Information technology — Cloud computing — Interacting with cloud service partners (CSNs)

This document provides an overview of and guidance on interactions between cloud service partners (CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud service level agreements (cloud SLAs) can be used to address those interactions, including the following: — definition of terms and concepts, and provision of an overview for interactions between CSNs and CSCs and CSPs; — description of types of CSN interactions; — description of interactions between CSNs and CSCs; — description of interactions between CSNs and CSPs; — description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.

Titre manque

General Information

Status
Published
Publication Date
02-Jun-2020
Current Stage
6060 - International Standard published
Start Date
29-Apr-2020
Completion Date
03-Jun-2020
Ref Project

Buy Standard

Technical report
ISO/IEC TR 23187:2020 - Information technology -- Cloud computing -- Interacting with cloud service partners (CSNs)
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview
Technical report
ISO/IEC TR 23187:2020 - Information technology -- Cloud computing -- Interacting with cloud service partners (CSNs)
English language
34 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

TECHNICAL ISO/IEC TR
REPORT 23187
First edition
2020-06
Information technology — Cloud
computing — Interacting with cloud
service partners (CSNs)
Reference number
ISO/IEC TR 23187:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC TR 23187:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC TR 23187:2020(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 2

5 Structure of this document ........................................................................................................................................................................ 2

6 Relationship of roles and activities, and managing risks in cloud services ............................................3

6.1 Overview ...................................................................................................................................................................................................... 3

6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)................... 4

7 Overview of roles, sub-roles, and responsibilities of cloud service partners (CSNs) ...................4

7.1 Relationship between roles, activities and responsibilities ............................................................................. 4

7.2 Roles and sub-roles ............................................................................................................................................................................. 5

7.3 Cloud service provider (CSP) ...................................................................................................................................................... 6

7.4 Cloud service customer (CSC) and Cloud service user (CSU) ......................................................................... 6

7.4.1 Cloud service customer (CSC) .............................................................................................................................. 6

7.4.2 Cloud service user (CSU) .......................................................................................................................................... 6

7.5 Cloud service partner (CSN) ........................................................................................................................................................ 6

7.5.1 Overview ................................................................................................................................................................................. 6

7.5.2 Cloud auditor ...................................................................................................................................................................... 7

7.5.3 Cloud service broker..................................................................................................................................................... 8

7.5.4 Cloud service developer ............................................................................................................................................ 9

7.6 Relationships between CSNs, and other roles and sub-roles .......................................................................11

7.6.1 Differences between CSNs, CSCs and CSPs .............................................................................................11

7.6.2 CSNs and inter-cloud providers .......................................................................................................................11

8 Overview and description of types and interactions between cloud service partners

(CSNs) with CSPs, CSCs, and CSNs .....................................................................................................................................................11

8.1 General ........................................................................................................................................................................................................11

8.2 Interaction between CSNs and CSCs ..................................................................................................................................12

8.2.1 Overview ..............................................................................................................................................................................12

8.2.2 CSN managing CSC’s cloud adoption ...........................................................................................................13

8.3 Interaction between CSNs and CSPs ..................................................................................................................................13

8.4 Interaction between CSNs and other CSNs ..................................................................................................................14

8.4.1 Description of types of CSNs interactions ...............................................................................................14

8.4.2 CSN – interaction and responsibilities .......................................................................................................14

9 Elements of cloud service agreements (CSAs) relating to CSN interactions ........................................14

9.1 General principles .............................................................................................................................................................................14

9.2 Role, relationship and agreement ........................................................................................................................................15

9.2.1 Overview ..............................................................................................................................................................................15

9.2.2 Cloud migrations and cloud deployment models .............................................................................17

9.3 Cloud service level agreement (Cloud SLA) ................................................................................................................18

9.3.1 Overview ..............................................................................................................................................................................18

9.3.2 SLA terminology ............................................................................................................................................................18

9.3.3 Roles and responsibilities .....................................................................................................................................19

10 Examples of scenarios illustrating CSN activities ............................................................................................................19

10.1 Introduction ...........................................................................................................................................................................................19

