2011 Draft: Recommended Cloud Best Practices

Draft Recommendations on Cloud Best Practices for NIST Cloud Computing Working Group and Cloud Computing Customer Council

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,823
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
83
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

2011 Draft: Recommended Cloud Best Practices

Extended Draft: Government Cloud Best Practices Recommendations

Table of Contents

A. Introduction ..... 1
B. Implementation Best Practice ..... 2
   1. Design for Portability and Interoperability ..... 2
   2. Define Government Approved Data Interfaces and Formats ..... 3
   3. Use Emerging Standards ..... 3
   4. Implement a Federated Authentication Capability ..... 4
   5. Develop a Framework for Orchestration across Clouds ..... 5
   6. Use Portable Tools for Monitoring and Managing Clouds ..... 5
   7. Choose Non-Mission Critical Applications for Initial Cloud Deployment ..... 6
C. Policy Best Practices ..... 7
   8. Develop an Enterprise Catalog ..... 7
   9. Document Business Use Cases ..... 7
   10. Document Standardized Ways to Compare Cloud Computing Capabilities ..... 8
   11. Use Simulation-based Acquisition for Cloud Resources if possible ..... 9
   12. Establish a Data Governance Policy ..... 9
   13. Develop International Collaboration on Standardizations ..... 10
   14. Maintain updated Cloud Reference Documents ..... 11
D. Organizational Best Practices ..... 11
   15. Designate a Cloud Standards Group ..... 12
   16. Create a Cloud Policy, Organization, and Resource Sharing Committee ..... 13
   17. Create a Cloud Security, Auditing, Compliance, and Risk Management Group ..... 13
   18. Create a Cloud Procurement Group ..... 14
   19. Create a Cloud Center of Excellence ..... 15
   20. Create a Cloud Community of Practice Group ..... 15
E. Primary References ..... 16
F. Additional References ..... 17
G. Guidance References (Patterns) ..... 18

==================================================
A. Introduction
==================================================

The U.S. government has initiated the rapid deployment of Cloud services for internal and public use. There are many risks associated with possible lack of interoperability, portability, and proven security for existing Cloud implementations. In the future, emerging standards as documented in the Standards Roadmap document will help solve this problem. While these standards are maturing, best practices can be used to avoid vendor lock-in, Cloud silos, and security gaps.
The purpose of this draft is to list some best practices for Cloud implementation and organizational support based on past experience with similar technologies, e.g. service oriented architectures. Accompanying each recommendation will be references to the NIST Cloud Synopsis and Recommendations Draft (Draft-NIST-SP800-146), the NIST Cloud Working Group outputs, and major external documents to provide context. See Section E for all Primary References, including NIST, US Government, UK Government, Open Data Center Alliance, Cloud Standards Customer Council, and European sources. Associated with each recommendation, there is also suggested support from Cloud Providers and a link to guidance in implementing the recommended best practice. The next step should be to expand and extend the current content to provide detailed guidelines (e.g. patterns) for public sector Cloud Computing.

==================================================
B. Implementation Best Practices
==================================================

It is possible to reduce the cost and implementation time for individual projects using Cloud resources. However, best practices for implementation will be needed to ensure that downstream costs for system integration, migration, operations, and maintenance do not overwhelm the advantages of the initial deployment. The general principle is to consider potential future requirements when planning Cloud projects.

-------------------------------------------------------------------------------------
1. Design for Future Portability and Interoperability across Multiple Clouds
-------------------------------------------------------------------------------------

a) For SaaS, ensure that data, documents, and other resources can be moved in and out of the Cloud using government-approved formats
b) For PaaS, avoid proprietary single Cloud tools and languages for application development, monitoring, and management
c) For IaaS, enable multiple external Clouds to be used for Cloud bursting and hybrid Clouds

These recommendations will probably require the use of adaptors and brokers while standards are emerging.

