Are the feds the first to a common cloud definition?
A recent draft of a government standard definition of cloud computing from the NIST is surprisingly workable. Could it be that the feds beat the commercial sector to the punch on this one?
Update: Corrected Reuven Cohen's title and added link to Chris Hoff's post.
Update 2:The NIST has added a Web page with links to the definition, and an email address where one can send comments.
Reuven Cohen, CTO of cloud infrastructure vendor Enomaly, recently posted a review of his trip to Washington, D.C. to speak to a variety of federal officials about the potential for cloud computing in government. Reuven points out that the enthusiasm with which the federal government is pursuing the cloud may in fact be putting the private sector to shame.
And it makes sense--my own trip to Cleveland for Collaboration Technology and Engaging the Campus 2009 at Case Western Reserve University showed me that the public sector is eager to get rid of data centers in order to focus funds and effort on delivering value to their respective "customers." For higher education, it appears that SaaS and collaborative technologies stand to benefit greatly from this trend. I would expect the same from most nondefense government agencies.
Reuven also notes that one of the most impressive artifacts from his trip was "a draft definition for federal use of cloud computing" from the National Institute of Technology and Standards, a nonregulatory arm of the Commerce Department. I'll include the definition in its entirety at the end of this post
Reuven argues (I think rightly) that the feds pretty much have this definition well in hand at this point:
...(The NIST's) definition of cloud computing will be the de facto standard definition that the entire US government will be given...In creating this definition, NIST consulted extensively with the private sector including a wide range of vendors, consultants and industry pundants including your truly. Below is the draft NIST working definition of Cloud Computing. I should note, this definition is a work in progress and therefore is open to public ratification & comment. The initial feedback was very positive from the federal CIO's who were presented it yesterday in DC. Baring any last minute lobbying I doubt we'll see many more major revisions.
Chris Hoff reviewed the definition on his Rational Survivability blog, and notes one key disappointment with Reuven's claim that the definition is open to public review:
...for being "...open to public ratification & comment," I can't seem to find it anywhere except for references to its creation as a deliverable in FY09 in a presentation from December, 2008. I searched NIST's site, but perhaps I'm just having a bad search day.
I went looking as well, and also failed to find the "public review" process and/or site. If anyone reading this knows where to find it, please comment below.
All in all, I love what I read here. It goes well against the definition we have been using at Cisco Systems (which you can read in an earlier post). It also sounds like it jibes well with Chris Hoff's work on the Cloud Security Alliance guidance paper. Both the fed and CSA definitions are a little long, but you know what? I can live with that if they can drive concensus and further the conversation past this marketing infighting the "cloud-o-sphere" has been experiencing for the last year.
The one thing I was initially concerned about was the introduction of the "community cloud" concept, which is defined as a cloud "shared by several organizations and support(ing) a specific community that has shared concerns." My unease was the same as the discomfort I had with Hoff's "Managed Cloud" concept--they are both just variants of "Private Clouds" targeted at specific types of implementations.
However, I'm beginning to believe that subdividing "private cloud" for a few specific use cases makes some sense. "Community cloud" is certainly something with a specific, useful connotation. I think "managed cloud" also fits that bill. As long as they are used consistently, I think both are valuable terms--and there probably are others.
Anyway, take a look at the NIST definition, and let me know what you think.
Draft NIST Working Definition of Cloud Computing
4-24-09
Peter Mell and Tim Grance - National Institute of Standards and Technology, Information Technology Laboratory
Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.
Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.
Definition of Cloud Computing:
Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models.
Key Characteristics:
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed without requiring human interaction with each service's provider.
Ubiquitous network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Location independent resource pooling. The provider's computing resources are pooled to serve all consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. The customer generally has no control or knowledge over the exact location of the provided resources. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capabilities can be rapidly and elastically provisioned to quickly scale up and rapidly released to quickly scale down. To the consumer, the capabilities available for rent often appear to be infinite and can be purchased in any quantity at any time.
Pay per use. Capabilities are charged using a metered, fee-for-service, or advertising based billing model to promote optimization of resource use. Examples are measuring the storage, bandwidth, and computing resources consumed and charging for the number of active user accounts per month. Clouds within an organization accrue cost between business units and may or may not use actual currency.
Note: Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.
Delivery Models:
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created applications using programming languages and tools supported by the provider (e.g., java, python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to rent processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers).
Deployment Models:
Private cloud. The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
Public cloud. The cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (internal, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting).
Each deployment model instance has one of two types: internal or external. Internal clouds reside within an organizations network security perimeter and external clouds reside outside the same perimeter.