The following has been reproduced from NIST's common set of definitions around cloud computing and its use cases. Experts at NIST developed this draft definition in collaboration with industry and government. It was developed as the foundation for a NIST special publication that will cover cloud architectures, security, and deployment strategies for the federal government.
Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Service Model Architectures
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
Security Advantages with Cloud Computing
- Data Fragmentation and Dispersal
- Dedicated Security Team
- Greater Investment in Security Infrastructure
- Fault Tolerance and Reliability
- Greater Resiliency
- Hypervisor Protection Against Network Attacks
- Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
- Simplification of Compliance Analysis
- Data Held by Unbiased Party (cloud vendor assertion)
- Low-Cost Disaster Recovery and Data Storage Solutions
- On-Demand Security Controls
- Real-Time Detection of System Tampering
- Rapid Re-Constitution of Services
- Advanced Honeynet Capabilities
Security Challenges with Cloud Computing
- Data dispersal and international privacy laws
- EU Data Protection Directive and U.S. Safe Harbor program
- Exposure of data to foreign government and data subpoenas
- Data retention issues
- Need for isolation management
- Logging challenges
- Data ownership issues
- Quality of service guarantees
- Dependence on secure hypervisors
- Attraction to hackers (high value target)
- Security of virtual OSs in the cloud
- Possibility for massive outages
- Encryption needs for cloud computing
- Encrypting access to the cloud resource control interface
- Encrypting administrative access to OS instances
- Encrypting access to applications
- Encrypting application data at rest
- Public cloud vs internal cloud security
- Lack of public SaaS version control
Cloud Computing is a IP enabled, scalable, virtualized, multi-tenant, subscription based (or “pay as you”), B2B, service delivery method for business software applications, platform development, and adaptive infrastructure. i.e. SaaS based applications, PaaS based development, IaaS based infrastructure. (DePena, 2009)
Addendum: Cloud Vendor Strategies
VMware: I already have the most popular virtualization software and I will integrate Spring Source and create the best PaaS offering.
Amazon EC2: I am extending my cloud facility to a virtual private environment so that you security concerns are taken care.
Microsoft: I am giving you a platform which is very similar to what you use so that you can seamlessly extend your application to the cloud and even the developers can continue to use the same set of tools.
SalesForce.com: I am giving you a Force.com with which you can build what you need over and above what I provide out of the box.
Google App Engine: I am creating a platform with which you get access to my complete infrastructure – practically unlimited processing power & storage and all my existing services.
Banerjee, U. (2009, August 16). Cloud Strategy. Retrieved September 05, 2009, from Udayan Banerjee’s Blog – From The Other Side: http://setandbma.wordpress.com/2009/09/03/cloud-strategy/
DePena, R. (2009, August 16). The Beauty Of The Cloud. Retrieved September 05, 2009, from Competitive Business Innovations: http://raydepena.wordpress.com/2009/08/16/the-beauty-of-the-cloud/
Mell, P., & Grance, T. (2009, August 8). National Institute of Standards and Technology - Cloud Computing. Retrieved September 4, 2009, from National Institute of Standards and Technology: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
In an interview with NYTimes, David Vladeck, the Director of the FTC Bureau of Consumer Protection, said that he hopes to address the “notice and consent” framework that he considers “no longer sufficient”, as it has resulted in privacy disclosures that are rarely read or understood:
"The first and the more dominant one was what I’ll call the notice and consent framework. The theory was that data collection was OK and uses of that data was OK provided that consumers were on notice that collection activities were taking place, and that consent for the collection and use was secured in some way.
Now, that may have been a sensible framework back then, when it was easier to give notice and consent could be provided or contained in a way where it was clear that the consumer actually knew what she was consenting to, and where there would be a single use of the data or a clear use of the data. Disclosures are now written by lawyers, they’re 17 pages long. I don’t think they’re written principally to communicate information; they’re written defensively. I’m a lawyer, I’ve been practicing law for 33 years. I can’t figure out what the hell these consents mean anymore. And I don’t believe that most consumers either read them, or, if they read them, really understand it. Second of all, consent in the face of these kinds of quote disclosures, I’m not sure that consent really reflects a volitional, knowing act." (Vladeck, 2009)
Mr. Vladeck said the FTC wants to establish new "principles, not prescriptive regulation," which might not be relevant as technology changes (Schatz, 2009):
"Well, we’re not committing ourselves to imposing regulation. Please understand, we don’t view that at the end of this process we’re necessarily going to set down hard and fast markers for industry that must be obeyed. What we would like is to figure out useful tools and a more comprehensive way of looking at privacy protections that may obviate the need for rules." (Vladeck, 2009)
Mr. Vladeck also plans to consider not only economic harm, but also the “dignity interest” that arises in online information collection. (Jacobs, 2009)
Jacobs, A. (2009, August 8). FTC Takes New View of Online Privacy. Retrieved August 8, 2009, from Harvard Journal of Law & Technology Digest: http://jolt.law.harvard.edu/digest/copyright/flash-digest-news-in-brief-18
Schatz, A. (2009, August 5). Regulators Rethink Approach to Online Privacy. Retrieved August 8, 2009, from The Wall Street Journal: http://online.wsj.com/article/SB124949972905908593.html
Vladeck, D. (2009, August 3). An Interview With David Vladeck of the F.T.C. (S. Clifford, Interviewer) NYTimes.com.