SP-800-146 (Draft) | Cloudcontrols.org – Cloud assurance compliance

SP-800-146 (Draft)

Cloud computing synopsis and Recommendations

This document takes the NIST definition of Cloud to a next step and provides example implementations of the various Cloud deployment models.

Link to original document (mirror)

Summary of this draft:

1. Introduction

Outlines the structure of the document.

2. Cloud computing definition

Starts out with the industry-accepted definition of cloud:

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Details the essential characteristics of cloud services:

  1. On-demand self-service.
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured Service

The cloud service models:

  1. Software as a service
  2. Platform as a service
  3. Infrastructure as a service

The chapter finishes with outlining the cloud deployment models:

  1. Private cloud
  2. Community cloud
  3. Public cloud
  4. Hybrid cloud

3. Typical Commercial Terms of Service

Outlines the typical construction of provider contracts and terms of service, starting with promises made by providers:

  • Availability
  • Remedies for Failure to Perform
  • Data preservation
  • Legal Care of Subscriber information

Providers usually include limitations in their terms of service:

  • Scheduled outages
  • Force majeure events
  • SLA Changes
  • Security (providers generally assert they are not responsible for security)
  • Service API changes

Obligations to which subscribers of the service must agree with:

  • Acceptable use policies (prohibiting illegal activities and storage of illegal content)
  • Licensed software
  • Timely Payments

Recommendations for cloud consumers to take into account when judging terms of service:

  • Terminology (SLA terms)
  • Remedies (regarding failure)
  • Compliance
  • Security, Criticality and Backup
  • Negotiated SLA

4. General Cloud Environments

Details the various cloud deployment models and evaluates statements regarding Cloud deployment.

5. Software as a Service environments

Defining “Software deployed as a hosted service and accessed over the Internet.” [Cho06]

6. Platform as a Service environments

Defining development and deployment platforms.

7. Infrastructure as a Service environments

Describes several important characteristics of IaaS offerings: Abstract Interaction Dynamics; Software Stack and Provider/Subscriber Scopes of Control; an Operational View of an IaaS cloud; Benefits; Issues and Concerns; and Recommendations.

8. Open Issues

Lists the issues and areas not yet appropriately addressed by cloud providers:

  • Computing performance (latency)
  • Working offline
  • Scalable programming
  • Data storage management
  • Cloud reliability
  • Network dependence
  • Cloud provider outages
  • Safety-critical processing
  • Economic goals
  • Business continuity risks
  • SLA Evaluation
  • Portability of workloads
  • Interoperability between cloud providers
  • Disaster recovery
  • Compliance
  • Lack of visiblity
  • Physical data location
  • Jurisdiction and Regulation
  • Support for forensics
  • Information security (Data leakage, Data privacy, System integrity, multi-tenancy, Browsers, Hardware support for trust and Key management)

9. General Recommendations

Provides general recommendations to cloud users and providers regarding cloud: Management, Data Governance, Security and Reliability, Virtual Machines, and Software and Applications.

Appendix A and B

Appendix A outlines typical cost models and financial benefits for cloud computing. Appendix B details the roles and responsibilities in the cloud.

Executive Summary:

“Cloud computing allows computer users to conveniently rent access to fully featured applications, to software development and deployment environments, and to computing infrastructure assets such as network-accessible data storage and processing.”