The National Institute of Standards and Technology (NIST) cloud computing standards roadmap (PDF) describes five cloud actors: consumer, provider, auditor, broker, and carrier. Each actor interacts with another actor depending on the role the actor performs in the cloud. Here’s a rundown of each actor category.

Cloud consumer

As a cloud consumer, you request cloud services from a cloud provider, or from a cloud broker who helps you choose among multiple providers. How much control you get from the provider depends on the type of cloud services you request. You can be a:

  • Software as a Service (SaaS) end user, and get only one control.
  • Platform as a Service (PaaS) developer, and get some controls.
  • Infrastructure as a Service (IaaS) infrastructure specialist, and get more controls.

SaaS end user

The only control the SaaS end user has is to access the SaaS applications. You can be a private individual, a business, or a government agency. The cloud provider may allow you to set certain application configurations. Application examples include:

  • Business support: Human resources, training, CRM, financial management, forecasting, email and office productivity, document management, workflow management, contract management, and waste management (municipal).
  • Social network support: Live chat and instant messaging.
  • Data analytics support: Facial sentiments and big data analytics.
  • Healthcare support: Medical records and patient appointment schedules.
  • Maritime support: Ship arrival and departure schedules.
  • Warehousing support: RFID tag management and perishable food freezer control.

You are not allowed to control or manage application development, deployment, operating systems, storage, virtual servers, networks, security, backup, and recovery.

PaaS developer

The PaaS developer rolls up his sleeves to plan, develop, test, and deploy new SaaS and enterprise applications and databases on the platform. You choose what programming languages and integration APIs to use. You perform stress testing to determine how well the application can withstand a sudden upsurge in SaaS end user demand.

You control how applications from a company’s internal data center should be migrated to the cloud. You determine what security tools the provider does not have to run on the platform.

The provider does not let you control virtual machines, storage, operating systems, computer resource provisioning, and network infrastructure.

IaaS infrastructure specialist

The IaaS infrastructure specialist has more controls than the PaaS developer. You control and manage the virtual machines that are used to run the PaaS. You are responsible for controlling operating systems, storage, and the deployed applications at the virtual machine level.

You can scale virtual machines up and down, up to the limit permitted by the provider. You may be allowed to have limited control over host firewalls.

The provider does not let you control and manage the underlying cloud infrastructure of physical servers and networks.

Cloud provider

The controls a cloud provider offers depend on the type of cloud services the provider runs.

  • The SaaS provider oversees operating systems, computer resource provisioning, service orchestration, and security tools. The provider updates the SaaS applications and virtual machines.
  • The PaaS provider is responsible for resource provisioning and operating systems. The provider provides PaaS developers with application deployment tools.
  • The IaaS provider works with the cloud infrastructure of traditional computing, networking, and storage resources underlying the virtual machines. The provider controls the management, backup, and recovery of platform hosting services.

Cloud broker

The cloud broker sits in the middle between the consumer and the provider. The broker helps a cloud consumer remove the complexity of choosing and managing multiple provider services. The types of services the broker provides include:

  • Intermediation to improve access management, identity management, and performance reporting services from SaaS providers.
  • Aggregation to combine and integrate multiple services from multiple SaaS providers into one or more services.
  • Arbitrage to choose services from multiple SaaS or PaaS service providers. Each provider offers a SaaS application or a PaaS platform that the others do not have.

Cloud auditor

A cloud auditor is primarily concerned with whether security controls are implemented correctly and whether cloud services are performing well. The auditor verifies regulation and security policy compliance.

Federal agencies should include in the contract the requirements for auditing the security controls provided by the cloud providers.

One auditing example is the log data showing who has access to what files at what time and whether the users have been properly authenticated.
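The auditing example above, as an added sketch that is not part of the original article or the NIST roadmap: it builds the who/what/when record from an access log and flags entries that lack accepted authentication. The log layout, the sample lines, and the `ACCEPTED_AUTH` policy are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the field layout is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z user=alice file=/hr/payroll.csv action=read auth=mfa
2024-03-01T09:16:40Z user=bob file=/hr/payroll.csv action=read auth=none
2024-03-01T09:20:11Z user=carol file=/finance/q1.xlsx action=write auth=password
2024-03-01T09:21:00Z user=bob file=/finance/q1.xlsx action=read auth=expired
corrupted line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) file=(?P<file>\S+) "
    r"action=(?P<action>\S+) auth=(?P<auth>\S+)$"
)
# Authentication states accepted by the hypothetical policy being audited.
ACCEPTED_AUTH = {"mfa", "password"}

def audit(log_text, accepted=ACCEPTED_AUTH):
    """Return (access_map, findings, unparsed) for an access log."""
    access_map = defaultdict(list)  # file -> [(time, user, action)]
    findings = []                   # accesses without accepted authentication
    unparsed = []                   # line numbers the auditor cannot verify
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(lineno)
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            unparsed.append(lineno)  # timestamp present but not parseable
            continue
        access_map[m["file"]].append((ts, m["user"], m["action"]))
        if m["auth"] not in accepted:
            findings.append((lineno, m["user"], m["file"], m["auth"]))
    return dict(access_map), findings, unparsed

if __name__ == "__main__":
    files, findings, unparsed = audit(SAMPLE_LOG)
    for path, events in files.items():
        print(path, [(t.isoformat(), u, a) for t, u, a in events])
    print("not properly authenticated:", findings)
    print("unparsed lines:", unparsed)
```

Lines that cannot be parsed are reported rather than dropped, since a gap in the log is itself something the auditor has to account for.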

Cloud carrier

A cloud carrier transports cloud services between cloud consumers and cloud providers. The cloud provider is responsible for setting up a Service Level Agreement (SLA) with the carrier on service availability guarantees. If the carrier does not meet the guarantees, it will be faced with penalties.

If you have plans to subscribe to a cloud service provider, your best bet is to communicate directly with the provider; otherwise, consider a cloud broker who can take out the complexity of subscribing to multiple service providers. Make sure an auditor is available to verify that security controls and policies are in place and that a carrier is highly reliable in delivering connectivity between the consumer and the provider.