Report from an Ad Hoc subgroup of the NIST Cloud Standards WG. It uses a mapping of a key Use Case to a Reference Architecture to derive standardization recommendations.
2011 IaaS standards report from Ad Hoc WG
“Cloud First” Business Use Case Driven Analysis for IaaS Standards
This is a report from an Ad Hoc Subgroup within the NIST Standards Roadmap Working Group.
The Subgroup was established to explore the use of Business Use Case to drive Standards
Roadmap analysis. The analysis will directly support the Federal CIO’s Cloud Strategy: “NIST
will help to identify operationally driven priorities for cloud computing standards and guidance
by working with Federal agencies and other stakeholders to define a set of mission driven
scenarios for cloud computing implementation and operations.” The focus of the analysis will
be only on Infrastructure as a Service (IaaS) deployments due to schedule limitations.
1. Executive Summary
Figure 1 illustrates how the process ties together the outputs of different NIST Working Groups.
Figure 1. Business Use Case Driven Cloud Standards Roadmap Process
The basis of the analysis will be Section A of the "25 POINT IMPLEMENTATION PLAN TO REFORM
FEDERAL INFORMATION TECHNOLOGY MANAGEMENT" (http://www.cio.gov/documents/25-Point-Implementation-Plan-to-Reform-Federal%20IT.pdf).
This Plan includes the following activities.
• NIST leadership in Cloud standards analysis
• Data center consolidation
• Default to Cloud-level deployments for new Systems
• Rapid migration from legacy systems to the Cloud
• IaaS resources available to agencies through GSA contract vehicles and government-wide
authorizations
• Publish GSA contract vehicle for Cloud-based e-mail followed by a process for other SaaS
acquisitions
• Develop a government-wide shared services strategy
There are specific Business Use Cases associated with the planned activities.
• Deploying services and managing access to Public Clouds
--- Multiple Virtual Private IaaS services
--- Multiple commodity SaaS services
• Developing, deploying, operating, and managing access to Private Clouds
--- Private IaaS Clouds
--- Private PaaS Clouds
--- Private “shared services” Community Clouds
• Interfacing enterprise systems to Clouds
• Migration of legacy systems to Clouds
• Consolidating data centers
The initial analysis will deal with the most immediate Business Use Case which is the rapid
migration of legacy systems to IaaS Cloud deployments. Each agency has been asked by the
Federal CIO to migrate 3 systems to the Cloud in the next 18 months. The GSA has approved 11
IaaS Cloud providers. The BUC-driven process will determine what standards are needed to
successfully migrate and operate systems on diverse IaaS Clouds. The key result will be the
identification of maturity gaps in the standards and recommendations for next steps.
Summary of results and recommendations for multiple IaaS Cloud Deployments
To achieve portability and interoperability across deployments, it will be necessary to have
standardization of the interfaces to IaaS Clouds (e.g. management APIs). There are several
efforts underway in this area including OGF OCCI and DMTF’s Cloud Management Working
Group. Unfortunately neither of these initiatives has yet produced a standard that will be
implemented by the government’s IaaS suppliers.
The government should consider alternatives to deal with this IaaS interface standards maturity
gap. There have been several suggestions including accelerating the standards activities, having
suppliers address future integration problems, and creating government Cloud brokering layers.
To choose the best approach, it is recommended that the government set up an IaaS Interfaces
Study Group with members from government, SDOs, and industry. The final report from this
Group should provide guidelines that will support efficient Cloud deployments while avoiding
costly future system integration problems (e.g. from vendor lock-ins).
2. Business Use Case
The Federal CIO’s 25 Point Plan mandates: “Each Agency CIO will be required to identify three
“must move” services and create a project plan for migrating each of them to cloud solutions
and retiring the associated legacy systems. Of the three, at least one of the services must fully
migrate to a cloud solution within 12 months and the remaining two within 18 months”. The
GSA has approved 11 vendors to provide IaaS resources. These vendors support a diverse set of IaaS
interfaces. The “Cloud First” Business Use Case is supporting evolving business processes as
Cloud deployments are implemented. This Business Use Case will require interoperability and
portability across multiple Cloud deployments and enterprise systems.
