Cloud Computing

Building firm foundations for standard development

By Morand Fachot

Cloud computing and the use of data, software and services that are kept on the Internet rather than on individual devices to provide on-demand access, represent a huge market expected to achieve a 30% CAGR (compound annual growth rate) between 2015 and 2020 when they will reach USD 270 billion.

ISO (International Organization for Standardization)/IEC JTC (Joint Technical Committee) 1: Information technology, works on international standardization in the field of Information Technology. JTC 1 has 19 SCs (Subcommittees) and created JTC 1/SC 38: Distributed application platforms and services (DAPS) in 2010. Fields encompassed include Web Services, SOA (Service Oriented Architecture) and Cloud Computing. 
Donald R. Deutsch, Chairman of JTC 1/SC 38 and Oracle’s Vice-President, Standards Strategy and Architecture, details the work of this SC in support of the new technology*.

Interoperability, portability and security are the three areas that SC 38 SGCC has identified for standards development in cloud computing Interoperability, portability and security are the three areas that SC 38 SGCC has identified for standards development in cloud computing

Cloud computing is a hot topic in ICT (information and communications technology), and is being closely watched by many. Organizations and individuals alike are keen to store and process their data in the cloud, access applications from anywhere and important information maintained in the cloud – and do this faster and at lower cost than through conventional means.

Commercial enterprises and public-sector organizations are eager to gain promised efficiency and agility, while individuals desire the cloud’s ubiquity and flexibility. Of course, everyone wants to reduce cost. Organizations, especially governments, seeking to benefit quickly from cloud computing have recognized the need for standards to support the adoption of this emerging technology. In response, ISO/IEC JTC 1, Information technology, SC 38, Distributed application platforms and services (DAPS), was formed in 2010 to work in cloud computing and two of its facilitating technologies: Web services and SOA (service-oriented architecture). Together with other SSOs (standards-setting organizations), government laboratories and private-sector organizations, SC 38 is addressing the desire for standards supporting the rapid adoption of cloud computing.

Hot topic

The subject of much hype and interest, cloud computing is being swiftly and widely embraced. SC 38 is opening the way for the standards needed to support this new technology’s rapid adoption.

Frequent announcements of new technology “breakthroughs” include claims that they will change how we do things. Some are never embraced by the market, and fade away. Others catch on and become part of the technological infrastructure that supports modern life. A few actually do change our day-to-day lives. Few technological innovations have generated as much hype, offered so much promise or been as widely and rapidly embraced as cloud computing.

But what is cloud computing? It represents the convergence of technology developed over recent years and the result of advances in areas such as Web services, SOA, grid computing and virtualization. While these and other technologies provide valued ICT capabilities in their own rights by facilitating and providing the foundation for cloud computing, their use together offers even greater promise.

Multiple benefits

Cloud computing means different things to different people. Depending on one’s focus, the benefits of cloud computing are to:

  • Reduce ICT expenditure by deploying and using resources in a more cost-effective way
  • Offer greater speed, computing power, and capacity to individual users through the sharing of resources
  • Make computing more accessible to individuals, and to organizations of all sizes
  • Increase security (although some see security risks in a cloud environment).

Techno jargon

A consensus among the many groups seeking to characterize cloud computing is reflected in the following definition from on-going work at the US NIST (National Institute of Standards & Technology), which has been adopted by SC 38’s SGCC (study group on cloud computing): “... a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable resources (e.g. networks, servers and storage systems), applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

For those not conversant with techno-jargon – who may be wondering what cloud computing means to us – NIST specifies characteristics of cloud computing implementations and the SGCC report describes service models and deployment models.

Implementation characteristics

While cloud computing has many variants, its implementations can be characterized in terms of whether and how they incorporate multiple capabilities. On-demand self-service: computing services such as processor and storage can be automatically provided (provisioned), monitored and managed by individual users when needed without human intervention or interaction with each service’s provider. Broad network access: computing services are delivered to heterogeneous devices over standard networks.

Resource pooling: ICT resources are shared across multiple applications and users in a non-dedicated manner. Rapid elasticity: ICT resources can be expanded and reduced quickly and on an as-needed basis. Capabilities provided may appear unlimited to users who can obtain any quantity of any ICT resource at any time. Measured service: the use of ICT resources is tracked for each application and user.

