There's a growing demand for standards to bring some sanity to the cloud computing market. Both buyers and sellers have their reasons to want common ways to do things such as transfer data from one cloud-based app or infrastructure to another. But the competition to be in control is fierce. "The Internet had the IETF, which wrangled people and protocols," says Mathew Lodge, VP of cloud services at VMware. "But in the cloud, the standardization landscape is so fragmented. There isn't a central body or forum or place, although lots of people and organizations are trying to be that."
Two main factors drive demand for standards. Cloud vendors want to show they can meet companies' security requirements, since that's the biggest roadblock to adoption. IT pros also see value in formalized standards for cloud services, according to the 400 respondents to our InformationWeek Standardization Survey: 89% rate standards for cloud infrastructure vendors such as Amazon, Microsoft Azure or Rackspace as extremely (53%) or somewhat (36%) helpful to their organizations; 85% say the same about software-as-a-service. Why? Would-be cloud customers want to avoid getting locked in to one vendor, so investments in cloud services now don't end up limiting future flexibility.
CIOs are right to be wary. When a cloud vendor raises its rates or lets its service quality decline -- or worse, shuts its doors -- IT may be left scrambling. These aren't just theoretical concerns. Amazon Web Services, the dominant provider of infrastructure-as-a-service (IaaS), had three major outages in 2012, and Gmail, the most widely used cloud email provider, had two major outages last year. In late 2011, Google raised prices for its platform-as-a-service (PaaS) offering, App Engine, by more than 100% for many customers. On the flip side, keeping open the option to switch spurs competition and lets companies jump on better deals; Amazon, for example, cut storage-as-a-service prices 20% last year, prompting Google to match. And it's not just private enterprises worried about being tied down. The U.S. Department of Defense recently hired cloud computing strategy firm Fusion PPT to identify cloud standards and best practices to avoid lock-in.
Though demand for cloud service standards is growing, the conventional top-down model no longer holds. Standards today are more likely to spring organically from wide adoption of the approaches of one vendor or a small cadre, and we expect to see more de facto than formal standards in the cloud era. Simply promulgating a standard -- even if done by a widely respected standards-developing nonprofit -- isn't enough to make it stick. The pace of innovation with cloud services is just too rapid. Vendors are updating their offerings on a monthly basis, whereas standards organizations usually take years to finalize new specs.
So why do we need cloud standards? For starters, to compare services. Even for something as straightforward as CPUs, cloud providers have created their own measurement units: Amazon Web Services has the Elastic Compute Unit, Google has the Google Compute Engine Unit and Microsoft Azure provides the clock speed of its processors.
One relatively bright spot is security, thanks to the Cloud Security Alliance. CSA member organizations, including most large cloud providers, work together to define best practices in security, and the CSA offers a number of useful resources, many of which are becoming de facto standards. For example, the CSA Cloud Controls Matrix (CCM) is a framework for implementing good cloud data center security practices. It provides detailed security concepts and principles in 13 domains and coordinates with security standards such as ISO 27001, COBIT, PCI, HIPAA and FedRAMP. The CSA's Security, Trust and Assurance Registry is another useful resource. It contains responses from cloud service providers to questions raised by the CCM. The registry has responses from major IaaS vendors including Amazon, Hewlett-Packard, Microsoft, SoftLayer and Verizon Terremark, as well as SaaS vendors, such as Box.com and Microsoft Office 365. One caveat: The CSA doesn't independently verify answers.
Sadly, the work done by the CSA hasn't been replicated outside the security realm. So here's a look at the state of standards in the three key areas IT needs to evaluate: portability, interoperability, and provisioning and orchestration.