Cloud Computing
Standards, SLA and Certification in Europe
Main challenges for European Companies
China Cloud Computing Conference 2013,
Session 'Cloud Computing International Standards and Accreditation Forum'
5-7 June 2013, 15:50-16:10, Peking, China
Dr. Tobias Höllwarth (Austria)
Vice-president EuroCloud Europe
Four (4) Questions
1. What are the main challenges for European SMEs on both provider and consumer side?
2. What kind of activities around Cloud standards, Cloud certification and legal framework can be expected from ISO, the European Community and EuroCloud Europe?
3. What are the main EuroCloud activities?
4. What are the possible solutions to support the challenges of Cloud adoption?
Introduction
§ Tobias Höllwarth, Vienna, Austria
§ Chairman, EuroCloud Austria
§ Vice President, EuroCloud Europe
§ Höllwarth Consulting
§ Vienna Cloud Consulting Group
§ ICT Advisory Network
Experience
§ Vienna University of Economics and Business
§ Austrian Standards Institute (ASI)
§ Head of Austrian ISO delegation (SC38)
§ Managed services for SMEs
§ Outsourcing consulting for large enterprises
§ Cloud Consulting
§ Book “Cloud Migration”
What is a European SME?

Type    | Employees | Turnover | Share of enterprises | Share of employees | Share of gross value added*
Micro   | < 10      | < 2m     | 92.2%                | 29.6%              | 21%
Small   | < 50      | < 10m    | 6.5%                 | 20.6%              | 18.5%
Medium  | < 250     | < 50m    | 1.1%                 | 17.2%              | 18.5%
All SME |           |          | 99.8%                | 67.4%              | 58%
Large   | ≥ 250     | > 50m    | 0.2%                 | 32.6%              | 42%
Total   |           |          | 100%                 | 100%               | 100%

Source: Eurostat / National Statistics Offices of Member States / Cambridge Econometrics / Ecorys, 2012
* GVA (gross value added, in Mio €) = an economic measure of the value of goods and services produced in an area. It is output minus intermediate consumption, without taxes, including subsidies.
What are the challenges? CONSUMER SIDE
Pressure from: competitors and market; own users (shadow IT); appealing services at low cost
Hidden cost: technology; network; integration; lack of know-how
Dependency and control: who is involved? where is it done? how to review? loss of know-how?
Legal aspects: too many other countries involved; data privacy responsibility; number of contracts; cost of contracts; lack of experience
What are the challenges? PROVIDER SIDE
Experience: what to offer; how to sell; how to run; which contract and SLA
Business: large investment; small margins; where is the ROI?
Operation: technical issues; large numbers; support
Legal: liability; compensation; fragmented framework; lack of legal experience
What is missing?
TRUST, EXPERIENCE, KNOW-HOW
CLOUD Computing & IT Outsourcing
We have more than 30 years of experience in IT outsourcing.
Public cloud services are a variation of IT outsourcing.
Why not use existing standards and traditional contracts and SLAs*?
* A Service Level Agreement (SLA) is a documented agreement between the service provider and customer that identifies services and service targets. [ISO/IEC 20000-1:2011]
Traditional Outsourcing contracts versus Cloud contracts and SLA
• Traditional: large B2B contracts including QoS, KPIs, compensation, monitoring and auditing
• Cloud: standard contracts for standard services
• Traditional: individual, specific, long term, calculated over several years
• Cloud: standard, industrialised, shared service, large scale, large investment, short-term contract
• Traditional: one fully responsible provider with known sub-contractors and non-shared network
• Cloud: provider chain, shared services, cross-border, network as additional risk
Further cloud-specific points:
• Licensing
• Identity management
• Enforcement of SLAs
• Same cloud service, different use case, different SLA needs
Standardization versus individual use case
(Figure: a 2x2 matrix. Horizontal axis IMPORTANCE: relevance of service and/or sensitivity of data, LOW to HIGH. Vertical axis COMPLEXITY OF SERVICE, LOW to HIGH. The four quadrants are labelled UC Type 1 to UC Type 4.)
Example workloads placed in the matrix:
• IaaS, storage: archiving of accountancy, log files
• IaaS, processing: non-critical images
• SaaS: drivers log, T&E management
• SaaS: financial reporting, patient records
Classic IT outsourcing risks (figure): cabling, area risks, power supply, IT provisioning
Cloud Service challenges
Areas: software and interoperability; data center and location; business operations; data privacy; data security; regulations; contract
§ Technical and legal security
§ Legal compliance
§ Availability and SLA compliance
§ CSP reliability (including sub-providers)
§ Prevention of lock-in situations
§ Usability and sustainability
§ …
IT & Cloud Sourcing – Customer view (figure)
Customer side: private IT, private cloud, identity, data bridge to the cloud services.
Provider side: DC #1 to DC #N; IaaS national, IaaS worldwide (WW); PaaS; SaaS CRM, SaaS collaboration, SaaS HR; market place; white-label SaaS collaboration.
Cloud Challenges by Service Category
1 Efficiency of service provisioning
a Usage of scalable architectures
c Resource management & flexibility
d Availability of services
2 Effectiveness of Services by users
a Contracts incl. questions of liability
b Control of Services by users
c Governance/escalation mechanisms
3 Transparency of service delivery and billing
a Billing incl. license management
b Quality assurance and monitoring SLA
c Type and location of Data processing
4 Information Security
a Identity & rights management
b Privacy & integrity
c Access control, logging, attack prevention
d Verification & certification
5 Data privacy
6 Interoperability
a Migration in the/out of the Cloud
b Ability to integrate into on-premise IT
c Cloud federation
7 Portability between providers
a Service portability
b Data portability
8 Ensuring fair competition in the market
9 Compliance with regulatory requirements
Source: analysis by Booz & Company and FZI (2012)
Why standards, certifications, audits?
Best practice, standards and certification build TRUST, experience and know-how.
CLOUD is driving innovation, new solutions and more cost-effective services.
STANDARDS can mean strong restrictions, legal barriers, higher complexity, rising costs.
Relevant standardization areas

