Portability and Interoperability

In the event of service disruption, data portability and application or service interoperability can enable organizations to take advantage of the technical solutions and contingency arrangements that are necessary for returning to normal operations. These features foster resilience by allowing customers to operate across different services and contract with multiple cloud providers. As a result, although they serve different functions, portability and interoperability are often spoken of together.

Key Considerations

  • Deficient standards and adaptation tools. Existing standards and adaptation tools (for example, protocol converters, translators, and software environment emulators1) for portability and interoperability are insufficient to enable the amount of flexibility enterprise customers desire and to fully offset the threat of service disruption. This prevents the creation of adequate approaches to enabling the exchange and migration of cloud-hosted data and/or applications. Moreover, a prolonged transition period will ensue before adequate standards and adaptation tools gain significant market presence, further delaying efforts to mitigate service disruption challenges.
  • Portability is difficult to operationalize. Even if cloud providers enable and support greater portability, customers must make significant time, training, and financial investments (for example, purchasing duplicate software licenses) to successfully move workloads between cloud environments. Moreover, even if they can make these investments, they may need to convert the data to other formats (to be compatible with the new environment) and ensure that the same identity, security, and privacy management policies apply in this new environment.2 These factors prevent organizations from rapidly moving data in response to an incident.
  • Barriers to interoperability. Interoperability requires much deeper technical integration and data and IP sharing among cloud providers, which they may resist. Moreover, there might be relatively less customer demand for interoperability, as portability seems to provide much of the flexibility and agility that customers seek.
  • Interoperability can expose customers to security risks. Although, on balance, relying on multiple cloud providers seems to reduce the risk of service disruption and data loss, this also increases the surface area of a customer’s system and the probability of exposure to individual security vulnerabilities. Moreover, their dependence on additional cloud providers and other third parties complicates efforts to understand, model, and bound their risk profiles, as customers will be concerned about end-to-end security while each provider might only seek to secure its offering.
  • Emergence of specialized providers. Greater portability and interoperability may diminish an individual provider’s revenue.3 As a result, at least some providers might not support efforts to increase and expand these capabilities. However, as customer demand for portability and interoperability increases, a range of specialized providers are emerging to fill this gap, enhancing growth in the overall cloud services market.
  • Shared responsibilities when transferring data. There are multiple parties involved in the transfer of data, and as a result, they share many responsibilities for maintaining the security and privacy of the data as it migrates from one environment to another.4 These parties, especially customers, may not always be aware of or understand their responsibilities.

Stakeholder Perspectives

  • Seek assurance that government functions and the broader economy can expect continuous and reliable service across providers by creating or encouraging the development of standards for interoperability and portability.

Tensions With Other Cloud Governance Issues

  • Incident Handling Procedures and Data Retrievability and Backup Arrangements: The inability to port or interoperate workloads between different cloud providers’ services may slow or prevent efforts to restore service in the event of cloud outage. It may also make data retrievability arrangements less useful, if backup data and workloads cannot be transferred to functioning cloud environments.
  • Effects of Cloud Market Concentration: Portability and interoperability could increase competition between cloud providers, potentially helping consumers and enterprise customers access higher-quality cloud services in a more cost-effective manner. Yet many cloud providers’ business practices increase customer dependence on a single provider, exacerbating the consequences of business disruptions and other failures.5 This lack of portability and interoperability could worsen the consequences of large-scale disruptions, especially if they affect multiple hyperscale providers.

Potential Ways Ahead

  • Encourage the use of hybrid and multi-cloud strategies to decrease disruption risks.6
  • Encourage agreement on common terminology and principles for portability and interoperability in consultation with providers and customers. Definitions for these terms have been formalized in standards, including SWIPO’s Codes of Conduct,7 IEEE’s P2301/P2302,8 and ISO/IEC’s 19941.9

Recent Examples

Notes

1 Mark Jeffrey, “Interoperability and Portability in Cloud Computing,” Microsoft, December 15, 2017, https://blogs.microsoft.com/eupolicy/2017/12/15/interoperability-portability-cloud-computing/.

2 Lydia Leong, “Multicloud failover is almost always a terrible idea,” Gartner (blog), October 14, 2021, https://blogs.gartner.com/lydia_leong/2021/10/14/multicloud-failover-is-almost-always-a-terrible-idea/.

3 Calls to increase interoperability across providers may challenge providers’ business strategies, which often involve building customer dependence on their offerings.

4 Data Transfer Project, “Data Transfer Project Overview and Fundamentals,” Data Transfer Project, July 20, 2018, https://datatransferproject.dev/dtp-overview.pdf.

5 OVH fire destroys one of its four data centers, rendering some services as “unrecoverable.” See: Simon Sharwood, “OVH says some customer data and configs can’t be recovered after fire, some seems to be OK, plenty is safe,” The Register, March 15, 2021, https://www.theregister.com/2021/03/15/ovh_restoration_roadmap/.

