Expert Reference Series of White PapersA Practical View ofNIST’s m

A Practical View of NIST’s CloudDefinitionVince Lo Faso, Global Knowledge Instructor, Cloud Essentials Professional,ITIL ExpertIntroductionThe National Institute of Standards and Technology (NIST) has created a robust, comprehensive cloud definitionthat has been well-accepted across the IT industry. It covers five essential cloud characteristics, three servicemodels, and four deployment models. Spanning two pages of text, it initially seems overwhelming. Yet this clouddefinition is very effective in establishing clear boundaries and scope for cloud computing. It can be used to filterthe overly hyped cloud marketing literature to better understand the business value of true cloud services. Thiswhite paper examines NIST's cloud definition in detail with real world case study examples to illustrate how it isapplicable to today's cloud market landscape.At the request of the federal CIO Vivek Kundra, NIST was mandated to assist government agencies to adoptcloud computing for their IT operations. As part of their mandate, NIST created multiple working groups todefine cloud computing, its architecture, and requirements. In this paper we explore the center core of NIST'scloud definition (document Special Publication 800-145), which has been well accepted throughout the ITindustry across vendors, service suppliers, IT organizations, and customers.Overview of Cloud DefinitionThe NIST cloud definition is a comprehensive description of the essential defining quality of cloud computing.They define it as:"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool ofconfigurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidlyprovisioned and released with minimal management effort or service provider interaction. This cloud model iscomposed of five essential characteristics, three service models, and four deployment models."This paper will elaborate and further illustrate how this is applicable in the current environment of the cloudcomputing industry. In the next several sections, we will state the NIST definition, elaborate on the key principles,and provide some case study examples.Copyright 2014 Global Knowledge Training LLC. All rights reserved.2

Cloud CharacteristicsThere are five key attributes of a true cloud service. While there may be some variations in certain cases orenvironments, a cloud service should adhere to these traits.NIST's five essential characteristics are:1. On-demand self-serviceNIST defines this as:"A consumer can unilaterally provision computing capabilities, such as server time and network storage, asneeded automatically without requiring human interaction with each service provider."This is a key attribute of a true cloud service. A customer must be able to request the usage of a cloud servicethrough an automated interface (such as a web portal, kiosk, mobile app, etc.) without the need to speakwith a middleman or sales person. The consumer can request this at any time. This feature should also enablethe consumer to cancel the usage of a cloud service at any time. From the consumer's perspective, engaginga cloud service and releasing a cloud service should be as convenient and hassle free as possible. For example,there should be no need to speak with a call center representative or request/release a cloud service onlyduring working hours.2. Broad network access:NIST defines this as:"Capabilities are available over the network and accessed through standard mechanisms that promote use byheterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations)."A true cloud service must be accessible and usable through a broadly available communication network.Generally speaking, it means that as long as a consumer has Wi-Fi, broadband, or landline networkconnectivity, then he/she can utilize the cloud service. There should be no location dependency for the cloudservice. Furthermore, a cloud service should be accessible with minimal dependency on the device used foraccessing the cloud service.3. Resource pooling:NIST defines this as:"The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, withdifferent physical and virtual resources dynamically assigned and reassigned according to consumer demand.There is a sense of location independence in that the customer generally has no control or knowledge overthe exact location of the provided resources but may be able to specify location at a higher level ofabstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory,and network bandwidth."The underlying resources in a cloud service are shared across multiple customers. This multi-tenancy modelhas certain privacy and security concerns that is shared by all cloud users, therefore, all users must take thenecessary precautions and risk-management activities for protecting and guarding their assets, be it data orotherwise.Copyright 2014 Global Knowledge Training LLC. All rights reserved.3

