The following has been reproduced from NIST's common set of definitions around cloud computing and its use cases. Experts at NIST developed this draft definition in collaboration with industry and government. It was developed as the foundation for a NIST special publication that will cover cloud architectures, security, and deployment strategies for the federal government.
Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Service Model Architectures
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
Security Advantages with Cloud Computing
- Data Fragmentation and Dispersal
- Dedicated Security Team
- Greater Investment in Security Infrastructure
- Fault Tolerance and Reliability
- Greater Resiliency
- Hypervisor Protection Against Network Attacks
- Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
- Simplification of Compliance Analysis
- Data Held by Unbiased Party (cloud vendor assertion)
- Low-Cost Disaster Recovery and Data Storage Solutions
- On-Demand Security Controls
- Real-Time Detection of System Tampering
- Rapid Re-Constitution of Services
- Advanced Honeynet Capabilities
Security Challenges with Cloud Computing
- Data dispersal and international privacy laws
- EU Data Protection Directive and U.S. Safe Harbor program
- Exposure of data to foreign government and data subpoenas
- Data retention issues
- Need for isolation management
- Logging challenges
- Data ownership issues
- Quality of service guarantees
- Dependence on secure hypervisors
- Attraction to hackers (high value target)
- Security of virtual OSs in the cloud
- Possibility for massive outages
- Encryption needs for cloud computing
- Encrypting access to the cloud resource control interface
- Encrypting administrative access to OS instances
- Encrypting access to applications
- Encrypting application data at rest
- Public cloud vs internal cloud security
- Lack of public SaaS version control
Cloud Computing is a IP enabled, scalable, virtualized, multi-tenant, subscription based (or “pay as you”), B2B, service delivery method for business software applications, platform development, and adaptive infrastructure. i.e. SaaS based applications, PaaS based development, IaaS based infrastructure. (DePena, 2009)
Addendum: Cloud Vendor Strategies
VMware: I already have the most popular virtualization software and I will integrate Spring Source and create the best PaaS offering.
Amazon EC2: I am extending my cloud facility to a virtual private environment so that you security concerns are taken care.
Microsoft: I am giving you a platform which is very similar to what you use so that you can seamlessly extend your application to the cloud and even the developers can continue to use the same set of tools.
SalesForce.com: I am giving you a Force.com with which you can build what you need over and above what I provide out of the box.
Google App Engine: I am creating a platform with which you get access to my complete infrastructure – practically unlimited processing power & storage and all my existing services.
Banerjee, U. (2009, August 16). Cloud Strategy. Retrieved September 05, 2009, from Udayan Banerjee’s Blog – From The Other Side: http://setandbma.wordpress.com/2009/09/03/cloud-strategy/
DePena, R. (2009, August 16). The Beauty Of The Cloud. Retrieved September 05, 2009, from Competitive Business Innovations: http://raydepena.wordpress.com/2009/08/16/the-beauty-of-the-cloud/
Mell, P., & Grance, T. (2009, August 8). National Institute of Standards and Technology - Cloud Computing. Retrieved September 4, 2009, from National Institute of Standards and Technology: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html
In response to: Amazingly Creative 404 (File Not Found) Page
So since we are on the topic of error messages, I would like to mention twitter's fail whale, an error msg that appears during an outage on Twitter. The fail whale has become an pop-culture icon, with a fan club, and even a fail whale clothing store.
This is amazing. How can failure of a website become so popular? It is an epic example of Social Media Branding using the Power of the Community.
Why can't we do something similar for Lotus Connections? The market is ripe. Lotus Connections is a unique product in the e2.0 collaboration space. It just need some pop-culture style marketing. What do you guys think? Any one wants to sign up for this? I am willing to help out in any way I can.
Post your ideas as comments below:
Use the following ATOM URL to talk to your blog on IBM developerWorks
This URL can be used in any application that supports ATOM for e.g. Windows Live Writer.
An excellent advice from Anthony Bradley of Gartner on Piloting Social Media:
“The most successful implementations I’ve seen don’t “pilot,” they execute on a planned increment. When you go to the community with a social media solution, go for real. So how do you mitigate risk? Mitigate risk with a carefully scoped purpose. Minimize the initial business purpose pursued but pursue that purpose with all the execution discipline it requires.”
David Navetta, Esq. CIPP, has published an interesting blog post on the topic of Legal Implications of Cloud Computing.