1.1 References:
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 2, 4, 5)
- Draft Cloud Reference Architecture (Slide 23 Cloud Brokers)
- Cloud Synopsis and Recommendations (Suggest Multiple Cloud Extension to Section 9 General Recommendations)
- Federal Cloud Computing Strategy (Section IV. 4 Establishing Cloud Computing Standards)
- UK Government ICT Strategy (Point 33, Point 34 and Point 35)
- TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 2)
- Open Data Center Alliance (Usage: Virtual Machine Interoperability)
1.2 Possible Support from Cloud Providers
a) Support standard well-defined formats for importing and exporting data for SaaS
b) Support application generation from multiple tools and standard models
c) Support standardized VM movement and interfaces between IaaS Clouds and enterprise systems

1.3 Guidance - Choosing delivery models
- Cloud Computing Delivery Models from Technofriend http://m.technofriends.in/2011/03/17/cloud-computing-delivery-models/

1.4 Practical Guide to Cloud Computing (Step 4. Select a Cloud Service Model)

-------------------------------------------------------------------------------------
2. Define Government Approved Data Interfaces and Formats for Creating, Reading, Updating, Deleting, and Batch Movement of Cloud Data and Documents
-------------------------------------------------------------------------------------

a. Transferring data between Clouds will be necessary for future interoperability and portability. Official standards, e.g. the Storage Networking Industry Association’s (SNIA) Cloud Data Management Interface (CDMI) and the Open Grid Forum’s (OGF) Open Cloud Computing Interface (OCCI), will simplify this transfer in the future. In the short run, the government should define approved interfaces and formats that can migrate to emerging official standards. Adaptors to proprietary Cloud interfaces and formats may be necessary. Cloud providers should be requested to supply these adaptors as part of the procurement process.
b. Contractual agreements should be used to penalize Cloud Providers for failure to support data operations (e.g. data deletion) using government approved data interfaces and formats.

2.1 References:
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 3)
- Cloud Synopsis and Recommendations (Section 9.2 Data Governance and 7.5.6 Data Erase Practices)
- Federal Cloud Computing Strategy (Section II. 2 Provisioning Cloud Services Effectively and Section IV. 6 Laying a Solid Governance Foundation)
- UK Government ICT Strategy (Point 39 and Part 3 Action 15)
- TechAmerica’s Cloud2 (Recommendation 10)
- TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 4)

2.2 Possible Support from Cloud Providers
- Support standards for accessing and moving Cloud data and files
2.3 Guidance: Choosing Formats for Moving Data into and out of Clouds
- Linked Data http://en.wikipedia.org/wiki/Linked_Data
- A JSON supporter http://devcentral.f5.com/weblogs/macvittie/archive/2011/04/27/the-stealthy-ascendancy-of-json.aspx

-------------------------------------------------------------------------------------
3. Use Emerging Standards (e.g. DMTF’s Open Virtualization Format) for Moving VMs between Infrastructure as a Service (IaaS) Clouds
-------------------------------------------------------------------------------------

OVF is an ANSI standard that is becoming increasingly mature. See the NIST SAJACC WG’s VM Portability White Paper for a detailed discussion. OVF 1.1 is ANSI INCITS 469-2010 and is being submitted to JTC 1 as a PAS submission. DMTF is considering a subsequent version that may have relevance in the not too distant future.

3.1 References:
- NIST SAJACC WG VM Portability White Paper (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/SAJACCVMPortability)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 2)
- Cloud Synopsis and Recommendations (7.6 Recommendations for Infrastructure as a Service)
- Federal Cloud Computing Strategy (Section IV. 4 Establishing Cloud Computing Standards)
- Open Data Center Alliance (Usage: Virtual Machine Interoperability)

3.2 Possible Support from Cloud Providers
- Support OVF standards for VM movement between IaaS Clouds

3.3 Guidance - Using Emerging Standards (Standards Roadmap)
- Status update on OCCI and CDMI http://www.ogf.org/SAUCG/materials/2342/Cloud+Standards+Interoperability+-+Status+Update+on+OCCI+and+CDMI+Implementations.pdf
- Cloud Standards advice from David Linthicum http://www.ebizq.net/blogs/cloudsoa/2011/02/the-truth-behind-standards-soa-and-cloud-computing.php

-------------------------------------------------------------------------------------
4. Implement a Federated Authentication Capability across Clouds
-------------------------------------------------------------------------------------

A federated authentication mechanism will enable more efficient access to multiple Clouds. This could be accomplished by the use of a cloud broker layer or future standards.
4.1 References:
- Cloud Synopsis and Recommendations (Suggest addition to Section 9.3 Security and Reliability)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 6)
- Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure Trustworthy Environment)
- TechAmerica’s Cloud2 Report (Recommendation 2)

4.2 Possible Support from Cloud Providers
- Support common authentication standards (e.g. OpenID).

4.3 Guidance - Choosing a Federated Authentication Capability
- Choosing the Right Federation from GFIPM http://gfipm.net/choosing-the-right-federation.html

-------------------------------------------------------------------------------------
5. Use Portable Tools for Monitoring and Managing Cloud Resources if possible
-------------------------------------------------------------------------------------

The use of portable tools will facilitate portability, if necessary, across Cloud providers (e.g. IaaS). It will also be useful for multiple Cloud architectures.

