Cloud computing standards

With responsible adoption of cloud computing services at front of mind for many organisations and policy makers, it is timely to consider the global context and New Zealand's work to advance trustworthy computing. This article was originally published by Standards NZ in Touchstone Issue 48 - April 2013 as An update on standards for cloud computing and has been re-published with permission.

The international standards community is working together to address many of the common challenges of cloud computing. These challenges include clarifying exactly what is meant by 'cloud computing', managing its risks, increasing security, and improving the governance and management of cloud-based services. The goal is to make cloud computing easier for your organisation – whether that's as a cloud computing consumer or provider.

The work of ISO Joint Technical Committee 1/SC 38

The main International Standards Organisation (ISO) group that deals with cloud computing is joint technical committee (JTC) 1/subcommittee (SC) 38, Distributed applications, platforms, and services. SC 38 was created about 3 years ago and is one of the rapidly growing JTC 1 subcommittees.

Working group (WG) 3 is the cloud working group within SC 38.

WG 3 is working with the International Telecommunication Union (ITU), a United Nations agency, to develop:

  • a cloud-computing vocabulary, draft Standard ISO/IEC 17788, to help cloud computing users to communicate in a common and clearly understood way
  • a reference architecture, draft Standard ISO/IEC 17789, to help cloud-computing users to understand the overall capabilities of a cloud computing service and the pieces within it.

As you can imagine, cloud computing is a large topic and has a lot of interest from many participants around the world. The Standards team (known officially as ITU-T SG 13/WP 6 and ISO/IEC JTC 1/SC 38/WG 3 Collaborative Team on Cloud Computing) that is working on these Standards is from three Standards bodies – ISO, the International Electrotechnical Commission (IEC), and the ITU – so there is plenty of discussion and work to ensure the best outcome for everyone.

The last meeting of this collaborative team was held in Geneva in February 2013. At that meeting, it was apparent that the vocabulary and reference architecture documents were closely intertwined, and over 200 comments on both Standards were received from participants.

The next plenary and working group meeting of SC 38 will be in Madrid in April 2013, where additional topics such as service delivery and service level agreements will also be addressed.

Helping to make cloud computing more 'business friendly'

Cloud computing isn't just about understanding the terms and architecture of this new computing model. The international Standards bodies (of which New Zealand is a prominent participant) are also helping to make cloud computing more 'business friendly', with guidance and codes of practice for the governance, security, and use of cloud computing.

Other ISO committees and SCs also recognise the value that cloud computing brings to business and government and are extending their work to ensure that the cloud computing approach can be addressed.

Information technology security techniques

JTC 1/SC 27, Security techniques, has produced the widely used ISO/IEC 27000 Information technology – Security techniques series of Standards that help organisations develop and maintain information security management systems. SC 27 is now working on a number of cloud specific Standards including:

  • the draft Standard ISO/IEC 27017 Information technology – Security techniques – Information security management – Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002
    • the existing ISO/IEC 27002 Standard, Information technology – Security techniques – Code of practice for information management is used as a reference for selecting controls (such as asset inventory and credential controls) within the process of implementing an Information Security Management System
    • the draft Standard ISO/IEC 27017 provides additional implementation guidance for relevant information security controls based on ISO/IEC 27002, particularly as they relate to cloud computing
    • the draft Standard ISO 27017 is aimed at both providers and consumers of cloud services.
  • the draft Standard ISO/IEC 27018 Code of practice for data protection controls for public cloud computing services. This Standard is aimed at cloud-computing providers to provide them with a common set of security categories and controls that are aligned with legislation around the world that regulates personally identifiable information (PII). By selecting public cloud-computing providers that implement this Standard, users of these services will more easily be able to meet their own data protection obligations. It is expected that this Standard will align with the European Union's proposed General Data Protection Regulation.
  • the draft Standard ISO/IEC 27036 Information security for supplier relationships. This multi-part Standard describes security issues from the perspectives of both the user (acquirer) of the information services and the vendor (supplier). By implementing the processes in the Standard, the business objectives of both parties can be met with reduced risk. Part four of this Standard will deal specifically with security for supplier relationships relating to cloud services.

Risk management

The economy of scale and utility approaches provided through cloud computing allow for huge cost savings compared to running similar services within your business. However, there is naturally an element of risk along with these benefits. ISO 31000 Risk management – Principles and guidelines provides a formal approach to understand and address the risk when considering a cloud-based option. Its approach consists of three main parts: a set of principles, a risk life cycle framework, and a process to deal with risk.

Governance of IT

ISO/IEC JTC 1 has formed a new working group, WG 8, to look at the Governance of IT. WG 8 brings together other groups and aims to maintain the existing ISO/IEC 38500 Corporate governance of information technology Standard. ISO/IEC 38500 offers guidance to governing bodies (such as the board of directors) to help with information technology in general. The origin of ISO/IEC 38500 was the Australian and New Zealand Standard AS/NZS 8015.

Work continues on ISO/IEC Technical Report 38501, which provides implementation guidance for ISO/IEC 38500, while ISO/IEC 38502 will describe a framework and model for the governance of IT and the relationship with associated functions and systems for the management of IT systems.

WG 8 will also develop Standards for the governance of forensics and the governance of IT audit.

Service management system requirements

The ISO/IEC 20000 Information technology – Service management series of Standards includes the design, transition, delivery, and improvement of services for the benefit of both the customer and the service provider. This Standard has its origins in the British Standards Institute BS 15000 Standard and uses a 'Plan-Do-Check-Act' approach to inform the development of outsourcing agreements, which may include cloud-computing components.

You may notice that these international Standards cover similar ground to other national Standards and regulations. That's no coincidence, because an objective of international Standards is to bring best practices from around the world and harmonise the Standards and regulations across different countries. The result is that compliance with international Standards minimises trade barriers and creates new opportunities for local businesses to expand internationally.

Article by Geoff Clarke, Regional Standards Officer at Microsoft (covering Australia and New Zealand).