Home Cybersecurity SolutionsCloud Security What is the NIST Cloud Computing Reference Architecture?
Cloud Security

What is the NIST Cloud Computing Reference Architecture?

by RSI Security
written by RSI Security

Strategy

In September 2011, The National Institute for Standard and Technology (NIST) created Special Publication (SP) 500-292, “NIST Cloud Computing Reference Architecture,” to establish a baseline cloud computing architecture. NIST SP 500-292 defines services and relationships between cloud service providers, consumers, and other stakeholders. When preparing to implement or revisit your cloud computing architecture, you’ll want to review the specifics of NIST SP 500-292.

 

What is the NIST Architecture in Cloud Computing

The NIST SP 500-292 breaks down into several sections that define and explain all elements of cloud computing. These form a taxonomy with four distinct levels, each representing a more nuanced, niche set of terms. The first two levels define the most essential terms:

  • The Level 1 terms – A set of Roles that collectively comprise the cloud Reference Model
  • The Level 2 terms – A set of Activities that define the model’s Architectural Components

By understanding these terms and the relationships between them, any company can begin to optimize its cloud computing security architecture in response to ever-evolving cloud threats.

 

The NIST’s Cloud Computing Architecture Model

The first portion of NIST SP 500-292 defines the relationships between all stakeholders involved in cloud computing. There are five major roles detailed within NIST SP 500-292:

  • Cloud Consumer
  • Cloud Provider
  • Cloud Auditor
  • Cloud Broker
  • Cloud Carrier

As a disclaimer, these roles may be less stable today than they were in 2011, as providers and consumers alike have changed drastically in nature and scale. Still, the definitions are useful as templates for understanding the basis of stakeholders’ differing roles and responsibilities.

 

Download Our Comprehensive Guide to NIST Implementation

 

Cloud Consumers in the NIST Cloud Computing Reference Architecture

NIST designates Cloud Consumers as the principal stakeholders for cloud computing services. The category includes three Cloud Consumer distinctions according to the services used:

  • Software as a service (SaaS) consumers who rely on cloud computing for general office or productivity services (e.g., HR and accounting tasks)
  • Platform as a service (PaaS) consumers who rely on cloud computing for their business intelligence needs (e.g., database management and application integration)
  • Information technology as a service (ITaaS) consumers who rely on cloud computing for IT needs (e.g., storage, backups, content delivery, and other general computing tasks)

 

Request a Free Consultation

 

Cloud Providers in the NIST Cloud Computing Reference Architecture

Cloud providers are the parties most closely associated with cloud consumers. They are responsible for making cloud services available. Cloud providers’ offerings correspond to the types of consumers, along with the “Activities” or “Components.”

SaaS cloud providers generally deploy or manage the configuration of given software on cloud infrastructure. PaaS cloud providers generally manage the cloud infrastructure while also developing tools for optimizing workflows. ITaaS cloud providers generally facilitate distribution, maintenance, and monitoring of cloud infrastructure.

desk

Cloud Auditors in the NIST Cloud Computing Reference Architecture

The NIST defines cloud auditors as parties who can execute independent audits or assessments on a company’s cloud infrastructure. Audits are typically done to determine whether the infrastructure meets cybersecurity or compliance benchmarks. Critically, auditing services must be delivered separately from any cloud services when partnering with the same vendor or by another third party.

However, in the contemporary cloud environment, a provider may integrate a secure and logically separate auditing functionality into a suite of services. As a result, consumers might seek out providers who integrate this functionality for efficiency’s sake.

 

Cloud Brokers in the NIST Cloud Computing Reference Architecture

Cloud brokers are defined as managing service providers. Consumers may contact cloud brokers instead of cloud providers. Brokers tend to handle three cloud categories:

  • Intermediation – Enhancing access, performance monitoring, identity management, etc.
  • Aggregation – Integrating a provider’s cloud services into a comprehensive cloud suite
  • Arbitrage – Integrating services from multiple providers into a uniform service suite

These parties may be distinct from providers, but providers may also conduct such activity.

 

Cloud Carriers in the NIST Cloud Computing Reference Architecture

The NIST defines cloud carriers as the parties facilitating consumers’ and providers’ data transmissions and their connectivity to cloud services.

Cloud carriers’ responsibilities include the production and distribution of all physical and virtual resources needed to maintain cloud computing. Responsibilities pertain to all the servers and hardware needed to keep cloud networks up and running, along with endpoints or network access devices used to access cloud data safely.

