May 31, 2012

NIST Guide Helps Dispel Cloud Mysteries

Robert Gelber

Cloud services have increased accessibility to high power resources that were typically available only to large enterprises and government facilities. While the financial and technological advantages may be obvious, underlying structures that form cloud services can be mystifying to the end user. The confusion has prompted the National Institute of Standards and Technology (NIST) to release Special Publication 800-146, “Cloud Computing Synopsis and Recommendations.” The document, a follow up to the official NIST cloud definition published last October, provides additional insight and guidance for the community. To follow is an overview of the NIST report, including charts sourced from that publication.

Definition and Terms of Service

According to NIST:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The definition is rather wide, but there are certain traits encompassed by all cloud services, which include:

  • On-demand, self-serving access
  • Network accessibility
  • Resource Pooling
  • Rapid Elasticity
  • Measured Service

Most providers assure minimum levels of availability and agree in advance to repercussions if those levels are not met. They also discuss data preservation and privacy practices, usually promising not to sell or disclose private information.

Cloud services may experience a number of events, which affect overall user experience. Some examples include security breaches, scheduled outages, changes to service agreements, network failures or natural disasters.

Users are often subject to a use policy, guaranteeing third-party software conforms to license terms and timely payment for services rendered.

Deployment Models

Cloud environments are defined based on hardware location and owner. Private clouds are accessible only to a respective customer residing either on-site or be outsourced by a third party.

The same scenarios apply to community clouds as well, where on-site implementations are spread across the user base.

Public clouds are hosted off-site and owned by a third party.



Finally, hybrid clouds consist of multiple cloud models residing both on-site and off the premises.



Environments – IaaS, PaaS, SaaS

Infrastructure-as-a-Service (IaaS) providers give users access to virtual machines, network storage and services such as firewalls. Billing is usually based on hourly usage of CPU cycles, data storage and bandwidth consumption. Other options may be added to this model, including monitoring and scaling services.

Cloud providers retain control over hardware and the hypervisor while users control the application layer.

The Platform-as-a-Service (PaaS) model allows the provider to retain further control of the environment. Users no longer have operating system control, but they can utilize an interface in the middleware layer to access compute power and storage. Application developers are common users of this type of service.


At the highest level, Software-as-a-Service (SaaS) providers usually deliver Web-based services. Users have limited access at the application layer, giving the service provider almost all control of the environment. Examples include Dropbox and SoundHound.

Potential Issues

While cloud services can provide unique benefits to the user, they are susceptible to a number of issues. Some of these challenges are not exclusive to cloud technology.

Performance can be hindered by high latency, loss of network connectivity and unexpected downtime. The technology relies on networks, thus its capabilities can be augmented or diminished depending on bandwidth to the end user. Even if the network is functioning, service providers may experience an outage due to a number of reasons listed earlier. Cloud users may benefit from implementing an alternative course of action if such an outage were to occur.

Another point of concern regards the physical location of data. Providers typically choose where to locate data based on a number of factors. These include local infrastructure, labor costs, energy costs, as well as legal requirements.

NIST pointed to Web browsers as a major security concern. Most cloud providers require users to register or access their services through a Web browser. While the process if fairly common, browsers have become susceptible to a number of security flaws. If a user’s browser has been compromised, data passed between their workstation and a cloud service, could be captured by an outside party.


The authors of the report supplied a number of general recommendations ranging from cloud management to software and applications.

Users were encouraged to identify services that would benefit from cloud migration. Common examples include email, shared documents and virtualized systems. NIST suggested that any mission critical applications and services remain local to the user unless a provider is willing to pay for pre-defined damages.

To avoid “lock-in” the report prompted users to verify data portability prior to adopting a cloud provider. Suggestions were also made to ensure data integrity, including separation of sensitive information.

Security and reliability was another area the report focused on. Users could hold providers accountable by providing necessary benchmarks prior to migration. If these benchmarks are acceptable and a decision is made to adopt a cloud provider, browser security and strong encryption are necessary to reduce vulnerabilities.

The specifics of cloud services typically mystify most users, as providers and infrastructures exist in a number of forms and combinations. The NIST report has made a concentrated effort to deliver more awareness to the range of services, benefits and barriers surrounding the technology as a whole.

Share This