5.1 References:
- Cloud Synopsis and Recommendations (Suggest addition to Section 7.6 Recommendations for Infrastructure as a Service)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 4)
- Open Data Center Alliance (Usage: Virtual Machine Interoperability)

5.2 Possible Support from Cloud Providers
- Support common error messages, notifications, and alerts from Cloud applications

5.3 Guidance - Selecting tools for development, deployment, monitoring, and managing Clouds
- How to Select Tools for Managing the Clouds http://www.cioupdate.com/trends/article.php/3919446/How-to-Select-Tools-to-Manage-the-Cloud.htm

-------------------------------------------------------------------------------------
6. Develop a Framework for Orchestrating Processes across Multiple Clouds and Enterprise Systems
-------------------------------------------------------------------------------------

One of the most difficult tasks will be orchestrating processes across multiple heterogeneous Clouds, possibly including enterprise systems. A pre-defined framework to support these processes will reduce deployment complexity, cost, and time. The framework should utilize standards when possible. If there are no standards, cloud brokers and adaptors can be used, following government policies to avoid lock-in.
6.1 References:
- Cloud Synopsis and Recommendations (Suggest addition to Section 9 General Recommendations)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 7)

6.2 Possible Support from Cloud Providers
- Develop adaptors to support standardized interfaces to core functionality. Develop Cloud Brokers with standardized interfaces that enable orchestrating processes across multiple Clouds.

6.3 Guidance - Role of Cloud Broker
- Cloud Brokers Presentation http://www.soasymposium.com/home2011/pdf_brazil/Pethuru_Cheliah_and_Zaigham_Mahmood_Cloud_Brokerages.pdf

-------------------------------------------------------------------------------------
7. Choose Non-mission Critical Applications for initial Cloud deployments
-------------------------------------------------------------------------------------

It is prudent to gain experience and confidence in Cloud resources before migrating mission-critical applications. Some examples include productivity applications (SaaS), test and development (IaaS), offloading high transient processing (IaaS), and hosting Web sites (PaaS or IaaS).

7.1 References:
- Cloud Computing Business Use Case Examples (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/BusinessUseCases)
- Federal Cloud Computing Strategy (Section II. 1 Selecting Services for Move to the Cloud)
- UK Government ICT Strategy (Part 2 Action 12)
- See External References 5 and 6
- TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 1)

7.2 Possible Support from Cloud Providers
- Create a Maturity Model that will enable customers to determine the type of Cloud deployments that are most suitable based on their current experience and expertise

7.3 Guidance - Choosing the first Cloud Application
- Development and Testing is a good first choice. http://www.cio.com/article/505660/Your_First_Cloud_App_Dev_Test_a_Smart_Choice

7.4 Practical Guide to Cloud Computing (Step 8. Develop a Proof-of-Concept before Moving to Production)
==================================================
C. Policy Best Practices
==================================================

The efficient deployment of multiple Cloud Computing solutions across government (or any large enterprise) departments will require a common policy framework to enable future interoperability, portability, reuse of resources, and trusted security.

-------------------------------------------------------------------------------------
8. Develop an Enterprise Catalog to Enable the Discovery of Existing and Available Cloud Resources
-------------------------------------------------------------------------------------

One of the advantages of Cloud computing is the ability to share resources across projects and agencies. A catalog of existing resources and access procedures will add value and reduce costs as the number of Cloud deployments increases. An “application store” capability can be used to make existing resources available to new projects.