Mr. Navetta emphasize the need to understand the increasingly complex and interlocking relationships in the Cloud:
The party with whom a company is dealing will often not be the party actually processing data or providing computing services. This poses compliance challenges (e.g. how to perform/show due diligence) and contracting challenges (e.g. how to obtain/enforce contractual rights / remedies when one or two layers removed from the company actually doing the processing).
The blog post also highlights the need for proper data retention and destruction policies.
What if the SaaS provider is working on a Cloud Platform that creates residual copies of data that the Cloud User has a legal obligation to delete? What if the SaaS provider works with a Cloud Platform that does not have the technology or capability to properly wipe data? Even if the Cloud Platform has these capabilities, what if the SaaS provider has not negotiated for the right to obtain these services?
My thoughts on Legal Obligation to Delete:
Internet has created a world where "absolute destruction" of data is not easy to achieve. Even when the services are hosted in-house, this type of data destruction is not possible. There could be replicas, backups, off-site backups, DR backups, user created offline replicas, user archives and even printed copies.
I think what is a more achievable is delete in context. Data that loses its context, loses its meaning and is not of much use. So going back to Cloud Services, when I delete an email from my SaaS powered Inbox, the SaaS provider may still have some residual "Sharded" copies of the data. But these residual copies have completely lost their context. And as you traverse down the layers of Cloud Service aggregators (Saas –> PaaS –> IaaS), this residual data becomes more and more meaningless. Re-animating an email from this sharded residual data would be like trying to re-construct a needle by searching for its pieces in a haystack! :-)
… well at least about the proper translation of the term "Cloud Computing" to French:
A group of French experts had spent 18 months coming up with "informatique en nuage," which literally means "computing in cloud."
"What? This means nothing to me. I put a 'cloud' of milk in my tea!" exclaimed Jean Saint-Geours, a French writer and member of the Terminology Commission.
"Send it back and start again," ordered Etienne Guyon, a physics professor on the commission.
The problem was the word "cloud." In French, to be "dans les nuages" – or in the clouds – is a common expression meaning to be distracted.
"I think we can survive without the term 'cloud computing,'" said physics expert Mr. Guyon, slamming his hand on the table.
John Gruber writes:
It’s not that Steve Jobs is fearless, but rather that he’s afraid of not changing. Where other CEOs can’t bring themselves to do something different, Jobs can’t bring himself to keep doing the same thing.
Read More .. ..
The professional life of the independent knowledge worker occurs in four different modes: insanity, give-back, work, and fun.
- If you are serving people you don't like to be with and are not getting paid, that is insanity.
- If you are serving people you enjoy being with but are not getting paid, that is give-back.
- If you are serving people you don't like to be with but are getting paid, that is work.
- If you are serving people you enjoy being with and are getting paid, that is fun.
First, find people you enjoy serving. Read more
Next, find problems you enjoy solving. Read more
In response to: Twittering teens add hundreds of words to dictionary
I think it is a combination of both txt msg and twittering. But tweets have much more visibility ( and findability??) than one-to-one txt msg. The words prolly started with text messaging, and then the twitter gave them visibility.
The editors of this year's Collins English Dictionary have made 267 additions, including words which have previously been considered nothing more than sounds.
'words' such as 'hmm' and 'heh' have been included in the dictionary, as have the likes of 'meh' (a sound denoting disapproval) and 'mwah' (sounding like an exaggerated kiss).
Some words are contractions of expressions that have themselves only just become established online, most notably 'noob', for those who cannot be bothered to say – or more probably to write – 'newbie'.
Read more .. ..
The following is one of those pestiferous and nettlesome Facebook quizzes. But this one is designed by the A.C.L.U. to show you how much private information you reveal by taking them:
What Do Quizzes Really Know About You? on Facebook
Ever take one of those Facebook quizzes to find out which superhero most resembles your dog, or have a friend who seems to spend most of their life doing so? Then you might be in for a surprise when you take this quiz and learn just how much of your personal information these quizzes can access.
Even if your Facebook profile is "private," when you take a quiz, an unknown quiz developer could be accessing almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. Facebook quizzes also have access to most of the info on your friends' profiles. This means that if your friend takes a quiz, they could be giving away your personal information too.
But don't take our word for it - take this quiz and see for yourself!