10.2 Reselling of cloud service............................................................................................................................................................20

10.3 Cloud service exchange .................................................................................................................................................................22

10.4 Management of cloud service ..................................................................................................................................................23

10.4.1 CSN – CSC: Managing the CSC use of cloud service .........................................................................23

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC TR 23187:2020(E)

10.4.2 CSN – CSP: partnership with a CSP to deliver cloud service ...................................................24

10.5 Cloud data management service ...........................................................................................................................................26

10.6 Shared services management .................................................................................................................................................27

11 Issues on roles and sub-roles (as illustrated in examples) ...................................................................................28

11.1 General ........................................................................................................................................................................................................28

11.2 Cloud computing environment ..............................................................................................................................................29

11.3 CSN roles and sub-roles................................................................................................................................................................30

11.3.1 Overview ..............................................................................................................................................................................30

11.3.2 Responsibilities and risks .....................................................................................................................................30

11.4 Cloud service activity and functional components ...............................................................................................31

11.5 Supplier relationship in cloud services ..........................................................................................................................31

12 Available standards ........................................................................................................................................................................................32

Bibliography .............................................................................................................................................................................................................................34

iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC TR 23187:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 38, Cloud computing and distributed platforms.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC TR 23187:2020(E)
Introduction

The purpose of this document is to expand on the understanding of the interactions between cloud

service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service

providers (CSPs).

Cloud computing offers solutions to many emerging technologies and it offers many benefits to all cloud

service users (CSUs) and CSCs. The broader requirement for cloud computing solutions is to ensure

organizations have the best capabilities to fulfil their business missions. This has helped to drive the

adoption of cloud services and the marketplace is adjusting to the increasing demands.

In finding and applying appropriate solutions and leveraging the many benefits of using cloud services,

many CSCs use multiple CSPs and various deployment models. In using, sharing, and assessing data,

an understanding and clarification of roles, activities and responsibilities will help to maintain the

security, privacy, confidentiality and integrity of cloud services.

Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion

in the cloud service marketplace. In some cases, causing harm to CSCs through inappropriate security

controls and the lack of proper cloud service agreements relating to the cloud services being used.

This is in part caused by an inadequate understanding of the relationships involved and by the lack of

standards which might apply to those relationships.

Interactions between CSCs and CSPs have been described in detail in standards documents –

ISO/IEC 17789, ISO 19011, ISO/IEC 19941, ISO/IEC 27017, ISO/IEC 27018 and the ISO/IEC 19086 series.

Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been

described in similar detail. This document provides further clarity about those interactions.

This document provides clarification of the concepts provided in ISO/IEC 17788, ISO/IEC 17789, the

ISO/IEC 19086 series, and ISO/IEC 19941 regarding CSNs, and CSN interactions with CSCs and CSPs

with the help of a few exemplary market scenarios. Building on an expanded description of sub-roles

and activities, this document provides guidance on using cloud service agreements (CSAs) and cloud

service level agreements (cloud SLAs) to provide more clarity for CSN interactions.

vi © ISO/IEC 2020 – All rights reserved
---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 23187:2020(E)
Information technology — Cloud computing — Interacting
with cloud service partners (CSNs)
1 Scope

This document provides an overview of and guidance on interactions between cloud service partners

(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud

service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud

service level agreements (cloud SLAs) can be used to address those interactions, including the following:

— definition of terms and concepts, and provision of an overview for interactions between CSNs and

CSCs and CSPs;
— description of types of CSN interactions;
— description of interactions between CSNs and CSCs;
— description of interactions between CSNs and CSPs;

— description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary

ISO/IEC 17789, Information technology — Cloud computing — Reference architecture

ISO/IEC 19086-1, Information technology — Cloud computing — Service level agreement (SLA)

framework — Part 1: Overview and concepts
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 17789,

ISO/IEC 19086-1, and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
audit

systematic, independent and documented process for obtaining objective evidence and evaluating it

objectively to determine the extent to which the audit criteria (3.2) are fulfilled

Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the

organization itself.
© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC TR 23187:2020(E)

Note 2 to entry: External audits include those generally called second and third party audits. Second party audits

are conducted by parties with an interest in the organization, such as customers, or by other individuals on

their behalf. Third party audits are conducted by independent auditing organizations, such as those providing

certification/registration of conformity or governmental agencies.
[SOURCE: ISO 19011:2018, 3.1]
3.2
audit criteria

set of requirements used as a reference against which objective evidence is compared

Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words

“compliance” or “non-compliance” are often used in an audit finding.

Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements,

contractual obligations, etc.
[SOURCE: ISO 19011:2018, 3.7]
4 Symbols and abbreviated terms
CCRA cloud computing reference architecture
Cloud SLA cloud service level agreement
CSA cloud service agreement
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
IaaS infrastructure as a service
PaaS platform as a service
PII personally identifiable information
SaaS software as a service
SLA service level agreement
SLO service level objective
SQO service qualitative objective
5 Structure of this document

In supporting the scope presented in Clause 1, this document is faithful to the existing descriptions

of roles and sub-roles as presented in ISO/IEC 17789:2014, 7.2.2 and cloud computing activities in

ISO/IEC 17789:2014, 7.2.1. This document explains the relationship between cloud service partners

(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud

service roles:

Clause 6 – presents the challenges of managing risks relating to roles and activities in cloud services.

Clause 7 – provides an overview of the roles, sub-roles, and responsibilities of cloud service partners

and provide the essential connection to the reference material in ISO/IEC 17789.
2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC TR 23187:2020(E)

Clause 8 – building on Clause 7 and the exemplary scenarios in Clause 10, this clause discusses an

overview and description of the types of interactions between cloud service partners (CSNs) and CSPs,

CSCs and other CSNs.

Clause 9 – provides guidance on the use and tailoring of cloud service level agreements (cloud SLAs)

and other agreements with the understanding of the roles, sub-roles and activities of CSNs in relation to

the use of cloud services.

Clause 10 – presents examples that involve CSCs, CSPs, CSNs and demonstrates how different

sub-roles can share the cloud computing activities associated with a given role as described in

ISO/IEC 17789:2014, 7.2.2.
Clause 11 – presents issues relating the roles, activities and responsibilities.
Clause 12 – identifies existing relevant standards.
6 Relationship of roles and activities, and managing risks in cloud services
6.1 Overview

Cloud computing embraces different cloud service categories, cloud deployment models, cloud

capabilities types, and cloud computing cross cutting aspects. To this end, roles and activities are

critical contributors, and it is often necessary to differentiate requirements and issues for certain

parties (see ISO/IEC 17021-1).

The cloud computing roles and their associated activities and components are defined in ISO/IEC 17788

and ISO/IEC 17789 (CCRA). One of the goals of ISO/IEC 17789, as specified in Clause 6, is “to specify

basic cloud computing activities and functional components, and describe their relationships to each other

and to the environment.” For example, a cloud service broker is a sub-role of a cloud service partner

(CSN) as defined in ISO/IEC 17788 and ISO/IEC 17789. These standards make it clear that a CSN does

not provide cloud services. On the other hand, an inter-cloud provider is a sub-role of a CSP that can and

does provide cloud services.

Note that ISO/IEC 17788 and ISO/IEC 17789 do not claim to describe all possible sub-roles of CSN,

and initially identified the three sub-roles a cloud service broker, cloud service developer and cloud

auditor. This document extends the ISO/IEC 17789 description of CSNs based on a survey of recent

developments in cloud computing.

The CSP’s role and all its sub-roles when providing cloud services to a CSC are not only just delivering

cloud services but are also carrying out all activities necessary to safeguard its delivery and

maintenance of those cloud services. ISO/IEC 27017 provides guidelines for the provision and use of

cloud services specifically for CSPs and CSCs. ISO/IEC 27036-4 addresses relationships of CSPs and

CSCs with suppliers of cloud service products .

In a cloud computing environment, CSC data is stored, transmitted and processed by one or more cloud

services. A CSC's business processes depend upon the information security of those cloud services.

Without sufficient control over the cloud services, the CSC might need to take extra precautions with its

information security practices.

