Cybertelecom
Federal Internet Law & Policy
An Educational Project
Cloud Computing

"Cloud computing is an emerging form of computing that relies on Internet-based services and resources to provide computing services to customers, while freeing them from the burden and costs of maintaining the underlying infrastructure. Examples of cloud computing include Web-based e-mail applications and common business applications that are accessed online through a browser, instead of through a local computer." [GAO-10-513 p 2]

Cloud computing is nothing new. Remote computing, remote terminals, and accessing data and processing in the network go back to the early days of computer networking. In 1970, Larry Roberts described the ARPANET as follows:

"The data sharing between data management systems or data retrieval systems will begin an important phase in the use of the Network. The concept of distributed databases and distributed access to the data is one of the most powerful and useful applications of the network for the general data processing community. As described above, if the Network is responsive in the human time frame, databases can be stored and maintained at a remote location rather than duplicating them at each site the data is needed. Not only can the data be accessed as if the user were local, but also as a Network user he can write programs on his own machine to collect data from a number of locations for comparison, merging or further analysis." [Roberts Wessler 1970]

See also Leonard Kleinrock, et al., Realizing the Information Future: The Internet and Beyond, National Research Council 76 (1994) ("Thus a new paradigm is emerging in which location-independent access to personal and shared data, resources, and services will be the goal of our information processing infrastructure.")

Risks and Benefits

Issues

What is cloud computing, by USG

Definition

[FINAL] A NIST Definition of Cloud Computing Sept 2011 SP800-145.pdf | Press Release

According to the official NIST definition, "cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

DRAFT A NIST Definition of Cloud Computing NIST SP 800-145 restates the existing NIST cloud computing definition as a formal NIST publication. NIST requests comments and suggested changes to draft documents. Please submit the comments on the SP drafts to 800-145comments@nist.gov no later than February 28, 2011. Draft-SP-800-145_cloud-definition.pdf (187 KB)

Derived From: Peter Mell and Tim Grance, The NIST Definition of Cloud Computing Version 15, 10-7-09

National Institute of Standards and Technology, Information Technology Laboratory

Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.

Definition of Cloud Computing:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Essential Characteristics:

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models:

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Note: Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.

Federal Cloud

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Cloud computing is a new name for an old concept: the delivery of computing services from a remote location, analogous to the way electricity, water, and other utilities are provided to most customers. Cloud computing services are delivered through a network, usually the Internet. Some cloud services are adaptations of familiar applications, such as e-mail and word processing. Others are new applications that never existed as a local application, such as online maps and social networks.

Since 2009, the federal government has been shifting its data storage needs to cloud-based services and away from agency-owned data centers. This shift is intended to reduce the total investment by the federal government in information technology (IT) (data centers), as well as realize other stated advantages of cloud adoption: efficiency, accessibility, collaboration, rapidity of innovation, reliability, and security.

In December 2010, the U.S. Chief Information Officer (CIO) released “A 25-Point Implementation Plan to Reform Federal IT Management” as part of a comprehensive effort to increase the operational efficiency of federal technology assets. One element of the 25-Point Plan is for agencies to shift to a “Cloud First” policy, which is being implemented through the Federal Cloud Computing Strategy. The Cloud First policy means that federal agencies must (1) implement cloud-based solutions whenever a secure, reliable, and cost-effective cloud option exists; and (2) begin reevaluating and modifying their individual IT budget strategies to include cloud computing.

However, there are challenges facing agencies as they make this shift. For example, some agency CIOs have stated that in spite of the stated security advantages of cloud computing, they are, in fact, concerned about moving their data from their data centers, which they manage and control, to outsourced cloud services. This and other concerns must be addressed to build an agency culture that trusts the cloud.

NIST Cloud Computing Forum Nov. 2010

Costs

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

The potential financial benefits from cloud computing arise largely from the capability of this approach to provide far more efficient use of IT resources. Most commercial cloud services involve a different payment and cost model than local computing. Cloud providers make infrastructure investments that can lower cost barriers for IT end users, who can access services requiring expensive hardware or software without having to invest in it. Users pay only for the computing power that they consume. This approach to pricing is sometimes referred to as the “utility computing model” because of its similarity to how utilities such as electricity, water, and gas are provisioned. The model allows on-demand scalability that can meet a user’s peak service requirements without the user having to invest in infrastructure to meet such requirements. Such peak demand may be periodic, as in the case of seasonal changes in use, or episodic, as in the case of a software developer needing temporary increases in computing capability for application development or testing.

With local IT, in contrast, users must acquire and maintain sufficient hardware, software, and other local resources, such as personnel, to provide for usage that varies over time, often in an unpredictable way. For example, even on most desktop computers, much of the memory and hard drive, and many applications, are usually idle. That is often also true for local servers and is one of the arguments made by the Obama Administration for its Federal Data Center Consolidation Initiative (FDCCI). For example, for FY2012 the Treasury Department projected that in most of its data centers, servers would be idle more than one-third of the time on average.

With cloud computing, in contrast, users need not invest in resources that will often remain idle, but can acquire and pay for services only as they use them. According to some economic analyses, cloud computing using a public cloud can produce savings over local computing when demand for a service varies significantly over time or cannot be predicted. Also, as the cloud computing market continues to develop, it may result in a small number of large providers of cloud infrastructure most capable of taking advantage of the benefits of economies of scale. Additional potential financial benefits of cloud computing include the savings cloud providers may realize from locating facilities in areas with lower-than-average energy and labor costs.

In addition, cloud computing shifts some financial risks from the user to the provider. For example, if a new application that requires significant computing power proves unsuccessful, the implementing business or government agency would lose only the cost of the cloud services required, rather than the major investment in local IT that would have been required to provide the equivalent computing power.

In at least some cases, however, costs associated with cloud computing may outweigh potential financial benefits. One commonly cited cost is migration. If a user needs to move resources such as data from its own local facilities to those of the cloud provider, there will be a cost for such migration. That cost will depend on a number of factors, such as the size of the resources being moved, the method by which they are moved, and whether the resources will need to be modified. Such costs are also a consideration with respect to a potential move from one cloud provider to another. If a provider uses a nonstandard, proprietary platform, that would likely increase the cost of switching to another provider.

The potential economic benefits of cloud computing are also expected to vary depending on the deployment model. Use of a public cloud is thought to create greater savings in general than use of a private cloud. Presumably, that is because the former can take more advantage of economies of scale and other efficiencies, and is more subject to the effects of market competition. In addition, costs associated with inefficient use of local IT may be transferred to the cloud environment in some cases. For example, some organizations that maintained unused software in their local environments have retained similar software in switching to SaaS, incurring the costs associated with that inefficiency.

Although most observers appear to believe that cloud computing can offer substantial economic benefits, attempts to project the cost advantages vary widely, with cloud services estimated to cost anywhere from 10% to 250% as much as local IT, but with most estimates projecting savings of at least 50%. The large variation appears to reflect uncertainties arising not only from imperfect understanding of the economics of cloud computing in general, but also from variations in need and circumstance among potential users and uses. For example, a large organization that has a highly efficient data center may not benefit economically by moving it to a public cloud, whereas a small one might benefit. Also, migration costs are likely to vary among different local computing environments. Some observers also have expressed skepticism about the accuracy of analyses purporting to show significant cost advantages, cautioning that they may be outdated or incomplete.

Energy Efficiency

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Computers, servers, and related devices require large amounts of energy to manufacture, and they account for a growing share of world energy consumption. “Green computing” is often cited as a potential benefit of cloud computing. It makes heavy use of data centers, which can be specifically designed for efficient power usage and cooling. Taking advantage of economies of scale, cloud computing can potentially deliver computing power to many users much more efficiently than would be possible with local computing. Google has projected that a small office of 50 workers would use only 1% as much energy per user if it used Gmail cloud-based e-mail service rather than relying on local servers, although this level of savings is diminished for larger businesses.

