European Commission Public Consultation on Cloud ComputingResponse of OASIS (www.oasis-open.org)30 August 20111. Are you responding for a Company? Yes.2. Size in number of employees? 18. See question 6.3. Sector? Computing & Internet. See question 7.4. Country where legally established? United States.5. Are you a Public Administration? No.6. Size in number of employees? OASIS is a global standards consortium, with 18 employees and about 5000 participantsrepresenting over 600 companies & individuals. We have advised our own members aboutthis inquiry, in case they wish to respond. Of course, their opinions are their own, and thisresponse does not represent the views of any of our member companies, governments orindividuals, but only the observations of OASIS professional staff.7. Sector? OASIS produces data standards for Computing & Internet activity in industry andgovernments.8. Country where legally established? OASIS is a not-for-profit corporation established in the United States, with representativesalso in (among other places) China, France, Japan, the Netherlands and Switzerland.
9. If you are not a company or a public administration, are you … (Not applicable.)10. If other, please explain. (Not applicable.)11. If you are a user of cloud services, please describe your current use of cloud computing.What kind of problems do you encounter when using cloud computing solutions in the EU?Elsewhere? OASIS operates as a global venue for collaborative voluntary standards development,across many time zones, borders and languages, depend heavily on remote access andparticipation capabilities. These include database-driven administration and archiving of ourtechnical committees work, collaborative workspaces, and enterprise e-mail, the majority ofwhich are provided by third party services providers on a cloud or similar remote platform.12. If you are a potential user but not active yet: What are the main reasons for not (or notyet) using cloud computing? In some cases, we have elected to purchase self-installed and self-hosted software formission-critical functions, and declined the alternative of purchasing cloud-based software-as-a-service”. Sometimes this business decision was made in order to retain greater controlover the installation. In other cases, when we chose against a cloud service, our main reasonwas greater certainty about the survivability of our access to our data if the software providerfailed.13. If you are a provider of cloud services: Please describe your offer. What kind of barriersdo you face in providing your cloud computing services within the EU? Elsewhere? We are not a traditional provider of computing services. However, as a widely-used openstandards consortium that hosts market-driven standards projects, our principal “products” areforums and publications about data structure rules and consensus. Many of our projects affect or provide guidance to cloud computing practices, generallyincluding our cybersecurity, electronic identity, SOA and web services, and contentmanagement and semantic projects. (See the question below on “existing or emergingstandards” for a longer list.) Among other things, OASIS also participates in and has provided experts to theStandards and Interoperability for eInfrastructure implemeNtation InitiAtive (SIENA) project(http://www.sienainitiative.eu/), and hosts the International Cloud Symposium (ICS) nearLondon in October, 2011 (http://events.oasis-open.org/home/cloud/2011), at which many ofthese issues will be addressed.
Clouds for users1. Do you feel that in the cloud services you are currently using or have been evaluating (orare providing), the rights and responsibilities of both user and provider are clear? Yes.2. Please comment. As a group of computing experts, OASIS may not be a typical corporate consumer ofcloud-based services: our degree of understanding of cloud-related contractual duties maybe unusual. However, clarity is the not same thing as balance. Cloud service offerings often are massmarket offerings, made under terms wholly defined by the seller. While we may understandthe terms of cloud service contracts clearly, they may not always be attractive, marketable orfeasible.3. Are you aware of the applicable jurisdiction in different types of disputes that could ariseduring your provision or use (or potential future use) of specific cloud offerings? Yes.4. Is there an alternative approach to the determination of jurisdiction that may work betterfor both users and providers? Yes.5. If yes, please comment. As the differences among legal and regulatory requirements in different jurisdictionsbecome more clear, user preferences may respond to them, creating a “market” for the morefavorable legal frameworks. We already are aware of some instances where cloud servicesusers attempt to choose their governing law by preferring hosts venued in some locationsrather than others. The demands of some states that a global Internet service establish local servers alsopoint to the significance, in some minds, of physical location and jurisdiction. Governments may wish to consider how to better cooperate, in applying laws to multi-national entities who serve global customer bases from a given set of locations. Is it possibleto work towards a multi-national reciprocity model, where the exact location of a servicesserver becomes less significant?6. Please comment. [No answer.]7. Do you feel that the question of liability in cross-border situations is clear for cloud usersand cloud providers? No.
