 - Requirement 10: Address “Defined & Implemented Cloud Service Metrics”. Goal 3 -Advanced Actor Analysis - To further the discussion on the roles of and interactions of cloud computing actors (consumer/auditor/broker/carrier).

SLA Taxonomy Chair: John Messina (NIST) and Ken Stavinoha (Cisco) Purpose: Address Roadmap Requirement 3 on Service Level Agreements (SLA)s Goals: Create a mindmap/taxonomy identifying the major elements that should appear within a high-quality SLA. Write report on how to create high-quality SLA Status: Mindmap/taxonomy draft complete (available on NIST CC twiki public website) Report draft complete (available on NIST CC twiki public website) Moving Forward: Establish Federal SLA collaborative activities Submit material to international standards bodies for further development

Mind Map of a Master Service Agreement

Contents of SLA Business Level Objectives Roles & Responsibilities Requirements Operational Policies Continuity Limitations Financial Glossary of Terms Service Level Objectives Resources Performance Indicators Service Deployment Service Management Description Security Privacy

Cloud Business Requirements

Performance Indicators

Cloud Metrics Chair: Frederic J. de Vaulx and Steve Woodward (CloudPersectives) Purpose: Address Roadmap Requirement 10 on Cloud Metrics Goals: Improve consistency & terminology to facilitate valuable comparative analysis Create a framework to help clarify measures, definitions and collection methods Align with the roadmap high priority goals like SLAs Status: Cloud reference and description list (available on NIST CC twiki public website) Draft concept model for cloud metrics, measures and usages (available on NIST CC twiki public website) Moving Forward: Present the concept model to organizations involved in cloud metrics Write the Cloud Measure document based on the draft outline

Cloud Metrics Work Areas & Priorities

Goal 3: Advanced Actor Analysis – Cloud Broker Intermediate Cloud Service Provider dd Consumer accesses multiple provider services through a single broker interface The Cloud Consumer retains visibility into the cloud service providers they use Intermediary uses additional providers as invisible components of its own service, presented as integrated offering No consumer visibility into or control over additional cloud providers

The NIST Cloud Computing Reference Architecture Cloud Carrier Cloud Auditor Security Audit Privacy Impact Audit Performance Audit Cloud Service Consumer Cloud Broker Service Intermediation Aggregation Arbitrage Cloud Service Provider Privacy Physical Resource Layer Hardware Facility Resource Abstraction and Control Layer Service Layer IaaS SaaS PaaS Cloud Service Management Business Support Provisioning/ Configuration Portability/ Interoperability

NIST Security Reference Architecture Physical Resource Layer Hardware Facility Resource Abstraction and Control Layer Service Layer IaaS SaaS PaaS Biz Process/ Operations App/Svc Usage Scenarios Software as a Service Cloud Provider Application Development Platform as a Service Develop, Test, Deploy and Manage Usage Scenarios Note that the supporting technology for each service model is different. This also will result in different security considerations. Each service model will likely have very different security architectures. Infrastructure as a Service Create/Install, Manage, Monitor Usage Scenarios IT Infrastructure/ Operation

Draft NIST CC Reference Architecture Cloud Consumer Cloud Consumer Cloud Provider Cloud Broker Cloud Orchestration Cloud Service Management Service Layer SaaS Service Intermediation Business Support Cloud Auditor PaaS IaaS Provisioning/ Configuration Service Aggregation Security Audit Resource Abstraction and Control Layer Privacy Impact Audit Physical Resource Layer Portability/ Interoperability Service Arbitrage Hardware Performance Audit Facility Cloud Carrier Cross Cutting Concerns: Security, Privacy, etc

NIST Security Reference Architecture – formal model

Cloud Computing Standards Developers IEEE ISO IEC IETF ITU-T PSDO SG 11 Signalling requirements, protocols and test specifications SG 13 Future networks including mobile and NGN SG 17 Security ISO TC 68 Financial services ISO/IEC JTC 1 Information Technology JTC 1 PAS Submitters OASIS OMG SNIA TCG W3C OGF CA OCC SC 2 Financial Services, security SC 7 Software & systems engineering SC 27 IT security techniques SC 38 Distributed application platforms & services ATIS CSA Kantara TIA others Key: PSDO = Partner Standards Development Organization; PAS = Publicly Available Specification; = private sector, national member-based international standards body; = UN agency, member state-based international standards body; = international consortium standards developer 23

NIST SP 500-291 Recommendations Accelerating Development and Use of Cloud Standards Contribute Agency Requirements Participate in Standards Development Encourage Compliance Testing to Accelerate Technically Sound Standards-Based Deployments Specify Cloud Computing Standards USG-Wide Use of Cloud Computing Standards Dissemination of Information on Cloud Computing Standards Contribute Agency Requirements Participate in Standards Development Encourage Compliance Testing to Accelerate Technically Sound Standards-Based Deployments Specify Cloud Computing Standards USG-Wide Use of Cloud Computing Standards Dissemination of Information on Cloud Computing Standards

New Topics for Consideration Accessibility Conformity Assessment Performance Reliability Forensics Law Enforcement Education

NIST Cloud Computing Special Publications CC Standards Roadmap ……………………..500-291 CC Reference Architecture………………….500-292 USG CC Technology Roadmap Draft......500-293 Guidelines on Security and Privacy …….800-144 Definition of Cloud Computing …………..800-145 CC Synopsis & Recommendations……....800-146 Searchable as “NIST SP xxx-nnn”

Contacts Dr. Chris Greer chris.greer@nist.gov Dr. Robert Bohn robert.bohn@nist.gov John Messina john.messina@nist.gov Dr. Michaela Iorga micheala.iorga@nist.gov Annie Sokol annie.sokol@nist.gov Mike Hogan michael.hogan@nist.gov Eric Simmon eric.simmon@nist.gov Frederic de Vaulx frederic.devaulx@nist.gov Acting SES Program Mgr RA/Tax Co-Convener Security Standards Volume III Metrics NIST ITL Cloud Computing Home Page http://www.nist.gov/itl/cloud NIST Cloud Computing Collaboration Site (twiki) http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing