Evaluation of Cloud Computing Services Based on NIST · PDF fileEvaluation of Cloud Computing Services Based on NIST ... The collection of hardware and software that ... Evaluation

SpecialPublication500-322

Draft-20170427

DRAFT - Evaluation of

Cloud Computing Services Based on NIST 800-145

National Institute of Standards and Technology (NIST)

Eric Simmon Based on work done by the NIST Cloud Computing Services Public Working Group

EvaluationofCloudComputingServicesBasedonNIST800-145

1

This document provides clarification for qualifying a given computing capability as a cloud service bydeterminingifitalignswiththeNISTdefinitionofcloudcomputing;andforcategorizingacloudserviceaccordingtothemostappropriateservicemodel(SaaS,PaaS,orIaaS).

AcknowledgementsNIST thanks the many experts in industry and government who contributed their thoughts to the creation and review of this definition. NIST would like to acknowledgement the members of the NIST Cloud Computing Services Public Working Group listed below who worked many hours providing input for this document. A special thanks to Cary Landis who was the industry chair of the group.

CaryLandis(Chair–NISTCloudComputingServicesPublicWorkingGroup)AliKhalvati(GSA)LalitBajaj(GSA)DonBeaver(GSA)JamesYapleAngelaRoweJamesMooneyJamesFowlerEugeneLusterLarryLamersKeithParker(ASI for GSA) GaryRouse(VMSI for GSA) TravisFergusonChrisFerrisKavyaPearlman


2

Contents1 Introduction.........................................................................................................................................3

2 TheNISTDefinitionofCloudComputing.............................................................................................4

3 AnalysisoftheEssentialCharacteristicsofCloudComputing.............................................................6

3.1 On-demandself-service..............................................................................................................6

3.2 Broadnetworkaccess.................................................................................................................7

3.3 ResourcePooling........................................................................................................................8

3.4 Rapidelasticity............................................................................................................................9

3.5 Measuredservice........................................................................................................................9

4 AnalysisofCloudServiceModels.......................................................................................................10

4.1 SoftwareasaService(SaaS).....................................................................................................11

4.2 PlatformasaService(PaaS)......................................................................................................12

4.3 InfrastructureasaService(IaaS)..............................................................................................13

5 AnalysisofCloudDeploymentModels..............................................................................................14

5.1 PrivateCloudComputingServiceDeployment.........................................................................17

5.2 CommunityCloudComputingServiceDeployment..................................................................18

5.3 PublicCloudComputingServiceDeployment...........................................................................19

5.4 HybridCloudComputingServiceDeployment..........................................................................19

6 Worksheets........................................................................................................................................20

6.1 CloudServiceWorksheet..........................................................................................................20

6.2 CloudServiceModelWorksheet...............................................................................................21

6.3 CloudDeploymentModelWorksheet......................................................................................22

7 ExampleCloudServiceMarketingTerms...........................................................................................22

8 References............................................................................................Error!Bookmarknotdefined.


3

1 Introduction TheFederalCloudComputingStrategy1characterizescloudcomputingasa“profoundeconomicandtechnicalshift(with)greatpotentialtoreducethecostoffederalInformationTechnology(IT)systemswhile…improvingITcapabilitiesandstimulatinginnovationinITsolutions.”Topromotethemissionandeconomicbenefitsofcloudservices,theOfficeofManagementandBudget(OMB)issueda“CloudFirst”policytoencouragetheadoptionofcloudcomputingservicestogainnewefficienciesandsavemoney.ThepolicyrequiresagencyChiefInformationOfficers(CIOs)toimplementacloud-basedservicewheneverthereisasecure,reliable,andcost-effectiveoption.ThepolicytakesadvantageofcostsavingsefficienciesthatweredescribedinseveralcomplementaryandparallelUnitedStatesGovernment(USG)initiatives,suchasthe25PointImplementationPlantoReformFederalInformationTechnologyManagement.

TheNationalInstituteofStandardsandTechnology(NIST),consistentwithitsmission,2hasatechnologyleadershiproleinsupportoftheUSGsecureandeffectiveadoptionoftheCloudComputingmodel3toreducecostsandimproveservices.NISTwaschargedwiththemissionofdevelopingacloudcomputingtechnologyroadmapandtoleadeffortsindevelopingandprioritizingcloudcomputingstandards.TheNISTCloudComputingProgram(NCCP)createdaseriesofpublicworkinggroupsoncloudcomputingtogenerateinputfortheSP500-291NISTCloudComputingStandardsandRoadmap,andSP500-293NISTCloudComputingTechnologyRoadmap,VolumeIandII.Thisdocument,hereafterreferredtoas“theRoadmap,”containstenhigh-levelpriorityrequirementsinsecurity,interoperability,andportabilityfortheUSG’sadoptionofcloudcomputing.

Requirement4oftheRoadmapisfor“Clearlyandconsistentlycategorizedcloudservices.”Thisrequirementisimportanttoensurethatcustomersunderstandthecharacteristicsofdifferenttypesofcloudservicesandareabletoobjectivelyevaluate,compare,andselectcloudservicessuitabletomeettheirbusinessobjectives.

Intheabsenceofclarification,organizationsareatriskofadopting“services”thatdonotprovidecharacteristicsofcloudcomputing.Forexample,somevendorsreportedlydecidetolabeltheircomputingofferingsas“cloudservices,”eveniftheofferingsdonotsupporttheessentialcharacteristicsofacloudserviceintheNISTdefinition.

Furthermore,thefrequentandcommonusageoftheinformal“aaS”suffixinmarketing,asin“EaaS”,“DaaS”,and“STaaS”(oftenreferedtoas“XaaS”or“EverythingasaService”)isconfusing,and(unintentionally)obfuscatingthearchitecturallywell-foundeddistinctionofIaaS,PaaS,andSaaS.These“cloudservicetypes”aregenerallycoinedbyappendingthesuffix“aaS”afteratypeofcomputingcapability.Thismakesitdifficulttodeterminewhethersomethingisacloudserviceandhasunintendedconsequencefororganizationstryingtosatisfytheircloud-firstobjectives.

