
NIST CLOUD COMPUTING REFERENCE ARCHITECTURE

William Stallings Independent Consultant

2.6 NIST CLOUD COMPUTING REFERENCE ARCHITECTURE

NIST SP 500-292 [3] establishes a reference architecture, described as follows:

The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.

NIST developed the reference architecture with the following objectives in mind:

• To illustrate and understand the various cloud services in the context of an overall cloud computing conceptual model

• To provide a technical reference for consumers to understand, discuss, categorize, and compare cloud services

• To facilitate the analysis of candidate standards for security, interoperability, and portability and reference implementations

2.6.1 Cloud Computing Actors

The reference architecture, depicted in Figure 2.4, defines five major actors, whose roles and responsibilities are as follows:

• Cloud consumer: A person or organization that maintains a business relationship with, and uses service from, CPs

• Cloud provider: A person, organization, or entity responsible for making a service available to inter- ested parties

• Cloud auditor: A party that can conduct independent assessment of cloud services, information system operations, performance, and security of the cloud implementation

• Cloud broker: An entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between CPs and cloud consumers

• Cloud carrier: An intermediary that provides connectivity and transport of cloud services from CPs to cloud consumers

TABLE 2.2 Comparison of Cloud Deployment Models

                Private              Community     Public              Hybrid
Scalability     Limited              Limited       Very high           Very high
Security        Most secure option   Very secure   Moderately secure   Very secure
Performance     Very good            Very good     Low to medium       Good
Reliability     Very high            Very high     Medium              Medium to high
Cost            High                 Medium        Low                 Medium

The roles of the cloud consumer and provider have already been discussed. To summarize, a CP can provide one or more of the cloud services to meet IT and business requirements of cloud consumers. For each of the three service models (SaaS, PaaS, and IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers. For SaaS the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so the services are provisioned at the expected service levels to cloud consumers. The consumers of SaaS can be organizations that provide their members with access to software applications, end users who directly use software applications, or software application administrators who configure applications for end users.

For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as the runtime software execution stack, databases, and other middleware components. Cloud consumers of PaaS can employ the tools and execution resources provided by CPs to develop, test, deploy, and manage the applications hosted in a cloud environment.

For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure. The IaaS cloud consumer in turn uses these computing resources, such as a virtual computer, for their fundamental computing needs.

The cloud carrier is a networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs. Typically, a CP will set up SLAs with a cloud carrier to provide services consistent with the level of SLAs offered to cloud consumers, and may require the cloud carrier to provide dedicated and secure connections between cloud consumers and CPs.
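The SLA chaining described above (what the CP can promise a consumer is bounded by what the carrier commits to the CP) can be checked numerically rather than by inspection. The following Python is an added example, not code from the page or from NIST SP 500-292. It assumes that the carrier path and the CP's own platform fail independently and in series, so the availability the consumer experiences is the product of the two, and every SLA figure in it is constructed for illustration.

```python
"""Check whether a CP's carrier SLA can support the SLA it offers consumers.

Assumption (not from the page): the carrier path and the CP's own platform
fail independently and in series, so end-to-end availability is the product
of the two availabilities. All numbers used here are constructed examples.
"""
from dataclasses import dataclass

# A 30-day month is a common basis for SLA downtime budgets (assumption).
MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200


@dataclass(frozen=True)
class SlaChain:
    consumer_target: float    # availability the CP promises the cloud consumer
    provider_internal: float  # availability of the CP's own data-center platform
    carrier: float            # availability the cloud carrier commits to the CP


def end_to_end_availability(chain: SlaChain) -> float:
    """Series composition: the consumer sees the service up only when the
    CP platform and the carrier path are both up."""
    return chain.provider_internal * chain.carrier


def chain_is_consistent(chain: SlaChain) -> bool:
    """True when the CP can honour its consumer SLA given the carrier SLA."""
    return end_to_end_availability(chain) >= chain.consumer_target


def minimum_carrier_availability(consumer_target: float,
                                 provider_internal: float) -> float:
    """Smallest carrier SLA the CP can accept and still meet the consumer
    target. A result above 1.0 means no carrier SLA can close the gap: the
    CP's own platform is already below the consumer target."""
    return consumer_target / provider_internal


def downtime_budget_minutes(availability: float) -> float:
    """Monthly downtime a given availability figure allows."""
    return (1.0 - availability) * MINUTES_PER_MONTH


if __name__ == "__main__":
    # Constructed example: "three nines" to the consumer, carrier at 99.95%.
    chain = SlaChain(consumer_target=0.999, provider_internal=0.9995, carrier=0.9995)
    print("end-to-end availability:", end_to_end_availability(chain))
    print("consistent with consumer SLA:", chain_is_consistent(chain))
    # Failure mode: carrier SLA equal to the consumer target is not enough.
    weak = SlaChain(consumer_target=0.999, provider_internal=0.9995, carrier=0.999)
    print("carrier at 99.9% consistent:", chain_is_consistent(weak))
    print("minimum carrier SLA needed:",
          minimum_carrier_availability(0.999, 0.9995))
    print("monthly downtime budget at 99.9% (min):", downtime_budget_minutes(0.999))
```

The point the numbers make is that a carrier SLA merely equal to the consumer-facing SLA is insufficient: because the two components are in series, the carrier must commit to strictly more than the CP promises downstream, which is why the paragraph says the CP's carrier SLAs must be "consistent with" rather than "the same as" its consumer SLAs.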

A cloud broker is useful when cloud services are too complex for a cloud consumer to easily manage. Three areas of support can be offered by a cloud broker:

• Service intermediation: These are value-added services, such as identity management, performance reporting, and enhanced security.

• Service aggregation: The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost.

• Service arbitrage: This is similar to service aggregation except that the services being aggregated are not fixed. Service arbitrage means a broker has the flexibility to choose services from multiple agencies. The cloud broker, for example, can use a credit-scoring service to measure and select an agency with the best score.

Figure 2.4 NIST cloud computing reference architecture (image not reproduced; labels: cloud consumer; cloud auditor with security audit, performance audit, and privacy impact audit; cloud broker with service intermediation, service aggregation, and service arbitrage; cloud carrier; cloud provider comprising service orchestration (service layer with SaaS, PaaS, and IaaS; resource abstraction and control layer; physical resource layer with hardware and facility), cloud service management (business support, provisioning/configuration, portability/interoperability), security, and privacy)

A cloud auditor can evaluate the services provided by a CP in terms of security controls, privacy impact, performance, and so on. The auditor is an independent entity that can assure the CP conforms to a set of standards.

Figure 2.5 illustrates the interactions between the actors. A cloud consumer may request cloud services from a CP directly or via a cloud broker. A cloud auditor conducts independent audits and may contact the others to collect necessary information. This figure shows that cloud networking issues in fact involve three separate types of networks. For a cloud producer, the network architecture is that of a typical large data center, which consists of racks of high-performance servers and storage devices, interconnected with high-speed top-of-rack ethernet switches. The concerns in this context focus on virtual machine placement and movement, load balancing, and availability issues. The enterprise network is likely to have a quite different architecture, typically including a number of LANs, servers, workstations, PCs, and mobile devices, with a broad range of network performance, security, and management issues. The concern of both producer and consumer with respect to the cloud carrier, which is shared with many users, is the ability to create virtual networks, with appropriate SLAs and security guarantees.

2.6.2 Cloud Provider Architectural Components

Figure 2.4 shows four main architectural components of the CP. Service orchestration refers to the composition of system components to support the CPs’ activities in arrangement, coordination, and management of computing resources in order to provide cloud services to cloud consumers. Orchestration is shown as a three-layer architecture. We see here the familiar mapping of physical resources to consumer-visible services by a resource abstraction layer. Examples of resource abstraction components include software elements such as hypervisors, virtual machines, virtual data storage, and other computing resource abstractions.

Cloud service management includes all of the service- related functions that are necessary for the management and operation of those services required by or proposed to cloud consumers. It covers three main areas:

• Business support: This comprises business-related services dealing with customers, such as accounting, billing, reporting, and auditing.

• Provisioning/configuration: This includes automated tools for rapid deployment of cloud systems for consumers, adjusting configuration and resource assignment, and monitoring and reporting on resource usage.

• Portability/interoperability: Consumers are interested in cloud offerings that support data and system portability, and service interoperability. This is particularly useful in a hybrid cloud environment, where the consumer may wish to change the allocation of data and applications between on-premises and off-premises sites.

Figure 2.5 Interactions between the cloud computing actors (image not reproduced; labels: cloud consumer, cloud broker, cloud producer, cloud auditor, enterprise network, cloud carrier, data center network)

Security is a concern that spans all layers of the reference architecture, ranging from physical security to application security. As such, it is the joint responsibility of all the cloud actors, not just CPs. Privacy also encompasses all layers of the reference architecture. The key requirement with respect to privacy is that CPs provide assured and adequate protection of personal information (PI) and personally identifiable information (PII) in the cloud.

2.7 ITU-T CLOUD COMPUTING