8.1 References:
- Cloud Synopsis and Recommendations (7.4.3 Portability, Interoperability with Legacy Applications)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 8)
- UK Government ICT Strategy (Point 17, Point 31, Part 2 Action 1 and Part 2 Action 14)
- Open Data Center Alliance (Usage: Service Catalog)

8.2 Possible Support from Cloud Providers
- Create and support a standard format for describing Cloud resources in a catalog

8.3 Guidance - Utilization of Existing Resources
- Data Center Consolidation and Cloud Computing Presentation http://www.actgov.org/events/managementofchange/MOC2011/MOC%202011%20Documents%20and%20Presentations/federal%20cloud%20computing%20and%20data%20center%20consolidation.pdf

8.4 Practical Guide to Cloud Computing (Step 6. Integrate with Existing Enterprise Services)

-------------------------------------------------------------------------------------
9. Document Business Use Cases using the Template from the Business Use Case Working Group
-------------------------------------------------------------------------------------

The Business Use Case Working Group has developed a template for describing Use Cases and used it to document several examples. Employing a standard template will foster a more standardized development process and make it easier to exchange information across projects.
9.1 References:
- Cloud Synopsis and Recommendations (Suggest addition to Section 9 General Recommendations)
- Cloud Computing Business Use Case Template (http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/TemplateCoordinationSG/Cloud_Computing_Business_Use_Case_Template.pdf)
- Federal Cloud Computing Strategy (Section IV. 1 Leveraging Cloud Computing Accelerators)
- TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 3)

9.2 Possible Support from Cloud Providers
- Develop business use case templates in a standard format that can be made available to customers planning Cloud deployments

9.3 Guidance - Determining Benefits
- Open Group Building ROI with Clouds http://www.opengroup.org/cloud/whitepapers/ccroi/roi.htm

9.4 Practical Guide to Cloud Computing (Step 2. Develop Business Justification and a Strategic Plan)

-------------------------------------------------------------------------------------
10. Document Standardized Ways of Comparing Cloud Capabilities for Procurements and Cloud Brokers
-------------------------------------------------------------------------------------

A standard way of comparing product offerings and prices will be valuable for procurement decisions.

10.1 References:
- Cloud Synopsis and Recommendations (Section 7.4.2 Flexible, Efficient Renting of Computing Hardware and suggest addition to Section 8.3 Economic Goals)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis)
- Federal Cloud Computing Strategy (Section II. 2 Provisioning Cloud Services Effectively and IV. 3 Streamlining Procurement Process)
- TechAmerica’s Cloud2 Buyers Guide (Agency Preparation)
- Open Data Center Alliance (Usage: Standard Units of Measurement for IaaS)

10.2 Possible Support from Cloud Providers
- Create and support a common Cloud capability and pricing description for IaaS resources.

10.3 Guidance - Standards for SLAs
- SLA@SOI publications http://sla-at-soi.eu/results/publications/
10.4 Practical Guide to Cloud Computing (Step 7. Develop and Manage Service Level Agreements)

-------------------------------------------------------------------------------------
11. Use Simulation-based Acquisition for Cloud Solutions if possible
-------------------------------------------------------------------------------------

Simulation-based acquisition is a procurement practice that uses simulated test evaluations before finalizing procurement and full scale development. It has been advocated in the past, but in many cases full scale simulation was prohibitively costly in time and resources. Cloud environments for test and evaluation can significantly reduce these costs and enable early simulation-based evaluations of potential Cloud solutions. It is also possible to evaluate Cloud solutions on internal simulation testbeds, e.g. NIST’s Koala.

11.1 References:
- Simulation-based Acquisition Overview from Navy http://nawctsd.navair.navy.mil/Resources/Library/Acqguide/sba.htm
- NIST’s Cloud Simulation Testbed http://www.nist.gov/itl/antd/upload/Koala.pdf
- UK Government ICT Strategy (Point 28)

11.2 Possible Support from Cloud Providers
- Create and make available testbeds to enable customers to evaluate performance and capabilities of planned Cloud deployments.

