Information technology — Cloud computing — Guidance for policy development

This document provides guidance on the use of international standards as a tool in the development of those policies that govern or regulate cloud service providers (CSPs) and cloud services, and those policies and practices that govern the use of cloud services in organisations. This includes material that explains cloud computing concepts and the role of cloud computing international standards in formulating policies and practices. The document makes references to various international standards. Where possible, these standards are ISO/IEC standards. Where a suitable ISO/IEC standard is not available, references are made to documents published by other WTO-registered standards bodies. As explained in the WTO Agreement on Technical Barriers to Trade (TBT), standards play a vital role in supporting technical regulations and conformity assessment, however this document does not cover matters of trade.

General Information

Status: Published
Publication Date: 09-Jan-2019
Current Stage: 9092 - International Standard to be revised
Start Date: 26-Mar-2024
Completion Date: 30-Oct-2025
Technical report
ISO/IEC TR 22678:2019 - Information technology — Cloud computing — Guidance for policy development. Released: 1/10/2019
English language
34 pages

Standards Content (Sample)


TECHNICAL REPORT
ISO/IEC TR 22678
First edition
2019-01
Information technology — Cloud computing — Guidance for policy development
Reference number
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Summary of this document
5.1 Purpose of this document
5.2 Intended audience
5.3 How to use this document
6 Understanding cloud computing aspects for policy development
6.1 Introduction
6.2 Cloud computing essential characteristics
6.2.1 Standard definition of cloud computing
6.2.2 Essential characteristics of cloud computing (from ISO/IEC 17788)
6.3 Major benefits of cloud computing
6.3.1 Benefits for cloud service customers (CSCs)
6.3.2 Benefits for society
6.4 Implications for policy makers
6.4.1 Shared responsibilities
6.4.2 Cloud services which are deployed and managed across multiple jurisdictions
6.4.3 Economics of managing a global cloud service
6.4.4 What global, scalable public cloud computing makes possible
6.4.5 Implications of service scale and velocity
6.4.6 Implications of continuous development
6.4.7 Implications of multi-tenant cloud services
6.4.8 Implications of geographical restrictions
6.4.9 The need for cloud service data categorisation and classification
6.4.10 Interoperability and portability
6.4.11 Trust and transparency
6.4.12 Exceptional circumstances
6.4.13 Compliance, certification, audit
6.4.14 Challenges for small and medium sized enterprise (SME) adoption
7 Using international standards to assist in developing policies that cover cloud computing
7.1 International standards relevant to cloud computing policy development
7.1.1 ISO/IEC 19086 series of standards as applicable to trust and transparency
7.1.2 ISO/IEC 19944 as applicable to clarify data concepts
7.1.3 ISO/IEC 27552, Privacy information management systems
7.2 Other significant standards, specifications, and documents
8 Considerations when developing policy
8.1 Considerations for regulatory policy
8.1.1 General
8.1.2 Multi-tenant issues
8.1.3 Avoiding unnecessary barriers to cloud adoption
8.1.4 Trust and transparency
8.1.5 Interoperability and portability
8.1.6 Security and privacy
8.2 Considerations for advisory policy
8.2.1 General
8.2.2 Promotion of cloud technology adoption
8.2.3 Terminology and taxonomy
8.2.4 Adoption by small and medium enterprises
8.2.5 Supplier certifications
8.2.6 Network connectivity
8.2.7 Interoperability and portability
8.3 Considerations for procurement policy
8.3.1 General
8.3.2 Terminology and taxonomy
8.3.3 Cloud service deployment models
8.3.4 Supplier certifications
8.3.5 Interoperability and portability
9 Conclusions
Annex A (informative) Relationship between key characteristics and implications
Annex B (informative) Other relevant standards, specifications, and documents
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see http://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/JTC 1, Information technology,
Subcommittee SC 38, Cloud Computing and Distributed Platforms.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
Cloud computing has become a major industry throughout the world in recent years, and today
comprises a global network of large and small datacentres and telecommunications networks, operated
by many different cloud service providers, offering vast numbers of different cloud services to their
customers. These cloud services range from simple email and productivity applications, through
replacements for traditional on-premises software, up to advanced services that cannot be constructed
in any other way, such as social networks, big data processing, machine learning, and cognitive services.
Cloud computing offers many benefits to cloud service customers, to governments, and to society.
As with all commercial services, governments and enterprises are adopting policies to ensure that
customer and governmental interests are protected.
This document provides information to assist with the development of such policies concerning the
deployment and use of cloud computing systems and services.