It is necessary for a CSC or any potential user to be concerned about protecting their data and to have an

appreciation of both the benefits and risks of cloud computing. It would be prudent to have requirements

for higher assurance for data security and privacy regardless of whether they are accessing cloud

services from a CSP or are working with a CSN. The roles and related activities in handling CSC’s data

when delivering cloud services should be understood by all parties to ensure appropriate precautions

and safeguards are in place. When using the service of a CSN, it is pertinent to have some form of

1) ISO/IEC 17789:2014, 3.2.2 cloud service product: A cloud service, allied to the set of business terms under

which the cloud service is offered. NOTE – Business terms can include pricing, rating and service levels.

© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC TR 23187:2020(E)

agreement or understanding, to clarify data ownership, who has access to the data, and how data is

being accessed and handled.

The role and responsibilities of PII processors for protection of personally identifiable information (PII)

in public clouds are specified in ISO/IEC 27018. ISO/IEC 27018 also emphasizes the responsibilities of

the CSP, especially for a public CSP who is processing PII for a CSC, and the contractual relationship

between CSC and CSP. To articulate consistently how data is to be collected and used, the taxonomy and

structured data use statements defined in ISO/IEC 19944 are recommended.

When a potential user or CSC uses direct or indirect contact to search for cloud service products to

meet its mission, the CSC will find offerings from businesses of various sizes with different cloud

deployment models, cloud services, and different cloud capabilities types, such as IaaS, PaaS and SaaS.

The quandary is in determining the providers of the services and their roles in delivering the services,

and the roles and activities of those involved in delivering and using the cloud services.

Following this thought, interactions between CSNs specifically cloud service brokers, cloud service

developers and cloud auditors are the focus of the discussion in this document. Interactions in the

delivery and use of cloud services are related activities initiated by one party that influence responsive

activities from another party or parties. The fluidity of the cloud marketplace embraces the flexibility

of all parties and different sub-roles to play multiple and interchanging roles in delivering and using

cloud services.

6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)

The focus of this document is on roles and related activities, and specifically interactions between cloud

service partners (CSNs) such as cloud service brokers, cloud service developers and cloud auditors,

with other cloud service roles and their related activities. ISO/IEC 17789 (cloud computing reference

architectural /CCRA) covers roles and activities through the lens of the reference architecture user

and functional views. The functional view includes a layering framework that makes up the user layer,

access layer, service layer and resource layer as described in ISO/IEC 17789:2014, 9.1.1. The CCRA also

includes cross cutting aspects, layering framework and operational support systems components and

components relating to the user and functional views. The approach of this document is not to redefine

roles, sub-roles and activities as laid out in ISO/IEC 17789, but it is important to emphasize that roles

can change through interaction of stakeholders during the use of cloud services, and that it may be

possible to expand on these roles and sub-roles in the future. While this document will align closely

to the roles and activities described ISO/IEC 17789, it is not necessary to include all components from

ISO/IEC 17789 to support the scope of this document.
7 Overview of roles, sub-roles, and responsibilities of cloud service partners
(CSNs)
7.1 Relationship between roles, activities and responsibilities

As the use of cloud computing increases, the cloud service products evolve and adapt to meet the

demand. Technological development is evolving, and cloud computing is becoming part of the solutions

for the Internet of Things (IoT), edge computing, and artificial intelligence (see ISO/IEC 23167 and

ISO/IEC 23188). To meet the changing environment and increasing demands, the roles, responsibilities

and activities in providing cloud services need to be re-examined in relation to the technological

development and growing adoption of cloud computing.

The diversity of different cloud service offerings is accelerating the need for additional standards. Some

roles and the associated responsibilities described in existing standards need to be further expanded

for the spectrum of offerings as discussed in Clause 12. A party is not defined by a set of activities,

and at any time, can assume more than one role and can take on a specific subset of activities of that

role. Understanding the roles and associated activities for the use of cloud comput

...