4. Rapid elasticity:NIST defines this as:"Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outwardand inward commensurate with demand. To the consumer, the capabilities available for provisioning oftenappear to be unlimited and can be appropriated in any quantity at any time."A powerful attribute of a cloud service is that it can scale up or down as required automatically and in realtime (or near real-time). This means that varying workloads will be met with the right level of resourcecapacity (CPU power, storage, network bandwidth, etc.), adjusting to real-world demands from end users.5. Measured service:NIST defines this as:"Cloud systems automatically control and optimize resource use by leveraging a metering capability at somelevel of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active useraccounts). Resource usage can be monitored, controlled, and reported, providing transparency for both theprovider and consumer of the utilized service."A measured cloud service provides the underpinning for the pay-as-you-go model. This allows a cloudprovider to charge consumers for only the resources or services that are actually consumed by the customer.The old model of having a fixed IT budget that pays for IT resources regardless of whether they areunderutilized or over utilized, which no longer applies in cloud computing.Cloud Service ModelsNIST defines three general yet distinctive cloud service models. In practice, there are other service modelsavailable. However, even these additional service models are a variation or combination of these three basicservice models. For each service model, we state the NIST definition, elaborate on key principles, and illustrate theservice model with three real-world case studies.SaaS ModelThe SaaS service model is defined as:"Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applicationsrunning on a cloud infrastructure. The applications are accessible from various client devices through either a thinclient interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does notmanage or control the underlying cloud infrastructure including network, servers, operating systems, storage, oreven individual application capabilities, with the possible exception of limited user specific applicationconfiguration settings."The SaaS service model generates the most interest to business users and managers. Through SaaS-basedapplications, IT and business units can focus on supporting and enabling business operations and functions. TheSaaS model manages the underlying software and IT infrastructure. IT is released from the day-to-day activities ofrunning a data center, IT operations, and maintenance.Copyright 2014 Global Knowledge Training LLC. All rights reserved.4

Case Study Examples of SaaS Cloud Providers1. is one of the pioneers of enterprise-quality SaaS cloud providers. Its service offerings displacethe traditional data center based CRM application such as Siebel and PeopleSoft. Headquartered in SanFrancisco, has revenue of over 4.07 billion. Initially started by four former Oracle executives, has grown to 13,400 employees (as of May 2014). Currently, it has 2,100,000 servicesubscribers across 104,000 customers (as of 2011). Its subscription model is based on a per-user basis, permonth. Presently, there are five subscription levels: Contact Manager level ( 5/user/month); Group level( 25/user/month); Professional level ( 65/user/month); Enterprise level ( 125/user/month); andPerformance level ( 300/user/month). All subscriptions are billed annually.2. GmailGmail is a free cloud-based email service from Google. It was initially launched as an invitation only service inApril 1, 2004. It became a production quality service available to the general public on Feb 7, 2007. As ofJune 2014, it boasts over 500 million users. Its distinguishing feature has been its ever growing space foremail users. When it launched, Gmail stunned the world by offering 1GB of email space. The competition atthe time (such as Hotmail and Yahoo!) quickly followed suit by increasing their email space from an initialstorage space of only 2-4MB of email. Today, Gmail has evolved into a critical component of Google's overalloffice productivity SaaS offering, which now includes 30GB of disk storage and can support email fileattachments of 25MB.3. Intuit - QuickBooksIntuit is an example of a software provider that offers both conventional software (purchased softwarelicenses for self-hosting) and SaaS-based online offerings. Its beginnings started as a traditional softwareprovider in 1983 in Palo Alto, CA by its two founders, Scott Cook and Tom Proulx. Today, Intuit has over8,200 employees with over 4.1 billion in revenue (2013). It offers a range of financial accounting and taxsoftware. Its flagship product is QuickBooks, a software suite for managing business financial operations. Asa SaaS offering is it available in three different levels. Each level offers an increasing set of functions andfeatures. The three levels and subscription pricing are: Simple Start ( 9.95/month for 1 user); Essentials( 14.95/month for 3 users); and Plus ( 24.95/month for 5 users). Subscriptions are billed monthly. Intuit'soverall SaaS offerings now represent 1.5 billion of its 2013 revenue.PaaS ModelThe PaaS service model is defined as:"Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructureconsumer-created or acquired applications created using programming languages, libraries, services, and toolssupported by the provider. The consumer does not manage or control the underlying cloud infrastructureincluding network, servers, operating systems, or storage, but has control over the deployed applications andpossibly configuration settings for the application-hosting environment."The PaaS service model provides a powerful development platform for software developers. Most PaaS providerssupport a range of programming languages for developers to use. All leverage Web Services (i.e., web-based API)to create cloud-based application. The underlying infrastructure is opaque to the developer as it is fully managedby the PaaS provider.Copyright 2014 Global Knowledge Training LLC. All rights reserved.5

