Standardizing the cloud: A call to action

CIOs who hope to benefit from the low cost and convenience of cloud computing should pay attention to the evolving need for better, more consistent technological standards. According to a recent Booz & Company study, current internet-based computer services operate under surprisingly inconsistent, often incompatible standards. Resolving the situation will require a concerted effort by cloud service providers, business customers and government regulators, as well as the CIOs themselves – but until that happens, the cloud will not realize its promise.

Contacts

Chicago: Mike Connolly, Senior Partner, +1-312-578-4580, mike.connolly@strategyand.pwc.com
Düsseldorf: Dietmar Ahlemann, Partner, +49-211-3890-287, dietmar.ahlemann@strategyand.pwc.com
Frankfurt: Olaf Acker, Partner, +49-69-97167-453, olaf.acker@strategyand.pwc.com
Frankfurt: Dr. Rainer Bernnat, Partner, +49-69-97167-414, rainer.bernnat@strategyand.pwc.com
Kuala Lumpur: David Hovenden, Partner, +60-3-2095-3188, david.hovenden@strategyand.pwc.com
London: Hugo Trépant, Partner, +44-20-7393-3230, hugo.trepant@strategyand.pwc.com
Munich: Dr. Nicolai Bieber, Principal, +49-89-54525-545, nicolai.bieber@strategyand.pwc.com

Marko Cavar also contributed to this report.

Strategy&

About the authors

Rainer Bernnat is a partner with Strategy& based in Frankfurt. He leads the firm’s public sector and IT work in Europe, and advises international clients on innovation, modernization, and restructuring initiatives. Wolfgang Zink was formerly a principal with Strategy&. Nicolai Bieber is a principal with Strategy& based in Munich. He specializes in IT strategies, application architectures, and large transformation programs, with a focus on the public and telecommunications sector. Joachim Strach is an associate with Strategy& based in Munich. He concentrates on strategic planning, reorganization, and feasibility assessment for the public and private sectors across Europe.

This report was originally published by Booz & Company in 2012.

Executive summary

Everyone understands the business value inherent in the promise of cloud computing. Yet in its current state, the cloud operates under any number of inconsistent, often incompatible standards — a situation that will likely hold back its ongoing development and limit the benefits the cloud offers enterprises looking to capture its potential for boosting flexibility, efficiency, and economies of scale. A recent Strategy& study of the cloud computing landscape demonstrates just how fragmented the effort to define standards has been. Resolving the situation will require a concerted movement on the part of cloud service providers and business customers alike to promote the technological, management, and regulatory standards needed to bring order to the cloud environment. And finally, it is the responsibility of all CIOs, at companies of all sizes, to understand and monitor the development of these standards, and to actively participate in determining the standards needed for their companies to meet their business objectives.

Why standards matter

The popularity of cloud computing among enterprises large and small is growing fast, thanks to its ability to increase flexibility, improve access to data, free up internal resources for more strategic tasks, and cut costs. Yet concerns remain about public cloud computing, including the efficiency and effectiveness of cloud services and the security and privacy of the information stored in the cloud.

Cloud computing is the provision of software and information services over a broadband network such as the Internet. The hardware is shared across an array of networked computers that is invisible to users, who upload and retrieve files, programs, transactions, and information through it. The result is a utility-like approach to computing, typically with a password-protected gateway that governs access, quality of service, and security. Among other benefits, updates and backups are handled by the remote service, so much less has to be managed on individual hardware.

Most large companies are now asking their IT departments to adopt cloud-based services because of their convenience, versatility, and low cost, and because they fit the working habits of their employees. But companies making the transition to the cloud face many challenges, and they are not limited to technology. CIOs must also decide how to manage their use of cloud-based information and software: their companies' IT infrastructure must interact smoothly with services in the cloud, their data must be interoperable and transferable among cloud service providers, and the providers themselves must be able to cooperate in offering joint cloud-based solutions. Regulatory compliance issues also arise, as companies work with wide variations in data security and privacy legislation across the globe.
To date, the effectiveness of cloud computing has been limited by nine specific challenges that affect both providers and users (see Exhibit 1, next page). All these ongoing concerns are slowing down the adoption of cloud computing in markets across the globe.

The many challenges for companies making a transition to the cloud aren’t limited to technological implications.

Exhibit 1: Nine challenges in cloud computing

1. Efficiency of service provisioning
   a. Usage of development tools and components
   b. Creation of scalable architectures
   c. Resource management and flexibility
   d. Availability of services
2. Effectiveness of service usage and control
   a. Contracts, including questions of liability
   b. Control of services by users
   c. Governance/escalation mechanisms
3. Transparency of service delivery and billing
   a. Billing, including license management
   b. Quality assurance and SLA monitoring
   c. Type and location of data processing
4. Information security
   a. Identity and rights management
   b. Privacy and integrity
   c. Access control, logging, and attack prevention
   d. Verification and certification
5. Data privacy
6. Interoperability
   a. Migration into/out of the cloud
   b. Ability to integrate into on-premise IT
   c. Cloud federation
7. Portability between providers
   a. Service portability
   b. Data portability
8. Ensuring fair competition in the market
9. Compliance with regulatory requirements

Source: Strategy& analysis; FZI Forschungszentrum Informatik

The problem underlying these concerns is a lack of standards. The only way to alleviate them is for every player with a stake in the future success of cloud computing — not just technology companies and service providers but customers and governments as well — to share in the development and adoption of industry-wide standards covering each of these nine areas. A deliberate and well-designed standards effort would provide the definitions, guidelines, and best-practice examples necessary to make the best use of the cloud. It would enable CIOs not just to better identify the opportunities available through the use of cloud computing, but also to engage in cross-industry partnerships and common ventures that would benefit their own companies. Indeed, without a more concerted effort to agree on such standards, and leadership on the part of major companies, the promise of cloud computing may never be reached.

A heterogeneous environment

Standards for cloud computing are beginning to be developed, though the process is advancing slowly. At present, the landscape consists of a confusing plethora of standards in different markets around the world. A recent Strategy& study found a total of 160 different standards covering different aspects of the cloud currently being deployed or under consideration. Some of them bear strong similarities to one another, while others are very different. Most are not fully developed yet, and their degree of market relevance is often unclear.

In conducting our study, we analyzed the current state of cloud computing standards in three critical categories: technology, management, and law. We found significant gaps in all three areas (see Exhibit 2, next page). These gaps clearly indicate just how far the effort to create true standards for cloud computing still needs to mature.

The majority of the efforts to define standards have concentrated on broader technological challenges, including information security, efficiency of provisioning, interoperability, and portability. Much work still remains to be done in narrower technical areas like the use of standard components and reference architectures, benchmarks and tests, and protocols and interfaces.

The largest gaps, however, are to be found in the field of management standards, those that address the use of cloud computing and the processes that govern that use. Few standards have been devised for business models, service-level agreements, management models and processes, and auditing and contractual rules. Moreover, standards have yet to be agreed on regarding binding corporate rules on data privacy that cloud providers could commit to on a voluntary basis.

Finally, the public sector is only beginning to realize the role it will have to play. It is the task of governments to promulgate the legal and regulatory standards needed to ensure the consistent regulatory environment required for the success of the cloud, and to address such specific issues as the privacy challenges that come with the storage of sensitive data in public clouds.
Exhibit 2: Gaps in the cloud computing standardization landscape

[Matrix in the original; the per-cell ratings were rendered as colors and are not recoverable from this text. Only the row and column labels and the legend survive.]