The Business Use Case Working Group has produced a template for documenting specific use
cases. It includes a Concept of Operations where Current System and Desired Cloud
Implementation are described. The template also requires information about “how the current
system integrates with other systems, what are security requirements, do network considerations
vary among users (local versus remote, for example), etc” to aid in migration. The “Cloud First”
Business Use Case is an expansion of this analysis to multiple interacting Current Systems and
Cloud Implementations.
3. Business Reference Architecture
The Business Reference Architecture Working Group has defined Roles, Service Delivery
Models (IaaS, PaaS, SaaS) and Service Deployment Models (Public, Private, Hybrid,
Community). The last two are based on earlier NIST work. The Cloud Services Roles include
Provider, Carrier, Consumer, Broker and Auditor.
The Models have to be extended for the “Cloud First” Business Use Case. An additional Service
Delivery Model for “Enterprise Systems” is needed to capture the requirement for migration and
interfaces between Clouds and existing systems. “Enterprise Systems” run within the enterprise.
They can use virtualization, service-oriented interfaces, and/or older technologies.
An additional Service Deployment Model for “Virtual Private Clouds” is necessary to describe
the implementation of Private Cloud capabilities on Public Clouds. For Virtual Private Clouds,
the cloud infrastructure is made available to an enterprise but is owned by an organization
selling cloud services. The policies for the use of the services are based on contracts between the
enterprise and the organization supplying the services.
Cloud Brokers are the implementors of capabilities that mediate between the Consumer and
Provider of Cloud Services. See Figure 2. The Taxonomy describes Cloud Brokerages that
“provide cloud service consumers a unified and enhanced management interface to multiple
cloud service providers.” There are examples (e.g. GSA awards) where a Broker makes
available the resources of a single Cloud Services Provider to Cloud Consumers.
Figure 2. Cloud Broker Scenario from Reference Architecture Working Group
The “Cloud First” Business Use Case will focus on IaaS deployments. The Deployment Model
will not have a large impact in the initial analysis. In a deeper study, the differences among the
Deployment Models will have to be taken into consideration. The key role will be Cloud
Provider. However the capabilities of Cloud Brokers must be explored because of the potentially
important part they could play in supporting interoperability and portability.
4. Technical Use Cases
The SAJACC Working Group has produced a set of technical use cases including a Cloud
Management Broker (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudComputingUseCases)
and a list of existing Cloud APIs (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudInterfaceCatalog).
Their Use Cases are at varying levels of detail. For the “Cloud First” Use Case analysis, a set of
high level generic scenarios was defined to clarify the scope of the study.
The Scenarios are listed below.
Single Cloud
Scenario 1. Deployment on a Single Cloud
Scenario 2. Manage resources on a Single Cloud
Scenario 3. Interface Enterprise Systems to a Single Cloud
Scenario 4. Enterprise Systems migrated or replaced on a Single Cloud
Multiple Clouds
Scenario 5. Migration between Clouds
Scenario 6. Interface across Multiple Clouds
Scenario 7. Work with a Selected Cloud
Scenario 8. Operate across Multiple Clouds
Figure 3 illustrates the different generic scenarios.
Figure 3. High Level Generic Scenarios
Based on the Federal CIO’s mandate, the initial “Cloud First” Technical Use Cases will be the Single Cloud Scenarios:
Scenario 1. Deployment on a Single Cloud
Scenario 2. Manage Resources on a Single Cloud
Scenario 3. Interface Enterprise Systems to a Single Cloud
Scenario 4. Enterprise Systems migrated or replaced on a Single Cloud
The role of interface standards (or a Cloud Broker) in these scenarios is to provide portability
across different Clouds for applications, data and tools. Specifically, the impact of replacing one
IaaS provider with another should be minimized to prevent lock-in. The next step will then be to
consider Scenario 5 (Migrate between Clouds) and Scenario 6 (Interface Clouds). In future
architectures, a Cloud Broker could support dynamic Cloud selection in Scenario 7 (Work with a
Selected Cloud) and interoperability for Scenario 8 (Operate across multiple Clouds).