TECHNICAL ISO/IEC TR
REPORT 23187
First edition
Information technology — Cloud
computing — Interacting with cloud
service partners (CSNs)
PROOF/ÉPREUVE
Reference number
ISO/IEC TR 23187:2020(E)
ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC TR 23187:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC TR 23187:2020(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Symbols and abbreviated terms ........................................................................................................................................................... 2

5 Structure of this document ........................................................................................................................................................................ 2

6 Relationship of roles and activities, and managing risks in cloud services ............................................3

6.1 Overview ...................................................................................................................................................................................................... 3

6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)................... 4

7 Overview of roles, sub-roles, and responsibilities of cloud service partners (CSNs) ...................4

7.1 Relationship between roles, activities and responsibilities ............................................................................. 4

7.2 Roles and sub-roles ............................................................................................................................................................................. 5

7.3 Cloud service provider (CSP) ...................................................................................................................................................... 6

7.4 Cloud service customer (CSC) and Cloud service user (CSU) ......................................................................... 6

7.4.1 Cloud service customer (CSC) .............................................................................................................................. 6

7.4.2 Cloud service user (CSU) .......................................................................................................................................... 6

7.5 Cloud service partner (CSN) ........................................................................................................................................................ 6

7.5.1 Overview ................................................................................................................................................................................. 6

7.5.2 Cloud auditor ...................................................................................................................................................................... 7

7.5.3 Cloud service broker..................................................................................................................................................... 8

7.5.4 Cloud service developer ............................................................................................................................................ 9

7.6 Relationships between CSNs, and other roles and sub-roles .......................................................................11

7.6.1 Differences between CSNs, CSCs and CSPs .............................................................................................11

7.6.2 CSNs and inter-cloud providers .......................................................................................................................11

8 Overview and description of types and interactions between cloud service partners

(CSNs) with CSPs, CSCs, and CSNs .....................................................................................................................................................11

8.1 General ........................................................................................................................................................................................................11

8.2 Interaction between CSNs and CSCs ..................................................................................................................................12

8.2.1 Overview ..............................................................................................................................................................................12

8.2.2 CSN managing CSC’s cloud adoption ...........................................................................................................13

8.3 Interaction between CSNs and CSPs ..................................................................................................................................13

8.4 Interaction between CSNs and other CSNs ..................................................................................................................14

8.4.1 Description of types of CSNs interactions ...............................................................................................14

8.4.2 CSN – interaction and responsibilities .......................................................................................................14

9 Elements of cloud service agreements (CSAs) relating to CSN interactions ........................................14

9.1 General principles .............................................................................................................................................................................14

9.2 Role, relationship and agreement ........................................................................................................................................15

9.2.1 Overview ..............................................................................................................................................................................15

9.2.2 Cloud migrations and cloud deployment models .............................................................................17

9.3 Cloud service level agreement (Cloud SLA) ................................................................................................................18

9.3.1 Overview ..............................................................................................................................................................................18

9.3.2 SLA terminology ............................................................................................................................................................18

9.3.3 Roles and responsibilities .....................................................................................................................................19

10 Examples of scenarios illustrating CSN activities ............................................................................................................19

10.1 Introduction ...........................................................................................................................................................................................19

10.2 Reselling of cloud service............................................................................................................................................................20

10.3 Cloud service exchange .................................................................................................................................................................21

10.4 Management of cloud service ..................................................................................................................................................23

10.4.1 CSN – CSC: Managing the CSC use of cloud service .........................................................................23

© ISO/IEC 2020 – All rights reserved PROOF/ÉPREUVE iii
---------------------- Page: 3 ----------------------
ISO/IEC TR 23187:2020(E)

10.4.2 CSN – CSP: partnership with a CSP to deliver cloud service ...................................................24

10.5 Cloud data management service ...........................................................................................................................................26

10.6 Shared services management .................................................................................................................................................27

11 Issues on roles and sub-roles (as illustrated in examples) ...................................................................................28

11.1 General ........................................................................................................................................................................................................28

11.2 Cloud computing environment ..............................................................................................................................................29

11.3 CSN roles and sub-roles................................................................................................................................................................30

11.3.1 Overview ..............................................................................................................................................................................30

11.3.2 Responsibilities and risks .....................................................................................................................................30