By using a utility business model, cloud computing can provide incentives for efficient use of computing resources. Users pay only for the power they consume, and thus have an incentive to consume only what they need.

Despite such potential, cloud computing is not necessarily inherently efficient. According to some analyses, typical measures taken by providers to ensure reliability can be energy inefficient or have other negative environmental effects. More generally, to the extent that innovations arising from cloud computing result in increased demand for computing resources, cloud computing could drive an increase in overall use of information technology, just as the advent of personal computing led to such an increase.

Also, potential benefits and costs may vary among users, depending on their particular needs. A Department of Energy (DOE) report on its Magellan project, which was designed to investigate the potential of cloud computing to meet the department’s scientific computing needs, concluded that switching from the current non-cloud approach to public- or private-cloud computing would be more expensive and no more efficient, in part because of the special needs associated with scientific computing.

Availability

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Cloud computing may provide both advantages and disadvantages with respect to availability. It can improve availability by using Internet connectivity to provide mobile computing services, so that users can access data and applications wherever they can get an Internet connection. Its flexible capacity and scalability can also reduce the risk of downtime for a website or other service. Scalable cloud hosting sources may also make web-based services more resilient to denial of service and similar cyberattacks.

However, reliance on the Internet for cloud computing means that, in contrast to local computing, an Internet connection failure would prevent a user from accessing computing services. In contrast, a local network could still function. Loss of Internet access could be especially significant if users rely on thin clients, which may not have sufficient computing power to run applications locally in the event of a connection failure. Nevertheless, Internet outages are commonly thought to be far less common than outages of local networks, and even that risk can be reduced, for example by use of more than one provider.

Effective use of cloud computing depends on access to high-speed Internet or mobile telecommunications. Such broadband access is not evenly distributed within the United States. Rural access is significantly lower than that in urban areas, resulting in much greater access to cloud services in cities. If the use of cloud computing accessed through thin clients continues to grow in market share, that “digital divide” between areas with and without high-speed network access could become more pronounced. The American Recovery and Reinvestment Act of 2009 (P.L. 111-5) included $7.2 billion for expansions to rural broadband infrastructure, and some other countries have devoted resources to facilitate ubiquitous access to high speed Internet.

Agility

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Cloud computing can be more agile than local computing in at least two ways. It can permit faster and more efficient implementation of upgrades and other technological advances. It can also provide innovators with a broader range of scalable tools for research, development, and testing than they would be able to acquire cost-effectively for a local computing environment.

In some ways, agility can be more limited under cloud computing than local computing. Differences among providers may limit portability and interoperability. If a user wishes to switch to a new provider, because of dissatisfaction or some other factor such as the original provider going out of business, portability may be a problem. The platform used by the new provider may require substantial modifications to data or other resources being moved or may even be incompatible. Provider variation may also hinder interoperability, which would be needed, for example, if users wish different providers to supply different services involving a common set of data or applications. This may be less of a problem with local computing, which usually employs standard hardware and software platforms so that data and applications can be used by different persons or moved to new hardware without a need for significant modification. These limitations might be addressed in the future by the creation and adoption of appropriate portability and interoperability standards for cloud computing.

Cloud computing may also be less capable than local computing in creating and implementing some specialized applications, such as in scientific research. For example, DOE’s report on its Magellan project found that cloud computing did not meet several requirements for the kinds of scientific data and applications used in research and development (R&D) at the department.

Privacy

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Privacy is a concern, especially for public and hybrid cloud services. The greater direct control that private clouds give to users over hardware and software may provide them more control over management of privacy.