Case Study Examples of PaaS Cloud Providers1. Google App EngineAs a platform as a service, App Engine allows software developers to write applications in one of severallanguages (Python, Java, and its derivatives, Go and PHP) and are run over a scalable, elastic infrastructure. EachGoogle application is executed in a “sandbox” environment, protecting it and other Google applications frominterfering with each other or monopolizing the underlying infrastructure resources. As a platform, it wasreleased initially on April 7, 2008 in "preview" mode, and then came out of preview mode on September 2011.Google does not charge developers for writing software on App Engine; they charge only for the resources thatapplications consume when they are executed and running on Google's infrastructure. Google tracks, monitors,and invoices applications based on resources such as storage, virtual servers, network traffic, and API calls.App Engine offers a free tier, which means that an application can run on App Engine as long as it stays withinlimits of infrastructure resource utilization. For example, a Google app can use up to 1GB of data storage.Storage above that limit will incur expenses. For paid applications, there are no functional limits. Hard limits,however, do exist to prevent misuse (intentionally or unintentionally) of resources. For paid application usage,Google provides an uptime guarantee of 99.95% on a monthly basis. Some key customers include Rovio and KhanAcademy.2. AzureMicrosoft presents its Azure platform as a tightly grouped IaaS and PaaS offering that is integrated withMicrosoft's traditional product line of Windows Servers, SQL, SharePoint, Active Directory, and BizTalk. It wasinitially released on February 1, 2010 and was called "Windows Azure." Recently, it was renamed to MicrosoftAzure (March 25, 2014). The PaaS development offering supports several programming languages: .NET, Java,PHP, Node.js, Python, and Ruby.The scope of services within the Azure PaaS offering is broad, and includes services that other cloud providerswould consider IaaS. More specifically, the Azure app service (PaaS) includes:Media Services, Service Bus, Notification Hubs, Scheduler, Automation, BizTalk Services, Visual Studio Online,Active Directory, Multi-Factor Authentication, CDN, API Management, and RemoteApp. For the underlyinginfrastructure, Microsoft uses a customized Windows OS and Hyper-V hypervisor called Microsoft Azure andMicrosoft Azure Hypervisor, respectively. Scalability is managed through a fabric layer called Microsoft AzureFabric Controller.The subscription model is billed on the app service that is used. It offers a pay-as-you-go monthly plan, as well as aprepaid six-month and 12-month plan. The longer the term, the greater discount Microsoft provides (up to 32%).Azure provides an SLA of 99.9% per month for its PaaS services. Key customers include BMW, NBC Sports, andHarperCollins.3. is a PaaS offering from It was the underlying foundation upon which software was developed and hosted. With its 2013 acquisition of ExactTarget (marketing SaaS)and a previous acquisition of Heroku (PaaS provider) in 2010, the three environments are in the process ofmerging and are collectively referred to as Salesforce1 Platform. This merged platform is a comprehensiveintegrated environment for building enterprise-quality applications that are primarily focused on supportingbusiness sales and marketing operations and have greater explicit support for mobile platforms. Their mainwebsite is 2014 Global Knowledge Training LLC. All rights reserved.6

