Cloud computing is everywhere these days, which means that the security risks inherent to cloud computing are everywhere too — and corporations need to manage those risks somehow. 

One beacon of guidance is NIST, the National Institute of Standards and Technology. NIST offers numerous frameworks to help organizations manage technology risks, cloud computing included.  

For example, NIST Special Publication 800-145 (originally published in 2010) lays the groundwork for cloud computing, defining it as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” This definition captures the essence of cloud computing, NIST 800-145 identifies the technology’s five essential characteristics, three service models, and four deployment models.

This article unpacks the NIST definition of cloud computing to understand the value of cloud computing services and gain the best return on your cloud information technology investment.

What Is Cloud Computing?

The term “cloud computing” was coined in 1996 in an internal document from computer manufacturer Compaq (today a part of Hewlett-Packard). The concept, however, likely originated in the 1950s when some organizations started using complex systems of massive mainframe computers to process data.

Today cloud computing refers to “distributed” computing. In this model, IT hardware, software, and processes exist in different physical locations, and connect and communicate with each other via the Internet.

By hosting platforms, databases, and software remotely, cloud computing supports the on-demand delivery of computing power, storage, networking, databases, and applications to users.

Benefits of Cloud Computing

Cloud computing allows users to access applications and data from any location at any time and from any Internet-connected device, such as a laptop or mobile phone. Cloud systems also provide infrastructure for businesses to develop and deploy enterprise software and services. This infrastructure improves agility and time-to-market for software development.

Cloud systems also offer many other benefits over traditional, “on-premises” computing.


Cloud infrastructure can easily be scaled up or down to meet the organization’s fluctuating business demands.

Lower Costs

A pay-as-you-go payment model allows organizations to control their IT costs by paying only for the resources they use. Even better, they don’t have to purchase or maintain their equipment, which reduces capital expenditures (CAPEX) and lowers the total cost of ownership (TCO).

Multiple Storage Options

Enterprises can choose from public, private, or hybrid cloud storage offerings depending on their requirements and cloud security needs.

Data Security

Most “public” clouds (that is, those maintained by a cloud-services provider such as Amazon Web Services or Microsoft Azure) offer advanced security features including granular permissions and access management, authentication, encryption, API keys, and virtual private clouds (VPC) to secure sensitive data. In addition, networked backups minimize the probability of data loss.

Multiple Control Choices

Organizations can determine their desired level of cloud control with multiple “as-a-service” cloud options, including SaaS, IaaS, and PaaS (software, infrastructure, and platform as a service).

What Is the NIST’s Cloud Computing Definition and Model?

NIST’s cloud model (definition) is composed of:

  • Five essential characteristics
  • Three service models
  • Four deployment models

NIST’s Five Characteristics of Cloud Computing

The five essential characteristics of a cloud service create the cloud computing infrastructure. It includes a physical layer of hardware resources and an abstraction layer, which consists of the software deployed across the physical layer. These attributes are:

1. On-Demand Self-Service

Self-service means the cloud user can acquire the service independently, without going through an IT department, call center, or other middleman. To support self-service:

  • The cloud provider must have an automated interface such as a web portal or mobile app.
  • The user should be able to access the interface at any time.
  • The user should also be able to cancel the cloud service anytime.

2. Broad Network Access

The cloud service must be broadly available over the communication network. Users should be able to access it from any location and on an internet-enabled device.

3. Resource Pooling

Multiple customers share the cloud service resources in a multi-tenancy model. This model does raise privacy and security concerns, so users must protect their cloud data and assets by taking necessary security precautions.

4. Rapid Elasticity

Elasticity refers to the flexibility of the cloud service to scale up or down automatically to meet the user’s needs. That allows the user to access the right level and kind of resources, including processing power, memory, network bandwidth, and storage, to accommodate the user’s varying workloads.

5. Measured Service

A measured cloud service provides a metering capability that underpins the provider’s pay-as-you-go pricing model. This model provides users with greater transparency and control over their cloud costs.

What Is the NIST’s Cloud Computing Architecture Model?

NIST Special Publication 500-292 defines five distinct and significant roles within a cloud computing model:

  1. Cloud consumer
  2. Cloud provider
  3. Cloud auditor
  4. Cloud broker
  5. Cloud carrier

Discussing each of these roles in detail is beyond the scope of this article. We can, however, briefly list the cloud providers and deployment models to understand NIST’s perspective on the cloud computing architecture model. 

Cloud Providers in the NIST Cloud Computing Reference Architecture

NIST identifies three distinct cloud service provider categories:

1. Software-as-a-Service (SaaS)

In the SaaS model, the cloud provider manages the underlying software and IT infrastructure. Users access the SaaS offering via a web browser. Local installation is not required, and organizations don’t have to worry about managing data centers, IT operations, or maintenance.

Some famous examples of SaaS applications include:

  • Amazon Web Services (AWS)
  • Salesforce
  • Microsoft Office 365
  • Google applications (G-Suite), including Gmail
  • Dropbox
  • SAP
  • Adobe Creative Cloud

2. Platform-as-a-Service (PaaS)

PaaS provides a powerful development platform with programming languages, web-based APIs, and processes that allow software developers to create cloud-based applications. The PaaS provider fully manages the underlying infrastructure and automatically configures infrastructure resources across user-created environments.

Some popular PaaS providers include:

  • AWS Elastic Beanstalk
  • Oracle Cloud Platform (OCP)
  • Google App Engine
  • Microsoft Azure
  • Red Hat OpenShift PaaS

3. Infrastructure-as-a-Service (IaaS)

Users can rent the cloud IT infrastructure, such as servers, networking, and storage, from an IaaS provider on a pay-as-you-go basis, so the user doesn’t incur the cost of on-premises installation or maintenance.