11.4 Cloud service activity and functional components ...............................................................................................31

11.5 Supplier relationship in cloud services ..........................................................................................................................31

12 Available standards ........................................................................................................................................................................................32

Bibliography .............................................................................................................................................................................................................................34

iv PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC TR 23187:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see http:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 38, Cloud computing and distributed platforms.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2020 – All rights reserved PROOF/ÉPREUVE v
---------------------- Page: 5 ----------------------
ISO/IEC TR 23187:2020(E)
Introduction

The purpose of this document is to expand on the understanding of the interactions between cloud

service partners (CSNs) and cloud service customers (CSCs), and between CSNs and cloud service

providers (CSPs).

Cloud computing offers solutions to many emerging technologies and it offers many benefits to all cloud

service users (CSUs) and CSCs. The broader requirement for cloud computing solutions is to ensure

organizations have the best capabilities to fulfil their business missions. This has helped to drive the

adoption of cloud services and the marketplace is adjusting to the increasing demands.

In finding and applying appropriate solutions and leveraging the many benefits of using cloud services,

many CSCs use multiple CSPs and various deployment models. In using, sharing, and assessing data,

an understanding and clarification of roles, activities and responsibilities will help to maintain the

security, privacy, confidentiality and integrity of cloud services.

Interactions of CSCs and CSPs with the various CSNs have caused a degree of concern and confusion

in the cloud service marketplace. In some cases, causing harm to CSCs through inappropriate security

controls and the lack of proper cloud service agreements relating to the cloud services being used.

This is in part caused by an inadequate understanding of the relationships involved and by the lack of

standards which might apply to those relationships.

Interactions between CSCs and CSPs have been described in detail in standards documents –

ISO/IEC 17789, ISO 19011, ISO/IEC 19941, ISO/IEC 27017, ISO/IEC 27018 and the ISO/IEC 19086 series.

Interactions of CSNs, a key role in the cloud service environment, with CSCs and CSPs have not been

described in similar detail. This document provides further clarity about those interactions.

This document provides clarification of the concepts provided in ISO/IEC 17788, ISO/IEC 17789, the

ISO/IEC 19086 series, and ISO/IEC 19941 regarding CSNs, and CSN interactions with CSCs and CSPs

with the help of a few exemplary market scenarios. Building on an expanded description of sub-roles

and activities, this document provides guidance on using cloud service agreements (CSAs) and cloud

service level agreements (cloud SLAs) to provide more clarity for CSN interactions.

vi PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved
---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 23187:2020(E)
Information technology — Cloud computing — Interacting
with cloud service partners (CSNs)
1 Scope

This document provides an overview of and guidance on interactions between cloud service partners

(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud

service roles. In addition, this document describes how cloud service agreements (CSAs) and cloud

service level agreements (cloud SLAs) should be used to address those interactions, including the

following:

— definition of terms and concepts, and provision of an overview for interactions between CSNs and

CSCs and CSPs;
— description of types of CSN interactions;
— description of interactions between CSNs and CSCs;
— description of interactions between CSNs and CSPs;

— description of elements of CSAs and Cloud SLAs for CSN interactions, both with CSPs and with CSCs.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary

ISO/IEC 17789, Information technology — Cloud computing — Reference architecture

ISO/IEC 19086-1, Information technology — Cloud computing — Service level agreement (SLA)

framework — Part 1: Overview and concepts
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17788, ISO/IEC 17789,

ISO/IEC 19086-1, and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
audit

systematic, independent and documented process for obtaining objective evidence and evaluating it

objectively to determine the extent to which the audit criteria (3.2) are fulfilled

Note 1 to entry: Internal audits, sometimes called first party audits, are conducted by, or on behalf of, the

organization itself.
© ISO/IEC 2020 – All rights reserved PROOF/ÉPREUVE 1
---------------------- Page: 7 ----------------------
ISO/IEC TR 23187:2020(E)

Note 2 to entry: External audits include those generally called second and third party audits. Second party audits

are conducted by parties with an interest in the organization, such as customers, or by other individuals on

their behalf. Third party audits are conducted by independent auditing organizations, such as those providing

certification/registration of conformity or governmental agencies.
[SOURCE: ISO 19011:2018, 3.1]
3.2
audit criteria

set of requirements used as a reference against which objective evidence is compared

Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words

“compliance” or “non-compliance” are often used in an audit finding (3.3).

Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements,

contractual obligations, etc.
[SOURCE: ISO 19011:2018, 3.7]
4 Symbols and abbreviated terms
CCRA cloud computing reference architecture
Cloud SLA cloud service level agreement
CSA cloud service agreement
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
IaaS infrastructure as a service
PaaS platform as a service
PII personally identifiable information
SaaS software as a service
SLA service level agreement
SLO service level objective
SQO service qualitative objective
5 Structure of this document

In supporting the scope presented in Clause 1, this document is faithful to the existing descriptions

of roles and sub-roles as presented in ISO/IEC 17789:2014, 7.2.2 and cloud computing activities in

ISO/IEC 17789:2014, 7.2.1. This document explains the relationship between cloud service partners

(CSNs), specifically cloud service brokers, cloud service developers and cloud auditors, and other cloud

service roles:

Clause 6 – presents the challenges of managing risks relating to roles and activities in cloud services.

Clause 7 – provides an overview of the roles, sub-roles, and responsibilities of cloud service partners

and provide the essential connection to the reference material in ISO/IEC 17789.
2 PROOF/ÉPREUVE © ISO/IEC 2020 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC TR 23187:2020(E)

Clause 8 – building on Clause 7 and the exemplary scenarios in Clause 10, this clause discusses an

overview and description of the types of interactions between cloud service partners (CSNs) and CSPs,

CSCs and other CSNs.

Clause 9 – provides guidance on the use and tailoring of cloud service level agreements (cloud SLAs)

and other agreements with the understanding of the roles, sub-roles and activities of CSNs in relation to

the use of cloud services.

Clause 10 – presents examples that involve CSCs, CSPs, CSNs and demonstrates how different

sub-roles can share the cloud computing activities associated with a given role as described in

ISO/IEC 17789:2014, 7.2.2.
Clause 11 – presents issues relating the roles, activities and responsibilities.
Clause 12 – identifies existing relevant standards.
6 Relationship of roles and activities, and managing risks in cloud services
6.1 Overview

Cloud computing embraces different cloud service categories, cloud deployment models, cloud

capabilities types, and cloud computing cross cutting aspects. To this end, roles and activities are

critical contributors, and it is often necessary to differentiate requirements and issues for certain

parties (see ISO/IEC 17021-1).

The cloud computing roles and their associated activities and components are defined in ISO/IEC 17788

and ISO/IEC 17789 (CCRA). One of the goals of ISO/IEC 17789, as specified in Clause 6, is “to specify

basic cloud computing activities and functional components, and describe their relationships to each other

and to the environment.” For example, a cloud service broker is a sub-role of a cloud service partner

(CSN) as defined in ISO/IEC 17788 and ISO/IEC 17789. These standards make it clear that a CSN does

not provide cloud services. On the other hand, an inter-cloud provider is a sub-role of a CSP that can and

does provide cloud services.

Note that ISO/IEC 17788 and ISO/IEC 17789 do not claim to describe all possible sub-roles of CSN,

and initially identified the three sub-roles a cloud service broker, cloud service developer and cloud

auditor. This document extends the ISO/IEC 17789 description of CSNs based on a survey of recent

developments in cloud computing.

The CSP’s role and all its sub-roles when providing cloud services to a CSC are not only just delivering

cloud services but are also carrying out all activities necessary to safeguard its delivery and

maintenance of those cloud services. ISO/IEC 27017 provides guidelines for the provision and use of

cloud services specifically for CSPs and CSCs. ISO/IEC 27036-4 addresses relationships of CSPs and

CSCs with suppliers of cloud service products .

In a cloud computing environment, CSC data is stored, transmitted and processed by one or more cloud

services. A CSC's business processes depend upon the information security of those cloud services.

