There are two ways standards typically occur. The first is top-down, where some group decides to build a standard intended to fix some problem out there. The second is bottom up, like JSON, where everyone just starts using something and eventually the foggy edges are confined on paper with a standard.
It can be, however, that the threat of the first spurs the creation of the second. This has been the case at the International Organization for Standardization (ISO) where ISO/IEC JTC 1 SC 38 is formulating: a standard for “Cloud Computing and Distributed Platforms.” This is a joint effort of ISO and the International Electrotechnical Commission (IEC). The threat of outsiders instituting a standard spurred the organizations to begin work on a host of projects around cloud computing.
The big instigator was not a single entity, but rather, the world’s largest economies. The Europe, China, and Japan began threatening to build a cloud computing standard of their own. Why? Because Amazon, Azure, and all the other cloud providers were too focused on competing with each other to agree on some simple, standard terms.
Those terms are the lifeblood of government purchasing. Without them, such endeavors go unmoored as buyers attempt to rectify the meanings of SLA contracts between providers. While we all understand this stuff as programmers and operators, government officials see pure Greek.
Oracle’s chief standards officer, Dr. Don Deutsch, chairs the ISO/IEC JTC 1 SC 38 committee. He’s also a member of the executive committee for the Java Community Process (JCP), and sits on the board of the American National Standards Institute (ANSI).
Completed standards include a cloud computing reference architecture, the Open Virtualization Format, and much of what is left over from the days of Service Oriented Architecture and the Web Services Standards efforts (WS*).
The work Deutsch said is being pursued now is mostly around creating common terms and practices for clouds, so that governments have a language for purchasing, such as ISO/IEC AWI 22123: Cloud Computing — Concepts and Terminology.
“The root of this,” said Deutsch, “was eight years ago we as the US went into a meeting where other countries were proposing to do standards in three areas: web service standards, SOA standards, and cloud computing standards. This stuff is all related. We aren’t sure any of it is ready for standardization. For SOA and cloud, it was certainly the provider community that didn’t think it was ready for prime time. We went into a once-a-year plenary meeting. As the U.S., we said we think all these things are related. We offered to fund the administration oversight, and I will chair it.”
That yearly meeting just took place in San Francisco last week. It’s an interesting set of challenges to discuss, and Deutsch said this is no ordinary ISO effort.
“This cloud activity in SC 38 has been very much a customer demand pull activity, which is very unlike many of the standards activities I’ve been involved in over a 30-year career,” said Deutsch. “In the past, standards activities have been initiated at the point where the provider community has come to an agreement on the direction of the technology, and they’ve agreed on what they are going to standardize, and on which things they will and will not compete. Then the community gets together to establish standards.”
“This was established because the user community, in particular governments, were demanding standards for cloud computing and making it very clear that if the community did not provide those standards, the governments would develop them themselves,” he said. “These governments said to the industry ‘We know you’re not ready, but we need help to determine how we can specify and acquire cloud services’.”
A big area of focus for SC 38 was ISO/IEC DIS 19086, which is now on its second standard, 19086-2, which is focused on defining metrics and terms for measuring services. These standards focus on SLAs, and 19086-1 specifically provides a framework for building an SLA.
“Part one is a framework at a higher level than a template,” said Deutsch. “It says these are the kinds of things that go into an SLA, these things need to be considered, and it very particularly did not specify these things: it didn’t have any ‘shall’ statements. The word ‘shall’ means it’s mandatory. From this template, you can create something specific to your business situation. Part three is the ‘shall’ statements. If you have a requirement for availability, this is how you would specify the requirement that had to be met. Part four is a combination of the framework and the ‘shall’ statements specifically for privacy and security.
With all these complex definitions, terms, and measurements, this isn’t entirely a standard through and through, however. “The question is where do you use this and how?” asked Deutsch. “There is a proposal to do a technical report that would be something that has less weight than a standard, but the report would be a place where all the providers would submit their metrics rerecorded for the world to see, all specified in the format that is defined in part two. They would put their metrics in there as a repository to see how the different metrics are offered, and basically, would allow for the provider community to continue to do business as they want but allow the customer side to see these different mechanisms and recognize their differences to be documented.”
Projects at the ISO have a three to four-year maximum runtime, so each of the remaining standards in the works will be done before those limits hit. There is no set goal for the end of the entire Cloud Computing and Distributed Platforms committee’s work, and the efforts will be on-going, as there is still a great deal of work to be done around security, federation, and potentially cross-cloud compatibility.