According to a recent survey of 750 corporations using cloud computing, 87 percent of them use more than one cloud. The report also states that 96 percent rely on a public cloud, either as part of a hybrid approach or as the only source.

Despite that prevalence, however, cloud computing can be a confusing concept. To ease that confusion, the National Institute of Standards and Technology (NIST) offered a definition of cloud computing in its NIST Special Publication 800-145:

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model comprises five essential characteristics, three service, and four deployment models.

This article unpacks the NIST definition of cloud computing so that you can understand the value of cloud computing services, and gain the best return on your cloud information technology investment.

What Is Cloud Computing?

The term “cloud computing” was coined in 1996 in an internal document from computer manufacturer Compaq (later acquired by Hewlett-Packard). The concept, however, likely originated in the 1950s when some organizations started using complex systems of massive mainframe computers to process data.

Today cloud computing refers to “distributed” computing. In this model, IT hardware, software, and processes exist in different physical locations while connecting and communicating with each other via the Internet.

By remotely hosting platforms, databases, and software, cloud computing supports the on-demand delivery of computing power, storage, networking, database, and applications to users.

Benefits of Cloud Computing

Cloud computing allows users to access applications and data remotely, from any location at any time and from any online device, such as a laptop or mobile phone. Cloud systems also provide infrastructure for businesses to develop and deploy enterprise software and services. This infrastructure improves agility and time-to-market for software development.

Cloud systems also offer many other benefits over traditional, “on-premises” computing:


Cloud infrastructure can easily be scaled up or down to meet the organization’s fluctuating business demands.

Lower Costs

A “pay-as-you-go” payment model allows organizations to control their IT costs since they only pay for the resources they use. Moreover, they don’t have to purchase or maintain their equipment, which reduces capital expenditures (CAPEX) and lowers total cost of ownership (TCO).

Multiple Storage Options

Enterprises can choose from public, private, or hybrid cloud storage offerings, depending on their requirements and cloud security needs.

Data Security

Most public clouds offer advanced security features such as granular permissions and access management, authentication, encryption, API keys, and virtual private clouds (VPC) to secure sensitive data. In addition, networked backups minimize the probability of data loss.

Multiple Control Choices

With multiple “as-a-service” cloud options including SaaS, IaaS, and PaaS (software, infrastructure, and platform as a service, respectively), organizations can determine their desired level of control in the cloud.

What Is the NIST’s Cloud Computing Definition and Model?

NIST’s cloud model (definition) is composed of:

  • Five essential characteristics
  • Three service models
  • Four deployment models

NIST’s Five Characteristics of Cloud Computing

The five essential characteristics of a cloud service create the cloud computing infrastructure. It includes a physical layer of hardware resources and an abstraction layer which consists of the software deployed across the physical layer. These attributes are:

1. On-Demand Self-Service

Self-service means that the cloud user can acquire the service independently: without going through an IT department, call center, or other middle man. To support self-service:

  • The cloud provider must have an automated interface, such as a web portal or mobile app.
  • The user should be able to access the interface at any time.
  • The user should also be able to cancel the cloud service at any time.

2. Broad Network Access

The cloud service must be broadly available over the communication network. Users should be able to access it from any location and internet-enabled device.

3. Resource Pooling

Multiple customers share the cloud service resources in a multi-tenancy model. This model raises privacy and security concerns, so users must protect their cloud data and assets by taking necessary security precautions.

4. Rapid Elasticity

Elasticity refers to the flexibility of the cloud service to scale up or down automatically to meet the user’s needs. That allows the user to access the right level and kind of resources, including processing power, memory, network bandwidth, and storage, to accommodate the user’s varying workloads.

5. Measured Service

A measured cloud service provides a metering capability that underpins the provider’s pay-as-you-go pricing model. This model provides users with greater transparency and control over their cloud costs.

What Is the NIST’s Cloud Computing Architecture Model?

The initial portion of the NIST SP 500-292 defines five major roles within a cloud computing architecture model:

  1. Cloud Consumer
  2. Cloud Provider
  3. Cloud Auditor
  4. Cloud Broker
  5. Cloud Carrier

We would need dedicated topics to discuss each of these roles in detail, so let’s briefly list the cloud providers and the different deployment models to understand NIST’s point of view on the cloud computing architecture model. 

Cloud Providers in the NIST Cloud Computing Reference Architecture

NIST identifies three distinct cloud service provider categories:

1. Software-as-a-Service (SaaS)

In the SaaS model, the cloud provider manages the underlying software and IT infrastructure. Users access the SaaS offering via a web browser. Local installation is not required, and organizations don’t have to worry about managing data centers, IT operations, or maintenance.

