NIST Cloud Computing Program
USG Cloud Computing
Technology Roadmap…
Top “10” high priority requirements
to accelerate USG adoption of the
Cloud Computing model
NIST Mission:
To promote U.S. innovation and
industrial competitiveness by advancing measurement science,
standards, and technology
in ways that enhance economic security and improve
our quality of life
Unchanged: NIST Cloud Computing Program Goal…
Accelerate the federal government’s adoption of cloud computing*
– Build a USG Cloud Computing Technology Roadmap which focuses on the highest priority USG cloud computing security, interoperability and portability requirements
– Lead efforts to develop standards and guidelines in close consultation and collaboration with standards bodies, the private sector, and other stakeholders
REVISITING NIST CLOUD COMPUTING PROGRAM (PHASE 1)…
INITIATIVE TO BUILD A USG CLOUD COMPUTING TECHNOLOGY ROADMAP
[Timeline figure: May 2010, Nov 2010, March 2011, Oct 2011; tracks: Strategic, Tactical efforts]
• NIST CC Definition
• Outreach & fact finding with USG, Industry, SDOs
• Evaluate past models & lessons learned
• Define fresh approach to support secure & effective USG cloud computing adoption, prioritize interoperability, portability, & security requirements, collaborate, more quickly respond to operational needs
• Launch CC Strategic Program
• Initiate Stakeholder Meetings
• Collaboratively define working group scope & resources
• Refine Plan
• Execute CC Strategic program
• Continue Stakeholder meetings
• Integrate results into tactical priorities
• NIST CC Forum & Workshop I, II, III, IV
• Complete 1st draft Interagency Report
• Assess Results & Replan
• USG Cloud Computing Technology Roadmap
How to build a USG Cloud Computing Technology Roadmap
1. Define Target USG Cloud Computing Use Cases
2. Define Neutral Cloud Computing Reference Architecture & Taxonomy
3. Generate Roadmap – Translate Requirements & Identify Gaps
USG Cloud Computing Technology Roadmap requirements* - high priorities to further USG Cloud Computing Technology Adoption:
Requirement 1: International voluntary consensus based interoperability, portability and security standards
Requirement 2: Solutions for high priority Security Requirements
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements
Requirement 4: Clearly and consistently categorized cloud services
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments
Requirement 6: Technical security solutions which are de-coupled from organizational policy decisions
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions
Requirement 8: Collaborative parallel strategic “future cloud” development initiatives
Requirement 9: Defined and implemented reliability design goals
Requirement 10: Defined and implemented cloud service metrics
Top 10 High Priority USG Requirements to accelerate secure & effective cloud adoption (interoperability, portability, security)
And… there are practical reasons why the requirements that are needed for USG agencies to securely & effectively deploy the Cloud Computing model are also needed by the broad cloud computing stakeholder community
* relationship to interoperability, portability, and security guidance, standards, & technology highlighted in roadmap
Volume II - Highlights
• Summary of USG target business use case templates & initial set
• NIST Cloud Computing Reference Architecture (& Taxonomy) SP 500-292 Sept 2011
[Figure: NIST Cloud Computing Reference Architecture. Actors: Cloud Consumer, Cloud Provider, Cloud Auditor, Cloud Broker, Cloud Carrier. Cloud Provider: Service Layer (IaaS, PaaS, SaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning/Configuration, Portability/Interoperability), Security, Privacy. Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit. Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage.]
• Cloud Computing Standards Roadmap SP 500-291 July 2011 standards & gap analysis
• SAJACC technical use case summary
[Figure: NIST Cloud Standards Portal. Labels: Use Cases, Validated Specifications, Reference Implementations, Standards Development Organizations, Existing Standards, Working Groups, Community Outreach, Specifications, Validation Exercises, Tests.]
• High Priority Security Requirements - challenges, requirements overview, risk mitigation measures
• Other related work - Reliability Research in Cloud-based Complex Systems Koala – SLA taxonomy,
Useful Information for Cloud Adopters
• Summary of the work completed November 2010 through September 2011 in projects & working groups
• Analysis supports high priority requirements introduced in Volume I
• References to detailed
How to build a USG Cloud Computing
Technology Roadmap
1. Define Target USG Cloud Computing Business Use Cases
2. REFINE & APPLY Neutral CC Reference Architecture & Taxonomy
3. UPDATE Cloud Computing Technology Roadmap – Translate Requirements & Identify Gaps
[Figure labels: priorities, risks, obstacles; vendors map services]
Strategic Program
(continue phase 1 activities and…)
NIST Tactical Program
USG Cloud
Computing
Technology
Roadmap
... leverage Priority Action Plans (PAPs) selected for
self-tasking by Cloud Stakeholder Community
Assess & Track: USG CC High Priority
Requirements met by Priority Action Plans
(self-tasked by NIST and other CC stakeholders)
Rqmt 1: International consensus interoperability,
security, portability standards
Rqmt 2: Solutions for High Priority Security
requirements
Rqmt 3: Technical Specifications to enable high quality
SLAs
…….
Rqmt 10: Defined and Implemented cloud service
metrics
Integrate results into tactical priorities
Measure Results
We have practical opportunities to leverage our efforts … one
is identifying complementary efforts the NIST Roadmap refers
Recommended Priority Action Plans are tactical as well as strategic
• Examples of Priority Action Plans & interim solutions to apply while cloud solutions are maturing
USG Cloud Computing Technology Roadmap requirements - high priorities to further USG Cloud Computing Technology Adoption:
Requirement 1: International voluntary consensus based interoperability, portability and security standards (interoperability, portability, and security standards)
Requirement 2: Solutions for high priority Security Requirements (security technology)
Requirement 3: Technical specifications to enable development of consistent, high quality Service Level Agreements (interoperability, portability, and security standards and guidance)
Requirement 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology)
Requirement 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology)
Requirement 6: Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards and technology)
Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability and security technology)
Requirement 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and security technology)
Requirement 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
Requirement 10: Defined and implemented cloud service metrics (interoperability and portability standards)
– Encourage standards & compensate with Service Level Agreements to require demonstration of data/system portability between providers
– Request that cloud service vendors map their offerings to a common reference (i.e. NIST Reference Architecture) so that it is easier to compare services
– Define unique USG/mission/sector/business Requirements (e.g. 508 compliance, e-discovery, record retention)
NIST COMPUTING PROGRAM TIMELINE
(PHASE 2)
[Timeline figure: Nov 2011, March 2012, Nov 2012; tracks: Strategic, Tactical efforts]
• Initiate NIST CC Program Phase II
• Integrate & track USG Technology Roadmap Priority Action Plans (PAPs) with external stakeholders
• Integrate results into tactical priorities
• Measure Results
• Public & Federal Standards & Technology working groups
• NIST CC Forum & Workshop IV, V, VI
• Analyze Phase 1 working group & project results
• Complete 1st draft for public comment
• USG Cloud Computing Technology Roadmap Version 1 SP 500-293
• Re-Assess Progress & Phase 2 Plan
• USG Cloud Computing Technology Roadmap Version 2
• Standards liaison, SAJACC, FedRAMP & other technical advisory, Guidance, Koala
NIST Cloud Computing Special Pubs
• Guidelines on Security and Privacy: 800-144
• Definition of Cloud Computing: 800-145
• CC Synopsis & Recommendations: 800-146
• CC Standards Roadmap: 500-291
Planned NIST Cloud Computing Special Pubs
• Challenging Security Requirements for US Government CC Adoption
• Revised USG CC Technology Roadmap: 500-293
1. Vol I High-priority requirements to Further USG Agency CC Adoption
2. Vol II Useful Information for Cloud Adopters