The U.S. National Institute of Standards and Technology has released the final version of the U.S. Government Cloud Computing Technology Roadmap, Volumes I and II. The Roadmap focuses on a number of areas including security, inter-operability, and portability, while hinting at the future where it discusses building “nation size clouds”. The document is excellent source material for anyone moving to Cloud, in particular government. NIST is important as they have been the group that has set, and continues to set, global standards for Cloud Computing.
Here’s the abstract:
“The National Institute of Standards and Technology (NIST), consistent with its mission, has a technology leadership role in support of United States Government (USG) secure and effective adoption of the Cloud Computing model to reduce costs and improve services. This role is described in the 2011 Federal Cloud Computing Strategy as ,… a central one in defining and advancing standards, and collaborating with USG Agency CIOs, private sector experts, and international bodies to identify and reach consensus on cloud computing technology & standardization priorities. This NIST Cloud Computing program and initiative to develop a USG Cloud Computing Technology Roadmap is one of several complementary and parallel USG initiatives defined in the broader Federal Cloud Computing Strategy referenced above. The Federal Cloud Computing Strategy characterizes cloud computing as a ,profound economic and technical shift (with) great potential to reduce the cost of federal Information Technology (IT) systems while , improving IT capabilities and stimulating innovation in IT solutions. In the technology vision of Federal Cloud Computing Strategy success, USG agencies will be able to easily locate desired IT services in a mature and competitive marketplace, rapidly procure access to these services, and use them to deliver innovative mission solutions. Cloud services will be secure, interoperable, and reliable. Agencies will be able to switch between providers easily and with minimal cost, and receive equal or superior service.”
Some takeaways for me that are interesting.
First, security. It is effectively at the top of the list and it’s also being pushed as a separate discipline. NIST says that Cloud security requirements must be de-coupled from both organisational and traditional ICT policy decisions because “the
cloud computing environment presents unique security challenges.” I know within New Zealand that a couple of the more mature government departments are taking this very approach, which is excellent to see. Summary points are, it’s at the top of the list and it’s different to other security requirements. Practically, for an organisation, this presents itself as a project or programme of work that looks at what Cloud services are being consumed today, what are planned to be consumed, against a Cloud security framework.
Second, inter-operability. The ability for Cloud services to be able to connected to each other is a holy grail not quite yet discovered. In turn, inter-operability unlocks portability, that being the ability to be able to move your workloads across Cloud providers in real-time based, mostly, on cost. For example, if I have a bursty big data analytic engine and I can get processor at a 20% discount this week from a Cloud provider with additional capacity, then I should be able to move it. Also, this allows for the creation of a market where Cloud workloads are sold as commodities. Further driving down cost and increasing agility.
Last, reliability, from the perspective of SLA’s. NIST says we need standardised SLA’s because;
“The concept of reliability is a key cloud computing element addressed by providers’ SLAs. However, the definition of what is being measured, and associated guarantees vary widely. Customers are faced with evaluating SLAs from cloud providers which define reliability using different terms (uptime, resilience, or availability), cover different resources (servers, HVAC systems, data storage, customer support), cover different time periods (hours, days, years), and use different guarantees (response time versus resolution time). SLA and measurement ambiguities leave the customer at risk.”
Also included is new material that needs to provide “Frameworks to Support Federated Community Clouds.” This must only be included because there is a need by government to standardise this type, which means that government are building community clouds.
“In the case of a Community Cloud deployed by a single Cloud Provider, the cloud PaaS layer can be used by developers to create applications. If developers establish common technical policies and credentials within that Community Cloud, they can use tools and management systems from different vendors, and connect applications to others using common PaaS facilities. However, in a federated multi-cloud environment with diverse cloud implementations and policies, the modules may need manual intervention to function together. Technical policies, credentials, namespaces, and trust infrastructure must be harmonized to support a Community Cloud that spans multiple service providers’ physical environments.”
The NIST is looking down the telescope of the future toward something called “Nation Size Clouds”. This is interesting, because this drives Cloud into areas it hasn’t been before, nation sized clouds in the hundreds of thousands of server capacity across multiple providers. The example NIST gives is:
“Government target business use cases have identified examples where cloud service providers could help to support applications of great benefit to the public. USG agencies see a need to provide geospatial data for public use in emergencies. A real-life proof-of-concept precedent was established through Japan’s response to the earthquake and tsunami that struck the Greater Tohoku region in March 2011.20 In 2012, the government of Japan defined an objective to apply cloud computing to support emergency response. The Japanese agency NISC, NIST, and others are collaborating on the development of a cyber-physical cloud concept to combine cloud computing and physical device control to respond to emergencies such that resources, including robotic and automated mechanisms, could be rapidly deployed.”
Overall, it’s a weighty document that is worth reading if you are in the industry. It starts to tighten problem areas while looking to the future.