Todemystifytheambiguitysurroundingcloudservices,theNISTCloudComputingServicesPublicWorkingGroupanalyzedtheNISTcloudcomputingdefinitionanddevelopedguidanceonhowtouseittoevaluatecloudservices.

1OfficeofManagementandBudget,U.S.ChiefInformationOfficer,FederalCloudComputingStrategy,Feb.8,2011.Online:www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf.2ThiseffortisconsistentwiththeNISTrolepertheNationalTechnologyTransferandAdvancementAct(NTTAA)of1995,whichbecamelawinMarch1996.3NISTDefinitionofCloudComputing,SpecialPublication800-145,September2011.


4

ThisdocumentclarifiesthecloudcomputingservicemodelsaspublishedinNISTSpecialPublication(SP)800-145,TheNISTDefinitionofCloudComputing(NISTDefinition,September2011).TheNISTDefinitionwasintendedforthestatedpurposeof“broadcomparisonsofcloudservicesanddeploymentstrategies,andtoprovideabaselinefordiscussionfromwhatiscloudcomputingtohowtobestusecloudcomputing.”4

Theclarificationsupportstheproperplanningforcloudmigration,deployment,andretirementofrelevantlegacysystems.TheGAOrecommendedinJuly2012thatsevenauditedfederalagenciesshouldestablishestimatedcosts,performancegoals,andplanstoretireassociatedlegacysystemsforeachtypeofcloud-basedserviceaswellasthesameforretiringlegacysystems,asapplicable,forplannedadditionalcloud-basedservices5.

Asthisdocumentismeanttoprovideguidanceinunderstandingthecategorization,evaluation,comparison,andselectionofcloudservices,itdoesnotprovideaprescriptivesetofguidelinesfortheselectionprocess.Instead,itusestheprinciplessetforthintheNISTcloudcomputingdefinitionasaframeworkforunderstandingaccustomer’srequirementsinacloudcomputingcontextandthecapabilitiesofferedbycloudserviceproviders(CSP)stoenableeasierdecisionmaking.TheNISTcloudcomputingdefinitionallowsforflexibilityinitsinterpretationandinmanycases,thefinaldecisionreliesonamixtureofobjectiveandsubjectiveperspectives.

Thisdocumentisintendedforusebyanystakeholder,including,butnotlimitedto,buyersofITandcloudservices,ITmanagers,programmanagers,FedRAMPstakeholders,systemsintegrators,resellersofcloudservices,etc.

2 The NIST Definition of Cloud Computing NISTSP800-145waspublishedinthefallof2010.Sincethattime,thecloudcomputingenvironmenthasexperiencedagrowthintechnicalmaturity,yettheNISTDefinitionhasretainedaworldwideacceptance.ThisdocumentprovidesananalysisoftheNISTDefinitionofCloudComputingbasedontoday’sperspectiveandprovidesamethodologyforevaluatingservices,complementingtheNISTdefinition.

NISTSP800-145providesaonesentencedefinitionofcloudcomputingas“amodelforenablingubiquitous,convenient,on-demandnetworkaccesstoasharedpoolofconfigurablecomputingresources(e.g.,networks,servers,storage,applications,andservices)thatcanberapidlyprovisionedandreleasedwithminimalmanagementeffortorserviceproviderinteraction.”Inaddition,theNISTdefinitionintroducesthesupportingconceptsofthreecloudservicemodels,fiveessentialcharacteristics,andfourtypesofclouddeployments.

Intotal,theNISTCloudComputingDefinitioniscomposedof14interrelatedtermsandtheirassociateddefinitions:

Coredefinitionofthecloudcomputingmodel(above)Fiveessentialcharacteristics

o On-demandself-serviceo Broadnetworkaccesso Resourcepoolingo Rapidelasticityo Measuredservice

4http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf5http://www.gao.gov/assets/600/592249.pdf


5

Threeservicemodelso SoftwareasaService(SaaS)o PlatformasaService(PaaS)o InfrastructureasaService(IaaS)

Fourdeploymentmodelso Publico Privateo Communityo Hybrid

Footnoteddefinitionof“cloudinfrastructure.”

SP500-145alsoincludesmultipleclarifyingstatementsthatareintegratedintothetextofthevariousdefinitions.TheNISTDefinitionmakesuseofadditionaltermsthatareclarifiedbelow:

Application:Withinthecontextofcloudcomputing,thetermapplicationmayrefertoeitheracloud-enabledSaaS,webormobileapplication(e.g.Facebook),oranapplicationthatexistsonavirtualmachine(e.g.,Linuxapplication).Itisthereforepreferabletoclarifythattypeofapplicationwhenusingthetermtoavoidconfusion.asaService(aaS):Theterm“asa[cloud]Service”isasuffixdescribingacomputingcapabilitythatsupportsallfiveessentialcharacteristicsofcloudcomputing.Theterm“asaservice(aaS)”impliesthatSaaS,PaaS,andIaaSaredeliveredbywayofsoftware.CloudInfrastructure:Thecollectionofhardwareandsoftwarethatenablesthefiveessentialcharacteristicsofcloudcomputing.Theconsumerofacloudservicedoesnotmanageorcontroltheunderlyingcloudinfrastructure.CloudInfrastructureisrepresentedinSP500-292NISTCloudComputingReferenceArchitecture(CCRA)withinthe‘ResourceAbstractionandControl’layerandHardwarelayer.CloudService:Acomputingcapabilitythatisdeliveredasaservice.EssentialCharacteristics:Thefivecharacteristicsthatmustbeavailableinacomputingcapabilitytobequalifiedasa“cloudservice.”Theyarelistedhereforclarity,butarediscussedingreaterdetailsinSection3.o on-demandself-service(seeclause3.1)o broadnetworkaccess(seeclause3.2)o resourcepooling(seeclause3.3)o rapidelasticity(seeclause3.4)o measuredservice(seeclause3.5)

Multi-tenant:Anarchitectureinwhichasinglecomputingresourceissharedbutlogicallyisolatedtoservemultipleconsumers.ServiceModel:Thehighest-levelcategorizationofcloudservicesasbasedonthetypeofcomputingcapabilitythatisprovided.Anygivencloudservicemaybecategorizedasoneofthreeservicemodels,namelySoftwareasaService(SaaS),PlatformasaService(PaaS),orInfrastructureasaService(IaaS).


