Cloud

How cloudy is your cloud? The NIST offers a cloud standard

John Joyner warns fellow IT pros that either you eat the cloud or the cloud eats you! A new NIST cloud definition may help you evaluate and compare the cloud solutions that are likely to figure in to your IT future.

Undoubtedly the most used marketing phrases in the last year have involved cloud computing as a valuable feature of various software and services for sale. Some see this trend as "evolutionary" for IT, a natural next-step following the widespread adoption of virtualization and the profusion of high-speed bandwidth. Others view cloud computing as another word for host-based computing, in effect, a return full-circle to the fifty-year old model of input/output (I/O) devices connected to a shared mainframe. But this time, we have a wide variety of useful, even fun I/O devices like smartphones and tablets, and the connection to the shared cloud is wireless and fast!

Both schools of thought (evolution and full-circle) are true, as well as recognizing that the paradigms shifting (because of cloud computing) are natural and unstoppable phenomena -- to be embraced or be sacrificed to. Start eating cloud or be eaten by it! This message in many forms is finding its way to all corners of the IT ecosystem. IT careers that don't involve the cloud are expected to have shorter lifetimes, much as the demand for on-site electric generator operators declined when central electrical utility service became available to manufacturing plants in the mid-19th century.

Whether you are framing an IT career, or more likely, contemplating building your own cloud(s), or comparing the cloud offering of one vendor to the competition, it's imperative that your decisions are based on reason and research. We don't want to invest based on fear, uncertainty, or the latest marketing pitch we heard on how well a particular vendor's cloud solution matches their definition of ‘the cloud'. What would help is a definition-based standard, to which you can compare a particular cloud-based opportunity or offering.

There is an independent scientific authority that has published a draft definition of cloud computing: the National Institute of Standards and Technology (NIST). By comparing the characteristics of a solution under evaluation to the vendor-neutral NIST cloud computing model, you can validate both (1) that the solution meets the minimum standards of architecture and workflow to be called a cloud solution and (2) just how "cloudy" the solution really is!

Taking the fog out of the cloud

The essence of the NIST cloud definition can be condensed to one sentence:

Private, Public or Hybrid clouds -- featuring On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, and Measured Service -- deploy Infrastructure, Platform, or Software services.

If you apply this simple proof test against any particular system, you can more confidently assess its cloud-worthiness. Solutions that have all the essential characteristics, and are deployed with the appropriate cloud and service delivery models, will have the highest chance of success in the marketplace and in your business.

The NIST cloud definition shown in Figure A recognizes several types of cloud deployment models such as public and private clouds. This is the simplest part of the definition and logically refers to who owns and operates the components of the cloud, such as the datacenter. Note that a private cloud can be on-premise or off-site, and be managed by either your IT staff or outsourced to a service provider -- what makes it a private cloud is that it exists to serve only one organization.

Figure A

Clouds have five (5) essential characteristics, regardless of deployment or service model.

Essential characteristics of cloud service models

Regardless of the type of cloud deployment model used, a cloud solution needs to deliver value based on one of three recognized service models: Infrastructure, Platform, or Software as a Service (IaaS, PaaS, or SaaS). These models make clear the demarcation line of responsibility for various components between the cloud provider and the user. The user has the most involvement in the IaaS model, and the least in the SaaS model.

  • In the SaaS model, the user just consumes software, just as running a web-mail client. Anyone using Google's Gmail or Microsoft's Hotmail can understand SaaS.
  • In the IaaS model, the user needs to assemble and maintain the cloud-hosted infrastructure components such as virtual machines, storage pools, and firewalls, sometimes called the cloud fabric. Amazon Web Service (AWS) and Rackspace are leading providers of this model today.
  • The intermediate model, PaaS, lets users deploy their application on a cloud provider platform without managing the infrastructure. Microsoft's Windows Azure is an attractive PaaS platform for someone looking for a globally accessible, highly-available delivery infrastructure to run their application on.

Once you are clear on the cloud deployment and service models employed by a given solution, the acid test is whether the cloud exhibits all the essential characteristics defined by the NIST:

  • On-Demand Self Service: Users provision capabilities as needed and/or automatically, without human interaction by a service provider.
  • Broad Network Access: Standard network/Internet access mechanisms promote location-independent use by diverse platforms such as smartphones.
  • Resource Pooling: The service provider hosts compute, network, and storage resources in a model that supports multi-tenancy, with dynamic assignment and reassignment of resources according to demand.
  • Rapid Elasticity: Rapid scale out and scale back of resources; from the user's point of view, there are unlimited resources that are paid for based on the quantities actually consumed.
  • Measured Service: Resources are optimized and controlled with a metering capability, with transparent reports on consumption shared with the user.

Using the NIST cloud definition

As I mentioned in the beginning of the article, there are known to be many different visions of what cloud computing is or can become. Often these visions are influenced by individuals and organizations that have a lot of investment in a particular component of the cloud ecosystem, such as virtualization or networking. Someone trying to sell a cloud solution should be able to confidently and simply describe the deployment and service model for it, as well as match up the solution's features to the essential characteristics of the NIST cloud definition.

You might consider avoiding proposed cloud solutions with murky or unclear deployment or service models, as well as those missing one or more essential characteristics. Cloud solutions that pass the definition test can be evaluated fairly on their price-performance value. Figure A lists in the lower section "Common Characteristics" (not part of the NIST essential definition) additional qualities that can help you prioritize what cloud features are important to your organization.