Columns (the nine challenges): 1 Efficiency; 2 Effectiveness; 3 Transparency; 4 Information security; 5 Data privacy; 6 Interoperability; 7 Portability; 8 Competition; 9 Compliance

Rows (types of standards):
- Technology: file and exchange formats; programming models; protocols and interfaces; reference architectures; benchmarks and tests
- Management: business models; service-level agreements; conditions of contracts; management models; controlling models; guidelines
- Legal: legal requirements; self-obligations; firm policies

Legend (potential for cloud standardization): High / Medium / Low / Nonexistent

Source: Strategy& analysis; FZI Forschungszentrum Informatik

Making progress

Despite the currently low level of standardization in the cloud, several sets of standards being promulgated by a variety of standards organizations, both regional and international, have begun to mature, and already have the potential to be disseminated more widely. At the international level, the Cloud Security Alliance (CSA), a consortium of vendors and users, is already working to create standards for governance, enterprise risk, compliance and auditing, and other issues bearing on keeping the cloud secure. EuroCloud is a highly influential, pan-European association of cloud computing providers offering comprehensive guidelines on law, data privacy, and other regulations. Elsewhere in Europe, the European Telecommunications Standards Institute (ETSI) is serving as a coordinator of standardization, analyzing gaps in standards, testing systems for interoperability, and generating standardization road maps. In the U.S., the National Institute of Standards and Technology (NIST) is playing a pioneering role in developing the first cloud standardization road map, elaborating use cases, and providing other guidelines. In assessing the standardization landscape, Strategy& identified 20 of the most important standards and evaluated them in terms of their dissemination potential as well as their maturity and quality (see Exhibit 3, next page).

Exhibit 3: Classification of 20 prototypical cloud standards

[Scatter plot in the original: horizontal axis maturity/quality (low, medium, high), vertical axis dissemination potential (low, medium, high). The position of each standard is not recoverable from this text. Standards plotted, in the order they appear in the source: OAuth, OpenStack, OCCI, EuroCloud-SA, CDMI, OVF, USDL, Hive, WS-*, SCAP, NIST-UC, GRC Stack, CloudAudit, CTP, OCM, CIM SVM, CCRA, BSI-ESCC, SSAE 16; 95/46/EC is shown as unclassified.]

Technology
- CCRA (Cloud Computing Reference Architecture): reference architecture for cloud services
- CDMI (Cloud Data Management Interface): API for data access in IaaS/DaaS scenarios
- CIM SVM (CIM System Virtualization Model): object model and interfaces for virtual systems and components
- CloudAudit: API for automated audit, assertion, assessment, and assurance
- CTP (CloudTrust Protocol): uniform techniques and nomenclature to boost transparency
- Hive (Apache Hive): programming model for data queries
- OAuth (Web Authorization Protocol): protocol and interface for delegated authorization (identity and rights management)
- OCCI (Open Cloud Computing Interface): API for cloud management (especially IaaS)
- OpenStack (OpenStack Cloud Software): framework for building cloud infrastructures
- OVF (Open Virtualization Format): file format for packaging virtual machines
- SCAP (Security Content Automation Protocol): specifications for expressing and exchanging security configuration and vulnerability content
- USDL (Unified Service Description Language): description language for virtual services
- WS-* (Web Services Standards): specifications and standards for web services

Management
- BSI-ESCC: basic security recommendations for cloud computing providers
- EuroCloud-SA (EuroCloud Star Audit): certificate for providers of cloud services
- GRC Stack (Governance, Risk Management, Compliance Stack): framework for risk assessment of cloud providers
- NIST-UC (Cloud Computing Use Cases): guidelines on cloud computing with a focus on U.S. agencies
- SSAE 16 (Statement on Standards for Attestation Engagements): attestation standard for service organizations, used to certify providers of cloud services

Law
- OCM (Open Cloud Manifesto): voluntary commitment to openness for cloud providers
- 95/46/EC (E.U. Directive 95/46/EC: Data Protection Directive): E.U. data protection rules

Source: Strategy& analysis; FZI Forschungszentrum Informatik

Call for action

The next several years will be critical in determining the standards that will ultimately govern the cloud computing environment. Currently, much of the effort to create standards is being led by a number of IT vendors, including AMD, Cisco Systems, Citrix Systems, and IBM. All of them are trying to establish open standards for the cloud, in part as a response to the efforts of other cloud providers, such as Amazon.com, to establish their own proprietary standards for particular services and commercial ventures.