6

Thisdocumentusesanadditionalterm“cloudservicetype”todescribeinformaltermsoftencoinedandusedbyindustrybyaddingthesuffix“aaS”afteracomputingcapability,e.g.,EmailasaService(EaaS).cloudservicetypesareanalyzedinSection7ofthisdocument.

3 Analysis of the Essential Characteristics of Cloud Computing ThissectionprovidesadetailedanalysisofthefiveEssentialCharacteristicsofCloudComputingfoundabove.Theapproachwastodecomposeeachcharacteristictodeterminetheprimarycriteriafordeterminingifacomputingcapabilityisofferedasacloudserviceandthedifferentoptionsfordeterminingwhetherthecriteriaismet.

Tounderstandtheessentialcharacteristics,itisimportanttounderstandthemeaningoftheterm“essential.”InthecontextofSP800-145andthisdocument,“essential”meanseachcloudserviceprovider(CSP)musthavethecapabilitytoofferandtoprovideeachessentialcharacteristictothecloudservicecustomer(CSC)foragivenservice.TheCSCmayormaynotelecttoimplementoruseeachessentialcharacteristicinaspecificinstance.Inaddition,theCSCmustmakeasubjectivejudgementtodetermineiftheirrequirementsarefulfilledandtodecideiftheCSP’sofferingcanbeconsideredacloudservicefortheirpurposes.

TheprocessofcategorizingacomputingcapabilityisnotalwaysdefinitivebecausetherequirementsfortheservicemayvarybyCSC.Therefore,thisdocumentallowsflexibilityindeterminingthatacomputingcapabilityqualifiesasacloudservicebyprovidingoptionsforevaluatingeachcapability.

Theoptionsaredescribedas“OptionA”or“OptionB,”where“OptionA”ismoreobjective,while“OptionB”ismoresubjectiveanddependentonthespecificrequirementsoftheCSC.IfaCSCchoosestouseOptionBinsteadofOptionA,theymustevaluatewhether“OptionB”meetstheirrequirements,andtheresultsarenotcomparablebetweenCSCswithdifferentrequirements.

Whetheranentitycanconfirmaspecificcriterionisdependentonthecriterionitself.Somecriteriaareexternallyvisible(suchasavailability)andcanbeconfirmedbytheCSCorotherthirdpartyentity,whileothercriteria(suchasresourcepooling)areinternaltothecloudserviceandmustbeconfirmedbytheCSP.

3.1 On-demand self-service “Aconsumercanunilaterallyprovisioncomputingcapabilities,suchasservertimeandnetworkstorage,asneededautomaticallywithoutrequiringhumaninteractionwitheachserviceprovider.”–NISTDefinitionofCloudComputing

PrimaryCriteria Thecomputingcapabilitycanbeprovisionedwithouthumaninteractionwiththeserviceprovider.

OptionA) Fullyautomatedserviceprovisioning(boththeCSCinterfaceandtheinternalcloudinfrastructure).

Option B) TheCSCusesanautomatedinterfacetorequestandtracktheservice,buttheprovidermayusemanuallabortoprovisiontheserviceinternally.

Entitycapableofconfirming?

TheCSCcanconfirmitiseitherOptionAorOptionBbutcannotdistinguishonefromtheotherbecausetheycanonlyseethe


7

provisioninginterface,notthesystembehindtheinterface.Therefore,theCSPwillconfirmwhetheritisOptionAorOptionB.

AdditionalClarification

• ThetermconsumerandCSCareusedsynonymously.• Examplesof“computingcapabilities”includeservertimeand

networkstorage.

• Theterm“Unilaterally”referstothefactthattheCSCinitiatestheservicewithouthumaninteractionwithahumanontheCSPside.TheCSCorganizationmayhaveaworkflowprocessinvolvinghumanssuchasthoseforoversightandapprovalofexpenditures,andthepurchasecanstillbedescribedasunilateral.

• Thetermautomaticallyreferstoautomatedprovisioning.

• Thequestionaroseastowhetheraticketingsystemsupportstherequirementforautomatedprovisioning.TheCloudServicesWorkingGroupmemberssuggest“yes,”aslongastheprovisioningisfastenoughtosupportCSCrequirementsasdescribedintheService-LevelAgreement(SLA).

Benefits • “Asneeded”accesstocomputingcapabilities.

3.2 Broad network access “Capabilitiesareavailableoverthenetworkandaccessedthroughstandardmechanismsthatpromoteusebyheterogeneousthinorthickclientplatforms(e.g.,mobilephones,tablets,laptops,andworkstations).”–NISTDefinitionofCloudComputing

PrimaryCriteria Thecomputingcapabilityisavailablefromawiderangeoflocationsusingstandardprotocols.

OptionA) AvailableovertheInternet.OptionB) Availableoveranetworkthatisavailablefromall

accesspointstheCSCrequires.

Entitycapableofconfirming

TheCSCorCSPcanconfirmOptionA.

