
Cloud standards on the horizon: CDMI, PEAT, security best practices

It's often said the cloud resembles the Wild West, with innovators and entrepreneurs operating at, or just beyond, the limit of familiar practice. For organizations anxious to leverage storage in the cloud, this has left a host of unknowns and a hunger for more law and order.

For instance, Tom Gelson, business development director at Imation, said the need for data security will drive the development of standards for cloud-based data storage. “Standards must be established to ensure secure protocols are in place for data transfer to the cloud. Data should be encrypted prior to leaving a corporate environment, ‘in-flight’ and ‘at-rest’ in the cloud,” he said. Standards should also outline security best practices related to interfaces and APIs, as well as identity management, data management and data separation, he added.

Other people see implementing cloud standards as just muddying the waters. “It's too early in the game for cloud storage standards to be useful," said John Bates, chief technology officer (CTO) and co-founder of TwinStrata Inc., a provider of cloud-based data storage solutions. "We're just seeing the beginnings of the broader adoption of cloud storage into the general business audience, and there's a lot of innovation still available in the data center software stack. Pushing standards out now constrains those possibilities.”


Regardless, it seems like the sheriff is coming to town, and cloud standards are coming along sooner rather than later. From different perspectives, with various end goals, groups and organizations are coalescing to make cloud storage easier, safer, more reliable and, in short order, more acceptable.

A case in point is the Cloud Data Management Interface (CDMI). According to Mark Carlson, co-chair of the Storage Network Industry Association (SNIA), the organization’s Cloud Storage Technical Work Group has been helping with the development of CDMI, which is designed to let users tag their data with special data system metadata that tells the cloud provider what specific data services to provide for that data. These data services could include backup, archive and encryption, for example. By implementing a standard interface, users are better able to move data between cloud vendors without having to recode to match different interfaces, he explained.

“We had our first commercial implementation announced back in April 2011 by Mezeo Software and since then we've had a number of plugfests, where people are coming together to test implementation before they release products to the world,” he explained. Indeed, another plugfest was recently conducted in Dusseldorf, Germany, and attracted dozens of on-site and remote participants. “We have quite a bit of traction with CDMI in Europe, especially with the academic and scientific community,” he noted.

Carlson said CDMI is aimed at dealing with several issues at once. For one thing, it's a “data path to the cloud,” and an object storage interface that uses RESTful principles. Thus, instead of using just HTTP and your browser on the web, using CDMI allows a customer to store and retrieve data objects in the cloud, Carlson explained. “You can further organize the objects into a 'container,' which Amazon refers to as a 'bucket,'” he said. Finally, CDMI is a control and management path for managing that data and ordering data services for data once it's in the cloud.

“Amazon just announced they have an object expiration service that will delete data after a certain period; CDMI has had that since 2010, so, Amazon is validating those features,” Carlson explained.

To implement this system, a customer tags their container or objects with specific kinds of metadata that tells the cloud what data services to apply to that data.
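The tagging step described above can be sketched as follows. This is an added example, not code from the article or from SNIA: it builds a CDMI container-create request carrying data system metadata, then checks the provider's reply for the matching `*_provided` values so a silently dropped encryption request is caught. The spec version string, the container name, the metadata values and the sample response are all constructed assumptions.

```python
import json

# Assumption: use the spec version your provider actually advertises.
CDMI_VERSION = "1.0.2"

def build_container_request(name, data_system_metadata):
    """Return (method, path, headers, body) for a CDMI container create."""
    headers = {
        "X-CDMI-Specification-Version": CDMI_VERSION,
        "Content-Type": "application/cdmi-container",
        "Accept": "application/cdmi-container",
    }
    body = json.dumps({"metadata": data_system_metadata}, sort_keys=True)
    return "PUT", "/" + name.strip("/") + "/", headers, body

def unmet_services(requested, response_body):
    """Map each requested cdmi_* item the reply does not confirm
    to a (requested, provided) pair; provided is None when absent."""
    returned = json.loads(response_body).get("metadata", {})
    gaps = {}
    for key, want in requested.items():
        got = returned.get(key + "_provided")
        if got is None:
            gaps[key] = (want, None)
        elif want.isdigit() and got.isdigit():
            # Numeric services (e.g. copy count): more than asked is fine.
            if int(got) < int(want):
                gaps[key] = (want, got)
        elif got != want:
            gaps[key] = (want, got)
    return gaps

# Constructed sample: ask for at-rest encryption and two copies.
REQUESTED = {"cdmi_encryption": "AES_XTS_256", "cdmi_data_redundancy": "2"}

# Constructed provider reply: redundancy confirmed, encryption not echoed.
SAMPLE_RESPONSE = json.dumps({
    "objectType": "application/cdmi-container",
    "objectName": "finance-archive/",
    "metadata": {
        "cdmi_encryption": "AES_XTS_256",
        "cdmi_data_redundancy": "2",
        "cdmi_data_redundancy_provided": "3",
    },
})

if __name__ == "__main__":
    print(build_container_request("finance-archive", REQUESTED))
    print(unmet_services(REQUESTED, SAMPLE_RESPONSE))
```

The requested value being echoed back in `metadata` is not confirmation; only the `_provided` counterpart indicates what the provider says it is applying.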

Carlson said it's the customers rather than the vendors that are demanding this feature and putting it in their request for proposals (RFPs). “What has happened to date is all the vendors have developed their own RESTful approaches. That’s fine if you only want to work with that vendor. But if you want to change to a different vendor, it's hard,” he said. Crucially, CDMI also standardizes a portability format for moving data between clouds and all the metadata goes within that. When the metadata lands on a new cloud, all the same data services can get applied in the same ways so there isn’t a lot of additional setup, he explained.

The next step, Carlson said, is a proposal SNIA has made to have CDMI made into an International Organization for Standardization (ISO) standard. “This is still in process. We expect it to complete sometime this summer,” he said.

For PEAT’s sake

Allyson Klein, director of leadership marketing at the Intel Data Center Group and marketing lead for the Open Data Center Alliance (ODCA), said the ODCA's focus is on its customers and working with a range of organizations to define cloud standards. One of ODCA’s initiatives has been the development of standard RFP language destined to make the procurement of cloud storage simpler and less confusing. The Proposal Engine Assistant Tool (PEAT) is designed to help integrate the Alliance's Usage Models into the RFP process.

“This provides specific language to bake into cloud procurement that we think will start to affect how things are purchased over the next 12 to 24 months,” Klein said.

Klein said the alliance plans to make a tool available on the web that will allow any company to input its storage requirements and quickly generate standard RFP language. “As part of the commitment to membership, participating companies have agreed to a usage model to guide planning and purchase decisions -- the tool is a next step,” she said.

Leveraging best practices

A similar consortium, the TM Forum, is a non-profit industry association of some 850 companies focused on the needs of service providers. The TM Forum has identified a range of issues it sees as critical problems to address before cloud storage becomes fully viable. Aileen Smith, TM Forum's senior vice president of collaboration and research & development, said the organization has worked to produce a series of best practices and standards under the Frameworx rubric.

“We work with buyers, in this case, enterprise cloud buyers, to identify their critical requirements and where they see gaps from a standards point of view, so that everyone is taking the same approach to coming up with solutions,” she said. In particular, she said, members have asked for leadership relating to standards for virtual private clouds, for storage and other purposes -- a need the forum is working to fulfill. The forum is also working on a number of security standards and threat models.

A focus on security

And it's security, similar to the concerns expressed by Imation’s Gelson, that's on the mind of the folks at the Cloud Security Alliance (CSA). Within the data storage area, there are issues around trust -- whether it's interactions between cloud-based services or between companies and divisions through the cloud. According to Said Tabet, who works with CSA and also leads the Governance Risk and Compliance (GRC) Strategy within the Office of the CTO at EMC Corp., "we need to deliver the proper set of controls to mitigate known risks so we can achieve a trusted environment."

Specifically, Tabet said, CSA has a group focused on looking at data in the cloud “to define all the risks and concerns from the perspective of the user, the service provider, and overall governance and compliance.”

Rather than reinventing the wheel, Tabet said CSA is looking to collaborate with other groups such as ISO and the International Telecommunication Union (ITU). CSA is also looking at the role of service-level agreements (SLAs) as a key factor in making the cloud work. “When you look at service-level agreements, they're often ambiguous and hard to enforce. We want to provide examples and classifications of SLA, and perhaps even make the process of using and enforcing SLAs more automated,” he said. “That will be a big step forward."

This story was previously published on SearchCloudStorage.com.


This was first published in April 2012