8. Why? There often is a definitive answer. In order to learn it, though, a buyer or user mustnavigate and analyze long textual conditions which may not be clear to average readers: theterms may not be obvious, conspicuous or easy to comprehend. It seems likely that manyconsumers of many cloud computing services do not know anything about the legalconditions under which they consume the service. However, exclusive jurisdiction clauses are not a new development. Service contractswhere providers specify that they may only be sued in their home jurisdiction long predatecloud computing. Many transactions in the commercial (“B2B”) sector address the applicationof cross-border law to multi-party situations without difficulty. The economics of cloud computing services may not always adapt well to traditional legalresolution. In a tangible commercial shipping contract -- goods and services exchanged inhigh-denomination transactions -- the amount at stake may support significant costs toresolve disputes. In contrast, cloud computing services often are offered in small,componentized units, and often on an inexpensive or even free basis. Traditional high-costlitigation & contract enforcement methods may not be efficient for resolving disputes about alarge volume of small-value data transactions.Legislative Framework1. Do you think there are updates to the current EU Data Protection Directive that couldfurther facilitate Cloud Computing while preserving the level of protection? [No answer.]2. If yes, please explain. [No answer]3. Are you aware of specificities in Member State data protection rules, or other legislation,that prevent you from using/providing cloud services within the EU? Yes.4. If yes, please detail. In some cases, we are interested is in conducting message exchanges that producelegally enforceable transactions or agreements. This sometimes will require that the entitieswho exchange messages, or their representatives, are able to associate binding assurancesof identity and contractual assent – the electronic equivalent of signatures. But the technicalstandards for acceptable and enforceable electronic signatures vary from state to state, andthe requirements of the laws may not apply well to existing technology alternatives. Forexample, the European Directive on Electronic Signatures (1999/93/EC), and certain memberstate enactments such as the German “SigG” Law Governing Framework Conditions forElectronic Signatures (Bundesgesetzblatt – BGBl, Teil I S. 876, 21 May 2001), describe andfavor some specific anticipated “advanced” technologies that were anticipated as desirable, at
the time, but may or may not have developed into feasible, widely available options, in thedecade since then.5. From your perspective, would it be useful if model Service Level Agreements or End UserAgreement existed for cloud services so that certain basic terms and conditions could easilybe incorporated into the contractual agreements. Yes.6. If no, why not? [Note our caution about mandated solutions, below.]7. If yes, further thoughts about how this might work. Model forms, as such, probably would be very helpful in the still-early commercial andlegal development of the industry and its transaction forms. However, a prescriptive set of forms that is imposed on transactions, rather than one thatevolves from market practices, might quell the natural market development of risk allocationoptions and new service models, as clouds evolve. Government traditionally provides somemarket stability though fair trade / anti-deceptive-practice laws, regulation of clarity andpersonal privacy, and mechanisms for cross-border dispute resolution. Those functions,properly carried out, ought to facilitate a robust cloud computing market of services, allowingvarious economic models and technology offerings to circulate and compete.Embracing interoperability1. Please describe interoperability or (data) portability issues you have encountered whenusing/providing cloud services or are otherwise aware of. In the case of commercial databases, limited early data export capabilities eventuallygave way to widespread shared service interfaces and formats (like ODBC, JDBC and XML).We expect that widespread adoption of cloud computing will be enabled in the same way byopen standards. Users will be able to confidently rely on cloud services, when there arewidely-known and freely-available methods for data exchange and for service discovery andservice invocation. These will reduce the risk of vendor lock-in, and reduce the costs of re-tooling in order to add a new supplier. Realizing those benefits will require the use of stablestandards, created in an open process, with well-established licensing terms and disclosure,and housed by reliable, vendor-neutral development environments.2. Which existing or emerging standards support interoperability across clouds and portabilityof data (from one cloud to another)? Please list and describe. Quite a few may apply. Among others, (a) Interoperable data content & semantic meaning is supported by OASIS OpenDocument, DITA, CMIS, QUOMOS, UnitsML, XRI/XRD & Search Web Services; W3Cs HTML, XML & RDF; and CLIF (ISO/IEC 24707);
(b) Reliable data exchanges, wide-area identity management & access control are supported by OASIS XACML, ID-Cloud, WS-Trust, XSPA, ebXML Messaging, WS- ReliableMessaging, SOA-RM, S-RAMP and ebXML Registry (some of which have been cloud-optimized); OpenID and the Kantara ID-FF; and (c) Appropriate security & privacy are supported by OASIS SAML, WS-Security & PMRM, IETFs OAuth and W3Cs P3P.One caution: browser-session-centric models from the consumer (B2C) sphere may havelimited application to complex cloud (B2B and G2B) requirements.3. What are the most important standards that are currently missing but which you feel arenecessary to insure interoperability and portability? Please describe in detail the aspectsthey should cover. Many of the needed functionalities for robust interoperable cloud services already exist, inestablished SOA, virtualization, transaction management and other computing and businessprocess methods. Its important to acknowledge that implementation of capabilities in “thecloud” often does not require a completely new set of technical or business systems. In a highly-distributed, highly-heterogenous ecosystem of cloud computing services,choosing stable open standards is a necessary part of the solution. As an additional suitability filter, it may also prove important to employ only standards thatare relatively free of obstacles to adoption. Aggregated chains of networked data transactionsamong strangers and newcomers, triggering the economic benefits of an open networkedmarket, are much more likely to occur if the base standards which participants must embraceare: (a) clear and easy to deploy; (b) well documented; (c) relatively free of licensing complexity or cost; (d) capable of optionality to support multiple platforms and designs; and (e) readily testable. As noted above, the lack of existing widely-agreed federatable standards for identityprovisioning and management retards the spread of markets of high-value data transactions,by impairing the ability of users to enter into reliable, repeated data exchanges withidentifiable counterparties.Public sector clouds1. What can the public sector do as a cloud user to support the emergence of bestpractices? (a) Publish and circulate its own RfPs and bid documents as models. (b) Require the use of vendor-neutral, interoperable methods that support the open standards ecology. (c) Participate actively (as some government agencies already do) as instigators and contributors to the development and maintenance of those shared resources (like standards projects and common repositories). (d) Deploy its own data architectures on a service-based, open-API model that models and encourages virtuous re-use.
