
        NIST’s Definition of Cloud Computing

        Published December 2, 2021 • By Reciprocity • Blog

        According to recent research, 92 percent of large organizations use more than one cloud. The report also predicts that by the end of 2021, 55 percent of enterprise workloads will rely on a public cloud. Clearly cloud adoption is expanding, and will continue to do so into the future.

        Despite its prevalence, cloud computing can be a confusing concept. To ease that confusion, the National Institute of Standards and Technology (NIST) proposed a definition of cloud computing in its NIST Special Publication 800-145 as:

        “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

        This article unpacks the NIST definition of cloud computing so you can understand the value of cloud computing services and gain the best return on your cloud information technology investment.

        What Is Cloud Computing?

        The term “cloud computing” was first coined in 1996 in an internal document from computer manufacturer Compaq (later acquired by Hewlett-Packard). The concept, however, likely originated in the 1950s when some organizations started using complex systems of massive mainframe computers to process data.

        Today cloud computing refers to “distributed computing.” In this model, IT hardware, software, and processes exist in different physical locations while connecting and communicating with each other via the Internet.

        By remotely hosting platforms, databases, and software, cloud computing supports the on-demand delivery of computing power, storage, networking, database, and applications to users.

        Benefits of Cloud Computing

        Cloud computing allows users to access applications and data remotely, from any location, at any time, and from any online device such as a laptop or mobile phone. Cloud systems also provide an infrastructure for businesses to develop and deploy enterprise software and services. This infrastructure improves agility and time-to-market for software development.

        Cloud systems also offer many other benefits over traditional, “on premises” computing:

        Scalability

        Cloud infrastructure can be easily scaled up or down to meet the organization’s fluctuating business demands.

        Lower Costs

        A “pay-as-you-go” payment model enables organizations to control their IT costs since they pay for only the resources they use. Moreover, they don’t have to purchase or maintain their own equipment, which reduces CAPEX (capital expenditures) and lowers TCO (total cost of ownership).

        Multiple Storage Options

        Enterprises can choose from public, private, or hybrid cloud storage offerings, depending on their requirements and cloud security needs.

        Data Security

        Most public clouds offer advanced security features like granular permissions and access management, authentication, encryption, API keys, and virtual private clouds (VPC) to secure sensitive data. In addition, networked backups minimize the probability of data loss.

        Multiple Control Choices

        With multiple “as-a-service” cloud options like SaaS, IaaS, and PaaS (software, infrastructure, and platform as a service, respectively), organizations can determine their desired level of control in the cloud.

        NIST’s Cloud Computing Definition and Model

        NIST’s cloud model (definition) is composed of:

        • Five essential characteristics
        • Three service models
        • Four deployment models

        NIST’s Five Characteristics of Cloud Computing

        The five essential characteristics of a cloud service create the cloud computing infrastructure. That infrastructure includes a physical layer of hardware resources and an abstraction layer, which consists of the software deployed across the physical layer. The five characteristics are:

        On-Demand Self-Service

        Self-service means that the cloud user can acquire the service on their own without having to go through an IT department, call center, or other middle man.

        To support self-service:

        • The cloud provider must provide an automated interface, such as a web portal or mobile app.
        • The user should be able to request the interface at any time.
        • The user should also be able to cancel the cloud service at any time.

        Broad Network Access

        The cloud service must be broadly available over the communication network, and users should be able to access it from any location and internet-enabled device.

        Resource Pooling

        Multiple customers share the cloud service resources in a multi-tenancy model. This model raises privacy and security concerns, so users must protect their cloud data and assets by taking all necessary security precautions.

        Rapid Elasticity

        Elasticity refers to the flexibility of the cloud service to scale up or down automatically to meet the user’s needs. That allows the user to access the right level and kind of resources, including processing power, memory, network bandwidth, and storage, to accommodate the user’s varying workloads.

        Measured Service

        A measured cloud service provides a metering capability that underpins the provider’s pay-as-you-go pricing model. This model provides users with greater transparency and control over their cloud costs.

        NIST’s Three Cloud Service Models

        NIST identifies three cloud service models:

        Software-as-a-Service or SaaS

        In the SaaS model, the cloud provider manages the underlying software and IT infrastructure. Users access the SaaS offering via a web browser. Local installation is not required, and organizations don’t have to worry about managing data centers, IT operations, or maintenance.

