Nist Cloud Architecture

The document summarizes the NIST cloud computing reference architecture, which defines five major actors in cloud computing: cloud consumer, cloud provider, cloud carrier, cloud auditor, and cloud broker. It describes the roles and interactions of each actor, including two usage scenarios where a cloud broker acts as an intermediary between the consumer and provider, and where a provider establishes agreements with a carrier and consumer. It also outlines the services available to consumers and scope of control between providers and consumers under different service models.

Uploaded by

ShivanshuSingh

NIST CLOUD COMPUTING REFERENCE ARCHITECTURE
THE CONCEPTUAL REFERENCE MODEL
• National Institute of Standards and Technology
• The NIST cloud computing reference architecture identifies the major actors, their activities and functions
in cloud computing.
• NIST cloud computing reference architecture defines five major actors:
• cloud consumer
• cloud provider
• cloud carrier
• cloud auditor
• cloud broker
Each actor is an entity (a person or an organization) that participates in a transaction or process and/or
performs tasks in cloud computing.
THE INTERACTIONS AMONG THE ACTORS
Usage SCENARIO 1
A cloud consumer may request service from a cloud broker instead of contacting a cloud provider directly. The cloud broker may create a new service by combining multiple services or by enhancing an existing service. The actual cloud providers are invisible to the cloud consumer, and the cloud consumer interacts directly with the cloud broker.

Usage SCENARIO 2
• Cloud carriers provide the connectivity and transport of cloud services from cloud providers to cloud
consumers.
• A cloud provider participates in and arranges for two unique service level agreements (SLAs), one with a
cloud carrier (e.g. SLA2) and one with a cloud consumer (e.g. SLA1).
• A cloud provider arranges service level agreements (SLAs) with a cloud carrier and may request dedicated
and encrypted connections to ensure the cloud services are consumed at a consistent level according
to the contractual obligations with the cloud consumers.
• In this case, the provider may specify its requirements on capability, flexibility and functionality in SLA2 in
order to provide essential requirements in SLA1.
Usage SCENARIO 3:
For a cloud service, a cloud auditor conducts independent
assessments of the operation and security of the cloud service implementation. The audit may
involve interactions with both the Cloud Consumer and the Cloud Provider.
CLOUD CONSUMER
• The cloud consumer is the principal stakeholder for the cloud computing service.
• A cloud consumer represents a person or organization that maintains a business relationship with, and uses the service from a
cloud provider.
• A cloud consumer browses the service catalog from a cloud provider, requests the appropriate service, sets up service
contracts with the cloud provider, and uses the service.
• The cloud consumer may be billed for the service provisioned, and needs to arrange payments accordingly.
• Cloud consumers need SLAs to specify the technical performance requirements fulfilled by a cloud provider.

• SLAs can cover terms regarding the quality of service, security, and remedies for performance failures.
• A cloud provider may also list in the SLAs a set of promises explicitly not made to consumers, i.e. limitations, and
obligations that cloud consumers must accept.
• A cloud consumer can freely choose a cloud provider with better pricing and more favorable terms. Typically a cloud
provider's pricing policy and SLAs are non-negotiable, unless the customer expects heavy usage and might be able to
negotiate for better contracts.
SERVICES AVAILABLE TO A CLOUD CONSUMER
CLOUD PROVIDER
• A cloud provider is a person or an organization; it is the entity responsible for making a service available to
interested parties. A cloud provider acquires and manages the computing infrastructure required for
providing the services, runs the cloud software that provides the services, and makes arrangements to
deliver the cloud services to the cloud consumers through network access.
• For Software as a Service, the cloud provider deploys, configures, maintains and updates the operation of
the software applications on a cloud infrastructure so that the services are provisioned at the expected
service levels to cloud consumers.
CLOUD AUDITOR
• A cloud auditor is a party that can perform an independent examination of cloud service controls with the intent to express an
opinion thereon.
• Audits are performed to verify conformance to standards through review of objective evidence.
• A cloud auditor can evaluate the services provided by a cloud provider in terms of security controls, privacy impact,
performance, etc.
• Auditing is especially important for federal agencies as “agencies should include a contractual clause enabling third parties to
assess security controls of cloud providers”.
• An auditor can be tasked with ensuring that the correct policies are applied to data retention according to relevant rules for the
jurisdiction.
• The auditor may ensure that fixed content has not been modified and that the legal and business data archival requirements
have been satisfied.
• A privacy impact audit can help Federal agencies comply with applicable privacy laws and regulations governing an
individual's privacy, and to ensure confidentiality, integrity, and availability of an individual's personal information at every
stage of development and operation.
CLOUD BROKER
• A cloud consumer may request cloud services from a cloud broker, instead of contacting a cloud provider directly.
A cloud broker is an entity that manages the use, performance and delivery of cloud services and negotiates
relationships between cloud providers and cloud consumers.
• Service Intermediation: A cloud broker enhances a given service by improving some specific capability and
providing value-added services to cloud consumers. The improvement can be managing access to cloud services,
identity management, performance reporting, enhanced security, etc.
• Service Aggregation: A cloud broker combines and integrates multiple services into one or more new services.
The broker provides data integration and ensures the secure data movement between the cloud consumer and
multiple cloud providers.
• Service Arbitrage: Service arbitrage is similar to service aggregation except that the services being aggregated are
not fixed. Service arbitrage means a broker has the flexibility to choose services from multiple agencies. The
cloud broker, for example, can use a credit-scoring service to measure and select an agency with the best score.
CLOUD CARRIER
• A cloud carrier acts as an intermediary that provides connectivity and transport of cloud services between
cloud consumers and cloud providers.
• Cloud carriers provide access to consumers through network, telecommunication and other access devices.
• The distribution of cloud services is normally provided by network and telecommunication carriers or a
transport agent, where a transport agent refers to a business organization that provides physical transport of
storage media such as high-capacity hard drives.
• Note that a cloud provider will set up SLAs with a cloud carrier to provide services consistent with the
level of SLAs offered to cloud consumers, and may require the cloud carrier to provide dedicated and
secure connections between cloud consumers and cloud providers.
SCOPE OF CONTROL BETWEEN PROVIDER AND CONSUMER

The Cloud Provider and Cloud Consumer share the control of resources in a cloud system.
The different service models affect an organization's control over the computational
resources and thus what can be done in a cloud system.
• The application layer includes software applications targeted at end users or programs. The applications are
used by SaaS consumers, or installed/managed/maintained by PaaS consumers, IaaS consumers, and SaaS
providers. The middleware layer provides software building blocks (e.g., libraries, database, and Java
virtual machine) for developing application software in the cloud.
• The middleware is used by PaaS consumers, installed/managed/maintained by IaaS consumers or PaaS
providers, and hidden from SaaS consumers.
• The OS layer includes operating system and drivers, and is hidden from SaaS consumers and PaaS
consumers. An IaaS cloud allows one or multiple guest OS's to run virtualized on a single physical host.
Generally, consumers have broad freedom to choose which OS to be hosted among all the OS's that could
be supported by the cloud provider. The IaaS consumers should assume full responsibility for the guest
OS's, while the IaaS provider controls the host OS.
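
The scope of control described above can be applied when triaging security findings. The following is an added example, not part of the original slides: it encodes the layer-by-service-model split and routes findings by who can act on them. The queue names, the finding format and the sample findings are hypothetical, and treating layers the slides only call "hidden" as provider-managed is an assumption.

```python
CONSUMER, PROVIDER = "consumer", "provider"

# (manager, visible_to_consumer) per layer and service model, read from the
# section text. Assumptions: layers the page only calls "hidden" are managed by
# the provider, and the host OS is not visible to any consumer.
SCOPE = {
    "application": {"SaaS": (PROVIDER, True), "PaaS": (CONSUMER, True),
                    "IaaS": (CONSUMER, True)},
    "middleware":  {"SaaS": (PROVIDER, False), "PaaS": (PROVIDER, True),
                    "IaaS": (CONSUMER, True)},
    "guest_os":    {"SaaS": (PROVIDER, False), "PaaS": (PROVIDER, False),
                    "IaaS": (CONSUMER, True)},
    "host_os":     {"SaaS": (PROVIDER, False), "PaaS": (PROVIDER, False),
                    "IaaS": (PROVIDER, False)},
}


def route(finding, model):
    """Return the queue a finding belongs in for a workload on `model`."""
    try:
        manager, visible = SCOPE[finding["layer"]][model]
    except KeyError as exc:
        raise ValueError(f"unknown layer or service model: {exc}") from None
    if manager == CONSUMER:
        return "consumer-remediates"
    # Provider-managed: the consumer can report issues in layers it uses, but
    # for hidden layers it depends on SLA terms and a cloud auditor's assessment.
    return "report-to-provider" if visible else "sla-or-audit-evidence"


def triage(findings, model):
    """Group finding ids by queue, preserving input order."""
    queues = {}
    for finding in findings:
        queues.setdefault(route(finding, model), []).append(finding["id"])
    return queues


# Constructed sample findings (not from the page).
SAMPLE = [
    {"id": "F1", "layer": "application"},
    {"id": "F2", "layer": "middleware"},
    {"id": "F3", "layer": "guest_os"},
    {"id": "F4", "layer": "host_os"},
]

if __name__ == "__main__":
    for model in ("SaaS", "PaaS", "IaaS"):
        print(model, triage(SAMPLE, model))
```

The same four findings land almost entirely with the consumer under IaaS and almost entirely behind SLA or audit evidence under SaaS, which is where the cloud auditor role becomes the consumer's main source of assurance.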