Some more detailed technical use cases for IaaS deployments are:
1. Creating, accessing, updating, deleting data objects in Clouds
2. Moving VMs and virtual appliances between Clouds
3. Selecting the best IaaS vendor for private externally hosted Cloud
4. Tools for monitoring and managing multiple Clouds
5. Moving data between Clouds
6. Single sign-on access to multiple Clouds
7. Orchestrated processes across Clouds
8. Discovering Cloud resources
9. Evaluating SLAs and penalties
10. Auditing Clouds
5. IaaS Interface Standards
There are several facets of IaaS interfaces that are candidates for standardization including:
* Management APIs
* Data Exchange Formats
* Federated Identity
* Resource Descriptions
* Data Storage APIs
Standards work is underway in all of these areas. There are several standards that have been
published from consortia, e.g. the OGF OCCI management API and the SNIA CDMI storage API.
However, none of the government’s approved Cloud providers has committed to the use of IaaS
standards. In general, there are no industry roadmaps available for the release or adoption of
Cloud standards.
6. Technical Reference Architecture
The Reference Architecture Working Group has developed a layered reference architecture.
Figure 4. Layer Technical Reference Architecture
The layered reference architecture includes Cloud Brokers, which insulate users from the
underlying Cloud interfaces.
7. Available Standardizations
The Standards Roadmap Working Group has created a Standards Catalog that is available at
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/StandardsInventory
Many of the standards are for pre-Cloud technologies such as Web Services and the Internet.
The leading new Cloud-specific standards are SNIA CDMI for Cloud data storage, OGF OCCI
for IaaS Cloud Management APIs, and DMTF OVF for vendor-independent VM descriptions.
8. Roadmap Analysis
The Technical Use Cases for IaaS Deployments can be mapped to Standardizations:
1. Use Case: Creating, accessing, updating, deleting data objects in Clouds
Benefits: Cross-Cloud applications
Standardizations Needed: Standard interfaces to metadata and data objects
Possible Standards: CDMI
Priority: Near term
Availability: Now for CDMI 1.0 (Level 5)
2. Use Case: Moving VMs and virtual appliances between Clouds
Benefits: Migration. Hybrid Clouds. Disaster Recovery. Cloudbursting
Standardizations Needed: Common VM description format
Possible Standards: OVF from DMTF
Priority: Near term because OVF is available and an official standard
Availability: Now for OVF (Level 6)
3. Use Case: Selecting the best IaaS vendor for private externally hosted Cloud
Benefits: Provide cost-effective reliable deployments
Standardizations Needed: Resource and performance requirements description languages
Possible Standards: TBD
Priority: Medium term
Availability: TBD
4. Use Case: Portable tools for monitoring and managing Clouds
Benefits: Simplifies operations as opposed to individual tools for each Cloud
Standardizations Needed: Standard management interfaces to IaaS resources
Possible Standards: DMTF Cloud Management WG, OGF OCCI
Priority: Medium term
Availability: TBD
5. Use Case: Moving data between Clouds
Benefits: Migration between Clouds. Cross-cloud applications
Standardizations Needed: Standard metadata/data formats for movement between Clouds.
Vendor mappings between Cloud data and standard formats
Standardized query languages (e.g. for NoSQL for IaaS)
Possible Standards: TBD
Priority: Near term to avoid lock-in
Availability: TBD
6. Use Case: Single sign-on access to multiple Clouds
Benefits: Simplified access. Cross-cloud applications
Standardizations Needed: Federated identity and authorization
Possible Standards: OpenID, OAuth, OASIS, CSA outputs
Priority: Medium term
Availability: TBD
7. Use Case: Orchestrated processes across Clouds and Enterprise Systems
Benefits: Enhanced applications
Standardizations Needed: Standards for APIs and data movement
Possible Standards: Existing SOA standards and new Intercloud standards from IEEE
Priority: Long term because new standards must be developed and tested
Availability: TBD
8. Use Case: Discovering Cloud resources
Benefits: Selection of appropriate Clouds for applications
Standardizations Needed: Description languages for available resources. Catalog interfaces
Possible Standards: DMTF, TM Forum
Priority: Medium term
Availability:
9. Use Case: Evaluating SLAs and penalties
Benefits: Selection of appropriate Cloud resources
Standardizations Needed: SLA description language
Possible Standards: TBD
Priority: Long term because it is a hard problem
Availability: TBD
10. Use Case: Auditing Clouds
Benefits: Ensure regulatory compliance. Verify information assurance.