TheCSCwillconfirmOptionB(thisisbasedontheCSC'srequirementsforthecloudservice).


• Examplesofthinorthickclientplatformsaremobilephones,tablets,laptops,andworkstations.

• Thephrase“thinorthick”isnotincludedasprimarycriteriabecauseitincludesallclients.


8

• Theterm“standardmechanisms”impliesthatthecomputingcapabilityisavailableusingstandardprotocolssuchofhttp,REST,TCP/IP,UDP,and/orotherInternetprotocols.

• Theterm“broadnetwork”canapplyequallytopublic,private,orhybridclouds.

Benefits • Anytimeanyplaceaccesstocomputingresourcesfromanymachinewithinpolicyandsecurityconstraints,

3.3 Resource Pooling “Theprovider’scomputingresourcesarepooledtoservemultipleconsumersusingamulti-tenantmodel,withdifferentphysicalandvirtualresourcesdynamicallyassignedandreassignedaccordingtoconsumerdemand.Thereisasenseoflocationindependenceinthatthecustomergenerallyhasnocontrolorknowledgeovertheexactlocationoftheprovidedresourcesbutmaybeabletospecifylocationatahigherlevelofabstraction(e.g.,country,state,ordatacenter).Examplesofresourcesincludestorage,processing,memory,andnetworkbandwidth.”–NISTDefinitionofCloudComputing

PrimaryCriteria ThecomputinginfrastructureissharedamongmorethanoneCSC.OptionA)TwoormoreCSCscansharethecloudservice

resourcesusingamulti-tenantmodel.Entitycapableofconfirming

Thisisdependentontheinternalarchitectureofthecloudservice–thereforetheCSPwillconfirm.


• ThereisasenseoflocationindependenceinthattheCSCgenerallyhasnocontrolorknowledgeovertheexactlocationoftheprovidedresourcesbutmaybeabletospecifylocationatahigherlevelofabstraction(e.g.,country,state,ordatacenter).

• Examplesof“resources”includestorage,processing,memory,andnetworkbandwidth.

• ThetermconsumerandCSCareusedsynonymously.• Theessentialcharacteristicismetifthecapabilitytoserve

multipletenantsexists,regardlessofhowmanytenantsareactuallyserved.

• AccordingtotheNISTSpecialPublication500-293–U.S.GovernmentCloudComputingTechnologyRoadmapVolumeII,theResourceAbstractionandControlLayeroftheCloudComputingReferenceArchitecture“tiestogetherthenumerousunderlyingphysicalresourcesandtheirsoftwareabstractionstoenableresourcepooling.”


9

• Resourcepoolingisaninherentbenefitofanyservicemodel(SaaS,PaaS,orIaaS)thatishostedoncloudinfrastructure.

Benefits • Lowerscostsbysharingresources.

3.4 Rapid elasticity “Capabilitiescanbeelasticallyprovisionedandreleased,insomecasesautomatically,toscalerapidlyoutwardandinwardcommensuratewithdemand.Totheconsumer,thecapabilitiesavailableforprovisioningoftenappeartobeunlimitedandcanbeappropriatedinanyquantityatanytime.”–NISTDefinitionofCloudComputing

PrimaryCriteria Thecomputingcapabilitiescanbe“rapidly”provisionedandreleasedtoscale.

OptionA) Resourceallocationmodificationisautomatedandnear-real-time.

OptionB) Notfullyautomated,butfastenoughtosupporttherequirementsoftheCSC.


TheCSCorCSPcanconfirm.


• TotheCSC,thecapabilitiesavailableforprovisioningoftenappeartobeunlimitedandcanbeappropriatedinanyquantityatanytime.

• Rapidelasticitygenerallyrelatestohorizontalscaling.

Benefits • Abilitytoquicklygrowandshrinkcomputingcapability–andassociatedcosts–dynamicallyaccordingtoneed.

3.5 Measured service “Cloudsystemsautomaticallycontrolandoptimizeresourceusebyleveragingameteringcapability1atsomelevelofabstractionappropriatetothetypeofservice(e.g.,storage,processing,bandwidth,andactiveuseraccounts).Resourceusagecanbemonitored,controlled,andreported,providingtransparencyforboththeproviderandconsumeroftheutilizedservice.”–NISTDefinitionofCloudComputing


10

PrimaryCriteria CloudservicescharacteristicsincludingresourceusagearemeasuredwithenoughdetailtosupporttherequirementsoftheCSC.

OptionA) CloudservicecharacteristicsaremeasuredwithenoughdetailtosupporttherequirementsoftheCSC.


TheCSCorCSPcanconfirm.


• ThetermconsumerandCSCareusedsynonymously.• Typically“metering”isdoneonapay-per-useorcharge-per-

usebasis,thoughmeteringmaybeusedfor“showback,”aswellaschargeback.Forexample,inaprivatecloud,meteringmaybeusedtoshoworganizationalleadershipwhichpartsoftheorganizationareconsumingwhatportionofcloudresources.

• Examplesincludetrackingunitsofservicesconsumedandassociatedcosts,andtrackingresourceusagetotheapplicationlevel.

• Resourceusagecanbemonitored,controlled,andreported,providingtransparencyforboththeCSPandCSCoftheutilizedservice.

4 Analysis of Cloud Service Models InSP800-145,cloudservicesarethecomputingcapabilitiesthatareprovidedbytheCSP(thatsupportstheessentialcharacteristicsofcloudcomputing.TheNISTCloudComputingDefinitionprovidesthreepossiblecloudservicescategories(calledservicemodels):SoftwareasaService(SaaS),PlatformasaService(PaaS),andInfrastructureasaService(IaaS).WithrespecttotheNISTCloudComputingReferenceArchitecture(CCRA),cloudservicesaremadeavailableintheServicelayer,whichispartoftheServiceOrchestrationstack.