Establishing an effective and appropriate legal structure for regulating cloud computing services is imperative, as cloud usage is expected to represent more than half of all Internet use by the end of this decade. Globally, advances in technology services such as cloud computing paired with how those services are used by consumers have increased the difficulty of maintaining the appropriate legal balance between individual rights and the needs of law enforcement. As the depth and breadth with which consumers incorporate cloud services into their daily lives increases, the need for balance becomes even more important, but also more difficult to attain.

In the United States, the Electronic Communications Privacy Act of 1986 (ECPA) governs the privacy of electronic communications. However, ECPA leaves gaps in how to treat certain now commonly used services, such as web-based e-mail and documents created and stored in the cloud (e.g., Google Docs); such services had not been created, nor even conceived, when the law was enacted. Many contend that ECPA is a difficult law to understand and apply, in part because the law is old and relies on a model of electronic mail and Internet activity that is generations behind current practice and technology. It is extremely difficult to interpret or predict the privacy protections available under ECPA for the wide range of cloud computing activities. Companies offering communications and remote storage services (which were in their infancy in 1986), consumers, and law enforcement all seek uniformity in the law, but do not agree on how those changes should be made.

Security

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Some aspects of security in cloud computing are similar to those with local computing involving local networks. Both are potentially subject to attacks aimed at service disruption or theft of information, including espionage. Both are subject to threats from the Internet and from insiders. Vulnerabilities specific to particular operating systems and other applications need to be addressed whether those applications are provided through cloud or local computing.

However, some aspects of cloud computing have security implications that differ substantially from those for local computing. Differences in security of cloud and local computing mirror the differences between concentrated versus distributed resources in general. Thus, the economies of scale associated with cloud computing can permit providers to invest much more effectively in security than most users could with local computing. But such concentration of computing resources also makes cloud providers more inviting targets for potential attackers and increases the potential impact of an attack. With local computing, each user constitutes a point of attack that must be defended separately, but the impact of an attack is generally limited to that user. With cloud computing, both the points of attack and the defenses are concentrated, as is the value of the target.

Some other security issues are more specific to cloud computing. For example, the sharing of computing resources by different customers that permits the economies of scale in cloud computing creates unique security requirements associated with that multi-tenancy. Also, use of a public cloud provider creates a potential for ambiguity in how to assign security responsibilities to the provider and to the user. The user’s data and other resources are housed off-site and are therefore under the control of the cloud provider—the owner of the data effectively cedes control of it to the provider, and possibly even a third party that the cloud provider might use.

In addition to direct concerns, other security-related factors may need to be considered. For example, the degree of legal protection afforded to information in the cloud may be significantly lower if it is stored in a public cloud rather than on a local computer. In addition, information could potentially be stored on servers in countries other than that in which the customer resides, thereby potentially subjecting the information to different or even conflicting legal requirements for privacy and auditability. Within the United States, different federal laws apply to different kinds of data, for example health and financial information. State requirements also vary.

Reliability

Derived From: Eric A. Fischer, Patricia Moloney Figliola, Overview and Issues for Implementation of the Federal Cloud Computing Initiative: Implications for Federal Information Technology Reform Management, CRS 7-5700 April 23, 2013

Services hosted in the cloud may be distributed among several different data centers. That distribution can potentially improve reliability over use of only a local data center, especially if combined with redundancy. However, there have been cases in recent years of downtime at the IaaS level that caused widespread service interruptions. Despite the publicity such disruptions received, service downtimes in cloud computing have been rare, and many observers consider cloud hosting to be more reliable than local hosting.

NIST has also raised the issue of the service-level agreements (SLAs) that customers sign when procuring cloud services. While reliability is a key element addressed by practically every SLA, how it is defined, what is being measured, and the associated guarantees vary. These leave customers to evaluate different SLAs with cloud providers that may define reliability using different—

  • terms (uptime, resilience, or availability);
  • resources (servers, HVAC systems, customer support);
  • time periods (hours, days, years); and
  • risk guarantees (response time versus resolution time).