
EC cloudconsult OASIS 20110831


DESCRIPTION

OASIS response to EU Digital Agenda January 2010-11 cloud computing survey. See: http://cordis.europa.eu/fp7/ict/ssai/events-20100126-cloud-computing_en.html


Page 1: EC cloudconsult OASIS 20110831

European Commission Public Consultation on Cloud Computing

Response of OASIS (www.oasis-open.org)

30 August 2011

1. Are you responding for a Company?

Yes.

2. Size in number of employees?

18. See question 6.

3. Sector?

Computing & Internet. See question 7.

4. Country where legally established?

United States.

5. Are you a Public Administration?

No.

6. Size in number of employees?

OASIS is a global standards consortium, with 18 employees and about 5000 participants representing over 600 companies & individuals. We have advised our own members about this inquiry, in case they wish to respond. Of course, their opinions are their own, and this response does not represent the views of any of our member companies, governments or individuals, but only the observations of OASIS professional staff.

7. Sector?

OASIS produces data standards for Computing & Internet activity in industry and governments.

8. Country where legally established?

OASIS is a not-for-profit corporation established in the United States, with representatives also in (among other places) China, France, Japan, the Netherlands and Switzerland.


9. If you are not a company or a public administration, are you …

(Not applicable.)

10. If other, please explain.

(Not applicable.)

11. If you are a user of cloud services, please describe your current use of cloud computing. What kind of problems do you encounter when using cloud computing solutions in the EU? Elsewhere?

OASIS operates as a global venue for collaborative voluntary standards development, across many time zones, borders and languages, and depends heavily on remote access and participation capabilities. These include database-driven administration and archiving of our technical committees' work, collaborative workspaces, and enterprise e-mail, the majority of which are provided by third-party service providers on a cloud or similar remote platform.

12. If you are a potential user but not active yet: What are the main reasons for not (or not yet) using cloud computing?

In some cases, we have elected to purchase self-installed and self-hosted software for mission-critical functions, and declined the alternative of purchasing cloud-based “software-as-a-service”. Sometimes this business decision was made in order to retain greater control over the installation. In other cases, when we chose against a cloud service, our main reason was greater certainty about the survivability of our access to our data if the software provider failed.

13. If you are a provider of cloud services: Please describe your offer. What kind of barriers do you face in providing your cloud computing services within the EU? Elsewhere?

We are not a traditional provider of computing services. However, as a widely-used open standards consortium that hosts market-driven standards projects, our principal “products” are forums and publications about data structure rules and consensus.

Many of our projects affect or provide guidance to cloud computing practices, generally including our cybersecurity, electronic identity, SOA and web services, and content management and semantic projects. (See the question below on “existing or emerging standards” for a longer list.)

Among other things, OASIS also participates in and has provided experts to the Standards and Interoperability for eInfrastructure implemeNtation InitiAtive (SIENA) project (http://www.sienainitiative.eu/), and hosts the International Cloud Symposium (ICS) near London in October, 2011 (http://events.oasis-open.org/home/cloud/2011), at which many of these issues will be addressed.


Clouds for users

1. Do you feel that in the cloud services you are currently using or have been evaluating (or are providing), the rights and responsibilities of both user and provider are clear?

Yes.

2. Please comment.

As a group of computing experts, OASIS may not be a typical corporate consumer of cloud-based services: our degree of understanding of cloud-related contractual duties may be unusual.

However, clarity is not the same thing as balance. Cloud service offerings often are mass market offerings, made under terms wholly defined by the seller. While we may understand the terms of cloud service contracts clearly, they may not always be attractive, marketable or feasible.

3. Are you aware of the applicable jurisdiction in different types of disputes that could arise during your provision or use (or potential future use) of specific cloud offerings?

Yes.

4. Is there an alternative approach to the determination of jurisdiction that may work better for both users and providers?

Yes.

5. If yes, please comment.

As the differences among legal and regulatory requirements in different jurisdictions become more clear, user preferences may respond to them, creating a “market” for the more favorable legal frameworks. We already are aware of some instances where cloud services users attempt to choose their governing law by preferring hosts venued in some locations rather than others.

The demands of some states that a global Internet service establish local servers also point to the significance, in some minds, of physical location and jurisdiction.

Governments may wish to consider how to better cooperate, in applying laws to multi-national entities who serve global customer bases from a given set of locations. Is it possible to work towards a multi-national reciprocity model, where the exact location of a service's server becomes less significant?

6. Please comment.

[No answer.]

7. Do you feel that the question of liability in cross-border situations is clear for cloud users and cloud providers?

No.


8. Why?

There often is a definitive answer. In order to learn it, though, a buyer or user must navigate and analyze long textual conditions which may not be clear to average readers: the terms may not be obvious, conspicuous or easy to comprehend. It seems likely that many consumers of many cloud computing services do not know anything about the legal conditions under which they consume the service.

However, exclusive jurisdiction clauses are not a new development. Service contracts where providers specify that they may only be sued in their home jurisdiction long predate cloud computing. Many transactions in the commercial (“B2B”) sector address the application of cross-border law to multi-party situations without difficulty. The economics of cloud computing services may not always adapt well to traditional legal resolution. In a tangible commercial shipping contract -- goods and services exchanged in high-denomination transactions -- the amount at stake may support significant costs to resolve disputes. In contrast, cloud computing services often are offered in small, componentized units, and often on an inexpensive or even free basis. Traditional high-cost litigation & contract enforcement methods may not be efficient for resolving disputes about a large volume of small-value data transactions.

Legislative Framework

1. Do you think there are updates to the current EU Data Protection Directive that could further facilitate Cloud Computing while preserving the level of protection?

[No answer.]

2. If yes, please explain.

[No answer]

3. Are you aware of specificities in Member State data protection rules, or other legislation, that prevent you from using/providing cloud services within the EU?

Yes.

4. If yes, please detail.

In some cases, we are interested in conducting message exchanges that produce legally enforceable transactions or agreements. This sometimes will require that the entities who exchange messages, or their representatives, are able to associate binding assurances of identity and contractual assent – the electronic equivalent of signatures. But the technical standards for acceptable and enforceable electronic signatures vary from state to state, and the requirements of the laws may not apply well to existing technology alternatives. For example, the European Directive on Electronic Signatures (1999/93/EC), and certain member state enactments such as the German “SigG” Law Governing Framework Conditions for Electronic Signatures (Bundesgesetzblatt – BGBl, Teil I S. 876, 21 May 2001), describe and favor some specific “advanced” technologies that were anticipated as desirable at the time, but may or may not have developed into feasible, widely available options in the decade since then.

5. From your perspective, would it be useful if model Service Level Agreements or End User Agreements existed for cloud services, so that certain basic terms and conditions could easily be incorporated into the contractual agreements?

Yes.

6. If no, why not?

[Note our caution about mandated solutions, below.]

7. If yes, further thoughts about how this might work.

Model forms, as such, probably would be very helpful in the still-early commercial and legal development of the industry and its transaction forms.

However, a prescriptive set of forms that is imposed on transactions, rather than one that evolves from market practices, might quell the natural market development of risk allocation options and new service models, as clouds evolve. Government traditionally provides some market stability though fair trade / anti-deceptive-practice laws, regulation of clarity and personal privacy, and mechanisms for cross-border dispute resolution. Those functions, properly carried out, ought to facilitate a robust cloud computing market of services, allowing various economic models and technology offerings to circulate and compete.

Embracing interoperability

1. Please describe interoperability or (data) portability issues you have encountered when using/providing cloud services or are otherwise aware of.

In the case of commercial databases, limited early data export capabilities eventually gave way to widespread shared service interfaces and formats (like ODBC, JDBC and XML). We expect that widespread adoption of cloud computing will be enabled in the same way by open standards. Users will be able to confidently rely on cloud services, when there are widely-known and freely-available methods for data exchange and for service discovery and service invocation. These will reduce the risk of vendor lock-in, and reduce the costs of re-tooling in order to add a new supplier. Realizing those benefits will require the use of stable standards, created in an open process, with well-established licensing terms and disclosure, and housed by reliable, vendor-neutral development environments.

2. Which existing or emerging standards support interoperability across clouds and portability of data (from one cloud to another)? Please list and describe.

Quite a few may apply. Among others,

(a) Interoperable data content & semantic meaning is supported by OASIS' OpenDocument, DITA, CMIS, QUOMOS, UnitsML, XRI/XRD & Search Web Services; W3C's HTML, XML & RDF; and CLIF (ISO/IEC 24707);


(b) Reliable data exchanges, wide-area identity management & access control are supported by OASIS' XACML, ID-Cloud, WS-Trust, XSPA, ebXML Messaging, WS-ReliableMessaging, SOA-RM, S-RAMP and ebXML Registry (some of which have been cloud-optimized); OpenID and the Kantara ID-FF; and

(c) Appropriate security & privacy are supported by OASIS' SAML, WS-Security & PMRM, IETF's OAuth and W3C's P3P.

One caution: browser-session-centric models from the consumer (B2C) sphere may have limited application to complex cloud (B2B and G2B) requirements.

3. What are the most important standards that are currently missing but which you feel are necessary to insure interoperability and portability? Please describe in detail the aspects they should cover.

Many of the needed functionalities for robust interoperable cloud services already exist, in established SOA, virtualization, transaction management and other computing and business process methods. It's important to acknowledge that implementation of capabilities in “the cloud” often does not require a completely new set of technical or business systems.

In a highly-distributed, highly-heterogenous ecosystem of cloud computing services, choosing stable open standards is a necessary part of the solution.

As an additional suitability filter, it may also prove important to employ only standards that are relatively free of obstacles to adoption. Aggregated chains of networked data transactions among strangers and newcomers, triggering the economic benefits of an open networked market, are much more likely to occur if the base standards which participants must embrace are:

(a) clear and easy to deploy;

(b) well documented;

(c) relatively free of licensing complexity or cost;

(d) capable of optionality to support multiple platforms and designs; and

(e) readily testable.

As noted above, the lack of existing widely-agreed federatable standards for identity provisioning and management retards the spread of markets of high-value data transactions, by impairing the ability of users to enter into reliable, repeated data exchanges with identifiable counterparties.

Public sector clouds

1. What can the public sector do as a cloud user to support the emergence of best practices?

(a) Publish and circulate its own RfPs and bid documents as models.

(b) Require the use of vendor-neutral, interoperable methods that support the open standards ecology.

(c) Participate actively (as some government agencies already do) as instigators and contributors to the development and maintenance of those shared resources (like standards projects and common repositories).

(d) Deploy its own data architectures on a service-based, open-API model that models and encourages virtuous re-use.

(e) Simplify its own copyright & similar licensure terms, where applicable, to remove transactional-complexity barriers to reuse.

2. Please elaborate in particular on public procurement of cloud services.

Government use of cloud services for critical functions raises some additional possible jurisdictional issues. Multiple nations have sought local server co-location from various global data providers in the last few years -- often unsuccessfully, and presumably driven in part by a desire for physical jurisdictional ability to enforce their rights against the services. A preferable solution may be: (a) the development of service models and remediation methods that give a purchasing government some reasonable remedies & assurance of reliability and recovery, regardless of service provider location; and (b) significant demands for more portable and replicable data & services, so that a purchasing government can readily maintain multiply redundant backup capabilities, as protection against the risks of any one provider.

3. In particular, can the deployment of eGovernment and eScience infrastructures by the public sector act as an example for other sectors?

E-government service offerings often serve as early lead instances of data transactions that provide models for other sectors to follow. The strong roles of government agencies in the initial development of the Internet itself, as well as automated supply chain and invoicing transactions and e-health transactions, evidence this. If public administrations insist on, and help measure and define, levels of predictability, reliability and interoperability, those instances may serve as positive models that influence the commercial markets for cloud services as well.

4. Please list Member State initiatives in the area of Cloud Computing that you are aware of.

Many of our standards and experts have been involved at the regional level on large-scale, Commission-promoted projects like PEPPOL (http://www.peppol.eu/), eCODEX (http://www.ecodex.eu/), SIENA (http://www.sienainitiative.eu/) and SPOCS (http://www.eu-spocs.eu/). While these are not technology research projects, they are deployment plans, each of which assumes widespread data and transaction promulgation that necessarily relies in large part on cloud methodologies and services.

5. Do you think they are [adequate / go too far / not enough]?

[No answer.]

6. Please elaborate.

[No answer.]

7. How can Member States best cooperate to create interoperability solutions and shared best practices?

By participating in, and donating their relevant nonconfidential use cases to, open standardization projects.


Future Research and Innovation programmes

1. Which are the most important technical aspects of cloud computing that researchers are currently working on?

While the list of useful research fields in this general topic area is long, as a data standards organization, we are particularly interested in:

(a) common models for data registries, directories and repositories, in support of complex transaction models and data governance;

(b) federated identity provisioning and management, to enable reliable electronic interchanges with reasonably known parties;

(c) data transformation, modeling, mapping and interface methods that may help bring about greater interoperability and data portability across diverse systems (and better service recovery); and

(d) tools and methods that make conformance and interoperability tests more widely available and useable.

2. Beyond these, do you see technical problems/limitations of current cloud service offerings that will require further research in the coming years?

Yes.

3. Please elaborate.

Interoperability and conformance testing is a sine qua non requirement of growing open markets of transactional capabilities that rely on shared data structures (like open standards). But the prevailing model is one of large, relatively expensive testing, episodically gated by software release schedules. As the desire to participate in data exchanges spreads to a much larger group of new and diverse entrants, we will experience a need for easier, simpler and self-help-oriented testing and validation mechanisms. Research to design and facilitate the evolution of services and tools for "DIY" or "nanotesting" would be helpful to widespread adoption and market growth.

Also, current computing security models, to a large extent, were developed in the context of centralized controls and select trusted systems. The different risks and needs of widely-distributed and loosely-coupled data transactions, in a cloud environment, are still in early stages of definition. So cloud-based services do not yet always have the benefit of widely-known and widely-implemented security guidance.

4. Should public R&I funding be used to establish prototypes of new cloud infrastructures?

Yes.

5. If yes, please describe types of projects/prototypes you would see as useful, and explain why.

Ideally, public authorities would develop cloud capabilities to fulfill their own business and policy functions more effectively. These, if well documented and designed, could serve "double duty" also as prototypes and models for further similar developments in other sectors.


Global solutions for global problems

1. What are the most important Cloud Computing solutions that have to be discussed at the global level? Please list and explain.

(a) Identify pre-existing standards-based solutions already in use, likely in sets with multiple possible combinations, in the areas of security, content representation, access control (identity/privacy), and service deployment & access, to demonstrate the immediate feasibility of reliable, interoperable cloud functions.

(b) Seek collaboration on vocabulary, identifier and data architecture resources for use in wide-scale service discovery and service invocation.

(c) International cooperation (including reciprocity and comity) on practical resolutions to cloud computing jurisdictional issues.

(d) Promote automatable representation of policy and rule constraints on cloud transactions & exchanges.

2. What would be the right fora/approaches to tackle them? Please expand.

Carefully-scoped and government-encouraged cooperative work by established open standards bodies with relevant expertise.

Respectfully submitted,

James Bryce Clark, General Counsel, for OASIS