The chief responsibility for ensuring the success of such open standards, however, lies with the community of current and future customers of cloud computing, including enterprises both large and small. Without their active engagement in the process, their need for effective and affordable cloud computing services may be subsumed by the IT industry's temptation to provide off-the-shelf proprietary solutions that have the added effect of locking customers into their services.

At the same time, regional government action, and ultimately cooperation among regions, will also be necessary to promote the growth of the cloud computing market. The appropriate legal and regulatory frameworks must be put in place in order to minimize ambiguity and ensure that both providers and customers can operate in an environment they trust. Policy should pursue two objectives: providing substantive guidance, and establishing an appropriate policy environment. Key fields of action include certification, information on usage guidelines, compatibility with the law, central coordination, supporting communications, and the establishment of the necessary rules and regulations. In setting legal and regulatory standards, policymakers should include as wide a range of voices from the IT industry and the business community as possible. And they need to move quickly, before competing standards become established that might hinder the growth of the cloud.

The role of the CIO

Given just how important cloud computing is likely to become, it is the responsibility of CIOs at all companies to ensure that the cloud environment evolves according to rational, consistent standards that will provide the most economic benefit. Therefore, CIOs should start now to understand how cloud standards are developing and to define their companies' role and objectives in standards development. Doing so is critical not just for understanding how best to integrate cloud computing into their IT infrastructures, but also for participating in and influencing the development of cloud computing standards. Enterprise-level strategic objectives should be defined through a consistent three-step approach:

1. Understand existing cloud computing standards. Understand the current standardization environment and the influence of emerging standards on your business, as well as the cloud solutions already available on the market. Determine which elements of the cloud may already be in use at your company, such as employees' use of online storage.

2. Define your position and objectives. Define your company's position with regard to cloud standardization. This exercise should include determining the minimum level of standardization your company is willing to accept, in terms of technology, management, and legal compliance, as it makes use of external cloud computing services.

3. Decide on tangible actions. Decide on the tangible actions to be taken, given your strategic objectives. These might include concrete steps to define, enforce, and monitor cloud standardization policies within your organization, measures to build up expertise, and even active participation in the standardization process.

CIOs at all companies must ensure that the cloud environment evolves according to consistent standards that will provide economic benefit.

Conclusion

The promise of cloud computing is too great to let it be diluted in a sea of conflicting standards. It is incumbent on all players with a stake in this technology — IT vendors, cloud service providers, business customers, and governments alike — to begin now to settle on the technological, management, and regulatory standards needed to bring order to the cloud. And it is up to CIOs everywhere to take the lead in guiding their companies’ actions in helping to develop these standards.

Resources

“The Standardisation Environment for Cloud Computing,” study commissioned by the Federal Ministry of Economics and Technology and produced by Strategy& in cooperation with the FZI Forschungszentrum Informatik, 2012. www.trusted-cloud.de/documents/BMWi_Cloud_Standards_Studie_e_web.pdf

Strategy& is a global team of practical strategists committed to helping you seize essential advantage. We do that by working alongside you to solve your toughest problems and helping you capture your greatest opportunities.

These are complex and high-stakes undertakings, often game-changing transformations. We bring 100 years of strategy consulting experience and the unrivaled industry and functional capabilities of the PwC network to the task. Whether you're charting your corporate strategy, transforming a function or business unit, or building critical capabilities, we'll help you create the value you're looking for with speed, confidence, and impact.

We are a member of the PwC network of firms in 157 countries with more than 195,000 people committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us at strategyand.pwc.com.

www.strategyand.pwc.com
© 2012 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Disclaimer: This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.