Mell and Grance (2011), in NIST Special Publication 800-145, defined cloud computing as a model with five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service), three service models (Infrastructure as a Service, Platform as a Service, Software as a Service), and four deployment models (private, community, public, hybrid). The document is two pages long and remains the most-cited US Government cloud-computing definition.
The definition matters for security work because the service-model distinction tells you who is responsible for what. In IaaS the cloud provider runs the physical hardware and the hypervisor; the customer runs the guest operating system and everything above it. In PaaS the provider's responsibility extends up through the runtime; the customer owns the application code, data, and identity. In SaaS the provider runs almost everything; the customer keeps responsibility for identity, data classification, and the configuration of the SaaS application itself. Almost every cloud-security incident traces to one of those seams: a control that each party assumed the other was operating.
NIST SP 500-292 (Liu et al. 2011) extended SP 800-145 with a reference architecture: five major actors (cloud consumer, cloud provider, cloud carrier, cloud auditor, cloud broker) with explicit role definitions and the security activities each performs. As a security engineer you read SP 500-292 to understand which controls are properly the customer's responsibility, which the provider's, and which are shared. AWS, Microsoft, and Google all publish 'shared-responsibility' diagrams that compress this into a single image; the NIST publications give you the underlying vocabulary to read those diagrams critically when a vendor's diagram leaves out an important seam.
Key takeaways
- NIST SP 800-145 defines five cloud characteristics, three service models (IaaS, PaaS, SaaS), and four deployment models. It is the foundational definition every cloud-security framework cites.
- NIST SP 500-292 gives the reference architecture with five actors and the security responsibilities of each. It is the lens for reading vendor shared-responsibility diagrams.
- Most cloud incidents map to a misunderstood seam in the shared-responsibility model. The customer is always responsible for IAM and data classification.
Sources
- Mell, P., & Grance, T. (2011). The NIST Definition of Cloud Computing (NIST Special Publication 800-145). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-145
- Liu, F., Tong, J., Mao, J., Bohn, R., Messina, J., Badger, L., & Leaf, D. (2011). NIST Cloud Computing Reference Architecture (NIST Special Publication 500-292). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-292.pdf