1、 ETSI SR 003 381 V2.1.1 (2016-02) Cloud Standards Coordination Phase 2; Identification of Cloud user needs SPECIAL REPORT ETSI ETSI SR 003 381 V2.1.1 (2016-02) 2 Reference DSR/NTECH-00030 Keywords cloud, requirements, user ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33
2、 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available
3、in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only preva
4、iling document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI
5、 documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any for
6、m or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in
7、all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organ
8、izational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI SR 003 381 V2.1.1 (2016-02) 3 Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 6g3Introduction 6g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2
9、 Informative references 7g33 Abbreviations . 8g34 The rationale for the survey 9g34.1 Survey goals and objectives . 9g34.2 Content of the report. 9g35 Survey presentation 10g35.1 Survey goal and structure . 10g35.2 Survey methodology Essential, or potentially Essential, IPRs notified to ETSI in resp
10、ect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of
11、other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Special Report (SR) has been produced by ETSI Technical Committee Network Technologies (NTECH). The present document is approved
12、by the NTECH Technical Committee and for publication on the Cloud Standards Coordination website (http:/csc.etsi.org). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as desc
13、ribed in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction Cloud Computing is increasingly used as the platform for ICT infrastructure provisioning, appli
14、cation/systems development and end user support of a wide range of core services and applications for businesses and organizations. Cloud Computing is drastically changing the way ICT is delivered and used. However, many challenges remain to be tackled. Concerns such as security, vendor lock-in, int
15、eroperability and accessibility, service level agreements more oriented towards users are examples of issues that need to be addressed. The survey discussed in the present report aims at collecting information on the respondents awareness of those concerns. Standards and certification programs play
16、an important role in terms of increasing the market confidence in Cloud Computing. The promotion of Cloud Computing standards and certification schemes that address current concerns is necessary in order to ensure that both customers/users as well as providers will regard Cloud Computing with the sa
17、me level of reliability, trust and maturity as traditional ICT. In February 2015, the Cloud Standards Coordination Phase 2 (CSC-2) was launched by ETSI to address issues left open after the initial Cloud Standards Coordination work was completed at the end of 2013. Cloud Standards Coordination Phase
18、 2 is investigating some specific aspects of the Cloud Computing standardization landscape, in particular from the point of view of the Cloud Computing users (e.g. SMEs, Administrations). It will also generate a new snapshot regarding the state of standards and investigate the interaction and relati
19、on between standardization and open source based software and solutions. The present document presents the results of the web survey conducted in April - September 2015. ETSI ETSI SR 003 381 V2.1.1 (2016-02) 7 1 Scope The present document presents the results of the web survey conducted in April - S
20、eptember 2015. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference d
21、ocument (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee th
22、eir long term validity. The following referenced documents are necessary for the application of the present document. Not applicable. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific re
23、ferences, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The follo
24、wing referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 Recommendation ITU-T Y.3500: “Information technology - Cloud computing - Overview and vocabulary“. NOTE: Same as i.5. i.2 Gartner, G00271282:
25、 “Budgeting for the SaaS Security Gap“, January 28, 2015. i.3 Skyhigh: “Cloud Adoption the organization making the leap to the Cloud need to be prepared. Nearly half of respondents claim that efforts related to data categorization (43 %) and data classification (35 %) are on-going in their organizat
26、ions. Data security awareness and level control is seen as a highly important aspect that needs to be tackled by a majority of the respondents. Regarding software licenses, 37 % of the respondents indicate that negotiations are on-going with the software vendors providing Cloud Computing software it
27、 is not entirely clear if answers in this category indicate that actions are not needed or if necessary measures have already been taken). Cloud Deployment Models and Cloud Service Categories: Private Cloud deployment models clearly dominate followed by Hybrid Cloud and Public Cloud deployments. Con
28、cerning Cloud Service Categories, high-availability is seen as the top usage area for IaaS while software development is also seen as the top capability for PaaS. Concerning SaaS, the general data storage type of application is ranked high while specialized applications supporting for example supply
29、 chain services, HR, ERP or CRM are less frequently mentioned. Notably, 54 % of the respondents indicate an interest in emerging Cloud Service Categories such as CaaS, NaaS, DsaaS and CompaaS. Cloud computing and standards: Security, privacy and integrity, performance and portability across vendor s
30、olutions are ranked high regarding the impact that standards have on the concerns of organizations. In terms of how standards are considered in the organizations of the respondents, 38 % indicate that standards are used while 27 % that they are considered. This shows a promising insight into the val