TECHNICAL REPORT ISO/IEC TR 22678:2019(E)
Information technology — Cloud computing — Guidance
for policy development
1 Scope
This document provides guidance on the use of international standards as a tool in the development
of those policies that govern or regulate cloud service providers (CSPs) and cloud services, and those
policies and practices that govern the use of cloud services in organisations.
This includes material that explains cloud computing concepts and the role of cloud computing
international standards in formulating policies and practices.
The document makes references to various international standards. Where possible, these standards
are ISO/IEC standards. Where a suitable ISO/IEC standard is not available, references are made to
documents published by other WTO-registered standards bodies.
As explained in the WTO Agreement on Technical Barriers to Trade (TBT), standards play a vital role
in supporting technical regulations and conformity assessment, however this document does not cover
matters of trade.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788, Information technology — Cloud computing — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17788 and the
following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
cloud computing
paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual
resources with self-service provisioning and administration on-demand
Note 1 to entry: Examples of resources include servers, operating systems, networks, software, applications, and
storage equipment.
[SOURCE: ISO/IEC 17788:2014, 3.25]

3.2
jurisdiction
geographical or corporate area over which a cloud computing policy extends
Note 1 to entry: In a government policy context this will generally be the geographical area over which the body
enacting the policy has legal authority either as government or as authorised regulator. However, in an enterprise
or government agency environment, the jurisdiction of a policy might cover a business function, department,
agency, or other organisational area of responsibility not tied to geography.
4 Abbreviated terms
CSC Cloud Service Customer
CSN Cloud Service Partner
CSP Cloud Service Provider
CSU Cloud Service User
DDoS Distributed Denial of Service (attack)
DPA Data Protection Authority
EN European Norm
EU European Union
IaaS Infrastructure as a Service
ICT Information and Communications Technology
IEC International Electro-technical Commission
ISO International Organisation for Standardisation
IT Information Technology
ITU International Telecommunication Union
ITU-T ITU Telecom sector (responsible for standardisation)
JTC1 Joint Technical Committee 1 (a joint project between the ISO and IEC on standards for ICT)
MLAT Mutual Legal Assistance Treaty
PaaS Platform as a Service
PII Personally Identifiable Information
SaaS Software as a Service
SC 27 Sub-committee 27 of JTC1, responsible for information security standards
SC 38 Sub-committee 38 of JTC1, responsible for cloud computing standards
SLA Service Level Agreement
SLO Service Level Objective
SME Small or Medium sized Enterprise
SQO Service Qualitative Objective
WTO World Trade Organisation
5 Summary of this document
5.1 Purpose of this document
The purpose of this document is to ease the formulation of government and enterprise policies that
facilitate the adoption and use of standards-based cloud computing services.
By following the guidance in this document, developers of policy can:
— leverage international standards in an appropriate fashion when developing policy;
— achieve greater global consistency in applicable laws, regulations and policies;
— reduce costs for CSPs and CSCs;
— increase choice and competition;
— simplify the challenges of deploying and adopting cost effective local, multi-national, or global cloud
services.
5.2 Intended audience
— Lawmakers (in both developed and developing countries) at every level;
— Regulators, including Data Protection Authorities (DPAs);
— Those developing enterprise policies including:
— Cloud service customers (large and small) and prospective customers,
— Cloud service providers,
— Cloud service partners;
— Those developing non-governmental rules and policies about trust and transparency for cloud
computing, such as trade bodies and engineering institutions;
— Organisations that provide advice to governments and enterprises on the economic and political
implications of technology policies, e.g. the Organisation for Economic Co-operation and
Development (OECD).
In particular, this document is intended to assist those in smaller administrations such as local
government, developing countries and those lacking in specialist knowledge on these topics.