6 These strategies can include arrangements for failover across regions, load balancers, application gateways, and more, and should as well include a complementary data backup strategy (for example, how frequent should the backup process be, how extensive, should they be simultaneous across all applications, and so on) and a strategy on how to address lost data. A disaster recovery plan should also account for the people, processes, and applications needed to restore functionality, and should be fully and regularly tested through disaster simulations.

7 “SWIPO (Switching Cloud Providers and Porting Data), is a multi-stakeholder group facilitated by the European Commission, in order to develop voluntary Codes of Conduct for the proper application of the EU Free Flow of Non-Personal Data Regulation / Article 6 ‘Porting of Data.’” See: SWIPO, “Switching & Porting,” SWIPO, n.d., https://swipo.eu/.

8 Beyond Standards, “IEEE Addresses Standards for the Cloud,” Beyond Standards (blog), IEEE Standards Association, April 18, 2011, https://beyondstandards.ieee.org/ieee-addresses-standards-for-the-cloud/.

9 “ISO/IEC 19941:2017 specifies cloud computing interoperability and portability types, the relationship and interactions between these two cross-cutting aspects of cloud computing and common terminology and concepts used to discuss interoperability and portability, particularly relating to cloud services. See: ISO, “ISO/IEC 19941:2017: Information technology – cloud computing – interoperability and portability,” ISO, December 2017, https://www.iso.org/standard/66639.html.

10 As advanced in the “Code of Conduct for Data Portability and Cloud Service Switching for Infrastructure as a Service (IaaS) Cloud services – CSP Transparency Statement,” SWIPO, May 27, 2020, https://swipo.eu/wp-content/uploads/2020/10/SWIPO-IaaS-CSP-Transprency-Statement-version-2020-27-May-2020-v1.0.pdf.

11 “SWIPO (Switching Cloud Providers and Porting Data), is a multi-stakeholder group facilitated by the European Commission, in order to develop voluntary Codes of Conduct for the proper application of the EU Free Flow of Non-Personal Data Regulation / Article 6 “Porting of Data.” See: SWIPO, “Switching & Porting,” SWIPO, n.d., https://swipo.eu/.

12 Beyond Standards, “IEEE Addresses Standards for the Cloud,” Beyond Standards (blog), IEEE Standards Association, April 18, 2011, https://beyondstandards.ieee.org/ieee-addresses-standards-for-the-cloud/.

13 “ISO/IEC 19941:2017 specifies cloud computing interoperability and portability types, the relationship and interactions between these two cross-cutting aspects of cloud computing and common terminology and concepts used to discuss interoperability and portability, particularly relating to cloud services. See: ISO, “ISO/IEC 19941:2017: Information technology – cloud computing – interoperability and portability,” ISO, December 2017, https://www.iso.org/standard/66639.html.

14 As advanced in the “Code of Conduct for Data Portability and Cloud Service Switching for Infrastructure as a Service (IaaS) Cloud services – CSP Transparency Statement,” SWIPO, May 27, 2020, https://swipo.eu/wp-content/uploads/2020/10/SWIPO-IaaS-CSP-Transprency-Statement-version-2020-27-May-2020-v1.0.pdf.

15 According to a 2021 report backed by Google, “Only 17% of the financial institutions surveyed . . . have already adopted multi-cloud as an architecture of choice, while 28% rely on single cloud.” Though, 88 percent of respondents without a multi-cloud strategy “reported they are considering adopting [one] in the next 12 months.” See: Zac Maufe, “Google Cloud study: cloud adoption increasing in financial services, but regulatory hurdles remain,” Google Cloud, August 12, 2021, https://cloud.google.com/blog/topics/inside-google-cloud/new-study-shows-cloud-adoption-increasing-in-financial-services and Daphne Leprince-Ringuet, “Banks are moving their core operations into the cloud at a rapid rate. But new tech brings new challenges,” ZDNet, August 13, 2021, https://www.zdnet.com/article/banks-are-moving-their-core-operations-into-the-cloud-at-a-rapid-rate-but-new-tech-brings-new-challenges/.

16 “SWIPO (Switching Cloud Providers and Porting Data), is a multi-stakeholder group facilitated by the European Commission, in order to develop voluntary Codes of Conduct for the proper application of the EU Free Flow of Non-Personal Data Regulation / Article 6 “Porting of Data.” See: SWIPO, “Switching & Porting,” SWIPO, n.d., https://swipo.eu/.

17 Beyond Standards, “IEEE Addresses Standards for the Cloud,” Beyond Standards (blog), IEEE Standards Association, April 18, 2011, https://beyondstandards.ieee.org/ieee-addresses-standards-for-the-cloud/.

18 “ISO/IEC 19941:2017 specifies cloud computing interoperability and portability types, the relationship and interactions between these two cross-cutting aspects of cloud computing and common terminology and concepts used to discuss interoperability and portability, particularly relating to cloud services. See: ISO, “ISO/IEC 19941:2017: Information technology – cloud computing – interoperability and portability,” ISO, December 2017, https://www.iso.org/standard/66639.html.