NIST plan for cloud encourages innovation

An assessment of existing technical standards that could be used in cloud computing and a reference architecture for government use in the cloud have been published by the National Institute of Standards and Technology.

“There is a fast-changing landscape of relevant standardization under way in a number of standards developing organizations,” the Cloud Computing Roadmap working group said. Special Publication 500-291, the "Cloud Computing Standards Roadmap," identifies existing applicable standards as well as gaps where new standards are needed.

SP 500-292, "Cloud Computing Reference Architecture" establishes a vendor- and technology-neutral architecture that encourages innovation. It lays out the central elements of cloud computing for federal CIOs, procurement officials and IT program managers.


Related coverage:

NIST looks to define the pros and cons of cloud models


NIST has been mandated to create the standards framework necessary to enable government’s quick and secure adoption of cloud computing, which NIST has defined as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The two new documents, along with others under way, will be included in the broader U.S. Government Cloud Computing Technology Roadmap, expected to be published in November.

One of the first challenges in creating the framework is to determine which standards are needed. The road map’s working group “has surveyed the existing standards landscape for security, portability, and interoperability standards relevant to cloud computing,” the working group wrote. “Using this available information, current standards, standards gaps, and standardization priorities are identified in this document.”

Although only a few cloud-specific standards have been approved so far, many standards designed to support Web services and other Internet services already are available and can be applied to functions and requirements for cloud computing. Some are being developed specifically for cloud computing. The working group is creating an inventory of relevant standards.

Gaps where new standards are needed include:

  • Software-as-a-service functional interfaces.
  • Software-as-a-service self-service management interfaces.
  • Platform-as-a-service functional interfaces.
  • Business support, provisioning and configuration.
  • Security and privacy.

Areas identified as priorities for the federal government include security auditing and compliance, identity and access management, software-as-a-service application-specific data and metadata, and resource description and discovery.

The reference architecture provides an overview of the actors in the cloud computing process and their roles, as well as the architectural components and managing and providing cloud services. The five major actors in cloud computing are:

  • Cloud consumer — An individual or organization that acquires and uses cloud products and services.
  • Cloud provider — The purveyor of products and services.
  • Cloud broker  — Entity that acts as the intermediary between consumer and provider and will help consumers through the complexity of cloud service offerings and may also create value-added cloud services as well.
  • Cloud auditor — Conducts the independent performance and security monitoring of cloud services.
  • Cloud carrier — The organization that has the responsibility for transferring the data, akin to the power distributor for the electric grid.

“As a major architectural component of the cloud, security and privacy concerns need to be addressed, and there needs to be a level of confidence and trust in order to create an atmosphere of acceptance in the cloud’s ability to provide a trustworthy and reliable system,” the Reference Architecture Working Group wrote. “Security responsibilities and security consideration for different cloud service models and deployment models are also discussed.”

 

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Sep 19, 2011

Are Cloud Auditors going to ask the same silly questions that they ask about our in house services? Like why don't you run McAfee Anti-Virus on your z/OS mainframe?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above