5.3 How to use this document
This document provides guidance on which specific international standards
might be applicable for policies on cloud computing and provides guidance
on how they can best be employed. As such this document should be used in
accordance with the overall ISO/IEC advice in this area as follows:
“The International Standards developed by the IEC and ISO are voluntary. And
while they do not seek to establish, drive or motivate public policy, regulations,
or social or political agendas, they can certainly provide valuable support to the
implementation of public policy.”
This statement comes from the publication “ISO/IEC: Using and referencing
ISO and IEC standards to support public policy”, which is publicly available
and can be found at: https://www.iso.org/iso/PUB100358.pdf
Please refer to this ISO/IEC publication for general advice on how international
standards can be incorporated in the public policy process and, by extension,
in the development of cloud computing procurement policies for both
public and private organisations.
6 Understanding cloud computing aspects for policy development
6.1 Introduction
This clause provides an explanation of some key characteristics and implications of cloud computing
where an understanding is desirable by those developing public or corporate policy for cloud services.
The intent is to present this material in a readable and approachable manner for those who are not full-
time cloud computing engineers, while providing references to more technical material which can be
considered when appropriate.
6.2 Cloud computing essential characteristics
6.2.1 Standard definition of cloud computing
The definition for cloud computing (3.1) captures several essential characteristics that differ from
traditional, local, or hosted computing. These characteristics are further explained in ISO/IEC 17788
and will be described in even greater detail in the forthcoming ISO/IEC 22123 (see footnote 1).
Effectively, this definition says that cloud computing involves the provision of almost any ICT resource
as a service (a cloud service) over the network, and that this provision can be done dynamically on-
demand at the CSC’s request, much like the way utilities, such as telecommunications, are provided.
Customers use what they need when they need it, and consumption is billed accordingly. ICT resources
can be accessed almost as simply as pressing a switch to turn on a light, and can be released almost as
simply as pressing the switch again to turn the light off. The need for the CSC to perform the lengthy
processes to acquire, install, configure, secure and operate hardware, software and applications is
greatly reduced, if not entirely eliminated.
6.2.2 Essential characteristics of cloud computing (from ISO/IEC 17788)
Cloud computing has a series of essential characteristics, which are summarized in Table 1.
1) Under development. Current stage: 30.60.

Table 1 — Cloud computing essential characteristics
Characteristic: As seen in cloud computing
Broad network access: The cloud service can be accessed from an arbitrary location by a wide variety of device types including PCs and mobile devices of all kinds, connected in many ways, usually by the Internet but sometimes by private networks, such as a corporate internal network.
Measured service: Customers’ use of the cloud service is measured, and they might be charged based on what they really use, much as electricity supply is often billed based on measured energy consumption. Reduced usage can therefore mean reduced cost.
Multi-tenancy: Multi-tenancy means the resources supplied by a cloud service are shared by multiple CSCs. Each tenant's use of the resources is isolated and inaccessible from all other tenants — so that CSCs are assured that their data and their use of applications cannot be seen by any other CSCs. This is comparable to the expectation that details in a bank account are not visible to other customers of the bank.
Note that a single customer can sometimes have multiple, different tenancies with a given cloud service, e.g. where the activities of different departments in an organisation need to be kept isolated from each other.
Note also that while a private cloud by definition has only a single CSC, that single customer might still choose to employ multiple tenants of their own for isolation purposes.
On-demand self-service: Generally, cloud services allow the customer to sign up, pay for, and make use of the service without needing to interact with a human customer service representative. Customers are generally also able to manage their service, or cancel it, again without requiring human intervention. There might be exceptional circumstances where interaction with a human operator is required, but these will be abnormal cases, not regular business practice.
Rapid elasticity and scalability: Cloud services are able to allocate resources dynamically to a particular workload as needed. This is sometimes described as scaling up (increasing the size of a single resource), or scaling out (allocating additional similar resources). The intent is that customers can expand and contract their use of the cloud service as dynamically as possible, often to cope with planned or unexpected increases or decreases in workload. For example, if a website hosted on a cloud service suddenly attracts a huge amount of interest, the website owner can order (and pay for) more computing power and bandwidth so their site isn’t overloaded. Once the peak is past, the resources can be released and the cost reduced.
Another important aspect of cloud service scalability is that the resources available can appear effectively unlimited to the customer. This is in contrast with traditional datacentres, where the number of servers, the amount of data storage capacity, the network bandwidth all typically have limits that can only be changed by installing more equipment.
Resource pooling: Cloud computing gains efficiency by sharing various resources between multiple tenants and workloads. As an example, in traditional computing, ten customers might be hosted on ten separate servers, even if each of them was only using half of each server’s capacity. In a cloud computing environment, those ten customers could be automatically provisioned onto just five servers.
To explore the inter-relationship between these six essential characteristics and the various
implications of cloud computing identified in this document, see Annex A.
6.3 Major benefits of cloud computing
6.3.1 Benefits for cloud service customers (CSCs)
The benefits enjoyed by CSCs are summarized in Table 2.