Type of standard | Examples
Technology
File & exchange formats | OVF, EC2, USDL, CIM, SVM, EDI, ...
Programming models | MapReduce, JAQL, Pig, Hive
Protocols & interfaces | OCCI, CDMI, CloudAudit, Google DLF, ...
Standard components & reference architectures | OpenStack, OSGi, NIST RM, IBM RM, DMTF, CTP, ...
Benchmarks & tests | Benchmarking suites, security assessment, ...
Management
Business models | IaaS, PaaS, SaaS operating models, hybrid, community
Service Level Agreements | WS-Agreement (OGF), business SLAs, ...
Conditions of contract | EVB-IT, EU SVK, components of T&C, EULA
Management models & processes | ISO 27001/27002, ITIL, COBIT, ...
Controlling models & processes | SSAE, SAS 70, ...
Guidelines | German BSI requirements, NIST UC, EuroCloud LDP&C
Legal
Legal requirements | EU data protection directive, national directives, Safe Harbor
Voluntary commitments | Open Cloud Manifesto, ...
Company policies | Internal policies, ...

Source: analysis by Booz & Company and FZI (2012)
Well known certification standards
ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system (an overall management and control framework) for managing an organization's information security risks. It does not mandate specific information security controls but stops at the level of the management system.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
COBIT (ISACA): research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.
The standards ISAE 3402 and SSAE 16 require that management of the service organization provide a written assertion attesting to the fair presentation and design of controls (in a Type 1 report). This written assertion is separate from the written representation obtained from management.
Cloud specific auditing
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
EuroCloud works closely together with national and international organizations in the areas of technology, research, public administration, security, data privacy and legal topics. This joint competence has been used to prepare knowledge, specify quality criteria, support cloud service providers in achieving a differentiating quality level to be successful in a highly competitive market, and to show the maturity level of their services by gaining the EuroCloud Star Audit certification.
Work within ISO
Several working groups: SC 27, SC 38
Meetings 2 to 4 times per year
Pros (+): global relevance; vocabulary; contractual elements; integration in existing standards; global players
Cons (-): duration; scope; contract and SLA
Work of European Commission
DIGITAL AGENDA: 101 actions in 7 pillars to help reboot the EU economy and enable Europe's citizens and businesses to get the most out of digital technologies.
Pillar I: Digital Single Market
Pillar II: Interoperability & Standards
Pillar III: Trust & Security
Pillar IV: Fast and ultra-fast Internet access
Pillar V: Research and innovation
Pillar VI: Enhancing digital literacy, skills and inclusion
Pillar VII: ICT-enabled benefits for EU society
Work of European Commission
DIGITAL AGENDA, Pillar II: Interoperability & Standards
Action 21: Propose legislation on ICT interoperability
Action 23: Provide guidance on ICT standardisation and public procurement
EuroCloud CLOUD QUALITY INFORMATION PYRAMID
EuroCloud Competence
EuroCloud Star Audit
EuroCloud Benchmark
EuroCloud SLA criteria catalog
EuroCloud Guidelines
Overview and Scope