The subscription model for the platform has three levels. Unlike Google App and Azure, theunits of measure are less focused on infrastructure consumption and more on programming objects andinterfaces. Their three subscriptions levels are: Enterprise App level ( 25/user/month); App Bundle( 80/user/model); and Unlimited App level ( 150/user/month). All subscriptions are billed annually. Each levelhas increasing usage of application objects, supported apps, API calls, and so forth.Key users and clients of that have integrated their own applications with software viaan integration application include Evernote, DocuSign, and MailChimp.IaaS ModelThe IaaS service model is defined as:"Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing,storage, networks, and other fundamental computing resources where the consumer is able to deploy andrun arbitrary software, which can include operating systems and applications. The consumer does notmanage or control the underlying cloud infrastructure but has control over operating systems, storage,and deployed applications; and possibly limited control of select networking components (e.g., hostfirewalls)."The IaaS model allows IT administrators to operate and manage traditional data center resources in the cloud. Allof the traditional IT infrastructure layers (servers, storage, network, and so forth) are available virtually from acloud IaaS provider. Customers are responsible for managing the OS layer and higher, while the cloud providerfocuses on the hypervisor layer and below (server hardware, network connectivity, power/cooling, HVAC, etc).Case Study Examples of IaaS Cloud Providers1. Amazon Web ServicesAmazon Web Services (AWS) is an operation of that provides cloud services (primarily IaaS andPaaS) to the general public. AWS has been a pioneer in the commercial cloud computing space and is currentlythe market leader. Recently Gartner positioned AWS at the highest level in its Magic Quadrant for CloudComputing (June 2014).AWS was launched in 2006. Its first major service offering was EC2 (elastic cloud compute), a virtual serveroffering. It launched on Aug 25, 2006 (Linux-based version). It was initially in public-beta mode, and then wentinto production mode on Oct 23, 2008 with formal SLAs.AWS currently has a large selection of IaaS component offerings. Some of the major services include S3 (fileobject storage), EBS (block storage), ELB (load balancer), Route 53 (DNS service), VPC (virtual private cloud-networking and subletting), Glacier (tape archival).AWS global infrastructure covers 10 regions across the world, each one with multiple data centers (AvailabilityZones) to provide redundancy and resource distribution. Due to security concerns, AWS provides a dedicate cloudenvironment uniquely for US government agencies and partners called GovCloud.Each IaaS component has its own pricing model with a variety of tiers. Generally, these are all based on resourcesconsumed (on a pay-as-you-go basis) or for a guaranteed level of performance. For example, the EC2 virtualserver service has price ranges from the low end (t2.micro) for 0.013/hour to the high end (c3.8xlarge) at 1.68/hour.Copyright 2014 Global Knowledge Training LLC. All rights reserved.7

Some of AWS major customers include: Netflix, Dropbox, Samsung, NY Times, Washington Post, Newsweek, andAdobe.2. RackspaceRackspace is an IaaS cloud provider based in San Antonio, TX. It started out as a traditional web-hosting companyand has grown into a leading cloud IaaS provider. Rackspace was founded in October 1998 by three individuals.Currently, it employs over 5,700 employees and has revenue over 1.5 billion 2013.Its underlying architecture is based on Xen open source virtualization and OpenStack. Rackspace has been a keycontributor to the OpenStack foundation and was a co-founder with NASA.Rackspace IaaS offerings cover the following components: cloud servers, block storage, databases, file storage,load balancers, backups, and cloud monitoring. Each has its own pricing model with a variety of tiers, andsupport both pay-as-go-you and long-term discounted plans. For example, a low end cloud server starts at 0.04/hour and a high end server is priced at 5.44/hour. Key customers of Rackspace include: BitHub, Domino's,KarmaCRM3. CenturyLinkCenturyLink is a major telecommunication company that has entered into the cloud computing industry via twokey acquisitions, Savvis in April 2011 and Tier 3 in Nov 2013. It recently (Jan. 2014) rebranded these entities intoCenturyLink Cloud (CLC).CenturyLink Cloud's IaaS offerings span a wide range of IT components from servers and storage to network,firewalls and Content Distribution Network (CDN). Pricing is based on a per-as-you-go model. For long term plans,a sales quote from their sales team is required. For a basic virtual Linux server, the cost can be as low as 0.01/hr.Some key customers of CenturyLink Cloud include exterro, Obeo, and XSP.Cloud Deployment ModelNIST outlines four cloud deployment models. For each deployment model, we state NIST's definition, elaborateon key principles, and provide two case study examples. In all four models, there are three determining factors:who controls security, who has access to the data, and whether the resources are shared or dedicated.Public CloudA Public cloud deployment is defined as:"The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, andoperated by a business, academic, or government organization, or some combination of them. It exists on thepremises of the cloud provider."For public cloud services, it is assumed that it is multi-tenant and the underlying resources are shared amongmultiple customers. The public cloud provider owns and controls the security and protection of data between onecustomer and another customer.Case Study Examples of Public Cloud DeploymentAll of the case study examples from the Service Model section (, Gmail, Intuit, App Engine, Azure,, Amazon Web Services, Rackspace, CenturyLink) are examples of public cloud providers.Copyright 2014 Global Knowledge Training LLC. All rights reserved.8