TheServiceModelsaredepictedintheCCRAas“Lshaped”horizontalandverticalbars,ratherthanasasimple“three-layercake”stack.Thereasonisthat,althoughcloudservicescanbedependentuponeachotherinthestack,itisalsopossiblefortheservicestobeimplementedindependentlyandinteractdirectlywiththeresourceabstractionandcontrollayer.

SaaS,PaaS,andIaaSarebestdistinguishedbytwofactors:thecomputingcapabilitythatisprovisionedandtheprimaryCSCs(enduser,developer/deployer,orIToperations).Theterm“platform”inthePaaScontextreferstoadevelopmentplatformand/ordeploymentplatformforcloud-enabledapplications.Theterm“platform”isbroadlyusedinthecomputingindustry.ItthereforehelpstounderstandthecontextofthetermwithregardtoPlatformasaService.


11

Thissectionsupportsthecategorizationofagivencloudserviceasasoftware,platform,orinfrastructureservice.ThisguidanceforcategorizingcloudservicessupportsRequirement#4oftheU.S.GovernmentCloudComputingTechnologyRoadmapVolumeI(SP500-293,October2014),whichcallsfor“clearandconsistentlycategorizedcloudservices.”

Theprimarydeterminingfactorsforcategorizingacloudserviceare:

1) Thecomputingcapabilitythatisprovisioned(softwareapplication,platformorinfrastructure);and

2) TheprimaryCSCs(enduser,developer/deployer,orIToperations).

4.1 Software as a Service (SaaS) ThecapabilityprovidedtotheCSCistousetheCSP’sapplicationsrunningonacloudinfrastructure.6Theapplicationsareaccessiblefromvariousclientdevicesthrougheitherathinclientinterface,suchasawebbrowser(e.g.,web-basedemail),oraprograminterface.TheCSCdoesnotmanageorcontroltheunderlyingcloudinfrastructureincludingnetwork,servers,operatingsystems,storage,orevenindividualapplicationcapabilities,withthepossibleexceptionoflimiteduser-specificapplicationconfigurationsettings.

PrimaryCriteria 1) Theservicethatisprovisionedisasoftwareapplication,describedascomputerprogramsdesignedtopermittheusertoperformagroupofcoordinatedfunctions,tasks,oractivities.7

AND

2) TheprimaryCSCsareendusersofsoftwareapplications.8


TheCSCwillconfirm.


• Theterm“applications”intheSaaScontextreferstocloud-enabledapplications(e.g.,webormobile)bynatureofsupportingessentialcharacteristic#2–broadnetworkaccess.ThisdiffersfromVM/desktopapplicationsthatmaybeinstalledonavirtualmachine.

• SaaSapplicationsareaccessiblefromvariousclientdevicesthrougheitherathinclientinterface,suchasawebbrowser(e.g.,web-basedemail),orapplicationprogramminginterface(API).9

• SaaSapplicationsmaybeextensiblebywayofanAPI.• AwebapplicationisnotnecessarilyconsideredSaaS,unlessthe

applicationitselfqualifiesasacloudservice.• TheSaaSprovideristypicallyresponsibleforallaspectsof

makingthesoftwareserviceavailable,includingtheavailabilityofanyPaaSandIaaSdependencies.TheNISTReference

6SeedefinitionofCloudInfrastructureonpage5.7http://www.pcmag.com/encyclopedia/term/37919/application-program8ReferenceArchitecture2.2(CloudConsumer);andUSGCloudComputingTechnologyRoadmap2.2.2.19http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf


12

ArchitectureforCloudComputingclarifiesthattheSaaSproviderisresponsiblefordeploying,configuring,maintaining,andupdatingtheoperationofthesoftwareapplicationsonacloudinfrastructure.Theterm“provider”referstotheentityresponsibleformakingtheserviceavailableandmaythereforebedifferentthantheSaaSapplicationdeveloper.

• ManymodernSaaSapplicationsareextensible.ExtensibilityalonedoesnotdenotethatasoftwareserviceisPaaS.

Commoncategories • Custom(Forexample,customapplicationsbuiltordeployedusingPaaS)

• Offtheshelf(Forexample,cloud-basedemailapplications)

4.2 Platform as a Service (PaaS) ThecapabilityprovidedtotheCSCistodeployontothecloudinfrastructureCSC-createdoracquiredapplicationscreatedusingprogramminglanguages,libraries,services,andtoolssupportedbytheprovider.*3TheCSCdoesnotmanageorcontroltheunderlyingcloudinfrastructureincludingnetwork,servers,operatingsystems,orstorage,buthascontroloverthedeployedapplicationsandpossiblyconfigurationsettingsfortheapplication-hostingenvironment.*3Thiscapabilitydoesnotnecessarilyprecludetheuseofcompatibleprogramminglanguages,libraries,services,andtoolsfromothersources.

PrimaryCriteria 1. Theservicethatisprovisionedisasoftwaredevelopmentand/ordeploymentplatform,describedasthecapabilityto[developand/or]deployapplications10withoutthecomplexitiesofmanagingunderlyinginfrastructureservices.11

AND

2. TheprimaryCSCsareapplicationdeveloperswhodesignandimplementapplicationsoftware,andapplicationdeployerswhopublishapplicationsintothecloud.12


TheCSCwillconfirm.


• Theterm“platform”inthePaaScontextreferstoadevelopmentand/ordeploymentplatformforcloud-enabledapplications.

10http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf11http://www.networkworld.com/article/2163430/cloud-computing/paas-primer--what-is-platform-as-a-service-and-why-does-it-matter-.html12ReferenceArchitecture2.2(CloudConsumer);andUSGCloudComputingTechnologyRoadmap2.2.2.1(CloudConsumer)


13

• Theterm“applications”inthePaaScontextreferstocloud-enabledapplications(e.g.,webormobile)bynatureofsupportingessentialcharacteristic#2–broadnetworkaccess.ThisdiffersfromVM/desktopapplicationsthatmaybeinstalledonavirtualmachine.