Table 2 — Customer benefits of cloud computing
Benefit to customer: As seen in cloud computing
Low capital investment: A customer wishing to develop or run a new application no longer needs to provision their own IT equipment, nor the buildings and infrastructure needed to house and support it, and potentially does not need to acquire, install and operate much or all of the software stack for the application. The customer is able to pay a relatively small amount (i.e. no need to buy server equipment) while developing and/or deploying the new application, then gradually build up the amount of cloud server resources they use as the usage of the application and revenue stream increases.
Cost-effectiveness of cloud scale: CSPs are able to purchase at scale, meaning that servers and other resources are much cheaper when bought in huge quantities. These cost savings can be passed on to the individual customers. Also, the cost per server of running very large datacentres, in terms of manpower, energy and other costs, is much lower than in hundreds of small installations.
Use as needed: Cloud services allow customers to start small, then ramp up and down very quickly as needed. The customer can reduce their bills during “quiet” periods for their business, and increase capacity in readiness (or in response to) peak loads such as for seasonal shopping or unexpected popularity.
Competition: Cloud service prices are very competitive due to the dynamics of the market. Each new project has a choice of which CSP to use, and new start-ups continue to challenge the big operators with special features and innovations.
Security: At one time, security was seen as a concern with moving to use cloud services, but today it is seen as a significant strength. Security is no longer considered as a significant hurdle in adoption of cloud computing. There are several reasons for this. Firstly, reputable CSPs often have security teams working around the clock and around the world to keep their systems secure, up to date with security patches, and ahead of any emerging threats that can be identified. They are very quick to respond to incidents. Even large commercial enterprises and smaller governments will struggle to recruit and pay for an equivalent level of 24×7 security expertise on their own staffs. Secondly, one of the biggest threats to computer security is the “insider” attack, where someone with administrative or physical access is involved in the breach, perhaps a corrupt or disgruntled employee, but who would not have the same kind of access to an external cloud service. (See ITU-T X.1601).
Availability and Reliability: Many CSPs operate multiple datacentres in separate locations and this offers customers the opportunity for improved availability of their applications and data. Applications can be run in multiple datacentres, and data can be replicated between those datacentres, avoiding any single point of failure. If one datacentre is taken offline by some natural disaster or major failure, CSC access to applications and data can be switched instantly to another datacentre.
Advanced capabilities: It is increasingly the case that CSPs are making advanced capabilities available as off-the-shelf cloud services. Examples include AI systems, advanced Analytics, and Big Data services. Some of these services are pre-trained on vast datasets. CSCs might struggle to implement these advanced capabilities in-house, due to limited access to the skilled people and resources.
It is often far more cost-effective to integrate these advanced cloud services into new applications built by the CSC.
Choice of cloud service deployment models: Cloud computing allows a CSC to choose the most appropriate deployment model to meet their requirements, including public, private, community and hybrid cloud service deployment models (see ISO/IEC 17788).
For a private cloud deployment model, the CSP will be part of the CSC’s own organisation.
Easier compliance: Most public cloud CSPs obtain a variety of certifications for their cloud services. By taking advantage of these cloud services, a large part of the burden of obtaining certifications and ensuring compliance can be lifted from the CSCs. Also, CSPs often provide advice, guidance and support for their CSCs who are seeking to have their use of the cloud service comply with such things as privacy and data protection regulations in their jurisdiction.

