ISO/IEC 17789 Cloud Computing Reference Architecture (CCRA)

ISO/IEC describes cloud computing systems from four distinct viewpoints:

• User view: The system context, the parties, the roles, the sub-roles, and the cloud computing activities
• Functional view: The functions necessary for the support of cloud computing activities
• Implementation view: The functions necessary for the implementation of a cloud service within service parts and/or infrastructure parts
• Deployment view: How the functions of a cloud service are technically implemented within already existing infrastructure elements or within new elements to be introduced in this infrastructure

The ISO/IEC 17789 implementation and deployment views are specific to technology and vendor-specific implementations. Because of this, they are considered out of the scope for the international standard. For CCRA purposes, only user and functional views are defined as “within scope.”

ISO/IEC 17789 Functional Layers

The four distinct functional layers defined in the ISO/IEC 17789 CCRA are:

User layer: Functional components that support the cloud computing activities of cloud service customers and cloud service partners

Access layer: Includes functional components that facilitate function distribution and interconnection

Service layer: Includes functional components that provide the cloud services themselves plus related administration and business capabilities, and the orchestration capabilities necessary to realize them

Resource layer: Includes the functional components that represent the resources needed to implement the cloud computing system

Not all layers or functional components are necessarily instantiated in a specific cloud computing system. The multilayer functions include functional components that provide capabilities that are used across multiple functional layers. These include:

• development support
• integration
• security systems
• operational support systems
• business support systems

ISO/IEC Roles and Sub-Roles

ISO/IEC 17789 cloud computing reference architecture defines three roles:

• Cloud service customer (CSC): A party that is in a business relationship for the purpose of using cloud services.

• Cloud service provider (CSP): A party that makes cloud services available.

• Cloud service partner (CSN): A party that is engaged in support of, or auxiliary to, activities of either the cloud service provider or the cloud service customer, or both. Cloud service broker and cloud auditor both fall under this ISO/IEC 17789 role.

These “roles” loosely align with the NIST reference architecture “actors.” The ISO/IEC 17789 standard also defines sub-roles that are used to categorize the activities managed under a given role.

Cloud Computing Activities

There are a number of activities that are essential for creating, designing, implementing, testing, auditing, and maintaining the relevant assets in traditional computing and technology environments. ISO/IEC 17789 links cloud computing activities to traditional technology environment activities through the use of sub-role activities to the relevant cloud based assets.

A cloud service customer’s activities include:

• Use cloud service activity: Use the services of a cloud service provider to accomplish critical security tasks
• Perform service trial activity: Use the services of a cloud service provider to ensure that the cloud service is fit for the cloud service customer’s business needs
• Monitor service activity: Monitor the delivered service quality with respect to service levels as defined in the service-level agreement (SLA) between cloud service customer and cloud service provider
• The administer service security activity: Ensure appropriate security for cloud service customer data, data backup, and recovery, administering security policies, defining encryption and integrity technologies, and defining the handling of any personally identifiable information (PII)
• Provide billing and usage reports activity: Prepare reports of the customer organization’s cloud services usage and associated reports of the billing/invoice data relating to that usage
• Handle problem reports activity: Perform customer-side handling of any reported problems associated with the usage of cloud services
• Administer tenancies activity: Administer the tenancies of the cloud service customer with the cloud service provider
• Perform business administration activity: Manage the business aspects of the use of cloud services, including accounting and financial management
• Select and purchase service activity: Examine the cloud service offerings to determine if the service meets cloud service customer business and technical requirements
• Request audit report activity: Request the report of an audit of the cloud service, typically conforming to a particular audit standard or scheme
• Connect ICT systems to cloud services activity: Integrate existing ICT systems and cloud services, connect existing ICT component(s) and applications with the target cloud service(s), and connect the customer monitoring and management systems with the cloud service provider’s monitoring and control of cloud services

A cloud service provider’s activities include:

• Prepare systems activity: Prepare the systems of the provider’s environment for new cloud service deployments
• Monitor and administer services activity: Monitor and administer services and their associated infrastructure, which includes user and system privileges
• Manage assets and inventory activity: Track all compute, storage, network, and software assets and the relationship between them, also “on-board” new assets and dispose of old assets
• Provide audit data activity: Collect and provide data relevant to an audit request, such as that relating to security controls or to service performance
• Define environment and process activity: Define the required technical environment and operational processes used when a service is running
• Define and gather metrics activity: Define service-level metrics and management
• Define deployment steps activity: Define the steps for the deployment of services
• Provide services activity: Perform all steps required to deliver a cloud service to its cloud service customers
• Deploy and provision services activity: Get a service implementation running and make it available at a network end point accessible to the cloud service users, and make it able to handle service requests from users
• Perform service-level management activity: Manage compliance with SLA targets
• Manage business plan activity: Define a service offering, create a business plan that covers the offering of one or more cloud services to customers, track the sales and service usage against the plan, and prepare and adjust a business plan to provide cloud services
• Manage financial processing activity: Handle billing updates, generate billing information, and handle the receipt of payments from the cloud service customer
• Handle customer requests activity: Handle support requests, reports, and incidents from cloud service customers
• Manage peer cloud services activity: Manage the usage of cloud services of a peer cloud service provider
• Perform peering, federation, intermediation, aggregation and arbitrage activity: Use peer cloud service provider’s cloud services, which includes service federation, intermediation, aggregation, and arbitrage
• Manage security and risks activity: Manage security and risks associated with the development, delivery, use, and support of cloud services
• Design and implement service continuity activity: Consider potential modes of failure of a cloud service and the supporting infrastructure and put in place recovery processes that will enable the cloud service to be available within the terms of the SLA
• Ensure compliance activity: Implement regulatory and standards compliance
• Provide network connectivity activity: Set up requested network connections and related capabilities, including (amongst others) connections between the cloud service customer and the cloud service provider’s system and between one cloud service provider’s system and another cloud service provider’s system
• Deliver network services activity: Provide network-related services such as firewalls or load balancing
• Provide network management services activity: Manage the network infrastructure used to carry cloud services

A cloud service partner’s activities include:

• Design, create, and maintain service components activity: Design and create software components that are part of the implementation of a service, process problem reports, provide fixes, and provide enhancements to service implementations
• Compose services activity: Compose new cloud services by combining or modifying existing services
• Test services activity: Test the components and services created by the cloud service developer
• Perform audit activity: Request or obtain audit evidence, conduct any required tests on the system being audited, and obtain evidence programmatically
• Report audit results activity: Provide a documented report of the results of performing an audit
• Acquire and assess customer activity: Market and sell cloud services to the point where a cloud service customer agrees to a contract to use one or more services
• Assess marketplace activity: Assess the current cloud computing marketplace to identify and recommend cloud service(s) that allow the customer to meet desired goals
• Set up legal agreement activity: Establish the service agreement between the cloud service customer and the chosen cloud service provider(s)

Cloud Service Capabilities

ISO/IEC 17788 defines cloud capabilities types as a classification of the functionality provided by a cloud service provider to the cloud service customer, based on the resources used. There are three different cloud capabilities types:

• Software capabilities
• Platform capabilities
• Infrastructure capabilities

Software Capabilities

Cloud computing provides significant and potentially limitless possibilities for organizations to run programs and applications that previously may not have been practical or feasible given the limitations of their own systems, infrastructure, or resources. When utilizing and deploying the right middleware and associated components, the ability to run and execute programs with flexibility, scalability, and on-demand self-service capabilities can present massive incentives and benefits. Clients can access their applications and data from anywhere, at any time. They can access the cloud computing system using any computer linked to the internet. Data isn’t confined to a hard drive on one user’s computer or even a corporation’s internal network. Other capabilities and benefits include:

• Overall reduction of costs: Cloud deployments reduce the need for advanced hardware on the client side. Essentially, the requirement to purchase high specification systems, redundancy, storage, etc. to support the applications is no longer necessary. From a customer perspective, a device to connect to the relevant application with the appropriate middleware is all that should be required.
• Application and software licensing: Customers no longer need to purchase licenses, support, and associated costs, as licensing is “leased” and is relevant only when in use (covered by the provider). Additionally, purchasing of bulk licensing and the associated CapEx is removed and replaced by a pay-per-use licensing model.
• Reduced support costs: Customers save money on support issues, as these are handled by the relevant cloud provider. Appropriately managed, owned, and operated streamlined hardware would, in theory, have fewer problems than a network of heterogeneous machines and operating systems.
• Back-end systems and capabilities: A cloud provider supplies access to back-end systems and other capabilities and takes on the responsibility for those resource-intensive tasks.

Platform Capabilities

PaaS and the cloud platform components have revolutionized the manner in which development and software has been delivered to customers and users over the past few years. The barrier to entry in terms of costs, resources, capabilities, and ease of use have dramatically reduced time to market, promoting and harvesting the innovative culture within many organizations. Outside of the key benefits, platform should have the following key capabilities and characteristics:

• Support multiple languages and frameworks: Platform should support multiple programming languages and frameworks, thus enabling the developers to code in whichever language they prefer or the design requirements specify. In recent times, significant strides have been made and efforts have been taken to ensure that open-source stacks are both supported and utilized, thus reducing “lock in” or issues with interoperability when changing cloud providers.
• Multiple hosted environments: The ability to support a wide variety of underlying hosting environments for the platform is key to meeting customer requirements and demands. Whether public cloud, private cloud, local hypervisor, or bare metal, supporting multiple hosting environments allows the application developer or administrator to migrate their application when and as required. This can also be used as a form of contingency and continuity, and to ensure ongoing availability.
• Flexibility: Traditionally, platform providers offered features and requirements that they felt suited the client requirements, suited their service offering, and positioned them as the provider of choice, with limited options for the customers to move easily. This has changed drastically, with extensibility and flexibility now afforded to meeting the developer requirements. This has been heavily influenced by open source, which allows relevant plugins to the available for the platform.
• Allow choice and reduce “lock-in”: “Proprietary” usually means red tape, barriers, and restrictions on what developers can do when it comes to migration or adding features and components to the platform. With the requirement to code to specific APIs made available by the provider, you can now run your apps in various environments, based on commonality and standard API structures, ensuring a level of consistency and quality for customers and users.
• Ability to “auto-scale”: Probably one of the biggest drivers, this enables the application to seamlessly scale and accommodate the demand of users. The platform will allocate resources and assign them to the application as required. This serves as a key driver for organizations that experience spikes and drops in usage (e.g., seasonal sales).

Infrastructure Capabilities

Infrastructure has been the focal component to ensuring which capabilities and organizational requirements could be met, versus those that were restricted. It also represented possibly the most significant investments in terms of CapEx and skilled resources. Because infrastructure served as a key and core component for IT teams and technology professionals around the world, it became a significant cost base and expense when delivering and providing the relevant services to the organization. Within the cloud, this has changed significantly. However, the following key components and characteristics remain to meet and achieve the relevant requirements:

• Scale: Automation and tools to support the potentially significant workloads of either internal users or those across multiple cloud deployments (dependent on the cloud service offering) are key components of infrastructure. Users and customers require optimal levels of visibility, control, and assurances related to the infrastructure and its ability to satisfy their requirements.
• Converged network and IT capacity pool: Building on the scale component, this looks to drill into the virtualization and service management components required to cover and provide appropriate levels of service across network boundaries. From a customer or user perspective, the pool appears seamless and endless (no visible barriers or restrictions, along with minimal requirements to initiate additional resources) for both servers and networks. These should always be focused on supporting and meeting relevant platforms, applications, and SLAs.
• Self-service and on-demand capacity: Requires an online resource or customer portal that allows customers to have complete visibility and awareness of the virtual IaaS environment that they currently utilize. Additionally, this should also allow customers to acquire, remove, manage, and report on resources, without the need to engage or speak with internal resources or with the provider. Think online banking—the same ease of use, without having to go to the branch.
• High reliability and resilience: In order to be effective, there must be automated distribution across the virtualized infrastructure (LAN and WAN), increasing and affording resilience, while enforcing and meeting SLA requirements.

ISO/IEC Cloud Service Categories and Cloud Capabilities

ISO/IEC 17788 includes these three basic services in an extended list referred to as cloud service categories. In that standard, a cloud service category is a group of cloud services that possess some common set of qualities. A cloud service category can include capabilities from one or more cloud capability types. Representative cloud service categories are:

• Communications as a service (CaaS): Real-time interaction and collaboration
• Compute as a service (CompaaS): Provision and use of processing resources needed to deploy and run software
• Data storage as a service (DSaaS): Provision and use of data storage and related capabilities
• Network as a service (NaaS): Transport connectivity and related network capabilities

These extended services are also referred to as “XaaS.” The service provider takes responsibility for installing, maintaining, and operating the “XaaS,” with the users and customers paying according to their usage. The cloud computing market is very dynamic and new cloud services will continue to materialize into new cloud service categories. Some examples of such emerging cloud service categories include:

• Database as a service: Database functionalities on demand where the installation and maintenance of the databases are performed by the cloud service provider
• Desktop as a service: The ability to build, configure, manage, store, execute, and deliver users’ desktop functions remotely
• Email as a service: Complete email service including related support services such as storage, receipt, transmission, backup, and recovery of email
• Identity as a service: Identity and access management (IAM) that can be extended and centralized into existing operating environments, including provisioning, directory management, and the operation of a single sign-on service
• Management as a service: Application management, asset and change management, capacity management, problem management (service desk), project portfolio management, service catalog, and service-level management
• Security as a service: Integration of a suite of security services with the existing operating environment by the cloud service provider, including some or all of the following: authentication, antivirus, anti-malware/-spyware, intrusion detection, and security event management, among others

Cloud computing will continue to evolve, with a number of recently coined services and phrases becoming widely used as variations of the SaaS, PaaS, and IaaS service models. While these terms are often very confusing, it is very important to note that all other “as a service” offerings are basically an aggregation or a subset of SaaS, PaaS, or IaaS models.