• PaaSisdistinguishedfromanextensibleSaaSorwebapplicationbyitsprimaryCSCs:developersanddeployersversusendusers.

• TheapplicationscanbeCSC-createdoracquired.• Theapplicationscanbecreatedusingprogramminglanguages,

libraries,services,andtoolssupportedbytheprovider.Thisdoesnotnecessarilyprecludetheuseofcompatibleprogramminglanguages,libraries,services,andtoolsfromothersources.13

• APaaSprovidermayberesponsibleformakingtheplatformserviceavailable,includinganyIaaSdependencies.Thesetypicaltermsmaybenegotiatedasasharedresponsibilitymodel.

CommonCategories • Applicationdevelopmentplatforms• Applicationdeploymentplatforms• Integrationplatforms

4.3 Infrastructure as a Service (IaaS) ThecapabilityprovidedtotheCSCtoprovisionprocessing,storage,networks,andotherfundamentalcomputingresourceswheretheCSCcandeployandrunarbitrarysoftware,whichcanincludeoperatingsystemsandapplications.TheCSCdoesnotmanageorcontroltheunderlyingcloudinfrastructurebuthascontroloveroperatingsystems,storage,anddeployedapplications,andpossiblylimitedcontrolofselectnetworkingcomponents(e.g.,hostfirewalls).

PrimaryCriteria 1. Theservicethatisprovisionedisinfrastructure.AND2. TheprimaryCSCsareanITOperationsrolecreating,

installing,monitoring,andmanagingservicesandapplicationsdeployedinanIaaScloud.14


TheCSCwillconfirm.


• Theinfrastructureserviceistypicallysoftware-defined.• InfrastructureasaServiceisdistinctlydifferentfromcloud

infrastructure(seedefinition)andalsodifferentfromtheunderlyingphysicalinfrastructure.

13http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf14ReferenceArchitecture2.2(CloudConsumer);andUSGCloudComputingTechnologyRoadmap2.2.2.1(CloudConsumer)


14

• Theterms“software”and“application”intheIaaScontextreferstoVM/desktopsoftwareandapplications,ratherthanreferringtocloud-enabledSaaSorwebapplications.

• Theinfrastructureservicemayoptionallyincludeapre-installedoperatingsystemandothersupportVM/desktopsoftwareandapplications,suchaswebserver.

• Theterm“arbitrarysoftware”inthiscontextmeansthattheCSCcandeployandrunmanytypesofVM/desktopsoftware.

CommonCategories • Computingresources• Networkresources• Storageresources

5 Analysis of Cloud Deployment Models DefinitionoftheCloudDeploymentModels

InSP800-145,clouddeploymentmodelsdescribehowthecloudisoperatedandwhohasaccesstothecloudserviceresources.ThefourdeploymentmodelsaredefinedinSP800-145asfollows:

Privatecloud.ThecloudinfrastructureisprovisionedforexclusiveusebyasingleorganizationcomprisingmultipleCSCs(e.g.,businessunits).Itmaybeowned,managed,andoperatedbytheorganization,athirdparty,orsomecombinationofthem,anditmayexistonoroffpremises.

Communitycloud.ThecloudinfrastructureisprovisionedforexclusiveusebyaspecificcommunityofCSCsfromorganizationsthathavesharedconcerns(e.g.,mission,securityrequirements,policy,andcomplianceconsiderations).Itmaybeowned,managed,andoperatedbyoneormoreoftheorganizationsinthecommunity,athirdparty,orsomecombinationofthem,anditmayexistonoroffpremises.

Publiccloud.Thecloudinfrastructureisprovisionedforopenusebythegeneralpublic.Itmaybeowned,managed,andoperatedbyabusiness,academic,orgovernmentorganization,orsomecombinationofthem.Itexistsonthepremisesofthecloudprovider.

Hybridcloud.Thecloudinfrastructureisacompositionoftwoormoredistinctcloudinfrastructures(private,community,orpublic)thatremainuniqueentities,butareboundtogetherbystandardizedorproprietarytechnologythatenablesdataandapplicationportability(e.g.,cloudburstingforloadbalancingbetweenclouds).

DetailsoftheCloudDeploymentModels

ThefollowingdetaileddiscussionofclouddeploymentmodelsisfromtheNISTCloudComputingStandardsRoadmap.

PrivateCloud-AprivatecloudgivesasingleCSC’sorganizationtheexclusiveaccesstoandusageofthecloudserviceandrelatedinfrastructureandcomputationalresources.ItmaybemanagedeitherbytheCSCorganizationorbyathirdparty,andmaybehostedontheorganization’spremises(i.e.,on-site


15

privateclouds)oroutsourcedtoahostingcompany(i.e.,outsourcedprivateclouds).Figure1andFigure2presentanon-siteprivatecloudandanoutsourcedprivatecloud,respectively.

Figure 1: On-site Private Cloud

Figure 2: Outsourced Private Cloud

CommunityCloud-AcommunitycloudservesagroupofCSCsthathavesharedconcernssuchasmissionobjectives,security,privacyandcompliancepolicy,ratherthanservingasingleorganization(e.g.,aprivatecloud).Similartoprivateclouds,acommunitycloudmaybemanagedbytheorganizationsorbyathirdparty,andmaybeimplementedontheCSC’spremise(i.e.,on-sitecommunitycloud)oroutsourcedtoahostingcompany(i.e.,outsourcedcommunitycloud).Figure3depictsanon-sitecommunitycloudcomprisedofanumberofparticipantorganizations.ACSCcanaccessthelocalcloudresources,andalsotheresourcesofotherparticipatingorganizationsthroughtheconnectionsbetweentheassociatedorganizations.Figure4showsanoutsourcedcommunitycloud,wheretheserversideisoutsourcedtoahostingcompany.Inthiscase,anoutsourcedcommunitycloudbuildsitsinfrastructureoffpremise,andservesasetoforganizationsthatrequestandconsumecloudservices.


