Rather than classifying clouds I think the information needs to go into the workloads descriptions or metadata, such as an service level.wllm said; As well as a comment on twitter by @grey_area;
Your example of the disk storage relates. Does it matter if the storage is local or FC? Its cloud and should be abstracted. What does matter is the performance or service level of the storage, which the workload should dictate a minimum performance.
What we will need then is some interfaces, standards and auditing for confirming those SLAs.
Something like a Standard & Poor's rating system for Cloud Providers? If so, that's not a half bad idea - assuming proper diligence"I particularly like the S&P concept. Standard and Poor's, which began rating insurance companies in the mid 1980s, assesses a company's Claims-Paying Ability–that is, its financial capacity to meet its insurance obligations. Similarly a Cloud provider may have a Cloud Performance Ability (CPA) that estimates it's ability to meet certain service levels.
S&P forms its opinion by examining industry-specific risk, management factors, operating performance and capitalization. Industry-specific risk addresses the inherent risk in and diversity of the insurance business being underwritten. Management factors include how management defines its corporate strategy and the effectiveness of its operations and financial controls. For a Cloud Provider, an independent auditor may look at various aspects of the infrastructure including operational history, physical security, networking, storage, platform maturity, peering relationships, customer support & satisfaction, up time and financial structure to determine a cloud providers overall rating or CPA. In turn this rating could form a competitive differentiation among various commodity service providers.
@rogerjenn also brings up a very good point;
You might want to reconsider any Wall Street rating firm based on their performance rating subprime mortgage-backed securities.@Beaker suggests;
Audit, Assertion, Assessment, and Assurance API (A6) initiative could provide this;In a recent post on his blog, @beaker aka Hoff said;
This way you win two ways: automated audit and security management capability for the customer/consumer and a a streamlined, cost effective, and responsive way of automating the validation of said controls in relation to compliance, SLA and legal requirements for service providers.Regardless of the approach, an interesting idea none the less.