October 12, 2012 | Written by: Andras Szakal
I’ve been privy to several very heated public (you could say almost religious) cloud discussions of late. In fact, I was a panelist at the recent OASIS International Cloud Symposium in Washington, D.C., where the new-economy cloud vendors spent their time evangelizing their offerings rather than focusing on the purpose of the discussion: cloud standards and interoperability for government customers. It was abundantly clear to most of the symposium attendees that standardization was a taboo talking point. The born-in-the-cloud providers wanted nothing to do with standardization, nor were most willing to engage in a discussion of how to integrate with existing customer IT solutions. From my perspective this is a non-starter if the government is serious about cloud computing or shared services. The success of any cloud solution, whether PaaS, IaaS, or SaaS, will be predicated on its ability to integrate into the organization’s business processes and existing technology base.
To move beyond the platform-as-a-service mantra, the industry must recognize that cloud represents an instance of service-based computing that will require integration with and between different cloud providers. That will require standardization, especially at the service boundary, to ensure proper integration that supports the customer’s utilization model. It’s true that standardization only occurs on the back side of the innovation curve, and yes, we have a long way to go on the innovation front. Still, the majority of the OASIS attendees agreed that there are opportunities to pick the low-hanging standards fruit. On the flip side, the new-economy cloud providers need to recognize and facilitate the adoption of cloud standards. That includes sincere participation in the standards development process, and the realization that cloud-only is not a realistic Enterprise Architecture approach.
Another outstanding challenge with cloud in the federal government will come with the FedRAMP evaluation of the cloud application layer and services. To date only infrastructure services have truly been assessed against FISMA requirements. I’m still not convinced that the current list of cloud providers with an Authority to Operate (ATO) have been held to the same standards that would normally be required as part of an agency C&A. I’ll give one specific example: normally FIPS 140 mode is required end to end. That includes the network / SSL layer as well as the application layer, i.e. the implementation behind the firewall. From what I can tell, all the assessments done to date have only validated FIPS 140 mode up to the firewall / SSL layer, but not beyond it. Time will tell how the new FedRAMP 3PA process unfolds and to what level of formality cloud providers will truly be held. One thing is for sure: cloud interoperability standards face a murky future at best.
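The end-to-end point above is worth making concrete: a TLS terminator at the edge negotiating an approved suite says nothing about the crypto library the application behind it is actually running. The following is an added example, not code from the original post or its author, that checks both layers and reports whether they agree. It assumes a deliberately strict, simplified cipher-suite policy (AES with GCM or a SHA-2 MAC, TLS 1.2 or later) rather than the full NIST guidance, and it assumes CPython 3.9+ whose `hashlib` honours the `usedforsecurity` flag, which a FIPS-mode OpenSSL backend enforces by refusing non-approved digests such as MD5. The cipher tuples and probe results are constructed inputs.

```python
"""Two-layer FIPS 140 posture check: TLS layer plus application-layer crypto.

Added example, not code from the original post. Assumptions (not from the
post): the cipher-suite policy is a strict simplification (AES with GCM or a
SHA-2 MAC, TLS 1.2+), and the application-layer probe relies on CPython's
hashlib ``usedforsecurity`` flag (3.9+), which a FIPS-mode OpenSSL backend
honours by raising ValueError for non-approved digests such as MD5.
"""
import hashlib
import re
import ssl

# Tokens that disqualify a suite outright: legacy, anonymous or non-approved algorithms.
_DISALLOWED = re.compile(r"NULL|EXP|RC4|RC2|DES|MD5|CHACHA20|CAMELLIA|SEED|ARIA|ANON|ADH|AECDH")
# What the strict policy requires: an AES cipher and either GCM or a SHA-2 MAC.
_AES = re.compile(r"AES")
_STRONG_MAC = re.compile(r"GCM|SHA256|SHA384")


def tls_suite_fips_ok(name: str) -> bool:
    """Classify an OpenSSL-style or IANA-style cipher-suite name under the strict policy."""
    n = name.upper()
    if _DISALLOWED.search(n):
        return False
    return bool(_AES.search(n) and _STRONG_MAC.search(n))


def tls_version_fips_ok(version: str) -> bool:
    """Only TLS 1.2 and 1.3 are acceptable; SSLv3, TLS 1.0 and TLS 1.1 are not."""
    return version in ("TLSv1.2", "TLSv1.3")


def app_layer_digest_probe() -> dict:
    """Ask this process's own crypto backend which digests it permits for security use.

    Under a FIPS-mode OpenSSL, constructing md5 with usedforsecurity=True raises
    ValueError; sha256 is always permitted.
    """
    status = {}
    for alg in ("md5", "sha1", "sha256"):
        try:
            hashlib.new(alg, b"probe", usedforsecurity=True)
            status[alg] = "allowed"
        except ValueError:
            status[alg] = "blocked"
    return status


def app_layer_fips_ok(probe: dict) -> bool:
    """A backend that still allows MD5 for security use is not running in FIPS mode."""
    return probe.get("md5") == "blocked" and probe.get("sha256") == "allowed"


def assess(cipher: tuple, probe: dict) -> dict:
    """Combine both layers. ``cipher`` has the shape of ssl.SSLSocket.cipher():
    (suite_name, protocol_version, secret_bits). ``probe`` comes from the
    application host, which is what an edge-only assessment never looks at."""
    suite, version, _bits = cipher
    tls_ok = tls_suite_fips_ok(suite) and tls_version_fips_ok(version)
    app_ok = app_layer_fips_ok(probe)
    return {
        "tls_layer": tls_ok,
        "app_layer": app_ok,
        "end_to_end": tls_ok and app_ok,
        "backend": ssl.OPENSSL_VERSION,  # which library this process is actually linked against
    }


if __name__ == "__main__":
    # Constructed: what a TLS terminator at the edge might negotiate.
    edge = ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256)
    # Constructed: an application host whose crypto library is not in FIPS mode.
    lax_host = {"md5": "allowed", "sha1": "allowed", "sha256": "allowed"}
    print(assess(edge, lax_host))                   # tls_layer True, end_to_end False
    print(assess(edge, app_layer_digest_probe()))   # this process's real posture
```

The first call is the gap the post describes: the SSL layer passes on its own, but the combined verdict fails because the application host's library still accepts MD5. Running `app_layer_digest_probe()` on the actual application hosts, not on the load balancer, is the check an edge-only assessment omits.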