Examples of popular IaaS providers include:

  • AWS EC2
  • Google Compute Engine
  • DigitalOcean
  • Microsoft Azure 

NIST Models for Deployment

The NIST cloud computing definition includes four cloud deployment models representing four types of cloud environments. Users can choose the model with features and capabilities best suited to their needs.

1. Private Cloud

A private cloud is a single-tenant environment provisioned by a single organization.

Security is one of the most significant benefits of a private cloud; the company’s data cannot be accessed by anyone other than its authorized users. That’s why the private cloud is a good choice for organizations whose data or assets are too valuable or sensitive to put on a public cloud and for firms aiming for HIPAA or PCI DSS compliance.

Some private cloud providers are:

  • VMWare
  • Dell
  • Oracle
  • IBM
  • Microsoft
  • Cisco
  • AWS

2. Public Cloud

In this multi-tenant deployment model, the cloud service provider owns the cloud. The underlying resources are shared by multiple customers who pay for the resources they use on a pay-as-you-use basis.

The provider owns, controls, and protects the data security requirements of different customers. It is also responsible for administration, maintenance, troubleshooting, capacity planning, and data backups.

As of the fourth quarter of 2023, the top three public cloud providers are AWS, Microsoft Azure, and Google Cloud, which own 31, 24, and 11 percent of the market share, respectively. Other up-and-coming public cloud providers include:

  • Alibaba Cloud
  • IBM
  • DigitalOcean
  • Dell
  • Adobe

3. Hybrid Cloud

In a hybrid cloud, the infrastructure comprises two or more distinct public or private clouds bound together by technology-supporting data and application portability. This deployment model provides greater flexibility, portability, and scalability than the others.

Examples of hybrid cloud providers include:

  • EMC
  • BMC
  • F5
  • NetApp

4. Community Cloud

Users from organizations with shared concerns use a community cloud. This multi-tenant platform allows multiple companies or special interest user groups to collaborate securely on projects or research.

Community clouds are expected in government, healthcare, and education for use cases such as:

  • Customer service
  • Partner relationship management
  • Channel sales
  • Dealer contract renewals
  • Employee engagement
  • Collaboration and business decision-making

NIST Models for Orchestration

The NIST cloud computing definition provides a view on orchestration as a key architectural component to describe how different cloud providers interact at each layer of the cloud infrastructure, namely:

Service Layer 

Determines the services made available depending on the Cloud Provider type (SaaS, PaaS, or IaaS)

Resources Layer 

Abstract the data and the allocation of resources among the different cloud providers.

Physical Layer 

Define the interaction between actual endpoints and devices across these providers.

NIST Models for Management

NIST defines management as another critical architectural component and describes it in three different categories:

  1. Interoperability: defines the management, security, and accessibility of information across different formats
  2. Provisioning: defines the adherence of service-level agreements between different cloud service models
  3. Support: defines accountability and reporting of capacity and availability across the different cloud service models

The Importance of NIST Cloud Security Standards

NIST’s comprehensive definition of cloud computing allows organizations to evaluate and compare various cloud services and deployment models more effectively. By understanding this definition, businesses can better appreciate the transformative benefits of cloud technology, implement robust security controls and compliance best practices outlined by NIST, and be empowered to make well-informed investments in cloud resources.

Adhering to NIST’s cloud security guidelines is crucial for organizations operating in regulated industries, such as federal agencies, where information security and risk management are paramount. 

Conducting thorough risk assessments and implementing strong access control measures can fortify an organization’s information systems against potential vulnerabilities and assure compliance with regulations such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA).

NIST’s guidance extends beyond mere compliance. It enables organizations to establish comprehensive incident response protocols and foster a culture of continuous improvement by adopting frameworks including the NIST Cybersecurity Framework (CSF). 

By embracing NIST’s best practices, businesses can unlock the full potential of secure and cost-effective cloud computing solutions while maintaining a steadfast commitment to data protection and operational resilience.

Frequently Asked Questions (FAQs)

What Are the Core NIST Functions?

The NIST Cybersecurity Framework outlines five core functions: identify, protect, detect, respond, and recover. These functions provide a strategic view of an organization’s cybersecurity practices and enable effective risk management.

What Does the Cloud Security Framework Cover?

NIST’s cloud security framework offers comprehensive guidance on various aspects of cloud computing security, including risk assessment, access control, data protection, incident response, and continuous monitoring.

How Do NIST Guidelines Affect Cloud Computing Security?

NIST guidelines serve as valuable references for organizations adopting cloud computing solutions. By following NIST’s best practices, businesses can support robust security controls, regulatory compliance, and effective risk management in their cloud environments.

What Are the Main Components of NIST’s Cloud Security Model?

The NIST cloud security model has several key components: security controls, risk assessment methodologies, incident response plans, and continuous monitoring processes. Together, these components provide a holistic approach to cloud security.

How Can Organizations Implement NIST Cloud Security Standards?

Organizations can implement NIST cloud security standards by conducting thorough risk assessments, establishing strong access control measures, implementing incident response protocols, and adopting frameworks such as the NIST Cybersecurity Framework (CSF). Regular security audits and employee training are also crucial for effective implementation.

Maintain Cloud Compliance with ZenGRC

ZenGRC streamlines evidence and audit management for all of your compliance frameworks. Whether you are implementing NIST guidelines or SOC2 regulations, we can help you strengthen your security posture and cloud compliance.

The integrated, automated ZenGRC platform provides a comprehensive view of control environments and relevant compliance information. Leverage this knowledge to evaluate risks, close gaps, and assure your business systems and data are safe.

ZenGRC provides modern organizations the tools to transition from “check-the-box” compliance to compliance-driven cybersecurity. Schedule a demo today.