I had the pleasure of participating in the NIST Cloud Computing Forum and Workshop V, held last week in Washington, DC. The event had a mixture of participants from the public sector, private sector and standards development organizations (SDOs) and was an interesting look into the state of cloud computing standards as we reach the middle of the journey to maturity in cloud computing.
While at the Forum, I was happy to announce that the remainder of the DMTF VMAN specifications has been adopted by ANSI. These specifications allow for a standard set of models and interfaces for managing virtual machines and their resources. I anticipate even greater adoption of these specifications in the years to come.
The big news at the Forum was that FedRAMP was launched on June 6th. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services across government agencies. The goals of the program, from its website (www.FedRAMP.gov), are to:
- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed upon standards to be used for Cloud product approval inside or outside of FedRAMP
- Ensure consistent application of existing security practices
- Increase confidence in security assessments
- Increase automation and near real-time data for continuous monitoring
The FedRAMP program is just starting and may have a few kinks to be ironed out, but it’s a good first step in the right direction!
One of the two panels on which I participated was USG Cloud Computing Technology Roadmap Priority Action Plan (PAP) Progress and Examples. These are documented more fully in NIST Special Publication 500-293.
Here is a list of the top ten requirements from that specification:
- Requirement 1: International voluntary consensus-based interoperability, portability, and security standards (interoperability, portability, and security standards)
- Requirement 2: Solutions for high-priority Security Requirements (security technology)
- Requirement 3: Technical specifications to enable development of consistent, high-quality Service-Level Agreements (interoperability, portability, and security standards and guidance)
- Requirement 4: Clearly and consistently categorized cloud services (interoperability and portability guidance and technology)
- Requirement 5: Frameworks to support seamless implementation of federated community cloud environments (interoperability and portability guidance and technology)
- Requirement 6: Technical security solutions which are de-coupled from organizational policy decisions (security guidance, standards, and technology)
- Requirement 7: Defined unique government regulatory requirements, technology gaps, and solutions (interoperability, portability, and security technology)
- Requirement 8: Collaborative parallel strategic “future cloud” development initiatives (interoperability, portability, and security technology)
- Requirement 9: Defined and implemented reliability design goals (interoperability, portability, and security technology)
- Requirement 10: Defined and implemented cloud service metrics (interoperability and portability standards)
At the Forum, we also got a glimpse of some other NIST programs, including an update on their Cyber Security Center of Excellence, work on their health records in the cloud, new identity management standards activities and work that is being started on standards for Big Data.
It is clear that there’s a lot going on at NIST, and that interoperability, portability and security standards are a key part of that and the government’s top priority to achieve the vision of cloud computing.