Mike Daconta


Why NIST's cloud definition is fatally flawed

I recently sat through a briefing on cloud security in which the presenter incorrectly defined platform as a service and then asserted that “PaaS is going away.” 

Given that PaaS incarnations such as Hadoop are the mainstay of big data, that would imply that big data is going away — and that is patently wrong. 

Furthermore, the laypeople in the audience failed to grasp the slide on NIST’s “3-4-5” definition framework of cloud computing, which uses three service models, four deployment models and five characteristics. The framework was too complex and failed to provide the simple, unified concept of cloud computing that this audience desperately needed.

NIST had failed an audience that had heard so much about cloud computing, only to remain lost in a flawed and tangled definition. Over the next few weeks, that continued to grate on me until I realized the root cause of the problem: NIST’s definition of cloud computing is incomplete, distorted and short-sighted. 

Here’s how:

NIST’s definition of cloud computing is incomplete in two significant ways: first, by excluding the notion of big data and second, by limiting itself to three out of an almost infinite number of possible “things as a service.”

In relation to big data, GCN’s recent cover story “Taming Big Data” and a recent InformationWeek article on “Hadoopla!” reported on the big data revolution and its explosive growth in both vendor implementations and customer adoption. 

Rapid elasticity?

Big data is a critical cloud business driver that must be part of any serious definition. Although some may feel the characteristic of “rapid elasticity” broadly covers data volume, it is one-dimensional and omits the equally key aspects of variety and velocity.

In relation to everything as a service, a recent Network World article titled “(fill-in-the-blank)-as-a-service” demonstrates how vendors have absurdly twisted the “as-a-service” moniker into anything they already do. This fails to differentiate and thereby define what the cloud actually is.

The NIST definition is distorted because it implies that the three service models — software as a service, platform as a service, and infrastructure as a service — are layered, which is not necessarily true. It also implies the models are of equal importance and scope, which is significantly false. 

In isolation from PaaS, SaaS is simply a rebranding of Web apps via an Application Service Provider. Instead, the focus must and should be on developing cloud apps that use cloud services. This is the Apple iCloud model.

And IaaS is just server virtualization. This is great for data-center efficiency but offers none of the key cloud benefits, including scalability, metering and big data. Virtualizing what you currently do, while it might be good business, does not deliver any meaningful cloud capabilities.

New type of OS

A cloud is not about virtualizing a single operating system. It is about a new type of OS that can span any number of machines. That is the magic of the cloud. Google rewrote a file system to allow its index of Web pages to span across any number of cheap Linux-based machines and thus spawned the notion of the cloud. That concept of a multi-machine approach must be the heart of any true definition of cloud computing.

The NIST definition is short-sighted because it merely describes the current state of IT affairs through some empirical observations and fails to account for how the cloud is evolving. PaaS is in extreme flux; SaaS is irrelevant (in cloud terms) without PaaS; and IaaS is actually unrelated to true, multi-machine cloud capabilities.

What are the ramifications of all of this? NIST has been forced between a rock and a hard place by the “Cloud First” policy to take a stand on a set of technologies that is still emerging. In the end, that will cause the government to spend double or triple what it should by rushing into unfinished technology. 

Consider a recent InformationWeek article that proclaimed “Cloud computing is still in its adolescence.” Add to that the fact that Apple’s iCloud is a major new entry in this space with its own ideas on the cloud. So, let me again caution government IT managers: Until you know how to define the cloud, don’t migrate to it.

Michael C. Daconta is vice president of advanced technology at InCadence Strategic Solutions and the former Metadata Program Manager for the Homeland Security Department. He is currently working on the second edition of his book, “Information as Product: How to Deliver the Right Information to the Right Person at the Right Time.”


About the Author

Michael C. Daconta is the Vice President of Advanced Technology at InCadence Strategic Solutions and the former Metadata Program Manager for the Homeland Security Department. His new book is entitled, The Great Cloud Migration: Your Roadmap to Cloud Computing, Big Data and Linked Data.