Private CloudA Private cloud deployment is defined as:"The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers(e.g., business units). It may be owned, managed, and operated by the organization, a third party, or somecombination of them, and it may exist on or off premises."In private cloud deployment, the IT assets are fully dedicated to a single company, with no sharing of resourcesoutside of the corporate entity. Security and data protection is owned by the same business entity.Case Study Examples of Private Cloud Deployment1) OpenStackOpenStack is an open source cloud platform that provides private cloud computing services for IaaS model. Somecompanies use it to deliver IaaS services internally to their business units. As a cloud technology, it can also beused by organizations to deliver IaaS to the public.OpenStack started in July 2010 as a joint project by NASA and Rackspace. Ownership and management of itsdevelopment was transitioned in September 2012 to the OpenStack Foundation, a non-profit entity. Support forOpenStack has grown tremendously and numerous vendors committed their support for its ongoingdevelopment. Some vendors include: VMware, Red Hat, HP, IBM, EMC, and Oracle.OpenStack uses a very modular structure in which each component delivers a specific IaaS resource. Some ofthese are: Compute (Nova), Object Storage (Swift), Block Storage (Cinder), Networking (Neutron), Orchestration(Heat), and Database (Trove). Some key companies who use OpenStack internally include Intel, Argonne NationalLaboratory, CERN, and NeCTAR.2) vCloudvCloud Suite is a private cloud technology platform from VMware. Customers use the vCloud Suite to implementa private cloud computing IaaS type environment. The vCloud Suite consists of several core products: vSphere,vCenter Site Recovery Manager, vCloud Network and Security, Automation Center, Operations ManagementSuite, and vCloud Director. Together, these key VMware products enable a cloud-based virtual data center. ITorganizations can deliver cloud services to their internal business units with the same scalability and pay-as-go-gocapabilities that public cloud providers deliver.The vCloud Suite is available in three configurations: Standard, Advanced, and Enterprise. Key customers ofvCloud include: Columbia Sportswear, Catholic Health Initiatives, and Microstrategy.Community CloudA community cloud deployment is defined as:"The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizationsthat have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may beowned, managed, and operated by one or more of the organizations in the community, a third party, or somecombination of them, and it may exist on or off premises."This deployment is effective for consortium groups and special interest user groups. Generally, security and dataaccess between members of a consortium or user group is permitted. However, outside of the consortium or usergroup, access is restricted.Copyright 2014 Global Knowledge Training LLC. All rights reserved.9