Some popular examples of SaaS applications include:

  • Amazon Web Services (AWS)
  • Salesforce
  • Microsoft Office 365
  • Google applications (G-Suite), including Gmail
  • Dropbox
  • SAP
  • Adobe Creative Cloud

2. Platform-as-a-Service (PaaS)

PaaS provides a powerful development platform with programming languages, web-based APIs, and processes that allow software developers to create cloud-based applications. The PaaS provider fully manages the underlying infrastructure. Moreover, the platform automatically configures infrastructure resources across user-created environments.

Some popular PaaS providers include:

  • AWS Elastic Beanstalk
  • Oracle Cloud Platform (OCP)
  • Google App Engine
  • Microsoft Azure
  • Red Hat OpenShift PaaS

3. Infrastructure-as-a-Service (IaaS)

Users can rent the cloud IT infrastructure, such as servers, networking, and storage, from an IaaS provider on a pay-as-you-go basis, so the user doesn’t incur the cost of on-premises installation or maintenance.

Examples of popular IaaS providers include:

  • AWS EC2
  • Google Compute Engine
  • DigitalOcean
  • Microsoft Azure 

NIST Models for Deployment

The NIST cloud computing definition includes four cloud deployment models representing four types of cloud environments. Users can choose the model with features and capabilities best suited to their needs.

1. Private Cloud

A private cloud is a single-tenant environment provisioned by a single organization.

Security is one of the most significant benefits of a private cloud; the company’s data cannot be accessed by anyone other than its authorized users. That’s why the private cloud is a good choice for organizations whose data or assets are too valuable or sensitive to put on a public cloud and for firms aiming for HIPAA or PCI DSS compliance.

Some private cloud providers are:

  • VMWare
  • Dell
  • Oracle
  • IBM
  • Microsoft
  • Cisco
  • AWS

2. Public Cloud

In this multi-tenant deployment model, the cloud is owned by the cloud service provider. The underlying resources are shared by multiple customers who pay for the resources they use on a pay-as-you-use basis.

The provider owns, controls, and protects the data security requirements among different customers. The provider is also responsible for administration, maintenance, troubleshooting, capacity planning, and data backups.

As of fourth-quarter 2022, the top three public cloud providers are AWS, Microsoft Azure, and Google Cloud, which own 32, 23, and 10 percent of the market share, respectively. Other up-and-coming public cloud providers include:

  • Alibaba Cloud
  • IBM
  • DigitalOcean
  • Dell
  • Adobe

3. Hybrid Cloud

In a hybrid cloud, the cloud infrastructure is composed of two or more distinct public or private clouds, bound together by technology supporting data and application portability. It provides greater flexibility, portability, and scalability than the other deployment models.

Examples of hybrid cloud providers include:

  • EMC
  • BMC
  • F5
  • NetApp

4. Community Cloud

A community cloud is used by a community of users from organizations with shared concerns. This multi-tenant platform allows multiple companies or special interest user groups to collaborate securely on projects or research.

Community clouds are common in government, healthcare, and education for use cases such as:

  • Customer service
  • Partner relationship management
  • Channel sales
  • Dealer contract renewals
  • Employee engagement
  • Collaboration and business decision-making

NIST Models for Orchestration

The NIST cloud computing definition provides a view on orchestration as a key architectural component to describe how different cloud providers interact at each layer of the cloud infrastructure, namely:

Service Layer 

Determines the services made available depending on the Cloud Provider type (SaaS, PaaS, or IaaS)

Resources Layer 

Abstract the data and the allocation of resources among the different cloud providers

Physical Layer 

Define the interaction between actual endpoints and devices across these providers

NIST Models for Management

NIST defines management as another key architectural component and describes it in three different categories:

  1. Interoperability. Defines the management, security, and accessibility of information across different formats
  2. Provisioning. Defines the adherence of service-level agreements between different cloud service models
  3. Support. Defines accountability and reporting of capacity and availability across the different cloud service models

Benefits of NIST’s Cloud Computing Definition

NIST’s cloud computing definition allows organizations to compare various cloud services and deployment strategies. A deep understanding of this definition can help organizations better appreciate the benefits of this technology, implement NIST compliance best practices, and guide decision-makers to make optimal cloud investment decisions.

Maintain Cloud Compliance with RiskOptics

RiskOptics streamlines evidence and audit management for all of your compliance frameworks. Whether you are implementing NIST guidelines or SOC2 regulations, RiskOptics can help you strengthen your security posture and cloud compliance.

The integrated, automated ZenGRC platform provides a comprehensive view of control environments and relevant compliance information. Leverage this knowledge to evaluate risks, close gaps, and ensure your business systems and data are safe.

RiskOptics provides all the tools modern organizations need to transition from “check-the-box” compliance to compliance-driven cybersecurity. Schedule a demo today.