In September 2011, the National Institute of Standards and Technology (NIST) created Special Publication (SP) 500-292, “NIST Cloud Computing Reference Architecture,” to establish a baseline cloud computing architecture. NIST SP 500-292 defines services and relationships between cloud service providers, consumers, and other stakeholders. When preparing to implement or revisit your cloud computing architecture, you’ll want to review the specifics of NIST SP 500-292.
What is the NIST Cloud Computing Reference Architecture?
The NIST SP 500-292 breaks down into several sections that define and explain all elements of cloud computing. These form a taxonomy with four distinct levels, each representing a more nuanced, niche set of terms. The first two levels define the most essential terms:
- The Level 1 terms – A set of Roles that collectively comprise the cloud Reference Model
- The Level 2 terms – A set of Activities that define the model’s Architectural Components
By understanding these terms and the relationships between them, any company can begin to optimize its cloud computing security architecture in response to ever-evolving cloud threats.
The NIST’s Cloud Computing Architecture Model
The first portion of NIST SP 500-292 defines the relationships between all stakeholders involved in cloud computing. There are five major roles detailed within NIST SP 500-292:
- Cloud Consumer
- Cloud Provider
- Cloud Auditor
- Cloud Broker
- Cloud Carrier
As a disclaimer, these roles may be less stable today than they were in 2011, as providers and consumers alike have changed drastically in nature and scale. Still, the definitions are useful as templates for understanding the basis of stakeholders’ differing roles and responsibilities.
Cloud Consumers in the NIST Cloud Computing Reference Architecture
NIST designates Cloud Consumers as the principal stakeholders for cloud computing services. The category includes three Cloud Consumer distinctions according to the services used:
- Software as a service (SaaS) consumers who rely on cloud computing for general office or productivity services (e.g., HR and accounting tasks)
- Platform as a service (PaaS) consumers who rely on cloud computing for their business intelligence needs (e.g., database management and application integration)
- Information technology as a service (ITaaS) consumers who rely on cloud computing for IT needs (e.g., storage, backups, content delivery, and other general computing tasks)
Cloud Providers in the NIST Cloud Computing Reference Architecture
Cloud providers are the parties most closely associated with cloud consumers. They are responsible for making cloud services available. Cloud providers’ offerings correspond to the types of consumers, along with the “Activities” or “Components.”
SaaS cloud providers generally deploy or manage the configuration of given software on cloud infrastructure. PaaS cloud providers generally manage the cloud infrastructure while also developing tools for optimizing workflows. ITaaS cloud providers generally facilitate distribution, maintenance, and monitoring of cloud infrastructure.
Cloud Auditors in the NIST Cloud Computing Reference Architecture
NIST defines cloud auditors as parties who can execute independent audits or assessments on a company’s cloud infrastructure. Audits are typically done to determine whether the infrastructure meets cybersecurity or compliance benchmarks. Critically, auditing services must either be delivered separately from any cloud services when they come from the same vendor, or be delivered by another third party.
However, in the contemporary cloud environment, a provider may integrate a secure and logically separate auditing functionality into a suite of services. As a result, consumers might seek out providers who integrate this functionality for efficiency’s sake.
Cloud Brokers in the NIST Cloud Computing Reference Architecture
Cloud brokers are defined as managing service providers. Consumers may contact cloud brokers instead of cloud providers. Brokers tend to handle three cloud categories:
- Intermediation – Enhancing access, performance monitoring, identity management, etc.
- Aggregation – Integrating a provider’s cloud services into a comprehensive cloud suite
- Arbitrage – Integrating services from multiple providers into a uniform service suite
These parties may be distinct from providers, but providers may also conduct such activity.
Cloud Carriers in the NIST Cloud Computing Reference Architecture
The NIST defines cloud carriers as the parties facilitating consumers’ and providers’ data transmissions and their connectivity to cloud services.
Cloud carriers’ responsibilities include the production and distribution of all physical and virtual resources needed to maintain cloud computing. Responsibilities pertain to all the servers and hardware needed to keep cloud networks up and running, along with endpoints or network access devices used to access cloud data safely.
The NIST Cloud Computing Reference Architecture Components
The most critical stakeholders in the NIST Cloud Computing Reference Architecture are consumers and providers. The entire architecture, comprising five “Architectural Components,” can be understood as a way of defining the relationships between them.
The five functionalities explained below overlap with the SaaS, PaaS, and ITaaS models detailed above.
Deployment in the NIST Cloud Computing Reference Architecture
The first Architectural Component is Deployment, which follows one of four distinct models:
- Public – Most cloud infrastructure and resources are available or accessible to a diverse audience, including the general public and a wide range of subscription-level consumers.
- Private – The cloud infrastructure and resources are available or accessible to only an individual consumer. These are hosted on-site by the provider or off-site by a third party.
- Community – Most cloud infrastructure and resources are available or accessible to a group of consumers within the same industry or with similar security needs or concerns.
- Hybrid – Cloud infrastructure and resources are available via distinct, packaged distribution models (e.g., through a cloud broker).
Orchestration in the NIST Cloud Computing Reference Architecture
The second Architectural Component is Orchestration, which refers to three hierarchical layers of system components that providers require to deliver services:
- Service layer – This layer determines service type, corresponding to the SaaS, PaaS, and ITaaS categories of providers.
- Resource abstraction and control – This layer determines the internal software assets and systems needed to abstract data (e.g., virtual machines) and those needed for control (e.g., dynamic allocation) to communicate with system hardware.
- Physical resource layer – This layer concerns physical resources (e.g., endpoints, servers).
Management in the NIST Cloud Computing Reference Architecture
The third Architectural Component is Management, which breaks down into three categories:
- General business support – Cloud-based management of business processes (e.g., client, inventory, contract management, accounting, and reporting)
- Provisioning / configuration – Cloud-based management of logistical processes (e.g., deployment or adjustment of cloud systems or service-level agreements)
- Portability / interoperability – Cloud-based management of information-related tasks (e.g., optimization across various formats and wide-scale security and accessibility)
Cloud Security in the NIST Cloud Computing Reference Architecture
The fourth Architectural Component is Cloud Security, which covers oversight of, and advice on, cloud infrastructure and all interacting physical or virtual resources. This component may involve general security architecture implementation, security control development, cloud patch monitoring, or various regulatory compliance framework implementations.
Critically, all stakeholders in a given service relationship must contend with the intricacies of their own security implications. Providers’ and consumers’ respective security practices may impact each other, as hackers may leverage a weaker consumer network to attack a provider or vice versa.
Cloud Privacy in the NIST Cloud Computing Reference Architecture
The fifth and final Architectural Component is Cloud Privacy, which is closely related to Cloud Security. NIST specifically designates that cloud providers must protect consumers’ data processed or stored via cloud services. In particular, providers must safeguard any personal information (PI) or personally identifiable information (PII).
There is a significant overlap between Cloud Privacy and compliance concerns, though it is generally addressed in particular compliance frameworks rather than in NIST SP 500-292. For example, the HIPAA framework’s Privacy and Security Rules detail controls to ensure protected health information (PHI) is private, but NIST doesn’t define any specific protocols.
Professional Cyberdefense Architecture with RSI Security
Cybersecurity threats evolve each year, and companies across all industries must update their cloud protections to maintain security and privacy.
Despite the NIST SP 500-292 being a decade old, it still defines cloud architecture in cloud computing.