In response to: Amazingly Creative 404 (File Not Found) Page
Oh btw, some other creative 404 messages:
- http://fryewiles.com/404 (Funny!!! :))
- http://www.markfennell.com/404.html (The 404 page is a actually a game)
- http://www.orangecoat.com/404 (Flowchart anyone????)
- http://hootsuite.com/404 (Milk Carton Missing person's (page) Ad)
I simply use the following on my webserver:
I lie somewhere over here
-- Werner Heisenberg, as in Uncertainty Principle.
In response to: Confession 33: Tag Tag Tag
I wrote a semi-intelligent app that automatically determines appropriate tags for a blogpost and adds that tags to the post. Currently I use it to add tags to my blogspot blog using Blogger API. But I can easily modify it to use ATOM, if this blog supports updating tags using ATOM.
Traditional (draconian??) e-security departments are having a field day with all the media buzz surrounding the insecurity of the Cloud Computing. They are missing the big picture.
Risk management is important. However what I am seeing right now is that these traditional e-security departments are just concentrating on the the Vulnerability component of the Risk equation:
Total risk = Threat X Vulnerability X Asset value
Residual risk = Total risk – Countermeasures
They are completely leaving out the "likelihood of a event happening" from their analysis. Countermeasures are put in place to reduce the likelihood of an event, which minimizes the overall residual risk.
Countermeasures are put in place to reduce the likelihood of an event, which minimizes the overall residual risk.
There is a common misconception that a move to Cloud Computing is inherently insecure. I don't think that is the case. For example, with Google App you can easily utilize multi-factor authentication, or make to it even more secure you can place the Security Assertion server inside your corporate firewall. This would require the user to be on the corporate network before accessing any of the Google Apps. However, this would also cause inconvenience for the mobile user who doesn't like to login into a VPN connection. It is all about trade-offs. My key point is that there is nothing preventing an organization from securing the Cloud Services.
I really don't think Cloud Computing is to be blamed for the twitter hack. The attack would have been possible even if twitter was using a in-house Exchange Server with some provisions for remote access and weak passwords. It is all about authentication and access control. If twitter had instituted proper access control using multi-factor authentication, this would never have happened.
NIST recently published a working draft of the Cloud Computing Security presentation. Some of the Security Advantages mentioned in the presentation are:
1. Shifting public data to a external cloud reduces the exposure of the internal sensitive data
2. Cloud homogeneity makes security auditing/testing simpler
3. Clouds enable automated security management
4. Redundancy / Disaster Recovery
5. Data Fragmentation and Dispersal
6. Dedicated Security Team
7. Greater Investment in Security Infrastructure
8. Fault Tolerance and Reliability
9. Greater Resiliency
10. Hypervisor Protection Against Network Attacks
11. Possible Reduction of C&A Activities (Access to Pre-Accredited Clouds)
12. Simplification of Compliance Analysis
13. Data Held by Unbiased Party (cloud vendor assertion)
14. Low-Cost Disaster Recovery and Data Storage Solutions
15. On-Demand Security Controls
16. Real-Time Detection of System Tampering
17. Rapid Re-Constitution of Services
18. Advanced Honeynet Capabilities
I understand that these will depend on the actual implementation. It usually does for everything. For e.g. you can create world's most secure cipher, but the poor implementation is usually the weakest link.
But in theory, if cloud services are implemented properly, I think NIST's list of advantages hold true.
Problems are Soluble. Problems are inevitable - Professor David Deutsch
No amount of precautions can avoid problems that we do not yet foresee. Hence we need an attitude of problem fixing, not just problem "avoidance". An ounce of prevention equals a pound of cure, but that’s only if we know what to "prevent". If you’ve been punched on the nose, then the science of medicine does not consist of teaching you how to avoid punches. If medical science stopped seeking cures and concentrated on prevention only, then it would achieve very little of either.
The traditional Enterprise IT world is buzzing at the moment with plans on how to stop Cloud Computing from entering into the workplace. It ought to be buzzing with plans to reduce the security and privacy risks associated with Cloud Computing and improve data-portability and forensic capabilities. And not at all costs, but efficiently and cheaply. And some such plans exist, host-proof hosting, for example.
With problems that we are not aware of yet, the ability to put right - not the sheer good luck of avoiding indefinitely - is our only hope, not just of solving problems, but of making technological progress.
(the above is based on a talk by Professor David Deutsch on problem avoidance)