About

John Joyner, MCSE, CMSP, MVP Cloud and Datacenter Management, is senior architect at ClearPointe, a cloud provider of systems management services. He is co-author of the "System Center Operations Manager: Unleashed" book series from Sams Publishing, ...

12 comments
pgit
pgit

It always seems to me the trendy technology just happens to have risk factors that could have a negative impact privacy and security. HIPAA, this new "consumer protection bureau," (of minions sent hither to eat out our substance) now all this 'cloud' stuff going boldly at warp 9 into the nebula... Even when it is obviously a bad deal, if it augments the ability of theft, it ends up where the industry goes. Push the agenda out a few decades and we have a pure communist worker's paradise, one airline, one TV manufacturer, one automaker etc... all competition done in because everyone had access to everyone else's trade secrets, designs and strategies.

Horizon_In_Flux
Horizon_In_Flux

I understand companies wanting to reduce costs, commitment to hardware, and staff. Are internet and external network connections that reliable? What of major cyber attacks and the possibility of government internet shutdowns? How about when that apatite for huge bandwidth is built up the ISP's lower the boom on pricing not to mention the government looking for the ever increasing need to add a tax? (Is it hard to imagine a bandwidth tax on business ? (You know you favorite legislator is dreaming of it. It has been brought up for consumers enough.) I see the cloud as a brilliant solution for portable devices and small companies but I am concerned for the larger companies and even government agencies making the jump too early. Surly visualization in house is the best solution and cloud just for temporary measures. I am still new to much of this, but I have not seen these questions addressed and answered with real conviction.

Sensor Guy
Sensor Guy

The cloud is still a very fluid, new environment. One area with very little research is to map business solution characteristics against the multitude of permutations of cloud implementations. We don't really have a handle on good standards and practices for inter-cloud relationships yet as well. Why doesn't the NIST focus on that and let commercial entities deal with in what types of clouds should the standards be implemented? We don't even know yet how to define resilience, much less measure it and then applying criminal and commercial contractual law against it. In the SaaS model, we have some major decisions not even covered in the NIST work that I would expect standards that they could come out with. Where does the data reside, why it resides where it does, new cloud data encryption standards for data on the move and static data, process encryption and business analytics privacy, as well as content protection. While this a noble gesture from NIST, I am a fan of their standards services, not their architecture development work relabeled as standards . They are definitely no different than any other consulting organization when it comes to architecture discussions. They can and should be viewed as not independent, maybe even viewed with some trepidation among those who espouse high standards of privacy.

count_zero_interuptus
count_zero_interuptus

NIST needs to gather an even larger committee of government employees to grow this model out to encompass the entire IT world.

Wunderbarb
Wunderbarb

I often use this set of NIST definitions of the cloud document as a reference document. For those who are concerned by security (and security is a serious issue with the cloud) I would recommend to read another NIST document "Guidelines on Security and Privacy in Public Cloud Computing" It is excellent although only focused on public cloud (many advises can be extrapolated to private or hybrid cloud). Funnily, I commented about it yesterday at http://wunderbarb.byethost7.com/blog/?p=436 The reference of the document is W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011 available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.

iloveict
iloveict

I think NIST definition should be considered as a work in progress. This "cloud" technology is metarmorphosizing everyday. And there are yet many areas that we see it's application. Additionally, there are other organizations that have published "justifiably" definitions, such as ENISA. I would rather look at NIST view as one-among-many, and selectively pick other definitions that fit with specific area of application. I think we will see a rapid revision of this definition as the technology evolves. However, NIST's definition outlines key factors.

HAL 9000
HAL 9000

[i]and the connection to the shared cloud is wireless and fast![/i] That's a big maybe and it's quite true now [b]Maybe[/b] but as more and more people embrace WiFi Technology the service has to get slower. There is Limited Bandwidth available for these things and no matter what happens it can not be exceeded so when more people start relying on WiFi to access the net things will have to get slower. You can not beat the [b]Laws of Physics[/b] no matter how inconvenient they are. ;) Col

pgit
pgit

I trust NIST as far as I can chuck an I-beam laterally out of a collapsing World Trade Center building...

Michael Kassner
Michael Kassner

Forgive me, this is off-topic. I am a huge fan of NIST and their work. And I would consider them a scientific authority, but not independent..

hawngoombas1
hawngoombas1

I agree that the NIST espouses a reasonable model, but as stated severl times in thes ereplies, the cloud is still being defined. The only things folks somewhat agree on is the private versus public titles and the three types of service deliveries, IaaS, PaaS, and SaaS. A model is always a good place to begin, just as the OSI is a model, the nuances associated with how each layer of that model is defined may be the correct way to define what the difference between PaaS and IaaS is. I think the point that may be taken from this article is that a standards organization is trying to establish a model to build from, not that it is the all inclusive place to start, just a possible way to begin thinking about the differences and the service model associated with Cloud Computing. Who knows maybe this will be the begining of defining a real set of standards for the Cloud, if that in fact is what IT professionals are looking for.

Sensor Guy
Sensor Guy

Your comment is right on. Where the standard should be used becomes a bias factor for NIST. They should focus on the standard yet let others decide as to where the standard should be used. I suspect that NIST is searching for funding sources and they see cloud consulting as a potential market, using their standards position for leverage. I hope that's not the case. They are very good and respectable in setting standards and standards fixed based services (like time, etc.), but should stay out of the consulting business.

michael_carr
michael_carr

Article refers to NIST as independent. Poster disagrees. How in the world is it off topic? Author brought it up?

Editor's Picks