(e) Simplify its own copyright & similar licensure terms, where applicable, to remove transactional-complexity barriers to reuse.2. Please elaborate in particular on public procurement of cloud services. Government use of cloud services for critical functions raises some additional possiblejurisdictional issues. Multiple nations have sought local server co-location from various globaldata providers in the last few years -- often unsuccessfully, and presumably driven in part by adesire for physical jurisdictional ability to enforce their rights against the services. Apreferable solution may be: (a) the development of service models and remediation methodsthat give a purchasing government some reasonable remedies & assurance of reliability andrecovery, regardless of service provider location; and (b) significant demands for moreportable and replicable data & services, so that a purchasing government can readily maintainmultiply redundant backup capabilities, as protection against the risks of any one provider.3. In particular, can the deployment of eGovernment and eScience infrastructures by thepublic sector act as an example for other sectors? E-government service offerings often serve as early lead instances of data transactionsthat provide models for other sectors to follow. The strong roles of government agencies inthe initial development of the Internet itself, as well as automated supply chain and invoicingtransactions and e-health transactions, evidence this. If public administrations insist on, andhelp measure and define, levels of predictability, reliability and interoperability, thoseinstances may serve as positive models that influence the commercial markets for cloudservices as well.4. Please list Member State initiatives in the area of Cloud Computing that you are aware of. Many of our standards and experts have been involved at the regional level on large-scale, Commission-promoted projects like PEPPOL (http://www.peppol.eu/), eCODEX(http://www.ecodex.eu/), SIENA (http://www.sienainitiative.eu/) and SPOCS (http://www.eu-spocs.eu/). While these are not technology research projects, they are deployment plans,each of which assume wide-spread data and transaction promulgation that necessarily reliesin large part on cloud methodologies and services.5. Do you think they are [adequate / go too far / not enough]? [No answer.]6. Please elaborate. [No answer.]7. How can Member States best cooperate to create interoperability solutions and sharedbest practices? By participating in, and donating their relevant nonconfidential use cases to, openstandardization projects.
Future Research and Innovation programmes1. Which are the most important technical aspects of cloud computing that researchers arecurrently working on? While the list of useful research fields in this general topic area is long, as a datastandards organization, we are particularly interested in: (a) common models for data registries, directories and repositories, in support of complex transaction models and data governance; (b) federated identity provisioning and management, to enable reliable electronic interchanges with reasonably known parties; (c) data transformation, modeling, mapping and interface methods that may help bring about greater interoperability and data portability across diverse systems (and better service recovery); and (d) tools and methods that make conformance and interoperability tests more widely available and useable.2. Beyond these, do you see technical problems/limitations of current cloud service offeringsthat will require further research in the coming years? Yes.3. Please elaborate. Interoperability and conformance testing is a sine qua non requirement of growing openmarkets of transactional capabilities that rely on shared data structures (like open standards).But the prevailing model is one of large, relatively expensive testing, episodically gated bysoftware release schedules. As the desire to participate in data exchanges spreads to amuch larger group of new and diverse entrants, we will experience a need for easier, simplerand self-help-oriented testing and validation mechanisms. Research to design and facilitatethe evolution of services and tools for "DIY" or "nanotesting" would be helpful to widespreadadoption and market growth. Also, current computing security models, to a large extent, were developed in the contextof centralized controls and select trusted systems. The different risks and needs of widely-distributed and loosely-coupled data transactions, in a cloud environment, are still in earlystages of definition. So cloud-based services do not yet always have the benefit of widely-known and widely-implemented security guidance.4. Should public R&I funding be used to establish prototypes of new cloud infrastructures? Yes.5. If yes, please describe types of projects/prototypes you would see as useful, and explainwhy. Ideally, public authorities would develop cloud capabilities to fulfill their own business andpolicy functions more effectively. These, if well documented and designed, could serve"double duty" also as prototypes and models for further similar developments in other sectors.
Global solutions for global problems1. What are the most important Cloud Computing solutions that have to be discussed at theglobal level? Please list and explain. (a) Identify pre-existing standards-based solutions already in use, likely in sets with multiple possible combinations, in the areas of security, content representation, access control (identity/privacy), and service deployment & access, to demonstrate the immediate feasibility of reliable, interoperable cloud functions. (b) Seek collaboration on vocabulary, identifier and data architecture resources for use in wide-scale service discovery and service invocation. (c) International cooperation (including reciprocity and comity) on practical resolutions to cloud computing jurisdictional issues. (d) Promote automatable representation of policy and rule constraints on cloud transactions & exchanges.2. What would be the right fora/approaches to tackle them? Please expand. Carefully-scoped and government-encouraged cooperative work by established openstandards bodies with relevant expertise.Respectfully submitted,James Bryce Clark, General Counsel, for OASIS