How serious is the Obama administration about cloud computing? Federal CIO Vivek Kundra has assigned the National Institute of Standards and Technology (NIST) the task of “accelerating” the government’s secure adoption of cloud computing. NIST is being called on to lead “efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector and other stakeholders.” This comes two weeks after the White House formalized its National Strategy for Trusted Identities in Cyberspace (NSTIC) by creating a national program office in the Commerce Department to oversee the evolution of a “trusted identity ecosphere” for public cloud services.
NIST in turn has created the Standards Acceleration to Jumpstart Adoption of Cloud Computing (SAJACC) project to collect data about how different cloud system interfaces can support the cloud in the technical arenas of portability, interoperability and security. The organization has posted a wiki as an open collaboration site to collect the data and to assist in developing a cloud standards framework.
The effort is just in time, given how fast cloud services are expected to consolidate across the globe. Industry analysts predict that the multitude of services now will condense into a few powerhouse cloud providers, with Amazon.com, Google, Salesforce.com, IBM, Hewlett-Packard, Cisco Systems and Dell among the top contenders.
To IT executives, this is a serious risk: What will happen when a cloud provider chosen this year evaporates, from either competition or acquisition? What guarantees do CIOs have of workload interoperability among cloud providers when few standards exist beyond the extensible markup language (XML)?
“Today, we don’t have cloud standards,” said Judith Hurwitz, who co-authored the 2010 book, Cloud Computing for Dummies, and has a new book due out in May titled Smart or Lucky? How Technology Leaders Turn Chance into Success. “What is there? Some standards come from a service orientation, like XML, where there might be a common [application programming interface]. But there is a requirement to get to some open standards,” she said.
Cloud vendors, even as they morph into super-stacks that offer Infrastructure as a Service, Software as a Service, Platform as a Service and other emerging models, are sensitive to this issue and will be sure to include any new standards that are adopted by the industry, Hurwitz said.
Standards guidelines are particularly needed in the area of security, the No. 1 concern as enterprises evaluate public cloud risks. The NIST Cloud Computing Security Working Group, or NCC-SWG, plans to publish new guidelines for best practices in May that will be based on several factors: an analysis of threats associated with various types of cloud services, an assessment of the various controls for countering those threats and the identification of monitoring efforts needed for what it calls “continuous security assurance.”
What are the major risks? It depends on whom you ask — and I asked a lot of people. Hence, in case you missed it on SearchCIO.com, here’s an abbreviated list of the top ten public cloud risks:
- Security on the network.
- Identity management.
- Data integration.
- Vendor lock-in.
- Vendor viability.
- Shared resources.
- Legal ambiguity.