        Some popular examples of SaaS applications include:

        • AWS
        • Salesforce
        • Microsoft Office 365
        • Google applications (G-Suite), including Gmail
        • Dropbox
        • SAP
        • Adobe Creative Cloud

        Platform-as-a-Service or PaaS

        PaaS provides a powerful development platform with programming languages, web-based APIs, and processes that allow software developers to create cloud-based applications. The PaaS provider fully manages the underlying infrastructure. Moreover, the platform automatically configures infrastructure resources across user-created environments.

        Some popular PaaS providers include:

        • AWS Elastic Beanstalk
        • Oracle Cloud Platform (OCP)
        • Google App Engine
        • Microsoft Azure
        • Red Hat OpenShift PaaS
        • IBM Cloud Platform
        • SAP Cloud Platform

        Infrastructure-as-a-Service or IaaS

        Users can rent the cloud IT infrastructure, such as servers, networking, and storage, from an IaaS provider on a pay-as-you-go basis, so the user doesn’t have to incur the cost of on-premises installation or maintenance.

        Examples of popular IaaS providers include:

        • AWS EC2
        • Google Compute Engine
        • Linode
        • DigitalOcean
        • Azure Virtual Machines
        • IBM Cloud Private

        NIST’s Four Cloud Deployment Models

        The final part of the NIST cloud computing definition includes four cloud deployment models, representing four types of cloud environments. Users can choose the model with features and capabilities that are best suited for their needs.

        Private Cloud

        A private cloud is a single-tenant environment provisioned for use by a single organization.

        Security is one of the most significant benefits of a private cloud: the company’s data cannot be accessed by anyone other than its authorized users. That’s why the private cloud is a good choice for organizations whose data or assets are too valuable or sensitive to put on a public cloud and for firms aiming for HIPAA or PCI DSS compliance.

        Some key private cloud providers are:

        • VMware
        • Dell
        • Oracle
        • IBM
        • Microsoft
        • Cisco
        • AWS

        Public Cloud

        In this multi-tenant deployment model, the cloud is owned by the cloud service provider. The underlying resources are shared by multiple customers, who pay for what they use on a pay-as-you-use basis.

        The provider owns and controls the cloud and is responsible for meeting the data security requirements of its different customers. The provider is also responsible for administration, maintenance, troubleshooting, capacity planning, and data backups.

        As of third-quarter 2021, the top three public cloud providers are AWS, Microsoft Azure, and Google Cloud, which occupy 32, 21, and 8 percent of market share, respectively. Other up-and-coming public cloud providers include:

        • Alibaba Cloud
        • IBM
        • DigitalOcean
        • Dell
        • Adobe

        Hybrid Cloud

        In a hybrid cloud, the cloud infrastructure comprises two or more distinct public or private clouds, bound together by technology that supports data and application portability. It provides greater flexibility, portability, and scalability than the other deployment models.

        Examples of hybrid cloud providers include:

        • AWS VPC
        • EMC
        • BMC
        • F5
        • NetApp

        Community Cloud

        A community cloud is used by a community of users from organizations with shared concerns. This multi-tenant platform allows multiple companies or special interest user groups to collaborate securely on projects or research.

        Community clouds are common in government, healthcare, and education, for use cases such as:

        • Customer service
        • Partner relationship management
        • Channel sales
        • Dealer contract renewals
        • Employee engagement
        • Collaboration and business decision-making

        The Benefits of NIST’s Cloud Computing Definition

        NIST’s cloud computing definition allows organizations to compare various cloud services and deployment strategies. A deep understanding of this definition can help organizations better appreciate the benefits of this technology, implement NIST compliance best practices, and guide decision-makers to make optimal cloud investment decisions.

        Maintain Cloud Compliance with ZenGRC

        ZenGRC streamlines evidence and audit management for all of your compliance frameworks. Whether you are implementing NIST guidelines or SOC2 regulations, ZenGRC can help you strengthen your security posture and cloud compliance.

        This integrated and automated platform provides a comprehensive view of control environments and relevant compliance information. Leverage this knowledge to evaluate risks, close gaps, and ensure that your business systems and data are safe.

        ZenGRC provides all the tools modern organizations need to transition from “check-the-box” compliance to compliance-driven cybersecurity. Schedule a demo today.