6.3.2 Benefits for society
The benefits for the wider society that can flow from cloud computing are summarized in Table 3.
Table 3 — Benefits to society from cloud computing
Benefit to society: As seen in cloud computing
Energy efficiency: Large purpose-built datacentres can be far more energy efficient than many smaller ones. They can also be in places where power is more readily available at a lower cost, or where the power used is based on renewable energy. Some datacentres are even designed to operate on free-air cooling, which greatly reduces the energy requirement. In addition, CSPs are able to optimise their customer's workloads and data on to the minimum needed number of servers (see footnote a).
Robustness and Resilience: Connections to cloud services are robustly protected, and far less vulnerable to virus or other malware attacks. They are also often strong enough to withstand determined distributed denial of service (DDoS) attacks from hackers and botnets. Cloud service providers often offer geographic diversity, such that cloud services can continue even in the event of a major natural disaster disabling one of their datacentres. Further, because these systems generally use software to provide resilience across multiple physical machines, they do not require every computer to run reliably. For a large cloud service datacentre, there is no need to carefully tend every server. Rather, workloads can be moved without impact to the customer. The service remains resilient even if the individual servers are not. The failed equipment can then be reconditioned and reused or recycled as appropriate. The resilience of cloud services benefits society, because CSCs no longer depend on their own resources and skills to keep business processes running.
Lawful access: While customer privacy is important, society also needs to protect itself from bad actors. When data is stored in cloud services, rather than on local computers, there are additional measures to obtain properly authorised legal access to it for criminal investigations, anti-terrorism, and other government purposes.
However, this is not a panacea, and both legal and engineering challenges remain. For example, a situation where data is stored in (and/or managed from) another jurisdiction might involve legal complications for investigators, such as requiring the use of a Mutual Legal Assistance Treaty (MLAT) to obtain the cooperation of appropriate authorities in the other jurisdiction.
A related area is e-discovery during legal proceedings, for which international standards such as the ISO/IEC 27050 series of standards could be helpful.
Footnote a: A small business moving to the cloud could reduce its energy consumption and carbon emissions by more than 90 %, by running its business applications in the cloud instead of running those same applications on its own infrastructure. Source: Bibliography [39]
6.4 Implications for policy makers
6.4.1 Shared responsibilities
Due to the nature of cloud computing, where the CSC and the CSU have considerable control over the use
of the cloud service, there are shared responsibilities to maintain the security, privacy, confidentiality,
and integrity of the service. For example, CSCs remain responsible for following best practices in their
use of the cloud service, such as in handling passwords or other credentials, in giving appropriate
permissions to specific users, in the type of data they put into the cloud service, and in labelling content
so that it can be treated correctly by the cloud service. Such practices determine the overall security,
privacy, confidentiality and integrity of the service, but are beyond the control of the CSP alone.
The use of industry-defined codes of practice to guide both the CSP and the CSC in the operation and
use of cloud services is widely held to be a valuable approach.