Service models

Cloud computing is offered at different layers in the hardware/software stack that makes up a modern ICT environment, with different service models for each layer: SaaS (Software as a Service): applications are delivered as a service to end-users, typically through a Web browser.

PaaS (Platform as a Service): an application development and deployment platform is delivered as a service to developers who use the platform to build, deploy and manage applications.

IaaS (Infrastructure as a Service): computer servers, storage, networking hardware and other key computing resources are delivered as a service so the consumer can provide the capabilities needed to deploy and run arbitrary software.

Standardization opportunities and requirements

What standards are needed to support the wide and rapid adoption of cloud computing? SC 38 SGCC has analysed existing standards and on-going standardization efforts, and surveyed the interfaces offered by current cloud computing providers. It has identified commonalities that suggest three likely categories of future cloud computing standards development: interoperability, portability and security.


Cloud computing interfaces that could be candidates for interoperability standards are of two types: self-service interfaces offered to cloud users and administrators for managing cloud services, and functional interfaces provided by, and reflecting the level of, cloud services offered.

Work is underway to define standards for IaaS self-service management interfaces. The PaaS management interface is concerned with the lifecycle of applications and the platform resources they depend on, just as IaaS interfaces provide metrics for compute, storage and network services. PaaS clouds typically expose usage metrics for platform services. Most important for SaaS interoperability are canonical data formats. Many SSOs are focusing on specifying standard data formats using XML (extensible mark-up language) that are useful regardless of where the application resides.

For IaaS clouds, the functional interface depends on the specifics of the hardware configuration and is therefore an unlikely candidate for standardization. The functional interface of a PaaS offering is a runtime environment for developing and deploying applications. The SaaS functional interface is the same as the application interface of the software itself.


SC 38 SGCC has identified two types of cloud portability standards, workload and data. Workload standards can facilitate porting and distributing application and operating environment packages across IaaS and PaaS clouds. ISO/IEC JTC 1 Distributed Management Task Force’s recent approval of the open virtualization format is a step in this direction.

Data portability is fundamental to the true notion of portability, giving control to the owner of that data rather than to Web applications that use it or service providers that host the applications. Standards are needed so that users can easily and completely move data from one cloud to another, which means not just changing the location of where the data are processed, but also reliably eliminating it from the previous cloud provider.


The single biggest concern for many potential cloud computing users is security: ensuring the confidentiality, integrity, and availability of information and application systems. Some cloud computing implementation approaches increase the importance and complexity of security assurance. The development of security standards for cloud computing will use the excellent work and specialized skills in groups such as ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.

Foundation-building and future requirements

When SGCC completed the work specified in its charter, SC 38 established a new WG 3 (working group) to pursue standardization opportunities identified in the SGCC final report. To facilitate the development of cloud computing standards, the subcommittee proposed that WG 3 initially develop standards for terminology and reference architecture. To identify new work items, SC 38 will document cloud computing usage scenarios, refine scenarios into detailed use cases and evaluate existing and on-going standards development efforts for any gaps. Finally, the subcommittee will document those gaps as requirements for future standards development initiatives.

SC 38 has charted a course to provide a sound foundation for developing future cloud computing standards. Also, by defining usage scenarios and use cases, it will identify requirements for future cloud computing standards efforts – whether within SC 38, in other forums or in cooperative efforts across SSOs.

Donald R. Deutsch is Oracle’s Vice-President, Standards Strategy and Architecture, responsible for coordinating participation in technical standards and consortia forums across all business units and geographic areas. He is also Chair of ISO/IEC JTC 1, Information technology, subcommittee SC 38, Distributed application platforms and services (DAPS).


* Article first published in ISO Focus+ November/December 2011 - Reprinted with permission of the Editor

Interoperability, portability and security are the three areas that SC 38 SGCC has identified for standards development in cloud computing Interoperability, portability and security are the three areas that SC 38 SGCC has identified for standards development in cloud computing
Many consider cloud computing as the future in interacting with and storing data Many consider cloud computing as the future in interacting with and storing data
Cloud computing provides "on-demand network access to a shared pool of configurable resources, applications and services" Cloud computing provides "on-demand network access to a shared pool of configurable resources, applications and services"