Upload
trananh
View
216
Download
1
Embed Size (px)
Citation preview
The attached DRAFT document (provided here for HISTORICAL purposes) has been superseded by the following publication:
Publication Number: Special Publication 800-146
Title: Cloud Computing Synopsis and Recommendations
Publication Date: 05/29/2012
Final Publication: http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf
Related Information on CSRC: http://csrc.nist.gov/publications/PubsSPs.html#800-146
Information on other NIST Computer Security Division publications and programs can be found at: http://csrc.nist.gov/
http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdfhttp://csrc.nist.gov/publications/PubsSPs.html#800-146http://csrc.nist.gov/
The following information was posted with the attached DRAFT document:
NIST Computer Security Division 800-146, Cloud Computing Synopsis and Recommendations May 29, 2012
The final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations is NISTs general guide to cloud computing. It explains cloud systems in plain language and provides recommendations for information technology decision makers ranging from chief information officers, information systems developers, system and network administrators, information system security officer and systems owners. This document presents information on how clouds are deployed, what kind of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues. It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing.
Special Publication 800-146
DRAFT Cloud
Computing Synopsis
and Recommendations
Recommendations of the National Institute of Standards and Technology
LeeBadger Tim Grance RobertPatt-Corner JeffVoas
DRAFT Cloud Computing Synopsis and NIST Special Publication 800-146 Recommendations
Recommendations of the National Institute of Standards and Technology
Lee Badger Tim Grance Robert Patt-Corner Jeff Voas
C O M P U T E R S E C U R I T Y
Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930
May 2011
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Patrick D. Gallagher, Director
DRAFT CLOUD COMPUTING SYNOPSIS AND RECOMMENDATIONS
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nations measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITLs responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITLs research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-146 Natl. Inst. Stand. Technol. Spec. Publ. 800-146, 84 pages (May 2011)
Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
ii
DRAFT CLOUD COMPUTING SYNOPSIS AND RECOMMENDATIONS
Acknowledgments
The authors, Lee Badger of the National Institute of Standards and Technology (NIST), Tim Grance, of the National Institute of Standards and Technology (NIST), Robert Patt-Corner of Global Tech, Inc, and Jeff Voas of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content. The authors gratefully acknowledge and appreciate the contributions from individuals and organizations whose comments improved the overall quality of this publication.
Trademark Information
All names are trademarks or registered trademarks of their respective owners.
iii
DRAFT CLOUD COMPUTING SYNOPSIS AND RECOMMENDATIONS
Table of Contents
Executive Summary.................................................................................................................... 1
1. Introduction .......................................................................................................................1-1 1.1 Authority................................................................................................................... 1-1 1.2 Purpose and Scope ................................................................................................. 1-1 1.3 Audience .................................................................................................................. 1-1 1.4 Document Structure ................................................................................................. 1-1
2. Cloud Computing Definition ............................................................................................2-1
3. Typical Commercial Terms of Service ............................................................................3-1 3.1 Promises .................................................................................................................. 3-1 3.2 Limitations................................................................................................................ 3-2 3.3 Obligations ............................................................................................................... 3-2 3.4 Recommendations ................................................................................................... 3-3
4. General Cloud Environments ..........................................................................................4-1 4.1 Understanding Who Controls Resources in a Cloud ............................................... 4-3 4.2 The On-site Private Cloud Scenario ........................................................................ 4-4 4.3 The Outsourced Private Cloud Scenario ................................................................. 4-7 4.4 The On-site Community Cloud Scenario ................................................................. 4-9 4.5 The Outsourced Community Cloud Scenario ........................................................ 4-12 4.6 The Public Cloud Scenario .................................................................................... 4-13 4.7 The Hybrid Cloud Scenario.................................................................................... 4-15
5. Software-as-a-Service Environments .............................................................................5-1 5.1 Abstract Interaction Dynamics ................................................................................. 5-2 5.2 Software Stack and Provider/Subscriber Scopes of Control.................................... 5-3 5.3 Benefits .................................................................................................................... 5-4
5.3.1 Very Modest Software Tool Footprint...........................................................5-4 5.3.2 Efficient Use of Software Licenses...............................................................5-4 5.3.3 Centralized Management and Data .............................................................5-4 5.3.4 Platform Responsibilities Managed by Providers.........................................5-5 5.3.5 Savings in Up-front Costs ............................................................................5-5
5.4 Issues and Concerns ............................................................................................... 5-5 5.4.1 Browser-based Risks and Risk Remediation ...............................................5-5 5.4.2 Network Dependence...................................................................................5-6 5.4.3 Isolation vs. Efficiency (Security vs. Cost Tradeoffs) ...................................5-6
5.5 Candidate Application Classes ................................................................................ 5-7 5.6 Recommendations for Software as a Service.......................................................... 5-8
6. Platform-as-a-Service Cloud Environments...................................................................6-1 6.1 Abstract Interaction Dynamics ................................................................................. 6-1 6.2 Software Stack and Provider/Subscriber Scopes of Control.................................... 6-3 6.3 Benefits .................................................................................................................... 6-3
6.3.1 Facilitated Scalable Application Development and Deployment ..................6-4 6.4 Issues and Concerns ............................................................................................... 6-4
6.4.1 Lack of Portability between PaaS Clouds ............................................