6.4.2 Cloud services which are deployed and managed across multiple jurisdictions
Traditionally, IT systems were deployed within an organisation, or within a hosted environment
dedicated to a single country or other jurisdiction. Even international telecommunications
infrastructures were constructed country by country, with clear interconnection points defined at
international boundaries, such that resources and management were normally done by staff and using
facilities in the same jurisdiction as the customers of the service. This is no longer true for many cloud
computing systems and services.
Global and multinational cloud services achieve scale and efficiency by centralising their activities,
management and staff as much as possible. This means that customers in one country might be using
cloud service resources (e.g. servers, data stores and network equipment) that are located in another
country, with those servers being managed from a third country.
This approach provides many benefits to both CSP and their CSCs.
1) Having a single global version of the software suite for the cloud service means that a single
development, testing, and security team can support the CSP’s entire network of datacentres, no
matter how many there are or how many countries they are located in.
2) CSPs and CSCs benefit from continuous, timely improvements to the service, rather than each
country or datacentre having to implement updates individually.
3) Security patches and fixes can be deployed more easily. Vulnerabilities or breaches identified
anywhere can be addressed everywhere simultaneously.
4) It allows for geographic diversity in the deployment of services and data. This can provide
redundancy and protection against major incidents such as flooding, earthquake or network
failure, which can take an entire datacentre out of service. It is rarely cost effective or efficient to
provide multiple datacentres in smaller countries, so out-of-country redundancy might be the only
option for meeting business continuity requirements.
5) For data that is not geographically constrained, the cloud service can dynamically move or copy
data between datacentres to optimise performance and storage utilisation. For example, some data
might be relevant for reading worldwide, perhaps on mobile devices (e.g. maps, news, video), such
that global replication greatly improves the customer experience by reducing data access latency.
Such data movement and replication is usually fully automated based on objective measurements
of data usage behaviours.
6.4.3 Economics of managing a global cloud service
CSPs, especially large organisations, have the resilience and flexibility to minimise their capital
investment and operational costs, possibly enabling lower pricing of their cloud service offerings.
CSPs ordinarily use standard equipment configurations across their datacentres allowing them to
purchase equipment in large quantities. Servers used in cloud datacentres ordinarily are devoid of many
of the “bells and whistles” found in off-the-shelf servers which saves costs and energy. CSPs mostly use
software-based resiliency rather than equipment redundancy to provide business continuity further
reducing capital and operating costs. For a large cloud service datacentre, the problem is therefore not
“keep all the equipment running”, but rather to relocate workloads such that the CSC does not notice
any hardware failures or changes to the service. Such resiliency may require applications to utilize
particular software architecture styles or design patterns relating to e.g. “cloud native” applications in
order to make failures transparent to cloud service users.
Because of the scale of large cloud datacentres, CSPs design for minimum energy use to save costs
and maximize computing density in a way that smaller datacentres cannot. Cloud servers have no
need for interfaces (such as for monitor, mouse and keyboard) which are never used in a bulk rack-mounted
server design. Additionally, CSPs are incentivised to design highly efficient cooling and power
distribution systems that lower environmental impact. CSPs initiate bespoke renewable energy projects
to power their datacentres and they can employ advanced, environmentally friendly power sources
such as bio-mass fed fuel cells. Besides renewable energy, depending on the location, heat recycling can
be used to collect and utilize generated heat to, e.g. warm local housing. These and other techniques
are available and measurable in all energy-efficient datacentres as covered in standards such as
ISO/IEC 19395 and ISO/IEC 30134-4, developed in ISO/IEC JTC 1, Subcommittee 39, Sustainability for and by
Information Technology.
Using a single version of software across datacentres is another way CSPs contain costs. Therefore,
a CSP will endeavour to use the exact same software for each service throughout their network of
datacentres. This software can then be monitored, managed and maintained by a single team (including
security analysts). New versions of software will be tested and rolled out gradually, to reduce the risk
of introducing a catastrophic error to the whole network, but the goal will remain to keep a single
deployed software version throughout the CSP as much as possible.
Where multiple software versions exist, any changes will need to be tested against all active versions,
and any security vulnerabilities have to be checked and patched in every version. Also, extensive testing
is required when software of one version interacts with software of another version. As such, the cost
of maintenance rises approximately with the square of the number of versions in use.
Consistency of hardware and software further enables the automated management of cloud services.
CSPs can use multiple ways (e.g. artificial intelligence) to monitor millions of servers and processes to
detect impending failures and anomalies. This increases business continuity and reduces costs for CSPs
and CSCs.
6.4.4 What global, scalable public cloud computing makes possible
Globally deployed, highly scalable public cloud services offer cost effective and scalable services
across geo-political boundaries. Such services offer possibilities that were not available in traditional
on-premises deployments or private clouds. For example, such global services enable collection and
transfer of user data as well as organisational data across geo-political boundaries. The volume and
speed of data collection and transfer are unprecedented.
With the introduction of data analytics and machine learning techniques using the power of public cloud
services and large quantities of collected data, more than ever before the provenance and categories of
data need to be understood. In addition, as data gets aggregated and de-identified (see ISO/IEC 19944),
public and enterprise policy developers need to understand the necessary concepts, terminology and
tools to communicate the desired behaviours and outcomes to protect individuals as well as protect
confidential organisational data.
6.4.5 Implications of service scale and velocity
A key characteristic of cloud computing is that the service is “On-demand self-service” (see
ISO/IEC 17788:2014, 6.2). This means that customers can create an account, pay for the selected service(s),
start using it, post content, make changes, or whatever else the cloud service provides for them, in a
highly automated process. This speed of using the service is highly valued by CSCs, and has been a
major driving force in cloud service adoption. However, it is also challenging for CSPs to filter out “bad
actor” behaviour by CSCs. Examples of such bad behaviour include using the cloud service for malicious
purposes (e.g. spreading malware, sharing illegal or extreme content, copyright viol
...
