Special Publication 500-322
Draft-20170427
DRAFT - Evaluation of Cloud Computing Services Based on NIST 800-145
National Institute of Standards and Technology (NIST)
Eric Simmon
Based on work done by the NIST Cloud Computing Services Public Working Group
Evaluation of Cloud Computing Services Based on NIST 800-145
This document provides clarification for qualifying a given computing capability as a cloud service by determining if it aligns with the NIST definition of cloud computing; and for categorizing a cloud service according to the most appropriate service model (SaaS, PaaS, or IaaS).

Acknowledgements

NIST thanks the many experts in industry and government who contributed their thoughts to the creation and review of this definition. NIST would like to acknowledge the members of the NIST Cloud Computing Services Public Working Group listed below who worked many hours providing input for this document. A special thanks to Cary Landis who was the industry chair of the group.

Cary Landis (Chair – NIST Cloud Computing Services Public Working Group)
Ali Khalvati (GSA)
Lalit Bajaj (GSA)
Don Beaver (GSA)
James Yaple
Angela Rowe
James Mooney
James Fowler
Eugene Luster
Larry Lamers
Keith Parker (ASI for GSA)
Gary Rouse (VMSI for GSA)
Travis Ferguson
Chris Ferris
Kavya Pearlman
Contents

1 Introduction
2 The NIST Definition of Cloud Computing
3 Analysis of the Essential Characteristics of Cloud Computing
    3.1 On-demand self-service
    3.2 Broad network access
    3.3 Resource Pooling
    3.4 Rapid elasticity
    3.5 Measured service
4 Analysis of Cloud Service Models
    4.1 Software as a Service (SaaS)
    4.2 Platform as a Service (PaaS)
    4.3 Infrastructure as a Service (IaaS)
5 Analysis of Cloud Deployment Models
    5.1 Private Cloud Computing Service Deployment
    5.2 Community Cloud Computing Service Deployment
    5.3 Public Cloud Computing Service Deployment
    5.4 Hybrid Cloud Computing Service Deployment
6 Worksheets
    6.1 Cloud Service Worksheet
    6.2 Cloud Service Model Worksheet
    6.3 Cloud Deployment Model Worksheet
7 Example Cloud Service Marketing Terms
8 References
1 Introduction

The Federal Cloud Computing Strategy[1] characterizes cloud computing as a “profound economic and technical shift (with) great potential to reduce the cost of federal Information Technology (IT) systems while … improving IT capabilities and stimulating innovation in IT solutions.” To promote the mission and economic benefits of cloud services, the Office of Management and Budget (OMB) issued a “Cloud First” policy to encourage the adoption of cloud computing services to gain new efficiencies and save money. The policy requires agency Chief Information Officers (CIOs) to implement a cloud-based service whenever there is a secure, reliable, and cost-effective option. The policy takes advantage of cost savings efficiencies that were described in several complementary and parallel United States Government (USG) initiatives, such as the 25 Point Implementation Plan to Reform Federal Information Technology Management.

The National Institute of Standards and Technology (NIST), consistent with its mission,[2] has a technology leadership role in support of the USG secure and effective adoption of the Cloud Computing model[3] to reduce costs and improve services. NIST was charged with the mission of developing a cloud computing technology roadmap and to lead efforts in developing and prioritizing cloud computing standards. The NIST Cloud Computing Program (NCCP) created a series of public working groups on cloud computing to generate input for the SP 500-291 NIST Cloud Computing Standards and Roadmap, and SP 500-293 NIST Cloud Computing Technology Roadmap, Volume I and II. This document, hereafter referred to as “the Roadmap,” contains ten high-level priority requirements in security, interoperability, and portability for the USG’s adoption of cloud computing.

Requirement 4 of the Roadmap is for “Clearly and consistently categorized cloud services.” This requirement is important to ensure that customers understand the characteristics of different types of cloud services and are able to objectively evaluate, compare, and select cloud services suitable to meet their business objectives.

In the absence of clarification, organizations are at risk of adopting “services” that do not provide characteristics of cloud computing. For example, some vendors reportedly decide to label their computing offerings as “cloud services,” even if the offerings do not support the essential characteristics of a cloud service in the NIST definition.

Furthermore, the frequent and common usage of the informal “aaS” suffix in marketing, as in “EaaS”, “DaaS”, and “STaaS” (often referred to as “XaaS” or “Everything as a Service”) is confusing, and (unintentionally) obfuscating the architecturally well-founded distinction of IaaS, PaaS, and SaaS. These “cloud service types” are generally coined by appending the suffix “aaS” after a type of computing capability. This makes it difficult to determine whether something is a cloud service and has unintended consequences for organizations trying to satisfy their cloud-first objectives.

To demystify the ambiguity surrounding cloud services, the NIST Cloud Computing Services Public Working Group analyzed the NIST cloud computing definition and developed guidance on how to use it to evaluate cloud services.

[1] Office of Management and Budget, U.S. Chief Information Officer, Federal Cloud Computing Strategy, Feb. 8, 2011. Online: www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf.
[2] This effort is consistent with the NIST role per the National Technology Transfer and Advancement Act (NTTAA) of 1995, which became law in March 1996.
[3] NIST Definition of Cloud Computing, Special Publication 800-145, September 2011.
This document clarifies the cloud computing service models as published in NIST Special Publication (SP) 800-145, The NIST Definition of Cloud Computing (NIST Definition, September 2011). The NIST Definition was intended for the stated purpose of “broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing.”[4]

The clarification supports the proper planning for cloud migration, deployment, and retirement of relevant legacy systems. The GAO recommended in July 2012 that seven audited federal agencies should establish estimated costs, performance goals, and plans to retire associated legacy systems for each type of cloud-based service as well as the same for retiring legacy systems, as applicable, for planned additional cloud-based services.[5]

As this document is meant to provide guidance in understanding the categorization, evaluation, comparison, and selection of cloud services, it does not provide a prescriptive set of guidelines for the selection process. Instead, it uses the principles set forth in the NIST cloud computing definition as a framework for understanding a customer’s requirements in a cloud computing context and the capabilities offered by cloud service providers (CSPs) to enable easier decision making. The NIST cloud computing definition allows for flexibility in its interpretation and in many cases, the final decision relies on a mixture of objective and subjective perspectives.

This document is intended for use by any stakeholder, including, but not limited to, buyers of IT and cloud services, IT managers, program managers, FedRAMP stakeholders, systems integrators, resellers of cloud services, etc.

[4] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[5] http://www.gao.gov/assets/600/592249.pdf

2 The NIST Definition of Cloud Computing

NIST SP 800-145 was published in the fall of 2010. Since that time, the cloud computing environment has experienced a growth in technical maturity, yet the NIST Definition has retained a worldwide acceptance. This document provides an analysis of the NIST Definition of Cloud Computing based on today’s perspective and provides a methodology for evaluating services, complementing the NIST definition.

NIST SP 800-145 provides a one-sentence definition of cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In addition, the NIST definition introduces the supporting concepts of three cloud service models, five essential characteristics, and four types of cloud deployments.

In total, the NIST Cloud Computing Definition is composed of 14 interrelated terms and their associated definitions:

• Core definition of the cloud computing model (above)
• Five essential characteristics
    o On-demand self-service
    o Broad network access
    o Resource pooling
    o Rapid elasticity
    o Measured service
• Three service models
    o Software as a Service (SaaS)
    o Platform as a Service (PaaS)
    o Infrastructure as a Service (IaaS)
• Four deployment models
    o Public
    o Private
    o Community
    o Hybrid
• Footnoted definition of “cloud infrastructure.”

SP 500-145 also includes multiple clarifying statements that are integrated into the text of the various definitions. The NIST Definition makes use of additional terms that are clarified below:

Application: Within the context of cloud computing, the term application may refer to either a cloud-enabled SaaS, web or mobile application (e.g., Facebook), or an application that exists on a virtual machine (e.g., Linux application). It is therefore preferable to clarify the type of application when using the term to avoid confusion.

as a Service (aaS): The term “as a [cloud] Service” is a suffix describing a computing capability that supports all five essential characteristics of cloud computing. The term “as a service (aaS)” implies that SaaS, PaaS, and IaaS are delivered by way of software.

Cloud Infrastructure: The collection of hardware and software that enables the five essential characteristics of cloud computing. The consumer of a cloud service does not manage or control the underlying cloud infrastructure. Cloud Infrastructure is represented in SP 500-292 NIST Cloud Computing Reference Architecture (CCRA) within the ‘Resource Abstraction and Control’ layer and Hardware layer.

Cloud Service: A computing capability that is delivered as a service.

Essential Characteristics: The five characteristics that must be available in a computing capability to be qualified as a “cloud service.” They are listed here for clarity, but are discussed in greater detail in Section 3.
    o on-demand self-service (see clause 3.1)
    o broad network access (see clause 3.2)
    o resource pooling (see clause 3.3)
    o rapid elasticity (see clause 3.4)
    o measured service (see clause 3.5)

Multi-tenant: An architecture in which a single computing resource is shared but logically isolated to serve multiple consumers.

Service Model: The highest-level categorization of cloud services as based on the type of computing capability that is provided. Any given cloud service may be categorized as one of three service models, namely Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
This document uses an additional term “cloud service type” to describe informal terms often coined and used by industry by adding the suffix “aaS” after a computing capability, e.g., Email as a Service (EaaS). Cloud service types are analyzed in Section 7 of this document.

3 Analysis of the Essential Characteristics of Cloud Computing

This section provides a detailed analysis of the five Essential Characteristics of Cloud Computing found above. The approach was to decompose each characteristic to determine the primary criteria for determining if a computing capability is offered as a cloud service and the different options for determining whether the criteria are met.

To understand the essential characteristics, it is important to understand the meaning of the term “essential.” In the context of SP 800-145 and this document, “essential” means each cloud service provider (CSP) must have the capability to offer and to provide each essential characteristic to the cloud service customer (CSC) for a given service. The CSC may or may not elect to implement or use each essential characteristic in a specific instance. In addition, the CSC must make a subjective judgement to determine if their requirements are fulfilled and to decide if the CSP’s offering can be considered a cloud service for their purposes.

The process of categorizing a computing capability is not always definitive because the requirements for the service may vary by CSC. Therefore, this document allows flexibility in determining that a computing capability qualifies as a cloud service by providing options for evaluating each capability.

The options are described as “Option A” or “Option B,” where “Option A” is more objective, while “Option B” is more subjective and dependent on the specific requirements of the CSC. If a CSC chooses to use Option B instead of Option A, they must evaluate whether “Option B” meets their requirements, and the results are not comparable between CSCs with different requirements.

Whether an entity can confirm a specific criterion is dependent on the criterion itself. Some criteria are externally visible (such as availability) and can be confirmed by the CSC or other third-party entity, while other criteria (such as resource pooling) are internal to the cloud service and must be confirmed by the CSP.
3.1 On-demand self-service

“A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.” – NIST Definition of Cloud Computing

Primary Criteria: The computing capability can be provisioned without human interaction with the service provider.
    Option A) Fully automated service provisioning (both the CSC interface and the internal cloud infrastructure).
    Option B) The CSC uses an automated interface to request and track the service, but the provider may use manual labor to provision the service internally.

Entity capable of confirming? The CSC can confirm it is either Option A or Option B but cannot distinguish one from the other because they can only see the provisioning interface, not the system behind the interface. Therefore, the CSP will confirm whether it is Option A or Option B.

Additional Clarification:
• The term consumer and CSC are used synonymously.
• Examples of “computing capabilities” include server time and network storage.
• The term “Unilaterally” refers to the fact that the CSC initiates the service without human interaction with a human on the CSP side. The CSC organization may have a workflow process involving humans such as those for oversight and approval of expenditures, and the purchase can still be described as unilateral.
• The term automatically refers to automated provisioning.
• The question arose as to whether a ticketing system supports the requirement for automated provisioning. The Cloud Services Working Group members suggest “yes,” as long as the provisioning is fast enough to support CSC requirements as described in the Service-Level Agreement (SLA).

Benefits:
• “As needed” access to computing capabilities.
3.2 Broad network access

“Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).” – NIST Definition of Cloud Computing

Primary Criteria: The computing capability is available from a wide range of locations using standard protocols.
    Option A) Available over the Internet.
    Option B) Available over a network that is available from all access points the CSC requires.

Entity capable of confirming: The CSC or CSP can confirm Option A. The CSC will confirm Option B (this is based on the CSC's requirements for the cloud service).

Additional Clarification:
• Examples of thin or thick client platforms are mobile phones, tablets, laptops, and workstations.
• The phrase “thin or thick” is not included as primary criteria because it includes all clients.
• The term “standard mechanisms” implies that the computing capability is available using standard protocols such as HTTP, REST, TCP/IP, UDP, and/or other Internet protocols.
• The term “broad network” can apply equally to public, private, or hybrid clouds.

Benefits:
• Anytime, anyplace access to computing resources from any machine within policy and security constraints.
3.3 Resource Pooling

“The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.” – NIST Definition of Cloud Computing

Primary Criteria: The computing infrastructure is shared among more than one CSC.
    Option A) Two or more CSCs can share the cloud service resources using a multi-tenant model.

Entity capable of confirming: This is dependent on the internal architecture of the cloud service – therefore the CSP will confirm.

Additional Clarification:
• There is a sense of location independence in that the CSC generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).
• Examples of “resources” include storage, processing, memory, and network bandwidth.
• The term consumer and CSC are used synonymously.
• The essential characteristic is met if the capability to serve multiple tenants exists, regardless of how many tenants are actually served.
• According to the NIST Special Publication 500-293 – U.S. Government Cloud Computing Technology Roadmap Volume II, the Resource Abstraction and Control Layer of the Cloud Computing Reference Architecture “ties together the numerous underlying physical resources and their software abstractions to enable resource pooling.”
• Resource pooling is an inherent benefit of any service model (SaaS, PaaS, or IaaS) that is hosted on cloud infrastructure.

Benefits:
• Lowers costs by sharing resources.
3.4 Rapid elasticity

“Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.” – NIST Definition of Cloud Computing

Primary Criteria: The computing capabilities can be “rapidly” provisioned and released to scale.
    Option A) Resource allocation modification is automated and near-real-time.
    Option B) Not fully automated, but fast enough to support the requirements of the CSC.

Entity capable of confirming: The CSC or CSP can confirm.

Additional Clarification:
• To the CSC, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
• Rapid elasticity generally relates to horizontal scaling.

Benefits:
• Ability to quickly grow and shrink computing capability – and associated costs – dynamically according to need.
3.5 Measured service

“Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.” – NIST Definition of Cloud Computing

Primary Criteria: Cloud services characteristics including resource usage are measured with enough detail to support the requirements of the CSC.
    Option A) Cloud service characteristics are measured with enough detail to support the requirements of the CSC.

Entity capable of confirming: The CSC or CSP can confirm.

Additional Clarification:
• The term consumer and CSC are used synonymously.
• Typically “metering” is done on a pay-per-use or charge-per-use basis, though metering may be used for “showback,” as well as chargeback. For example, in a private cloud, metering may be used to show organizational leadership which parts of the organization are consuming what portion of cloud resources.
• Examples include tracking units of services consumed and associated costs, and tracking resource usage to the application level.
• Resource usage can be monitored, controlled, and reported, providing transparency for both the CSP and CSC of the utilized service.
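
The Section 3 criteria can be applied mechanically once the evidence for a service has been collected. The following is an added example, not part of the NIST draft: it checks that each of the five essential characteristics is met under an option the section defines, that the evidence comes from an entity the section says can confirm it, and it flags the result as not comparable across CSCs when any Option B is relied on. The names `Evidence`, `Result`, `evaluate`, `amend` and the sample service are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Section 3 criteria: the options defined for each essential characteristic and
# the entity the section says confirms each one (CSC = customer, CSP = provider).
# On-demand self-service: the CSC cannot tell A from B, so only the CSP confirms.
CRITERIA = {
    "on-demand self-service": {"A": {"CSP"}, "B": {"CSP"}},
    "broad network access": {"A": {"CSC", "CSP"}, "B": {"CSC"}},
    "resource pooling": {"A": {"CSP"}},
    "rapid elasticity": {"A": {"CSC", "CSP"}, "B": {"CSC", "CSP"}},
    "measured service": {"A": {"CSC", "CSP"}},
}


@dataclass(frozen=True)
class Evidence:
    characteristic: str
    option: Optional[str]  # "A", "B", or None when the primary criterion is not met
    confirmed_by: str      # "CSC" or "CSP"


@dataclass
class Result:
    qualifies: bool    # all five characteristics met and confirmed by a valid entity
    comparable: bool   # False once any Option B is relied on (CSC-specific judgement)
    problems: List[str]


def evaluate(evidence: List[Evidence]) -> Result:
    """Apply the Section 3 criteria to the evidence gathered for one service."""
    by_name = {}
    for item in evidence:
        if item.characteristic not in CRITERIA:
            raise ValueError(f"unknown characteristic: {item.characteristic!r}")
        by_name[item.characteristic] = item

    problems = []
    for name, options in CRITERIA.items():
        item = by_name.get(name)
        if item is None:
            problems.append(f"{name}: no evidence supplied")
        elif item.option is None:
            problems.append(f"{name}: primary criterion not met")
        elif item.option not in options:
            problems.append(f"{name}: Option {item.option} is not defined")
        elif item.confirmed_by not in options[item.option]:
            allowed = " or ".join(sorted(options[item.option]))
            problems.append(
                f"{name}: Option {item.option} must be confirmed by {allowed}")

    qualifies = not problems
    comparable = qualifies and all(e.option == "A" for e in by_name.values())
    return Result(qualifies, comparable, problems)


def amend(evidence, characteristic, **changes):
    """Return a copy of the evidence list with one entry changed."""
    return [replace(e, **changes) if e.characteristic == characteristic else e
            for e in evidence]


# Constructed sample: a VM offering ordered through a ticket portal, where the
# provider states that provisioning behind the portal is manual (Option B).
TICKETED_VM_SERVICE = [
    Evidence("on-demand self-service", "B", "CSP"),
    Evidence("broad network access", "A", "CSC"),
    Evidence("resource pooling", "A", "CSP"),
    Evidence("rapid elasticity", "A", "CSC"),
    Evidence("measured service", "A", "CSC"),
]

if __name__ == "__main__":
    cases = {
        "as submitted": TICKETED_VM_SERVICE,
        "pooling asserted by the CSC only": amend(
            TICKETED_VM_SERVICE, "resource pooling", confirmed_by="CSC"),
    }
    for label, ev in cases.items():
        print(label, evaluate(ev))
```

The sample service qualifies, but because it relies on Option B for on-demand self-service the outcome holds only for the CSC that judged it.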
4 Analysis of Cloud Service Models

In SP 800-145, cloud services are the computing capabilities that are provided by the CSP (that supports the essential characteristics of cloud computing). The NIST Cloud Computing Definition provides three possible cloud services categories (called service models): Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). With respect to the NIST Cloud Computing Reference Architecture (CCRA), cloud services are made available in the Service layer, which is part of the Service Orchestration stack.

The Service Models are depicted in the CCRA as “L shaped” horizontal and vertical bars, rather than as a simple “three-layer cake” stack. The reason is that, although cloud services can be dependent upon each other in the stack, it is also possible for the services to be implemented independently and interact directly with the resource abstraction and control layer.

SaaS, PaaS, and IaaS are best distinguished by two factors: the computing capability that is provisioned and the primary CSCs (end user, developer/deployer, or IT operations). The term “platform” in the PaaS context refers to a development platform and/or deployment platform for cloud-enabled applications. The term “platform” is broadly used in the computing industry. It therefore helps to understand the context of the term with regard to Platform as a Service.
This section supports the categorization of a given cloud service as a software, platform, or infrastructure service. This guidance for categorizing cloud services supports Requirement #4 of the U.S. Government Cloud Computing Technology Roadmap Volume I (SP 500-293, October 2014), which calls for “clear and consistently categorized cloud services.”

The primary determining factors for categorizing a cloud service are:

1) The computing capability that is provisioned (software application, platform or infrastructure); and
2) The primary CSCs (end user, developer/deployer, or IT operations).
4.1 Software as a Service (SaaS)

The capability provided to the CSC is to use the CSP’s applications running on a cloud infrastructure.[6] The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The CSC does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Primary Criteria:
1) The service that is provisioned is a software application, described as computer programs designed to permit the user to perform a group of coordinated functions, tasks, or activities.[7]
AND
2) The primary CSCs are end users of software applications.[8]

Entity capable of confirming: The CSC will confirm.

Additional Clarification:
• The term “applications” in the SaaS context refers to cloud-enabled applications (e.g., web or mobile) by nature of supporting essential characteristic #2 – broad network access. This differs from VM/desktop applications that may be installed on a virtual machine.
• SaaS applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or application programming interface (API).[9]
• SaaS applications may be extensible by way of an API.
• A web application is not necessarily considered SaaS, unless the application itself qualifies as a cloud service.
• The SaaS provider is typically responsible for all aspects of making the software service available, including the availability of any PaaS and IaaS dependencies. The NIST Reference Architecture for Cloud Computing clarifies that the SaaS provider is responsible for deploying, configuring, maintaining, and updating the operation of the software applications on a cloud infrastructure. The term “provider” refers to the entity responsible for making the service available and may therefore be different than the SaaS application developer.
• Many modern SaaS applications are extensible. Extensibility alone does not denote that a software service is PaaS.

Common categories:
• Custom (For example, custom applications built or deployed using PaaS)
• Off the shelf (For example, cloud-based email applications)

[6] See definition of Cloud Infrastructure on page 5.
[7] http://www.pcmag.com/encyclopedia/term/37919/application-program
[8] Reference Architecture 2.2 (Cloud Consumer); and USG Cloud Computing Technology Roadmap 2.2.2.1
[9] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
4.2 Platform as a Service (PaaS)

The capability provided to the CSC is to deploy onto the cloud infrastructure CSC-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.*3 The CSC does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

*3 This capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources.

Primary Criteria:
1. The service that is provisioned is a software development and/or deployment platform, described as the capability to [develop and/or] deploy applications[10] without the complexities of managing underlying infrastructure services.[11]
AND
2. The primary CSCs are application developers who design and implement application software, and application deployers who publish applications into the cloud.[12]

Entity capable of confirming: The CSC will confirm.

Additional Clarification:
• The term “platform” in the PaaS context refers to a development and/or deployment platform for cloud-enabled applications.
• The term “applications” in the PaaS context refers to cloud-enabled applications (e.g., web or mobile) by nature of supporting essential characteristic #2 – broad network access. This differs from VM/desktop applications that may be installed on a virtual machine.
• PaaS is distinguished from an extensible SaaS or web application by its primary CSCs: developers and deployers versus end users.
• The applications can be CSC-created or acquired.
• The applications can be created using programming languages, libraries, services, and tools supported by the provider. This does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources.[13]
• A PaaS provider may be responsible for making the platform service available, including any IaaS dependencies. These typical terms may be negotiated as a shared responsibility model.

Common Categories:
• Application development platforms
• Application deployment platforms
• Integration platforms

[10] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[11] http://www.networkworld.com/article/2163430/cloud-computing/paas-primer--what-is-platform-as-a-service-and-why-does-it-matter-.html
[12] Reference Architecture 2.2 (Cloud Consumer); and USG Cloud Computing Technology Roadmap 2.2.2.1 (Cloud Consumer)
[13] http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
4.3 Infrastructure as a Service (IaaS)

The capability provided to the CSC is to provision processing, storage, networks, and other fundamental computing resources where the CSC can deploy and run arbitrary software, which can include operating systems and applications. The CSC does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Primary Criteria:
1. The service that is provisioned is infrastructure.
AND
2. The primary CSCs are an IT Operations role creating, installing, monitoring, and managing services and applications deployed in an IaaS cloud.[14]

Entity capable of confirming: The CSC will confirm.

Additional Clarification:
• The infrastructure service is typically software-defined.
• Infrastructure as a Service is distinctly different from cloud infrastructure (see definition) and also different from the underlying physical infrastructure.
• The terms “software” and “application” in the IaaS context refer to VM/desktop software and applications, rather than referring to cloud-enabled SaaS or web applications.
• The infrastructure service may optionally include a pre-installed operating system and other support VM/desktop software and applications, such as a web server.
• The term “arbitrary software” in this context means that the CSC can deploy and run many types of VM/desktop software.

Common Categories:
• Computing resources
• Network resources
• Storage resources

[14] Reference Architecture 2.2 (Cloud Consumer); and USG Cloud Computing Technology Roadmap 2.2.2.1 (Cloud Consumer)
5 Analysis of Cloud Deployment Models

Definition of the Cloud Deployment Models

In SP 800-145, cloud deployment models describe how the cloud is operated and who has access to the cloud service resources. The four deployment models are defined in SP 800-145 as follows:

Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple CSCs (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of CSCs from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Details of the Cloud Deployment Models

The following detailed discussion of cloud deployment models is from the NIST Cloud Computing Standards Roadmap.
Private Cloud - A private cloud gives a single CSC’s organization the exclusive access to and usage of the cloud service and related infrastructure and computational resources. It may be managed either by the CSC organization or by a third party, and may be hosted on the organization’s premises (i.e., on-site private clouds) or outsourced to a hosting company (i.e., outsourced private clouds). Figure 1 and Figure 2 present an on-site private cloud and an outsourced private cloud, respectively.

Figure 1: On-site Private Cloud

Figure 2: Outsourced Private Cloud

Community Cloud - A community cloud serves a group of CSCs that have shared concerns such as mission objectives, security, privacy and compliance policy, rather than serving a single organization (e.g., a private cloud). Similar to private clouds, a community cloud may be managed by the organizations or by a third party, and may be implemented on the CSC’s premise (i.e., on-site community cloud) or outsourced to a hosting company (i.e., outsourced community cloud). Figure 3 depicts an on-site community cloud comprised of a number of participant organizations. A CSC can access the local cloud resources, and also the resources of other participating organizations through the connections between the associated organizations. Figure 4 shows an outsourced community cloud, where the server side is outsourced to a hosting company. In this case, an outsourced community cloud builds its infrastructure off premise, and serves a set of organizations that request and consume cloud services.
Figure 3: On-site Community Cloud
Figure 4: Outsourced Community Cloud
Public Cloud - A public cloud is one in which the cloud infrastructure and computing resources are made available to the general public over a public network. A public cloud is owned by an organization providing cloud services, and serves a diverse pool of clients. Figure 5 presents a simple view of a public cloud and its customers.
Figure 5: Public Cloud
A hybrid cloud is a composition of two or more clouds (on-site private, on-site community, off-site private, off-site community or public) that remain as distinct entities but are bound together by standardized or proprietary technology that enables data and application portability. Figure 6 presents a simple view of a hybrid cloud that could be built with a set of clouds in the five deployment model variants.
Figure 6: Hybrid Cloud
5.1 Private Cloud Computing Service Deployment
Primary Criteria: Only one organization can use the cloud service and the underlying resources.
Entity capable of confirming: The CSP must confirm.
Additional Clarification: Organization in private cloud context – In a private cloud context, the model, definition, and associated risks to an organization remain intact, as the cloud resources are provisioned for exclusive use by a single organization comprising multiple business units. In a private cloud model, the organization is affected in the following ways:
• Organization’s cloud resources may be owned, managed, and operated by organization, a third party or a combination.
• Private cloud may be on premises or off premises and provides much greater control over data, underlying systems, and applications.
• Private cloud model provides an organization greater control over security, assurance over data location, and removal of multiple jurisdiction legal and compliance requirements.
Common categories: on-site private cloud, outsourced private cloud
5.2 Community Cloud Service Deployment
Primary Criteria: A specific community of CSCs from organizations that have shared concerns have exclusive use of the cloud service and the underlying resources.
Entity capable of confirming: The community of cloud CSCs forming the group of organizations verifies the scope of the group of organizations, while the CSP must confirm that the service and underlying infrastructure are exclusive to the group.
Additional Clarification: Organization in community cloud context - In a community cloud context, the model, definition, and associated risks to an organization are shared by other organizations, as the cloud resources are provisioned for exclusive use by a specific community of CSCs from organizations that have shared objectives and requirements. In a community cloud model, the organization is affected in the following ways:
• Organization’s cloud resources may be operated by one or more of the organizations in the community or a third party.
• Community clouds generally get the cost benefits of a public cloud while providing heightened privacy, security, and regulatory compliance.
A cloud service auditor can conduct independent assessment of cloud services to confirm the scope of the group and confirm that the service and underlying infrastructure are exclusive to the group.
Common categories: on-site community cloud, outsourced private cloud
5.3 Public Cloud Service Deployment
Primary Criteria: Unrelated CSCs use the shared cloud service and the underlying resources.
Entity capable of confirming: The CSC will confirm access to the provided services.
Additional Clarification: While the CSP may limit access to a service, the CSC has no control over the set of users accessing the service.
Common categories:
5.4 Hybrid Cloud Service Deployment
Criteria: At least two or more distinct cloud infrastructures are connected together to facilitate hosted data and application portability.
Entity capable of confirming: The CSP will confirm.
Additional Clarification:
Common categories:
Criteria: The cloud service infrastructure for each set of CSCs is virtually separated from the other sets of CSCs.
Entity capable of confirming: The CSP will confirm.
Additional Clarification:
Common categories:
Criteria: The cloud service infrastructure hardware is shared between all sets of CSCs.
Entity capable of confirming: The CSP will confirm.
Additional Clarification:
Common categories:
6 Worksheets
6.1 Cloud Service Worksheet
The following worksheet may be used along with Section 3 to determine whether a service is a cloud service.
On-Demand Self-Service
Can the computing capability be provisioned without human interaction with the CSP?
____ YES ____ NO
If Yes, what level?
____ Option A) Fully automated service provisioning
____ Option B) The CSC uses an automated interface to request and track the service, but the CSP may use manual labor to provision the service.
Broad Network Access
Is the computing capability available from a wide range of locations using standard protocols?
____ Option A) Available over the Internet using internet protocols
____ Option B) Available over a network that is available from all access points the CSC requires
Resource Pooling
Can two or more CSCs use a single cloud service where the resources are shared based on a multi-tenant model?
____ YES ____ NO
Can the resources be assigned and reassigned according to CSC demand?
____ YES ____ NO
Rapid Elasticity
Can the computing capabilities be “rapidly” provisioned and released to scale?
____ YES ____ NO
____ Option A) Resource allocation modification is automated and near-real-time (within five minutes).
____ Option B) Not fully automated, but fast enough to support the requirements of the CSC.
Measured Service
Cloud services characteristics including resource usage are measured with enough detail to support the requirements of the CSC.
____ YES ____ NO
____ Option B) Cloud services and/or resource usage are measured with enough detail to support the requirements of the CSC.
6.2 Cloud Service Model Worksheet
The following worksheet may be used along with Section 4 to determine whether a service is a cloud service.
Is the cloud service SaaS, PaaS or IaaS?
Software as a Service (SaaS)
• Is the cloud service a Software Application? ____ YES ____ NO
• Is the primary CSC an “end user” of the application? ____ YES ____ NO
Is the service Platform as a Service (PaaS)?
• Is the cloud service a Software Development and/or Deployment Platform? ____ YES ____ NO
• Is the primary CSC a developer or deployer? ____ YES ____ NO
Is the service Infrastructure as a Service (IaaS)?
• Is the cloud service IT Infrastructure? ____ YES ____ NO
• Is the primary CSC supporting an IT Operations role? ____ YES ____ NO
6.3 Cloud Deployment Model Worksheet
The following worksheet may be used along with Section 5 to determine whether a service is a cloud service.
Is the cloud service private, community, public, or hybrid?
Private Deployment
• Is the cloud service infrastructure, including hardware resources, used only by a single CSC? ____ YES ____ NO
Community Deployment
• Is the cloud service infrastructure including hardware resources used by a known set of CSCs, but not available to any CSC? ____ YES ____ NO
Public Deployment
• Is the cloud service infrastructure available for use by any CSCs? ____ YES ____ NO
7 Example Cloud Service Marketing Terms
Cloud service marketing terms are informal terms often coined and used by industry by adding the suffix “aaS” after a computing capability (e.g., Email as a Service). Cloud service marketing terms do not replace the three service models (SaaS, PaaS, and IaaS), which serve as the high-level categorization of cloud services, but rather serve to informally facilitate communication relating to specialized services. At this time NIST does not take a position on defining any given cloud service types. A cloud service type may optionally be informally used to subcategorize the cloud services models; however, the usage is inconsistent depending on the source of the term. The following is a list of examples identified from various sources, including Internet searches, solicitations, and marketing collaterals. This is not a complete list of all cloud service marketing terms, and the list is not validated or filtered in any way.
Address Verification as a Service
Anything as a Service
API as a service (APIaaS)
Application Delivery as a Service
Application Platform as a Service
Architecture as a Service
Authentication as a Service
Backend as a Service
Backup as a Service
Big Data as a Service
Broker as a Service
Business as a Service
Business Process as a Service
Cloud Load Balancers as a Service
Cloud Search as a Service
Collaboration-as-a-Service
Commerce as a Service
Communication as a Service
Computing as a Service
Contact Center as a Service
Conversations as a Service
Data as a service
Database as a service
Desktop as a Service
Development as a Service
DevTest as a Service
Disaster Recovery as a Service
Drupal as a Service
Email as a Service
Encryption as a Service
Enterprise Resource Management as a Service
Ethernet as a Service
Everything as a Service
Firewall as a Service
Framework as a Service
Globalization as a Service
Hadoop as a Service
Hardware as a Service
High Performance Computing as a Service
Identity as a Service
Infrastructure PaaS
Insight as a Service
Integrated Development Environment as a Service
Integration as a Service
Integration Platform as a Service
Integration Platform as a Service
IT as a Service
Java Platform as a Service
Knowledge as a Service
Light as a Service
Logon as a Service
Management as a Service
Mashups as a Service
Message Queuing as a Service
Metal as a Service
Mobility as a Service
Mobility Backend as a Service
Monitoring as a Service
Network Access Control as a Service
Network as a Service
Operations as a Service
Optimization as a Service
Payment as a Service
Quality as a Service
Query as a Service
Recovery as a Service
Remote Backup as a Service
Risk Assessment as a Service
Robot as a Service
Security as a service
Service Desk as a Service
Solutions as a Service
Storage as a Service
Telepresence as a Service
Test environment as a Service
Testing as a Service
Transport as a Service
Unified Communications as a Service
User Interface as a Service
Video Conferencing as a Service
Video Surveillance as a Service
Voice as a Service
Website as a Service
8 Bibliography
The NIST Definition of Cloud Computing (SP 800-145)
NIST Cloud Computing Standards Roadmap (SP 500-291)
The NIST Cloud Computing Reference Architecture (SP 500-292)
US Government Cloud Computing Technology Roadmap Volumes I and II (SP 500-293)
The NIST Cloud Computing Security Architecture (SP 500-299)
GAO Report - INFORMATION TECHNOLOGY REFORM Progress Made but Future Cloud Computing Efforts Should be Better Planned - (GAO-12-756)