 

The NIST Cloud Computing Reference Architecture Components

The most critical stakeholders in the NIST Cloud Computing Reference Architecture are consumers and providers. The entire architecture, comprising five “Architectural Components,” can be understood as a way of defining the relationships between them.

The five functionalities explained below overlap with the SaaS, PaaS, and ITaaS models detailed above.

 

Deployment in the NIST Cloud Computing Reference Architecture

The first Architectural Component is Deployment, which follows one of four distinct models:

  • Public – Most cloud infrastructure and resources are available or accessible to a diverse audience, including the general public and a wide range of subscription-level consumers.
  • Private – The cloud infrastructure and resources are available or accessible to only an individual consumer. These are hosted on-site by the provider or off-site by a third party.
  • Community – Most cloud infrastructure and resources are available or accessible to a group of consumers within the same industry or with similar security needs or concerns.
  • Hybrid – Cloud infrastructure and resources are available via distinct, packaged distribution models (e.g., through a cloud broker).

third-party-office-man2

Orchestration in the NIST Cloud Computing Reference Architecture

The second Architectural Component is Orchestration, which refers to three hierarchical layers of system components that providers require to deliver services:

  • Service layer – This layer determines service type, corresponding to the SaaS, PaaS, and ITaaS categories of providers.
  • Resource abstraction and control – This layer determines the internal software assets and systems needed to abstract data (e.g., virtual machines) and those needed for control (e.g., dynamic allocation) to communicate with system hardware.
  • Physical resource layer – This layer concerns physical resources (e.g., endpoints, servers).

 

Management in the NIST Cloud Computing Reference Architecture

The third Architectural Component is Management, which breaks down into three categories:

  • General business support – Cloud-based management of business processes (e.g.,  client, inventory, contract management, accounting, and reporting)
  • Provisioning / configuration – Cloud-based management of logistical processes (e.g., deployment or adjustment of cloud systems or service-level agreements)
  • Portability / interoperability – Cloud-based management of information-related tasks (e.g., optimization across various formats and wide-scale security and accessibility)

 

Cloud Security in the NIST Cloud Computing Reference Architecture

The fourth Architectural Component is Cloud Security, which includes the oversight and advisory for cloud infrastructure and all interacting physical or virtual resources. This component may involve general security architecture implementation, security control development, cloud patch monitoring, or various regulatory compliance framework implementations.

Critically, all stakeholders in a given service relationship must contend with the intricacies of their own security implications. Providers’ and consumers’ respective security practices may impact each other, as hackers may leverage a weaker consumer network to attack a provider or vice versa.

 

Cloud Privacy in the NIST Cloud Computing Reference Architecture

The fifth and final Architectural Component is Cloud Privacy, which is closely related to Cloud Security. NIST specifically designates that cloud providers must protect consumers’ data processed or stored via cloud services. In particular, providers must safeguard any personal information (PI) or personally identifiable information (PII).

There is a significant overlap between Cloud Privacy and compliance concerns, though it is generally addressed in particular compliance frameworks rather than in NIST SP 500-292. For example, the HIPAA framework’s Privacy and Security Rules detail controls to ensure protected health information (PHI) is private, but NIST doesn’t define any specific protocols.

 

Professional Cyberdefense Architecture with RSI Security

Cybersecurity threats evolve each year, and companies across all industries must update their cloud protections to maintain security and privacy.

Despite the NIST SP 500-292 being a decade old, it still defines cloud architecture in cloud computing. If you’re ready to optimize your cloud computing architecture and rethink your cybersecurity, contact RSI Security today.

We’ll show you just how simple and secure your cloud architecture can be.

 

Learn how RSI Security can help your organization. Request a Free Consultation

 

0 comment
1
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

The Essential Characteristics of Cloud Computing

June 3, 2021

Top Benefits Of Cloud Computing

March 1, 2019

Cloud Security Architecture Best Practices

April 29, 2022

Guide to Security Governance in Cloud Computing

March 25, 2023

NIST Definition of Cloud Computing

September 12, 2018

10 Tips For Keeping Private Information Secure On...

March 1, 2019

How To Prevent Cloud Data Breaches

April 27, 2021

Best Practices for Implementing Strong Cloud Security

March 15, 2019

Is It Safe To Store Personal Data On...

March 1, 2019

Cloud Identity and Access Management?

March 7, 2023

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More