Following on the heels of its December guidance on cloud privacy and security, NIST has released SP 800-146, “Cloud Computing Synopsis and Recommendations.” The new guidance describes cloud computing services in each of its typical forms — Software-as-a-Service, Infrastructure-as-a-Service and Platform-as-a-Service — and sets out different scenarios to explain how cloud services are implemented. SP 800-146 goes on to discuss typical commercial terms and ongoing issues in cloud computing such as compliance, information security, and reliability.
In its description of each flavor of cloud services, SP 800-146 explains how clients interact with the service, describes the “software stack” and who controls each layer in the stack, discusses benefits, issues and concerns, and makes recommendations for using that particular cloud model. For example, in a Software-as-a-Service model, SP 800-146 recommends analyzing the provider’s data protection capabilities, including protection mechanisms, location configurations, and the provider’s ability to meet confidentiality, compliance, integrity and availability needs.
The typical commercial terms discussed in the guidance include reliability, remedies for failure to perform, data preservation and legal care of consumer information. SP 800-146 goes on to describe typical limitations in provider policies, such as scheduled maintenance, force majeure events, and service agreement changes. These are a few, but not all, of the issues that both customers and providers should weigh carefully when considering cloud services agreements, and they can mean the difference between a successful cloud deployment and a costly failure.
The NIST cloud computing guidance is an excellent overview of the current framework and issues in cloud computing. While the guidance strays into technical concepts at times, SP 800-146 is written in language generally understandable to the non-technical. NIST SP publications are not standards or regulations that require compliance, but they offer a well-researched look into relevant technologies and are respected in the industry. Anyone interested in how cloud computing works and its challenges will find SP 800-146 to be a useful and informative read.