Case Study Examples of Community Cloud Deployment1) FacebookFacebook is the largest social networking service with a community user base of over 1.28 billion (as of March,2014). It was started by Mark Zuckerberg and four other Harvard college mates in February 2004. It is nowheadquartered in Menlo Park, CA and employs over 6,800 employees. As a community cloud service, there is nosubscription fee to join Facebook. All revenue for Facebook is through advertising. As of 2012, revenue was 7.87billion.A major challenge with Facebook, from a community perspective, is privacy. General Internet users who are notsubscribed to Facebook do not have viewable access to the information in Facebook. Subscribed Facebook usershave varying levels of access to data about other Facebook users. While users have control over their privacysettings, the default settings and types of control level are sometimes changed independently by Facebook. Issuesabout ownership of photos and information about one's self have caused concerns among some Facebook users.Most recently (July 2014), news about Facebook conducting psychological experiments and studies on Facebooksubscribers, without direct explicit consent, caused significant outcry from the public.2) LinkedInLinkedIn is a professional business social network service. It was launched on May 5, 2003 by five foundingmembers. It is based in Mountain View, CA and has 5,000 employees. As of June 2013 there are over 259 millionusers across 200 plus countries.Subscription to LinkedIn is free for all users. There are paid subscription levels that provide additional featuresand access to more information. In 2013, LinkedIn had revenue of 1.52 billion. There are three levels of paidsubscriptions: Business level ( 29.99/month); Business Plus level ( 59.99/month); and Executive level( 99.99/month). If users pay annually, LinkedIn provides a 25% discount. Other sources of revenue include paidadvertising, directory services, and recruiting services.Hybrid CloudA Hybrid cloud deployment is defined as:"The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private,community, or public) that remain unique entities, but are bound together by standardized or proprietarytechnology that enables data and application portability (e.g., cloud bursting for load balancing betweenclouds)."There are several use cases or cloud configurations that employ a hybrid cloud deployment model. One is cloudbursting, which means going from private cloud to public cloud. Another is backup and disaster recovery, alsogoing from private cloud to public cloud.Case Study Examples of Hybrid Cloud Deployment1) AWS - Virtual Private Cloud (VPC)Amazon Web Services (AWS) provides a cloud service called Virtual Private Cloud (VPC), which allows a customerto extend their data center into AWS' cloud infrastructure. For example, with an AWS VPC, a customer can runtheir application servers in AWS and have all their data stored in their own data center and storage devices. Thishybrid configuration gives the client control and ownership of data security and data protection while enablingfull scalability of server resources for the application servers running in the AWS cloud.Copyright 2014 Global Knowledge Training LLC. All rights reserved.10

2) BluelockBluelock's cloud services is another example of how an IT organization can extend their data center resources andoperations to the public cloud.Bluelock is a VMware partner that enables IT organizations that are VMware based to extend their current datacenter into a VMware technology-based public cloud provider. Bluelock can provide backup in the cloud, recoveryto the cloud, or recovery from a cloud provider through their hybrid cloud service model.ConclusionWith case study examples, we have reviewed NIST's definition of cloud computing in this white paper. Althoughthe definitions may at times appear verbose, they clearly delineate the attributes and features that make cloudcomputing a true game-changer for IT organizations and businesses. It provides clear boundaries and scope tothe cloud computing paradigm and is very effective in sorting out the marketing hype that currently surroundscloud computing.Learn MoreLearn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edgethrough training.Telecom Architectures and Information TechnologiesCloud EssentialsVisit or call 1-800-COURSES (1-800-268-7737) to speak with a Global Knowledgetraining advisor.About the AuthorVince Lo Faso is the Managing Director of Cloud Service Management at Navigo Technologies, LLC. He is an ITService and Cloud Management professional with more than 24 years of IT industry experience. He is ITIL V3Expert certified; Cloud Essentials Professional (CEP) certified; and AWS Partner Business and TechnicalProfessional accredited. Vince holds a master’s degree in computer science and has spoken as conferences such asVMworld User Conference, HP Universe, and local user groups. In addition to having worked as a consultant andpractice manager for sever

the national institute of standards and technology (nist) has created a robust, comprehensive cloud definition that has been well-accepted across the it industry. it covers five essential cloud characteristics, three service models, and four deployment models. spanning two pages of text, it initially seems overwhelming. yet this cloud definition