Standardizations Needed: Auditing standards and verification check lists
Possible Standards: CSA Cloud Audit
Priority: Near term because it is needed to avoid risky deployments
Availability: TBD
For all of the required standardizations, there are no clear cut mature standards solutions.
Ongoing Roadmap analysis should track the development of the standards and update the
Standards Inventory as necessary.
9. Evaluations
The available standards should be evaluated for maturity on detailed technical use cases and the
results published. See Table 1.
| Availability Level | Description | Recommendation |
|---|---|---|
| 1. No Standards | Standardization needed | Encourage standards development |
| 2. Under Development | Discussions within standards groups. Open source project launched. | Monitor and provide feedback to standards development |
| 3. Specification Document Published | Initial specification posted for public review | Review specification and plan testing |
| 4. Initial Reference Implementation | Reference implementation available | Evaluate reference implementation |
| 5. Early Third Party Testing | Evaluation in test environments | Pilot Projects should consider use |
| 6. Initial Production Implementations | Successful use in production | Mainstream projects should consider use |
| 7. Many Deployments | Widespread use by many groups | Projects should use the standard as a default |
| 8. Accepted Standard | De facto or de jure acceptance as a standard | Projects should use unless special circumstances require exemption |
| 9. Aging Standards | New standards are under development | Projects should explore alternatives |
Table 1. Standards Maturity Model Table
Possible approaches in the absence of mature standards could also be tested. These alternatives
could include adaptors based on government specifications that could provide standardized
interfaces to IaaS Clouds. The impact of the adaptors on functionality and performance could be
documented.
10. Recommendations
One of the key issues for a Cloud Standards Roadmap is recommendations for deployments
while waiting for standards to mature. This issue is especially significant for large enterprises (e.g.
US Government) that will deploy multiple Cloud applications often interfaced to existing
systems.
In the current state of enterprise Cloud Computing, standards are immature and eventual
dominant products have not been decided. The emphasis at this time should be on maintaining
flexibility. The general principle is to design deployments to minimize the impact of change
without significantly compromising functionality. There are key Cloud architecture design
decisions where this principle can be used to avoid vendor lock-in.
For the “Cloud First” Business Use Case of multiple IaaS deployments, the use of tightly
coupled non-standard interfaces from enterprise to Clouds can increase the effort required for
future portability. Unfortunately mature standard IaaS interfaces are not available at this time.
This will increase costs when applications have to be migrated across Clouds in the future. There
are several possible ways to address this problem. Note that different aspects of the interfaces
(e.g. APIs, VM movement, Federated Identity, data exchange formats) can be handled separately
as standards become available. The alternative approaches can be grouped into three categories.
* Not require any constraints on IaaS interfaces now or in the future
- Let Cloud Providers optimize their current IaaS interfaces
- Let agencies choose the approved Cloud Provider that best meets their needs
- Use system integrators or Cloud Providers to implement migrations when necessary
* Use formal standards in the future with no current IaaS interface constraints
- Accelerate the creation and adoption of standards
- Require Cloud Providers to natively support standards when they become available
- Require Cloud Providers to create adaptors to support standards when available
* Use government IaaS interface specifications now while moving to future formal standards
- Develop consensus government specifications that can migrate to future formal standards
- Require Cloud Providers to build adaptors to support government specifications
- Create a modular distributed Cloud Brokering layer to support government specifications
Selecting the correct alternatives will be critical to ensure cost-effective future government
Cloud deployment architectures. These decisions will require a structured process based on
empirical data and evaluations.
Recommendation: The Cloud Computing Standards Roadmap Working Group should
provide specific recommendations related to interface standards for IaaS Cloud
deployments. The recommendations can include the use of existing standards, emerging
standards that need to be evaluated, areas where standards should be accelerated, tactical
solutions while waiting for standards to mature, and potential risks in proprietary interfaces. The
key question is how to create robust, flexible architectures while deploying applications on
diverse IaaS Clouds.