The National Institute of Standards and Technology has a cloud computing vision: to apply standards and foster a clear understanding of the ecosystem that supports the cloud model, the better to gain productivity gains and cost efficiencies for government agencies and others. In its Cloud Computing Standards Roadmap, NIST has clearly defined the players that all interact to make the model work.
NIST defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
And that’s a fairly broad definition. To further understand the actors within the ecosystem and how they work together, NIST has gone on to define five stakeholders: cloud consumers, cloud providers, cloud auditors, cloud brokers and cloud carriers.
The cloud consumer is the “ultimate stakeholder,” according to NIST: the person or organization that maintains a business relationship with, and uses the service from, a cloud provider.
A cloud consumer has a few different options when it comes to what they’re looking to use in the cloud: software as a service (SaaS (News - Alert)), platform as a service (PaaS) and infrastructure as a service (IaaS).
SaaS consumers are what we usually think of when we think of cloud consumers as a whole. They are the users of hosted applications that take the place of normal desktop software, accessed via public, private or hybrid networks that connect SaaS consumers and providers. SaaS consumers have several profiles: they can be organizations that provide their members with access to software applications, end users who directly use software applications or software application administrators who configure those applications for end users.
PaaS consumers, meanwhile, tend to be the next tier up, whose business it is to employ the tools and execution resources provided by cloud providers for the purpose of developing, testing, deploying, and managing their own applications for end users.
“PaaS consumers can be application developers who design and implement application software, application testers who run and test applications in various cloud systems, application deployers who publish applications into a cloud system and application administrators who configure and monitor application performance on a platform,” NIST explained.
Lastly, IaaS consumers are provisioned with the capabilities to access virtual computers, network-accessible storage, network infrastructure components and other fundamental computing resources, on which PaaS consumers can deploy and run arbitrary software. IaaS consumers can be system developers, system administrators and information technology (IT) managers who are interested in creating, installing, managing and monitoring services for IT infrastructure operations.
If consumers are the necessary engine of demand, providers are the ones that fulfill that demand. NIST defines a cloud provider as a person, organization or entity responsible for making a service available to cloud consumers. A cloud provider builds the requested software/platform/infrastructure services, manages the technical infrastructure required for providing the services, provisions the services at agreed-upon service levels, and protects the security and privacy of the services.
A cloud broker is the distribution piece of this; if a provider doesn’t sell directly to consumers, there is an entity that negotiates relationships between the two and manages the use, performance and delivery of cloud services.
As in most channel scenarios, brokers provide a single point of entry for managing multiple cloud services, and have the ability to provide a single, consistent interface to multiple differing providers, whether the interface is for business or technical purposes.
Brokers can provide value-added services like identity management or performance reporting, act as a data and service integration and sales aggregation point, or offer a resale-type white label offering, which NIST dubs “service arbitrage, where the broker has the flexibility to choose services from multiple [underlying] service providers.”
A cloud carrier provides the necessary connectivity and transport of cloud services between cloud consumers and cloud providers, often offering SLAs to cloud providers to ensure consistent service. They can offer best-efforts transport or provide dedicated and encrypted connections.
And finally, a cloud auditor is an ancillary player in the ecosystem; this is a party that can conduct independent assessment of cloud services, information system operations, performance and the security of a cloud computing implementation. This is an especially prevalent role in highly regulated industries like healthcare as well as government environments.
“A cloud auditor can evaluate the services provided by a cloud provider in terms of security controls, privacy impact, performance and adherence to service level agreement parameters,” NIST explained. “Auditing is especially important for federal agencies, as agencies should include a contractual section enabling third parties to assess security controls of cloud providers.”
Security auditing in particular should include the verification of the compliance with regulation and security policy.
Edited by Rory J. Thompson