11.3 Guidance - Implementing Simulation-based Acquisition
- Simulation-based Acquisition Implementation Strategy from NASA http://aeronautics.arc.nasa.gov/assets/pdf/SBAStrategy_Final_w_signatures.pdf

-------------------------------------------------------------------------------------
12. Establish a Data Governance Policy for When and How Specific Types of Data can be Stored on Externally Hosted Clouds
-------------------------------------------------------------------------------------

Maintaining strict control of critical data is essential for security, privacy, and trusted government operations. A clearly stated policy should be documented and enforced internally and contractually with external resource providers.
12.1 References:
- Cloud Synopsis and Recommendations (9.2 Data Governance)
- Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment and Section IV. 6 Laying a Solid Governance Foundation)
- TechAmerica’s Cloud2 (Recommendation 3)

12.2 Possible Support from Cloud Providers
- Provide customers the ability to audit and evaluate their data management and protection capabilities

12.3 Guidance - Choosing Deployment Models
- Cloud Deployment Options http://www.zlti.com/wp-content/content/docs/Data%20Sheets/ZL%20Cloud%20Deployment%20Schemes.pdf
- Tips for Choosing a Cloud Deployment Model http://kalirajanl.wordpress.com/2011/05/12/tips-for-choosing-the-cloud-deployment-model/

12.4 Practical Guide to Cloud Computing (Step 3. Select a Cloud Deployment Model)

-------------------------------------------------------------------------------------
13. The US Government should work with other Governments and International Organizations to develop Policies and Standards enabling future Interoperability and Portability across Clouds while preserving national security and legal requirements
-------------------------------------------------------------------------------------

In the future, there will be applications and data that will be shared across international public sector Clouds for multinational collaboration initiatives (e.g. scientific research). It will be necessary to work with other governments and international organizations (e.g. ISO) to ensure that Clouds will support interoperability and portability requirements. This will require coordination at the technical level (e.g. standards) and policy agreements.

13.1 References:
- Cloud Synopsis and Recommendations (8.4.2 Physical Data Location)
- Cloud Standards Roadmap Draft 11 (Annex D Standards Developing Organizations)
- Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment, Section IV. 4 Establishing Cloud Computing Standards, and Section V. 5 Recognizing the International Directions of Cloud Computing)
- UK Government ICT Strategy (Point 40)
- TechAmerica’s Cloud2 Report (Recommendation 1 and Recommendation 8)
- SIENA Roadmap (International Coordination)
13.2 Possible Support from Cloud Providers
- Organize international Cloud provider associations to work with customers in enabling interoperability across national and regional boundaries.

13.3 Guidance - Issues requiring International Agreements
- European Perspective from EC Executive http://blogs.ec.europa.eu/neelie-kroes/public-authorities-and-cloud/

-------------------------------------------------------------------------------------
14. Maintain Updated Reference Documents including Cloud Standards Catalogs, Reference Architectures, Technology Roadmaps, and Best Practices
-------------------------------------------------------------------------------------

Since Cloud technology and related standards are changing rapidly, it will be necessary to update Cloud information documents periodically during the next few years (e.g. once a year). Experience with specific Cloud tools, services and resources should be captured and made available for future government Cloud projects.

14.1 References:
- NIST Cloud Synopsis and Recommendations
- NIST Cloud Standards Roadmap Draft 11
- Federal Cloud Computing Strategy (Section IV. 4 Establishing Cloud Computing Standards)
- UK Government ICT Strategy (Part 3 Action 21 and Part 3 Action 22)
- SIENA Roadmap (Recommendations)

14.2 Possible Support from Cloud Providers
- Supply accurate information to customers on current technology capabilities and support of standards.

14.3 Guidance - Development of Cloud Roadmaps
- Creating a Cloud Roadmap http://soamag.com/I47/0211-1.php

==================================================
D. Organizational Best Practices
==================================================

In order to ensure that best practices are followed, it will be necessary to have a supporting organizational structure. The Cloud organizations can coordinate the sharing of information, resources, and guidelines across agencies and projects. The examples are a logical breakdown of responsibilities which can be allocated to groups chosen by government IT executives. See Federal Cloud Computing Strategy (Section IV. 6 Laying a Solid Governance Foundation).
-------------------------------------------------------------------------------------
15. Designate a Government Cloud Standards Group to act as a Liaison between the Government and Cloud Standards Organizations
-------------------------------------------------------------------------------------

This Group should have the following responsibilities:
a) Monitor the status of Cloud standards activities
b) Update SAJACC’s Cloud Interface Catalog and the Cloud Standards Roadmap WG’s Cloud Standards Inventory
c) Track the standardization requirements of government Cloud deployments and determine priorities
d) Disseminate information about standards to projects and convey prioritized government standards requirements to standards development organizations
e) Recommend standardizations to be used on government Cloud deployments
f) Define compliance tests to verify conformance of Cloud resources with standards specifications

Standards that should be monitored include SNIA’s Cloud Data Management Interface (CDMI) and OGF’s Open Cloud Computing Interface (OCCI).

