Feat/add certification process2 #253
Open: garloff wants to merge 26 commits into main from feat/add-certification-process2 (+183 −11)

Commits (26):
d511c31 (garloff) Explain SCS DigiSov and Certs. How to get into compliance.
ace55a1 (garloff) Link to OSHM docs page guide.
00da606 (garloff) Fix link.
52552b2 (garloff) Next attempt to fix link.
0ec8232 (garloff) trial and error for the link. What a waste!
429e01c (garloff) Avoid colon in title.
5e67c6d (garloff) Can we get this d*mn thing to build finally
ba40690 (garloff) Merge branch 'main' into feat/add-certification-process2
e3cbb4e (garloff) Try to link the page again ...
04cbbd9 (garloff) Drop /de/ from blog article links.
9241655 (garloff) Merge branch 'main' into feat/add-certification-process2
211bd2f (maxwolfs) Merge branch 'main' into feat/add-certification-process2
0eb3926 (garloff) Avoid term "real" open source, just reference OSI.
9668bb8 (garloff) Fix grammar, thanks @fkr
e23e99c (garloff) Move explanation of DigiSov into a separate page.
589556d (garloff) Avoid convers style around level 0, def. by SCS project.
9154dba (garloff) Use italics for *SCS-compatible* and the other levels.
3cfa439 (garloff) Merge branch 'main' into feat/add-certification-process2
1d05ffa (garloff) Shorten titles. Avoid fwd-looking statements. Wording.
b4d9d42 (garloff) Remove extra paren.
034de5c (maxwolfs) Merge branch 'main' into feat/add-certification-process2
a92e2b0 (garloff) Merge branch 'main' into feat/add-certification-process2
a51f28e (garloff) Move Getting Certified into scs-0004-w1. Move example into Blog.
7143202 (garloff) Fix link to (upcoming) blog article.
286ed1f (garloff) Merge branch 'main' into feat/add-certification-process2
59870d1 (garloff) Apply wording improvements from @mbuechse
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
# SCS certification overview | ||
|
||
## Digital sovereignty drives SCS certification | ||
|
||
The SCS project takes a comprehensive perspective on digital sovereignty. | ||
Please read [Digital Sovereignty and SCS certification](digisov-and-cert) | ||
for more details. | ||
|
||
The basic level, control over data that at least allows to comply with the | ||
European GDPR regulation, is *not* certified by SCS; while the SCS software | ||
makes it easy to build (local) clouds that fulfill these, it depends on the | ||
operators of the infrastructure what compliance rules they fulfill. | ||
|
||
The SCS project however has defined certification levels for levels two, | ||
three and four in the sovereignty taxonomy. | ||
|
||
| Digital Sovereignty level | SCS certification | | ||
|-----------------------------------|---------------------------| | ||
| 1: Data Sov'ty / Legal compliance | (Refer to ENISA/Gaia-X) | | ||
| 2: Provider switching / Tech Compatiiblity | *SCS-compatible* | | ||
| 3: Ability to shape technology | *SCS-open* | | ||
| 4: Transparency & SKills for Operations | *SCS-sovereign* | | ||
|
||
As of September 2024, the *SCS-compatible* certification level is defined | ||
and used; the details for the higher levels are still being worked on. | ||
|
||
## Certification process | ||
|
||
To get certified, the infrastructure needs to fulfill certain criteria. | ||
As far as possible, these are implemented as automated tests that run | ||
continuously (daily) to assure continuous compliance. The results are | ||
made transparent via the the [Certified Clouds overview](overview) page. | ||
|
||
To get officially certified with the right to use the SCS brand and getting | ||
listed on this page requires to work with the Forum SCS-Standards at the | ||
[OSB Alliance](https://osb-alliance.com/) which takes over this aspect | ||
from the [SCS project](https://scs.community/). It requires membership | ||
or certification fees to cover the efforts of standardization and | ||
certification. | ||
|
||
The process is described in more details on the | ||
[Getting SCS-compatible certification (for Operators)](getting-scs-compatible-certified) | ||
page. An example with technical testing and adjustments is on the | ||
[Testing and Adjustment example](test-and-adapt-example) page. | ||
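Review bot: Two typos in the level table will ship to the rendered page: "Compatiiblity" in the level 2 row and "SKills" in the level 4 row should read "Compatibility" and "Skills". In the "Certification process" section, "via the the [Certified Clouds overview]" has a doubled article, and "described in more details" should be "in more detail". The sentence starting "To get officially certified with the right to use the SCS brand and getting listed on this page requires to work with" mixes an infinitive with a gerund and has no clear subject for "requires"; something like "Official certification, which includes the right to use the SCS brand and a listing on this page, requires working with the Forum SCS-Standards" would read cleanly.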
Original file line number | Diff line number | Diff line change | ||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
@@ -0,0 +1,120 @@ | ||||||||||||||||||
# Digital Sovereignty and SCS certification | ||||||||||||||||||
|
||||||||||||||||||
## The taxonomy of digital sovereignty | ||||||||||||||||||
|
||||||||||||||||||
As published in [DuD](https://rdcu.be/cWdBJ) (German, English version in | ||||||||||||||||||
[the cloud report](https://the-report.cloud/why-digital-sovereignty-is-more-than-mere-legal-compliance/)) | ||||||||||||||||||
and being summarized nicely in a [cloudahead article](https://www.cloudahead.de/der-freiheitskampf-des-sovereign-cloud-stacks), | ||||||||||||||||||
we differentiate between several levels of digital sovereignty. | ||||||||||||||||||
Level 0 (introduced by Gregor Schuhmacher in the cloudahead article) | ||||||||||||||||||
which describes having real clouds (see | ||||||||||||||||||
[NIST definition of cloud](https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-145.pdf)) | ||||||||||||||||||
with self-service on-demand API driven service shall be taken for granted. | ||||||||||||||||||
|
||||||||||||||||||
The levels as seen by the SCS project are: | ||||||||||||||||||
|
||||||||||||||||||
1. Control over data and data sharing and ability to fulfill regulatory requirements | ||||||||||||||||||
(e.g. GDPR) around data control. | ||||||||||||||||||
2. Capability to chose between *highly compatible* operators, this way enabling a provider | ||||||||||||||||||
switch or using several providers in a federated fashion. This also includes the | ||||||||||||||||||
possibility to run your own infrastructure in a *highly compatible* manner. | ||||||||||||||||||
3. Capability to influence and shape the infrastructure, enabling innovation at the | ||||||||||||||||||
infrastructure layer. | ||||||||||||||||||
4. Transparency over operational aspects of running infrastructure, this way supporting | ||||||||||||||||||
to overcome a skill gap to being able to operate infrastructure in a highly reliable | ||||||||||||||||||
manner. | ||||||||||||||||||
|
||||||||||||||||||
These aspects of sovereignty drive the work from the SCS team. | ||||||||||||||||||
|
||||||||||||||||||
Level number 1 is sometimes referred to as "data sovereignty". Achieving it does require | ||||||||||||||||||
cloud infrastructure and cloud operations that can not be interfered with by actors that | ||||||||||||||||||
in ways incompatible with the respective jurisdiction. For Europeans that need to observe GDPR, | ||||||||||||||||||
this excludes using US clouds for personally identifiable information, expecting that the | ||||||||||||||||||
adequacy decisions for the US do not fully address the risks. The SCS project does not | ||||||||||||||||||
have deep legal expertise and refers to the work from [noyb](https://noyb.eu/) | ||||||||||||||||||
and [ENISA](https://www.enisa.europa.eu/) here. | ||||||||||||||||||
|
||||||||||||||||||
In order to achieve level 2, | ||||||||||||||||||
the SCS community has worked on standards that define the APIs and the infrastructure | ||||||||||||||||||
behavior, so application developers and application operators can deploy the same application | ||||||||||||||||||
using the same automation and rely on the same infrastructure behavior to operate the | ||||||||||||||||||
application in a resilient way. The standards allow for switching providers or to use | ||||||||||||||||||
several providers in a federated way. Operating own infrastructure according to the same | ||||||||||||||||||
standards is also possible, allowing for hybrid cloud setups without technical barriers. | ||||||||||||||||||
|
||||||||||||||||||
Level 3 drives the work on a comprehensive openly developed open source software stack, | ||||||||||||||||||
allowing operators to use, study, change and redistribute the software according to the | ||||||||||||||||||
[Four Freedoms](https://en.wikipedia.org/wiki/The_Free_Software_Definition) of free software. We are requiring | ||||||||||||||||||
a complete stack that uses [OSI](https://opensource.org/)-approved open source licenses | ||||||||||||||||||
as to ensure that users have the four freedoms, the right to use, study, modify, (re)distribute | ||||||||||||||||||
the software that drives the cloud stack. To ensure that this does not require extensive | ||||||||||||||||||
and expensive forking, we further require the [Four Opens](https://openinfra.dev/four-opens/) | ||||||||||||||||||
of the Open Infra Foundation here. The software can be used to provide cloud services | ||||||||||||||||||
for others (public cloud) or just for your own community (community cloud) or | ||||||||||||||||||
internal (private cloud) needs. | ||||||||||||||||||
|
||||||||||||||||||
Level 4 addresses the skills and transparency aspects. Operating highly dynamic distributed | ||||||||||||||||||
systems in a reliable manner requires knowledge and experience — engineers with these skills | ||||||||||||||||||
are scarce. To address this, the SCS team networks operations staff from providers and helps | ||||||||||||||||||
to share and distill common knowledge that help everyone to be more successful. SCS has | ||||||||||||||||||
thus been driving the [Open Operations](https://openoperations.org) initiative. | ||||||||||||||||||
|
||||||||||||||||||
Levels 2 and 3 are sometimes related to the term "technological sovereignty", | ||||||||||||||||||
indicating the ability to control and shape the technology. | ||||||||||||||||||
|
||||||||||||||||||
## The SCS certification levels | ||||||||||||||||||
|
||||||||||||||||||
Corresponding to the levels of digital sovereignty in the SCS taxonomy, SCS defines | ||||||||||||||||||
SCS certification levels | ||||||||||||||||||
|
||||||||||||||||||
1. (Defined outside of the SCS scope) | ||||||||||||||||||
2. *SCS-compatible* | ||||||||||||||||||
3. *SCS-open* | ||||||||||||||||||
4. *SCS-sovereign* | ||||||||||||||||||
|
||||||||||||||||||
### Why no SCS certification for GDPR? | ||||||||||||||||||
|
||||||||||||||||||
SCS significantly lowers the bar to offer real cloud services. These can be used internally | ||||||||||||||||||
(private cloud) or to offer services for your community, your region or country. The vision | ||||||||||||||||||
is to have a network of providers. We expect most if not all of them to be operated in ways | ||||||||||||||||||
that fulfill the European GDPR regulation; it is also possible to operate clouds that fulfill | ||||||||||||||||||
special regulation, e.g. in the banking or insurance sector. | ||||||||||||||||||
|
||||||||||||||||||
SCS is not in a position to judge this and thus defines no own label / certificate to | ||||||||||||||||||
vouch for regulatory compliance. We typically refer to the | ||||||||||||||||||
[ENISA](https://www.enisa.europa.eu/) for GDPR considerations | ||||||||||||||||||
and also recommend to take the [Gaia-X](https://gaia-x.eu/) labels into account here. | ||||||||||||||||||
|
||||||||||||||||||
## Status of SCS certification for cloud operators | ||||||||||||||||||
|
||||||||||||||||||
As of September 2024, the requirements for *SCS-open* and *SCS-sovereign* | ||||||||||||||||||
certification have not been formalized yet. | ||||||||||||||||||
|
||||||||||||||||||
The technical compatibility validation corresponding to the *SCS-compatible* certification does | ||||||||||||||||||
exist since more than a year. There are certificates for two layers of the SCS architecture | ||||||||||||||||||
Comment on lines +93 to +94
Suggested change
better yet (insert correct date)
Suggested change
|
||||||||||||||||||
stack: | ||||||||||||||||||
|
||||||||||||||||||
* The virtualization layer: *SCS-compatible IaaS* | ||||||||||||||||||
* The container layer: *SCS-compatible KaaS* | ||||||||||||||||||
|
||||||||||||||||||
For each of these, technical tests are being run to test service offerings for compliance. | ||||||||||||||||||
The standards and the corresponding tests are versioned. The *SCS-compatible* certification | ||||||||||||||||||
for a specific layer (currently IaaS or KaaS) and version is called a *certification scope*. | ||||||||||||||||||
Please see [Scopes and Versions](scopes-versions.md) for detailed definitions. | ||||||||||||||||||
|
||||||||||||||||||
As of September 2024, the latest SCS-compatible certification scope on the IaaS layer is | ||||||||||||||||||
SCS-compatible IaaS v4. For November 2024, SCS-compatible IaaS v5 and the first Kaas | ||||||||||||||||||
scope SCS-compatible KaaS v1 are planned. | ||||||||||||||||||
|
||||||||||||||||||
## Certification for non-operators | ||||||||||||||||||
|
||||||||||||||||||
Software can deliver infrastructure components for operators to provide SCS-compatible | ||||||||||||||||||
IaaS or KaaS; it is planned that infrastructure software can also receive SCS certification. | ||||||||||||||||||
|
||||||||||||||||||
Likewise, applications can be developed in a way that they will work without any changes on | ||||||||||||||||||
all SCS-compatible IaaS or on all SCS-compatible KaaS (or may require both). It is planned | ||||||||||||||||||
that such software can also be certified. | ||||||||||||||||||
|
||||||||||||||||||
Implementation partners from the SCS ecosystem may support operators (CSPs) to build | ||||||||||||||||||
and operate SCS-compatible infrastructure. A certification program that certifies the | ||||||||||||||||||
skills and experience of such partners is planned as well. |
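Review bot: The second sentence of the "Level number 1" paragraph does not parse: "can not be interfered with by actors that in ways incompatible with the respective jurisdiction" has either a stray "that" or a missing verb; dropping "that" is the smallest fix. In the Level 3 paragraph the four freedoms are spelled out twice in consecutive sentences ("use, study, change and redistribute" and then "the right to use, study, modify, (re)distribute"), so one of the two can go. Smaller points: "chose" should be "choose" in item 2 of the level list, "Kaas" should be "KaaS" in the status section, "does exist since more than a year" reads better as "has existed for more than a year", and the line "SCS defines SCS certification levels" needs a colon before the numbered list. The link `scopes-versions.md` carries a file extension while the other relative links in this PR do not; given the link trouble recorded in the commit history, it is worth using one form throughout. The "As of September 2024" and "For November 2024 ... are planned" statements will go stale quickly, which matches the existing comment on lines +93 to +94 about inserting the correct date.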
standards/certification/getting-scs-compatible-certified.md
13 changes: 13 additions & 0 deletions
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# Getting SCS-compatible certification | ||
|
||
The conditions to become *SCS-compatible* certified are defined in the | ||
[SCS standard 0004](/standards/scs-0004-v1-achieving-certification). | ||
|
||
Hints how the process is working in practice for existing certified | ||
clouds can be found in the corresponding | ||
[Implementation Notes](standards/scs-0004-w1-achieving-certification-implementation). | ||
|
||
There is a [blog article with an example](https://scs.community/blog/2024/10/14/cert-adapt-example) | ||
of running the test suite and addressing the failures. Observations on | ||
[making an OpenStack cloud that is not using the SCS reference implementation compliant](https://scs.community/2024/05/13/cost-of-making-an-openstack-cluster-scs-compliant/) | ||
are covered in another blog article. |
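Review bot: The two standards links use different path styles: the first is absolute (`/standards/scs-0004-v1-achieving-certification`) while the Implementation Notes link is relative (`standards/scs-0004-w1-achieving-certification-implementation`), which from a page under standards/certification/ would resolve below that directory rather than at the site root. Please give the second link the same leading slash, or confirm that the relative form is intended. The two blog URLs also differ in shape (`scs.community/blog/2024/10/14/...` versus `scs.community/2024/05/13/...`); it is worth checking that both resolve. "Hints how the process is working in practice" would read better as "Hints on how the process works in practice".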
Is this page still a thing?