A group of the world’s largest buyers of IT has released specifications that set their minimum requirements for shifting enterprise workloads to the cloud.
The Open Data Center Alliance, made up of 280 members and steered by executives from the National Australia Bank, Lockheed Martin, UBS, Deutche Bank, China Unicom, BMW and others, today released eight usage models suppliers most urgently need to consider to win the business of the world’s largest customers.
These eight usage models concern such questions as assuring the security of data stored in the cloud, agreeing on common definitions such that the performance and capabilities of services can accurately be compared, accounting for carbon emissions, portability of workloads and common management and policy controls to help win regulatory approval for cloud deployments.
The alliance described the eight papers released today as Version 1.0 in an ongoing process - seeking feedback from other end users to refine the list of demands.
The end user group's first priority was been to set minimum standards for how workloads could securely move between third party providers.
Under the banner of “federated security”, the alliance released two usage models – one asking for a tiered security accreditation system to rate and compare service providers on their security credentials, and a second that demands cloud computes allow their security posture to be remotely monitored by enterprise customers.
The Security Provider Assurance usage model (pdf) sets out four assurance levels for service provider certification. These would give the provider of cloud services "the ability to differentiate their services by offering more than the standard, while giving customers confidence that systems are securely maintained."
Enterprise Security equivalent
Financial Organization Security equivalent
Military Organization Security equivalent
The cloud provider would be audited around such areas as vulnerability management, network and firewall isolation, identity management, security incident and event monitoring, data retention and deletion, confidentiality, integrity and trust and availability, the exact requirements of which are provided in great detail.
The alliance said that Bronze levels could be self-certified, but the three higher tiers would require third-party certification.
“We need better ways to determine what capability is being offered," said Denis McGee, general manage of infrastructure and security services at National Australia Bank, "to make sure you get the right level of security at the right price.”
The Security Monitoring usage model (pdf) meanwhile demands that service providers produce a secure web-based interface for each user to view the low-level security status of the server, networking and plant infrastructure hosting their service.
It also demands a more detailed status on the security posture of the virtual machine and application being hosted, addressing whether anti-virus definitions are up-to date - for example, whether patches have been applied - and notification of security incidences (via Intrusion Prevention System and Firewall logs).
To achieve this, the alliance will most likely aid the refining of the Cloud Security Alliance-led CloudAudit standard – an API that allows users and third-party auditors to query the security status of the virtual machines running in a given cloud.
Any such monitoring system would also require “tamper-resistant functions” and “stronger levels of control and assurance against spoofing of results,” the usage model noted.
The alliance also called vendors to ensure interoperability between hypervisors and VM management consoles such that end users can shift workloads between private and public clouds with relative ease.
McGee said there was currently “no heterogeneous hypervisor environment” in the market.
This usage model (pdf) starts the job of coming up with a list of standard functions and syntax such that any new cloud provider can use to automatically recognise and apply the same policies (around security/QoS etc) a workload ran under at its last host.
At minimum, the group of power users said they would use as a foundation the Distributed Management Task Force’s Open Virtualization Format (OVF) specification, which aims to harmonise VM standards such that they can be managed by a single management console.
The alliance demanded that vendors and service providers work through I/O bottlenecks that have plagued shared infrastructure deployments to date.
As more processing power is packed into servers and VM density (virtual machines per physical host), the limited I/O available in the host is spread thinner and thinner.
There are precious few solutions, the alliance noted, that allow for management of I/O on a per-VM or per-application basis – leading to “noisy neighbour” syndrome (uncontrolled contention between virtual machines rented by different customers on the same host) and missed Quality of Service targets.
Among the proposed solutions (pdf) are technical fixes (demanding a more granular approach to I/O allocation) and market-based initiatives (a tiered pricing model, with I/O guarantees provided to those customers paying higher amounts).
The group said that protecting the performance of applications may require the throttling of I/O for others.
This would again require a new set of APIs to provide the customer with the necessary instrumentation to monitor I/O performance in relation to their workloads.
The alliance called for transparency (pdf) from providers in terms of the capabilities they offer.
It called for standard metrics (pdf) to be developed to measure this performance, such that users could adequately compare features and costs across multiple providers when making decisions on where to host workloads.
The alliance also dedicated a paper (pdf) to looking at ways of ensuring that end-users can still be accountable for the carbon used by any given workload outsourced to a third party data centre.
It called for standard service provider reporting of carbon production in data centres, which was noted as a “particularly hot issue in Australia with the carbon tax.”
How will the group ensure compliance from service providers and vendors? Read on for more...
The alliance hopes that this base level of requirements will eventually form industry standards that service providers can be audited against.
McGee told iTnews that the steering panel had discussed the potential to develop a “compliance tick of approval”, but hadn’t yet agreed on how it could be implemented.
“Ideally we’d like to have a certification body set up to do auditing against these standards,” said another member of the steering committee. “That could potentially ease the job of getting approval [for use of cloud computing] from regulators.”
McGee said that it might be impractical for “every customer to carry out compliance verifications with regulators” and that regulators might also “be reluctant to accept third party verifications.”
The most basic solution, he said, was to have a global, industry-wide agreement on common management and policy controls.
Working with industry
The ODCA also announced today the first vendor partners welcomed into the initiative, aside from Intel’s involvement as a technical steering partner.
Dell, EMC, Parallels and Red Hat were announced as industry partners.
The alliance hopes to convince vendor partners to “integrate guidance from these usage models into their product and service roadmaps.”
It also hopes to see its demands appearing in vendor products and services within 18 months.
If other users and the industry gets behind them, the alliance anticipate the initiatives could accelerate cloud adoption to the tune of US$50 billion, driving a 25 percent acceleration in adoption of services and driving down the cost of enterprise IT by some 15 percent.
McGee said that inviting vendor partners into the group had been approached with some trepidation.
"That was one of the things on my mind and the team at NAB – whether we were just getting a series of vendors driving it in their own direction," he said. "We’ve been very careful as we’ve taken each member on to make sure that they understand we want this as open as possible. So far we think we’ve been able to manage that well."