15.1 References:
- Cloud Standards Roadmap Draft 11 (7.2 Standardization Priorities Based on USG Priorities and 8.2 Recommendations for Accelerating the Development and Use of Cloud Computing Standards)
- Cloud Synopsis and Recommendations (8.3.3 Portability of Workloads, 8.3.4 Interoperability between Cloud Providers, and Suggest Extension to Section 9 General Recommendations)
- SAJACC Cloud Interface Catalog Draft (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudInterfaceCatalog)
- UK Government ICT Strategy (Part 2 Action and Point 36)
- Cloud Standards Roadmap WG Cloud Standards Inventory (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/StandardsInventory)
- SIENA Roadmap (Standards Coordination)

15.2 Possible Support from Cloud Providers
- Participate in or monitor SDO discussions and provide information on plans for supporting future standards. If Cloud resource providers believe that future standards are unnecessary in specific areas, they should explain if and how customers can avoid being locked in to proprietary Cloud products.

15.3 Guidance - Creating a Government Cloud Standards Group
- U.S. NIST Cloud Computing Program http://www.nist.gov/itl/cloud/
-------------------------------------------------------------------------------------
16. Create an Inter-agency Cloud Policy, Organization, and Resource Sharing Committee
-------------------------------------------------------------------------------------

This Committee should set policies and organizational responsibilities, and maintain a Catalog of government-available Cloud resources and access procedures.

16.1 References:
- Cloud Synopsis and Recommendations (Section 9.1 Management)
- UK Government ICT Strategy (Point 32 and Point 59)
- TechAmerica’s Cloud2 Buyers Guide (Best Practices CIO/CISO)

16.2 Possible Support from Cloud Providers
- Support customer policies if possible. Provide specifications and usage descriptions for vendor interfaces.

16.3 Guidance - Cloud Governance and Management
- G-Cloud Service Management, Organization & Governance Approach http://www.cabinetoffice.gov.uk/sites/default/files/resources/06-G-CLOUD-ServiceManagement-OrganisationandGovernance-Approach.pdf

-------------------------------------------------------------------------------------
17. Create a Cloud Security, Privacy, Auditing, Regulatory Compliance, and Risk Management Group
-------------------------------------------------------------------------------------

This Group should be in charge of ensuring that all Cloud deployments satisfy government security, privacy, auditability, and regulatory compliance rules. It should also issue periodic updates on risks and avoidance recommendations.

17.1 References:
- Cloud Synopsis and Recommendations (Section 8.4 Compliance and Section 8.5 Information Security)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 10)
- Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment)
- UK Government ICT Strategy (Part 3 Action 25)
- TechAmerica’s Cloud2 Report (Recommendation 2, Recommendation 5, Recommendation 6 and Recommendation 9)
- TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 3 and Best Practices CIO/CISO)
- Open Data Center Alliance (Usage: Regulatory Framework, Security Monitoring, and Provider Security Assurance)
- SIENA Roadmap (Recommendations)
17.2 Possible Support from Cloud Providers
- Enable auditing of Clouds to meet regulatory and policy requirements

17.3 Guidance - Evaluating Risks (CSA)
- Top Threats to Cloud Computing from CSA https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
- Security Guidance from CSA https://cloudsecurityalliance.org/csaguide.pdf

-------------------------------------------------------------------------------------
18. Create a Cloud Procurement Support Group to define SLAs, Contractual Language, and Penalty Enforcement
-------------------------------------------------------------------------------------

This Group should develop government standards for core contractual language in procurements (e.g. service level descriptions), including penalty clauses. Projects should be able to extend and/or modify the core if necessary.