16

Figure 3: On-site Community Cloud

Figure 4: Outsourced Community Cloud

PublicCloud-Apubliccloudisoneinwhichthecloudinfrastructureandcomputingresourcesaremadeavailabletothegeneralpublicoverapublicnetwork.Apubliccloudisownedbyanorganization


17

providingcloudservices,andservesadiversepoolofclients.Figure5presentsasimpleviewofapubliccloudanditscustomers.

Figure 5: Public Cloud

Ahybridcloudisacompositionoftwoormoreclouds(on-siteprivate,on-sitecommunity,off-siteprivate,off-sitecommunityorpublic)thatremainasdistinctentitiesbutareboundtogetherbystandardizedorproprietarytechnologythatenablesdataandapplicationportability.Figure6presentsasimpleviewofahybridcloudthatcouldbebuiltwithasetofcloudsinthefivedeploymentmodelvariants.

Figure 6: Hybrid Cloud

5.1 Private Cloud Computing Service Deployment

PrimaryCriteria Onlyoneorganizationcanusethecloudserviceandtheunderlyingresources.


TheCSPmustconfirm.


18


Organizationinprivatecloudcontext–Inaprivatecloudcontext,themodel,definition,andassociatedriskstoanorganizationremainsintact,asthecloudresourcesareprovisionedforexclusiveusebyasingleorganizationcomprisingmultiplebusinessunits.Inaprivatecloudmodel,theorganizationgetsaffectedinthefollowingways:

• Organization’scloudresourcesmaybeowned,managed,and

operatedbyorganization,athirdpartyoracombination.• Privatecloudmaybeonpremisesoroffpremisesandprovides

muchgreatercontroloverdata,underlyingsystems,andapplications.

• Privatecloudmodelprovidesanorganizationgreatercontroloversecurity,assuranceoverdatalocation,andremovalofmultiplejurisdictionlegalandcompliancerequirements.

Commoncategories on-siteprivatecloudoutsourcedprivatecloud

5.2 Community Cloud Service Deployment

PrimaryCriteria AspecificcommunityofCSCsfromorganizationsthathavesharedconcernshaveexclusiveuseofthecloudserviceandtheunderlyingresources.


ThecommunityofcloudCSCsformingthegroupoforganizationsverifiesthescopeofthegroupoforganizations,whiletheCSPmustconfirmthattheserviceandunderlyinginfrastructureareexclusivetothegroup.


Organizationincommunitycloudcontext-Inacommunitycloudcontext,themodel,definition,andassociatedriskstoanorganizationaresharedbyotherorganizations,asthecloudresourcesareprovisionedforexclusiveusebyaspecificcommunityofCSCsfromorganizationsthathavesharedobjectivesandrequirements.Inacommunitycloudmodel,theorganizationgetsaffectedinthefollowingways:• Organization’scloudresourcesmaybeoperatedbyoneor

moreoftheorganizationsinthecommunityorathirdparty.• Communitycloudsgenerallygetthecostbenefitsofapublic

cloudwhileprovidingheightenedprivacy,security,andregulatorycompliance.

Acloudserviceauditorcanconductindependentassessmentofcloudservicestoconfirmthescopeofthegroupandconfirm


19

thattheserviceandunderlyinginfrastructureareexclusivetothegroup.

Commoncategories on-sitecommunitycloud

outsourcedprivatecloud

5.3 Public Cloud Service Deployment

PrimaryCriteria UnrelatedCSCsusethesharedcloudserviceandtheunderlyingresources.


TheCSCwillconfirmaccesstotheprovidedservices.


WhiletheCSPmaylimitaccesstoaservice,theCSChasnocontroloverthesetofusersaccessingtheservice.

Commoncategories

5.4 Hybrid Cloud Service Deployment

Criteria Atleasttwoormoredistinctcloudinfrastructuresareconnectedtogethertofacilitatehosteddataandapplicationportability.


TheCSPwillconfirm.


Commoncategories

Criteria ThecloudserviceinfrastructureforeachsetofCSCsisvirtuallyseparatedfromtheothersetsofCSCs.


TheCSPwillconfirm.


Commoncategories

Criteria ThecloudserviceinfrastructurehardwareissharedbetweenallsetsofCSCs.


TheCSPwillconfirm.


20


Commoncategories

6 Worksheets

6.1 Cloud Service Worksheet

ThefollowingworksheetmaybeusedalongwithSection3todeterminewhetheraserviceisacloudservice.

On-DemandSelf-Service

CanthecomputingcapabilitybeprovisionedwithouthumaninteractionwiththeCSP?

____YES____NO

IfYes,whatlevel?

____OptionA)Fullyautomatedserviceprovisioning

____OptionB)TheCSCusesanautomatedinterfacetorequestandtracktheservice,buttheCSPmayusemanuallabortoprovisioningtheservice.BroadNetworkAccess

Isthecomputingcapabilityavailablefromawiderangeoflocationsusingstandardprotocols?

____OptionA)AvailableovertheInternetusinginternetprotocols

____OptionB)AvailableoveranetworkthatavailablefromallaccesspointstheCSCrequiresResourcePooling

CantwoormoreCSCsuseasinglecloudservicewheretheresourcesaresharedbasedonamulti-tenantmodel?____YES____NO


21

CantheresourcesbeassignedandreassignedaccordingtoCSCdemand?

____YES___NO

RapidElasticity

Canthecomputingcapabilitiesbe“rapidly”provisionedandreleasedtoscale?____YES____NO

____OptionA)Resourceallocationmodificationisautomatedandnear-real-time(withinfiveminutes).____OptionB)Notfullyautomated,butfastenoughtosupporttherequirementsoftheCSC.