Without sufficient control over the cloud services, the CSC might need to take extra precautions with its

information security practices.

It is necessary for a CSC or any potential user to be concerned about protecting their data and to have an

appreciation of both the benefits and risks of cloud computing. It would be prudent to have requirements

for higher assurance for data security and privacy regardless of whether they are accessing cloud

services from a CSP or are working with a CSN. The roles and related activities in handling CSC’s data

when delivering cloud services should be understood by all parties to ensure appropriate precautions

and safeguards are in place. When using the service of a CSN, it is pertinent to have some form of

1) ISO/IEC 17789:2014, 3.2.2 cloud service product: A cloud service, allied to the set of business terms under

which the cloud service is offered. NOTE – Business terms can include pricing, rating and service levels.

© ISO/IEC 2020 – All rights reserved PROOF/ÉPREUVE 3
---------------------- Page: 9 ----------------------
ISO/IEC TR 23187:2020(E)

agreement or understanding, to clarify data ownership, who has access to the data, and how data is

being accessed and handled.

The role and responsibilities of PII processors for protection of personally identifiable information (PII)

in public clouds are specified in ISO/IEC 27018. ISO/IEC 27018 also emphasizes the responsibilities of

the CSP, especially for a public CSP who is processing PII for a CSC, and the contractual relationship

between CSC and CSP. To articulate consistently how data is to be collected and used, the taxonomy and

structured data use statements defined in ISO/IEC 19944 are recommended.

When a potential user or CSC uses direct or indirect contact to search for cloud service products to

meet its mission, the CSC will find offerings from businesses of various sizes with different cloud

deployment models, cloud services, and different cloud capabilities types, such as IaaS, PaaS and SaaS.

The quandary is in determining the providers of the services and their roles in delivering the services,

and the roles and activities of those involved in delivering and using the cloud services.

Following this thought, interactions between CSNs specifically cloud service brokers, cloud service

developers and cloud auditors are the focus of the discussion in this document. Interactions in the

delivery and use of cloud services are related activities initiated by one party that influence responsive

activities from another party or parties. The fluidity of the cloud marketplace embraces the flexibility

of all parties and different sub-roles to play multiple and interchanging roles in delivering and using

cloud services.

6.2 Scope in relation to the cloud computing reference architecture (ISO/IEC 17789)

The focus of this document is on roles and related activities, and specifically interactions between cloud

service partners (CSNs) such as cloud service brokers, cloud service developers and cloud auditors,

with other cloud service roles and their related activities. ISO/IEC 17789 (cloud computing reference

architectural /CCRA) covers roles and activities through the lens of the reference architecture user

and functional views. The functional view includes a layering framework that makes up the user layer,

access layer, service layer and resource layer as described in ISO/IEC 17789:2014, 9.1.1. The CCRA also

includes cross cutting aspects, layering framework and operational support systems components and

components relating to the user and functional views. The approach of this document is not to redefine

roles, sub-roles and activities as laid out in ISO/IEC 17789, but it is important to emphasize that roles

can change through interaction of stakeholders during the use of cloud services, and that it may be

possible to expand on these roles and sub-roles in the future. While this document will align closely

to the roles and activities described ISO/IEC 17789, it is not necessary to include all components from

ISO/IEC 17789 to support the scope of this document.
7 Overview of roles, sub-roles, and responsibilities of cloud service partners
(CSNs)
7.1 Relationship between roles, activities and responsibilities

As the use of cloud computing increases, the cloud service products evolve and adapt to meet the

demand. Technological development is evolving, and cloud computing is becoming part of the solutions

for the Internet of Things (IoT), edge computing, and artificial intelligence (see ISO/IEC 23167 and

ISO/IEC 23188). To meet the changing environment and increasing demands, the roles, responsibilities

and activities in providing cloud services need to be re-examined in relation to the technological

development and growing adoption of cloud computing.

The diversity of different cloud service offerings is accelerating the need for additional standards. Some

roles and the associated responsibilities described in existing standards need to be further expanded

for the spectrum of offerings as discussed in Clause 12. A party is not defined by a set of activities,

and at any time, can assume more than one rol
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.