18.1 References:
- Cloud Synopsis and Recommendations (Section 8.2 Cloud Reliability)
- Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 9)
- Federal Cloud Computing Strategy (Section II. 2 Provisioning Cloud Services Effectively, Section II. 3 Managing Services rather than Assets and Section IV. 3 Streamlining Procurement Process)
- TechAmerica’s Cloud2 Buyers Guide (Best Practices Acquisition Manager)

18.2 Possible Support from Cloud Providers
- Support standardized SLA descriptions that can be used for evaluating Cloud capabilities

18.3 Guidance - Documenting functional and performance requirements and specifying contract requirements
- Cloud Contract Advice from Law.com, net-security.org, and Bizcloud Network
  http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202476608022&slreturn=1&hbxlogin=1
  http://www.net-security.org/secworld.php?id=11056
  http://bizcloudnetwork.com/cloud-procurement-best-practices-to-reduce-risk-in-cloud-contracts

18.4 Practical Guide to Cloud Computing (Step 7. Develop and Manage Service Level Agreements)
-------------------------------------------------------------------------------------
19. Create a Cloud Center of Excellence to Provide Technical Guidance to Projects on Emerging Technologies
-------------------------------------------------------------------------------------
The Center of Excellence should consist of Cloud technical experts who can advise projects on emerging Cloud technologies. This group will be necessary due to the rapid growth in Cloud products, services, tools, and open source implementations.

19.1 References:
- Cloud Synopsis and Recommendations (Add to Section 9 General Recommendations)
- UK Government ICT Strategy (Point 19, Point 38, Point 55 and Part 2 Action 11)
- TechAmerica’s Cloud2 (Recommendation 4)
- Open Data Center Alliance’s (Usage: Input/Output [IO] Controls)

19.2 Possible Support from Cloud Providers
- Provide information on current and future technology capabilities to customer technical staff. Work with customers to perform test evaluations of Cloud capabilities.

19.3 Guidance
- Creating a Cloud Computing Center of Excellence
- US Air Force creating Cloud Computing Center of Excellence
  http://www.cloudcomputingzone.com/2010/05/air-force-to-establish-cloud-computing-research-center-of-excellence/

19.4 Practical Guide to Cloud Computing (Step 5. Determine Who Will Develop, Test and Deploy the Cloud Services)

-------------------------------------------------------------------------------------
20. Create a Cloud Community of Practice Group to Share Experiences and Collect Best Practices
-------------------------------------------------------------------------------------
The Community of Practice should maintain ongoing discussions with agencies, government Cloud groups, industry, and vendors to determine the status of technology, standards, best practices, and risks. There should be periodic meetings to share this information with groups responsible for planning Cloud deployments.

20.1 References:
- Cloud Synopsis and Recommendations (Add to Section 9 General Recommendations)
- Federal Cloud Computing Strategy (Section III Case Examples to Illustrate Framework)
- Federal Cloud Computing Strategy (Section IV.1 Leveraging Cloud Computing Accelerators)
- UK Government ICT Strategy (Part 2 Action 3 and Part 2 Action 9)
- TechAmerica’s Cloud2 Report (Recommendation 14)
- TechAmerica’s Cloud2 Buyers Guide (Best Practices: Program Manager and Agency Leadership)
20.2 Possible Support from Cloud Providers
- Provide suggested best practices and industry case studies to help customers planning Cloud deployments.

20.3 Guidance
- Creating Communities of Practice
- Building Communities of Practice
  http://www.adb.org/Documents/Information/Knowledge-Solutions/Building-Communities-Practice.pdf