MeasuredService

CloudservicescharacteristicsincludingresourceusagearemeasuredwithenoughdetailtosupporttherequirementsoftheCSC.____YES____NO

____OptionB)Cloudservicesand/orresourceusagearemeasuredwithenoughdetailtosupporttherequirementsoftheCSC.

6.2 Cloud Service Model Worksheet

ThefollowingworksheetmaybeusedalongwithSection4todeterminewhetheraserviceisacloudservice.

IsthecloudserviceSaaS,PaaSorIaaS?

SoftwareasaService(SaaS)

• IsthecloudserviceaSoftwareApplication?____YES____NO

• IstheprimaryCSCan“enduser”oftheapplication?____YES____NO

IstheservicePlatformasaService(PaaS)?

• IsthecloudserviceaSoftwareDevelopmentand/orDeploymentPlatform?____YES____NO


22

• IstheprimaryCSCadeveloperordeployer?____YES____NO

IstheserviceInfrastructureasaService?(IaaS)?

• IsthecloudserviceITInfrastructure?____YES____NO

• IstheprimaryCSCsupportinganITOperationsrole?____YES____NO

6.3 Cloud Deployment Model Worksheet ThefollowingworksheetmaybeusedalongwithSection5todeterminewhetheraserviceisacloudservice.

Isthecloudserviceprivate,community,public,orhybrid?

PrivateDeployment

• Isthecloudserviceinfrastructure,includinghardwareresources,usedonlybyasingleCSC?____YES____NO

CommunityDeployment

• IsthecloudserviceinfrastructureincludinghardwareresourcesusedbyaknownsetofCSCs,butnotavailabletoanyCSC?____YES____NO

PublicDeployment

• IsthecloudserviceinfrastructureavailableforusebyanyCSCs?____YES____NO

7 Example Cloud Service Marketing Terms Cloudservicemarketingtermsareinformaltermsoftencoinedandusedbyindustrybyaddingthesuffix“aaS”afteracomputingcapability(e.g.,EmailasaService).Cloudservicemarketingtermsdonotreplacethethreeservicemodels(SaaS,PaaS,andIaaS),whichserveasthehigh-levelcategorizationofcloudservices,butratherservetoinformallyfacilitatecommunicationrelatingtospecializedservices.AtthistimeNISTdoesnottakeapositionondefininganygivencloudservicetypes.Acloudservicetypemayoptionallybeinformallyusedtosubcategorizethecloudservicesmodels;however,theusageisinconsistentdependingonthesourceoftheterm.Thefollowingisalistofexamplesidentifiedfromvarioussources,includingInternetsearches,solicitations,andmarketingcollaterals.Thisisnotacompletelistofallcloudservicemarketingterms,andthelistisnotvalidatedorfilteredinanyway.

AddressVerificationasaServiceAnythingasaService

EncryptionasaService MobilityBackendasaServiceMonitoringasaService


23

APIasaservice(APIaaS)ApplicationDeliveryasaServiceApplicationPlatformasaServiceArchitectureasaServiceAuthenticationasaServiceBackendasaServiceBackupasaServiceBigDataasaServiceBrokerasaServiceBusinessasaServiceBusinessProcessasaServiceCloudLoadBalancersasaServiceCloudSearchasaServiceCollaboration-as-a-ServiceCommerceasaServiceCommunicationasaServiceComputingasaServiceContactCenterasaServiceConversationsasaServiceDataasaserviceDatabaseasaserviceDesktopasaServiceDevelopmentasaServiceDevTestasaServiceDisasterRecoveryasaServiceDrupalasaServiceEmailasaService

EnterpriseResourceManagementasaServiceEthernetasaServiceEverythingasaServiceFirewallasaServiceFrameworkasaServiceGlobalizationasaServiceHadoopasaServiceHardwareasaServiceHighPerformanceComputingasaServiceIdentityasaServiceInfrastructurePaaSInsightasaServiceIntegratedDevelopmentEnvironmentasaServiceIntegrationasaServiceIntegrationPlatformasaServiceIntegrationPlatformasaServiceITasaServiceJavaPlatformasaServiceKnowledgeasaServiceLightasaServiceLogonasaServiceManagementasaServiceMashupsasaServiceMessageQueuingasaServiceMetalasaServiceMobilityasaService

NetworkAccessControlasaServiceNetworkasaServiceOperationsasaServiceOptimizationasaServicePaymentasaServiceQualityasaServiceQueryasaServiceRecoveryasaServiceRemoteBackupasaServiceRiskAssessmentasaServiceRobotasaServiceSecurityasaserviceServiceDeskasaServiceSolutionsasaServiceStorageasaServiceTelepresenceasaServiceTestenvironmentasaServiceTestingasaServiceTransportasaServiceUnifiedCommunicationsasaServiceUserInterfaceasaServiceVideoConferencingasaServiceVideoSurveillanceasaServiceVoiceasaServiceWebsiteasaService

8 Bibliography TheNISTDefinitionofCloudComputing(SP800-145)

NISTCloudComputingStandardsRoadmap(SP500-291)

TheNISTCloudComputingReferenceArchitecture(SP500-292)

USGovernmentCloudComputingTechnologyRoadmapVolumesIandII(SP500-293)

TheNISTCloudComputingSecurityArchitecture(SP500-299)

GAOReport-INFORMATIONTECHNOLOGYREFORMProgressMadebutFutureCloudComputingEffortsShouldbeBetterPlanned-(GAO-12-756)

Documents

Evaluation of Cloud Computing Services Based on NIST · PDF fileEvaluation of Cloud Computing Services Based on NIST ... The collection of hardware and software that ... Evaluation