Standard | General scope | Areas addressed | Cloud readiness | Comments
ISO 27001 | Information security management system | Security, compliance | Limited | Very generic; need to understand which entity and what has been audited
COBIT | Information technology | IT management | No | General quality framework
SAS 70 / SSAE 16 / ISAE 3402 | Transactions and accounting | Bookkeeping compliance | Limited | Add-on for ERP cloud services
EuroCloud Star Audit | Cloud service (SaaS, PaaS, IaaS) | EU and national law, security, compliance, EU and national data privacy, interoperability | Yes | Common scope, easy to understand for SMEs
FedRAMP | Cloud service provider | Security, US compliance, continuous monitoring | Yes | Huge bureaucracy, partially self-assessment; controls checked against NIST SP 800-53 R3
CSA | Cloud security | Security, interoperability | Yes | Excellent security assessment
PCI DSS | CC payment services | Security | Limited | Very limited scope
EuroCloud Star Audit: inputs and reference frameworks (figure)
Security guidelines for Cloud Computing; expert group Law & Compliance; auditors (Wirtschaftsprüfer); risk management; IT audit framework; ISPRAT study on Cloud Computing; ENISA Cloud Computing Risk Report; cloud service provider; Cloud Computing "Eckpunktepapier" (key points paper) on information security.
Leading standardisation organisations in cloud computing (Europe)
EuroCloud (cloud computing): comprehensive guidelines on law, data privacy and compliance; EuroCloud Star Audit ("Cloud Service quality mark")
ETSI, European Telecommunications Standards Institute (ICT): standards, analysis of gaps and testing systems for interoperability, specifications, use cases, co-ordination, standardization roadmap
ENISA, European Network and Information Security Agency (ICT): Cloud Computing SME Survey, Cloud Computing Information Assurance Framework, Cloud Computing Risk Assessment
Source: analysis by Booz & Company and FZI (2012)
» Statement about the reliability of the cloud service, the service provider and involved sub-providers
» Examination of the specific contractual elements with a view on
  • Commissioned data processing
  • Data protection regulations
  • Bookkeeping regulations
» Operational processes
» SLA compliance
» Lock-in situations and vendor change options
» Training and support
» Interoperability
EuroCloud Star Audit has a common scope: data center and location; software and interoperability; business operations; data security; data privacy; contract/law.
EuroCloud Star Audit is the only multi-discipline certification with common scope (compare SAS 70, SSAE 16, COBIT, ITIL, ISO 27001, ISO 9000).
The necessary next steps
Build up and gain:
TRUST: contract, SLA, certification
EXPERIENCE: roles, checklists, PoC
KNOW-HOW: strategy, policies, process
CLOUD Contracts
Catalogue of recommended contractual components in General Terms and Conditions of Business and Service Level Agreements (SLA) for Cloud Service Providers
Rules on all companies involved in delivering the service
The following items should be taken into account, confirmed, or stated in sufficient detail in the contract:
• Information on the company with which the contract is to be concluded as given by public registers, such as the company register, commercial registers or registers of associations.
• Statement on where the service provider has its registered main office and what national laws may apply to this company (head office and branches).
• Information on existing certifications of the contracting party. Detailed description of the existing, valid certifications of the data centre.
• Information on businesses involved in providing the service, including subcontractors, data center providers or cloud services of third-party companies integrated into providing the service. In particular, statements about which subcontractors are used in the local country or in countries with comparable data protection laws.
EuroCloud Whitepapers
CLOUD Migration
3 editions
4 languages
13 countries
70 specialists.
Thank you