==================================================
E. Primary References
==================================================
1. NIST Draft Cloud Computing Synopsis and Recommendations
   http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
   (See Appendix F NIST Publications for additional security-related documents)
2. NIST Cloud Computing Standards Roadmap Draft
   http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/StandardsRoadmap/NIST_CCSRWG_040_4th_Draft_02_16_11_NIST_Cloud_Computing_Standards_Roadmap.pdf
   (See Bibliography for multiple external references)
3. Federal Cloud Computing Strategy
   http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf
   (See Appendix 2. Agency Resources for Cloud Computing for additional government links)
4. UK Government ICT Strategy
   http://www.cabinetoffice.gov.uk/resource-library/uk-government-ict-strategy-resources
5. TechAmerica’s Cloud2 Report from the TechAmerica Foundation’s Commission on the Leadership Opportunity in U.S. Deployment of the Cloud
   http://www.techamericafoundation.org/content/wp-content/uploads/2011/07/TechAmerica’s Cloud2.pdf
6. TechAmerica’s Cloud2 Cloud Buyers Guide
   http://www.cloudbuyersguide.org/the-guide/
7. Open Data Center Alliance’s Usage Models
   http://www.opendatacenteralliance.org/publications
8. SIENA European Roadmap on Grid and Cloud Standards for e-Science and Beyond
   http://www.sienainitiative.eu/Repository/FileScaricati/8ee3587a-f255-4e5c-aed4-9c2dc7b626f6.pdf
9. Practical Guide to Cloud Computing from the Cloud Standards Customer Council (To be published 4Q 2011)
==================================================
F. Additional References
==================================================
1. Cloud Best Practices Website
   http://www.cloudbestpractices.info/
2. Cloud Interoperability and Best Practices from Computerworld
   http://www.computerworld.com/s/article/9217158/Cloud_interoperability_Problems_and_best_practices
3. Best Practices for Cloud Computing from Gartner Group
   http://www.gartner.com/it/page.jsp?id=1689914
4. Architecting for the Cloud: Best Practices from Amazon
   http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf
5. Summary of Planned Agency Cloud Projects
   http://www.fiercegovernmentit.com/story/agencies-have-identified-78-services-cloud-migration-says-omb/2011-05-25
6. Details of Planned Agency Cloud Projects
   http://assets.fiercemarkets.com/public/sites/govit/agencieshaveidentifiedsystems.pdf
7. Ten Papers on Best Practices in Cloud Computing from 2010
   http://www.datacenterknowledge.com/archives/2010/12/16/best-practices-in-cloud-computing-for-2010/
8. Cloud Security Alliance Governance, Risk Management And Compliance Stack
   https://cloudsecurityalliance.org/research/projects/grc-stack/
9. G-Cloud Phase 2 Documents from the UK
   http://www.cabinetoffice.gov.uk/resource-library/g-cloud-programme-phase-2
10. An Open Interoperable Cloud (OGF, CDMI, OCCI)
   http://www.infoq.com/articles/open-interoperable-cloud
11. The Future of Cloud Computing: Opportunities for European Cloud Computing 2010 and Beyond
   http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf
12. Upcoming international public sector Cloud event
   http://events.oasis-open.org/home/cloud/2011/about
13. Cloud-Standards.org
   http://cloud-standards.org
==================================================
G. Guidance References (Patterns)
==================================================
Design pattern (computer science) - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Design_pattern

Cloud Patterns
- Many Cloud App Design Patterns
  http://www.slideshare.net/shl0m0/many-cloud-app-design-datterns
- Lockheed Martin Deployment Cloud Design Patterns
  http://www.slideshare.net/kvjacksn/lockheed-martin-deployment-cloud-design-patterns
- Patterns For Cloud Computing
  http://www.slideshare.net/simonguest/patterns-for-cloud-computing
- SOA Design Patterns in the Cloud | SOA World Magazine
  http://soa.sys-con.com/node/1654420
- Cloud Computing Design Patterns | Bob on Medical Device Software
  http://rdn-consulting.com/blog/2009/06/28/cloud-computing-design-patterns/

SOA Patterns
- SOA Patterns
  http://www.soapatterns.org/
- SOA Patterns article
  http://www.soabooks.com/soa_patterns/soa_patterns_article.pdf

Vendor-Specific Cloud Design Patterns
- Design Patterns in the Windows Azure Platform | Cloud Computing Journal
  http://cloudcomputing.sys-con.com/node/1627248
- AWS Architecting Cloud Apps - Best Practices and Design Patterns
  http://www.slideshare.net/AmazonWebServices/aws-architectingjvariafinal
- VMware: VMware vCloud Blog: Cloud Architecture Patterns: Overview
  http://blogs.vmware.com/vcloud/2010/10/cloud-architecture-patterns-overview.html
- Force.com Architecture Design Principles | Force Architects: Delivered Innovation Blog
  http://forcearchitects.deliveredinnovation.com/2011/03/07/force-com-architecture-design-principles/
- Cloud Computing Patterns, Architectures, and Best Practices from Sun
  http://wikis.sun.com/display/cloud/Patterns
- Design Patterns Conference | Cloud Connect 2011
  http://www.cloudconnectevent.com/cloud-computing-conference/design-patterns.php
- SOA Design Patterns in the Cloud (Oracle, Amazon)
  http://srinivasansundararajan.sys-con.com/node/1654420/mobile