31、ue and importance of standards. In line with the responses regarding impact of standards, interoperability, security, service level agreements, portability and APIs are mentioned as top priorities. The feedback also indicates that recently published standards are now becoming known by a small number
32、 of respondents. Examples of standards used or considered are ISO/IEC 17788 i.5 - Recommendation ITU-T Y.3500 i.1 - ISO/IEC 17789 i.6 and Recommendation ITU-T Y.3502 i.7. However, the number of answers is too insignificant to claim that the Cloud Computing specific standards are now part of the Clou
33、d strategy for most organizations. Cloud computing certifications: Almost 75 % of the respondents see certification schemes as a positive way of increasing confidence in Cloud Service Providers. Amongst the cross-cutting aspects, the two (security, privacy and integrity) seen as both most critical f
34、or the maturity of cloud computing Q11 and as aspects where standards are expected to have highest impact Q34, certifications for these aspects are actually ranked as close to the least important Q48. The most important issues for certification are: data storage location (one aspect of privacy), clo
35、ud datacentre infrastructure, cloud provisioning process and interoperability/reversibility. A more detailed analysis is found in clause A.11 of the present document. A majority of the respondents are unaware of the Cloud Certification Schemes List (CCSL) defined by ENISA while in this list, the wel
36、l-known ISO/IEC 27001 i.8 comes first as a scheme for Cloud certification. A majority of the Cloud Service Customers indicate that they plan to include one of these certification schemes in their Cloud Computing procuring processes. A majority of Cloud Service Providers also plans to certify their C
37、loud Service offerings. 6.2 Trends and patterns Based on the responses received, it is possible to make some tentative and high-level analysis. From this analysis, some patterns emerge that will have to be clarified and confirmed by a final analysis made at the conclusion of the survey. The trends t
38、hat are assessed as the most significant are presented below. Security, Integrity and Data Privacy: These topics are seen as major concerns for cloud maturity and for standards impact, although not for certification. This is not a new finding, but the fact that it is still very much present is a cle
39、ar indication on the perceived challenge ahead for security standards and Cloud certification in particular. Interoperability and Portability: These areas are ranked high. Concern in this area is most likely linked to the issue of vendor lock-in, the unclear capabilities of individual cloud service
40、offerings ability to move data from one service to another and the lack of portability standards for cross-Cloud scenarios in general. ETSI ETSI SR 003 381 V2.1.1 (2016-02) 13 Moving to the Cloud: There is a high perception from the respondents that the transition to Cloud Computing should be carefu
41、lly planned and organized, in particular in areas pertinent to data (classification, storage, etc.), processes and security. Standards: In general, the role of standards is seen as important and there is a growing level of awareness, even in terms of knowledge of the existing set of standards. It is
42、 to be noted that, in this perspective, the benefit from standards related to Cloud Computing is seen as more critical than Open Source: this finding is however subject to further analysis. This topic is further explored in ETSI SR 003 382 i.12. Certification: A very large majority (over 80 %) of th
43、e respondents confirm the role of certification as a very useful way to improve confidence in Cloud Computing. However the selection of Cloud Certification schemes is complex: the Cloud Certification Scheme List (CCSL) is an attempt to make a selection of such schemes but the survey shows that only
44、31 % of respondents are aware of this list. This is clearly showing a need for increasing the awareness of the Cloud Computing community on CCSL and all the means to have access to a pre-analysed and recommended list of certification schemes. 6.3 Detailed findings 6.3.1 Adoption of Cloud Computing T
45、he web survey clearly indicates which Cloud Computing Service Categories (SaaS, PaaS, IaaS, etc.) and Cloud Computing Deployment Models (Public, Community, Private or Hybrid) are most common in terms of usage; IaaS and provisioning infrastructure as well as general data storage constitute the most p
46、opular Service Categories and usage areas where the Private Cloud Deployment Models come out first as the Deployment Model. The adoption of Cloud Computing and Cloud Computing based services continues to grow across Europe. Studies also show that the use of Cloud Computing services is steadily growi
47、ng worldwide. In a recent study published by Skyhigh “Cloud Adoption the conclusion might be that there is simply not yet sufficient confidence in Cloud Computing for the users to provision and process sensitive data in the cloud computing space. It is recommended to further investigate the reasons
48、(such as security concerns, regulatory, etc.) for the slow adoption of SaaS for sensitive data needs. There are different legal barriers across Europe and no up-to-date European Data Protection Regulation yet. Among the low number of respondents, ISO/IEC 27001 i.8 is the standard most known and used
49、. “Security“ is a complex, slightly ambiguous and imprecise concept. It can be and probably is interpreted in many different ways. Security can for instance map to and concern one or more of the following areas: - Data protection (and information classification, data encryption, etc.) - Data access - Identity management - Authorization - Authentication - Data privacy - Data integrity - Accessibility - Operations and probably some additional domains/areas. It is likely that “Security“ and “Privacy and integrity“ are in fact grouped together
