Making sense of standards for IT infrastructure and operations

We can't live without standards but there are so many of them it's hard to keep up. Here are some expert tips from a new Forrester guide.

Cloud computing concept

Image: Maciej Frolow/Stone/Getty Images

If you are confused by all of the standards that apply to IT infrastructure and operations have no fear, you are far from alone. There are hundreds of standards development organizations managing thousands of individual technology standards that apply to every aspect of the technology stacks IT manages and businesses depend on.

"We have a lot of different standards because tech is a multi-trillion-dollar global industry with amazing amounts of complexity within it," said Charles Betz, Forrester's lead DevOps analyst and co-author of the report, "The Forrester Guide to Cloud Standards, 2021." Betz also is a member of The Open Group, a standards development organization.

There are many different categories of standards that fall on a spectrum from de facto standards (such as AWS APIs or Citrix for desktop virtualization) that are not formalized but widely adopted and used, and de jure standards (such as those published by the ISO), which are actively managed and codified.

SEE: Digital transformation: A CXO's guide (free PDF) (TechRepublic)

Then there are open standards. An open standard "is available to anyone interested in complying with it or participating in its development," the report said. This is so similar to open source, where software is free to use and change so long as the users agree to publish any changes to the code, that people often get these two areas mixed up.

An open standard can be de facto or de jure, such as POSIX, which is an UNIX interoperability standard for cloud providers managed by the IEEE, said Tracy Woo, an infrastructure and operations analyst at Forrester and a report co-author.

"What we recommend is for groups to look at the different [standards bodies] in terms of what you're looking to implement," she said. "If you're thinking about cloud security and data protection … there's ISO or IEC. If there are different sorts of [cloud] best practices that you're looking for instead, then we recommend things like the CSA [Cloud Security Alliance] or the CSCC [Cloud Standards Customer Council]."

Then there are frameworks, such as ITIL for IT service management, and best practices guidelines, like the National Institute of Standards and Technology's cybersecurity framework. These frameworks are also considered "standards" because they are so widely adopted (i.e., de facto) but they are really just recommendations, said Woo. That is, of course, unless you want to stay compliant with an industry standard such as the payment card industry's PCI/DSS standard for credit card data handling, then you will have to adopt and follow whatever best practices the standard dictates.

The good news is most IT operations folks do not have to pay much attention to standards beyond which ones to use in a given situation or which best practices frameworks they should adopt. It's on the vendor side, where standards really come into play.

"It's more about, there's a consortium of companies that come together …so that consumers can come to [them] as a collective and it's a one stop shop," said Woo. "They don't have to worry about compatibility issues, they don't have to worry about various different variations between the environments, they can count on a few things being standard across all of them."

SEE: AWS Lambda, a serverless computing framework: A cheat sheet (free PDF) (TechRepublic)

Of course, decisions made by vendors and the SDOs they work with (and in many cases support financially) about what becomes a standard and what does not, has a direct impact on the consumers of those technologies. This is why understanding the standards landscape is so important to long-term technology decision making, particularly for large organizations who have to deploy infrastructure and applications at scale.

"Organizations that should care about standards are those operating at scale, dealing with concerned vendors on security, launching workloads with a long future, or selecting providers in a mature industry," the report said.

To get a handle on standards, first start by designating someone in the organization to take on the task of learning about, even at a high-level, the standards that will apply to whatever endeavor IT is undertaking, said Betz. The move to cloud is a great example of where having a good understanding of interoperability standards (so data and applications can be moved easily from one public cloud provider to another one or to a private cloud) would be particularly beneficial to the long-term viability of a corporate cloud strategy. Of even greater importance are cybersecurity standards, which have the "clearest evidence of broad adoption," the report said.

When it comes to cloud in particular, the standards landscape is still coming into focus because AWS has such a dominant position in the industry and because cloud is still relatively new.

"Ongoing innovation among the primary players continues to defer standardization, which usually takes hold when markets start to commoditize," the report said. "AWS, in particular, has little incentive to standardize, as it's the dominant pacesetter and can define its own terms."

To understand how to best leverage standards for your organization, the report recommends:

Watch the EU and GAIA-X. The European Union (EU) is keen to develop cloud standards. In 2017, they formed the Cloud Select Industry Group. The combined French-German GAIA-X initiative is working to align data, cloud, and infrastructure services to European standards and regulations. No current standard has been formalized, but conversations are ongoing, the report said.

Refine your portability strategy. Come up with a plan to future-proof your cloud implementations so you can move them between public and/or private clouds by determining whether speed or flexibility is of higher value for a particular workload.

Track cloud standards and open source efforts. Because open source projects often lead to tomorrow's cloud API standards, keep an eye on the projects that have a lot of support and interest.

Also see

By Allen Bernard

Now a freelance business writer and journalist, Allen Bernard is the former managing editor of CIOUpdate.com, eSecurityPlanet.com, ITSMWatch.com, and EnterpriseNetworkingPlanet.com. Throughout his 20-year career, Bernard has focused on explaining the...