Cybertelecom Federal Internet Law & Policy An Educational Project

Cloud Computing Notes

"Cloud computing is an emerging form of computing that relies on Internet-based services and resources to provide computing services to customers, while freeing them from the burden and costs of maintaining the underlying infrastructure. Examples of cloud computing include Web-based e-mail applications and common business applications that are accessed online through a browser, instead of through a local computer." [GAO-10-513 p 2]

Cloud computing is nothing new. Remote computing, remote terminals, and accessing data and processing in the network goes back to the early days of computer networking. In 1970, Larry Roberts described the ARPANET as follows:

"The data sharing between data management systems or data retrieval systems will begin an important phase in the use of the Network. The concept of distributed databases and distributed access to the data is one of the most powerful and useful applications of the network for the general data processing community. As described above, if the Network is responsive in the human time frame, databases can be stored and maintained at a remote location rather than duplicating them at each site the data is needed. Not only can the data be accessed as if the user were local, but also as a Network user he can write programs on his own machine to collect data from a number of locations for comparison, merging or further analysis." [Roberts Wessler 1970]

Issues

• Consumer
  • Notice / Disclosure to Consumer
  • 
    
  Consumer Trust in Cloud Service Necessary for Success (see Kevin Werbach Congressional Testimony)
• Intellectual Property:
  • Who Owns the data
• Security: Security of the Information
• Risk Assessment
• Data Breach
• Data Loss
• Encryption
  • Key Management
    • Who owns / controls keys
• Location of Data
  • Requirement that Data stay within jurisdiction
  • Assumption that location of data = control
  • Assumption that exportation of data = loss jobs
  • Laws of Jurisdiction where Data Resides, permitting different levels access
    • Ability of jurisdiction to coerce disclosure (including jailing local employees until disclosure)
• Outsourcing Security to Security Expert Firm
• Consumer Trust in Cloud Service Necessary for Success (see Kevin Werbach Congressional Testimony)
• Privacy:
  • Geolocation
  • Consumer Trust in Cloud Service Necessary for Success (see Kevin Werbach Congressional Testimony)
  • ECPA Reform
  • EU Data Directive
• Location
  • Jurisdiction: Who has jurisdiction over data
    • EU
  • Interoperability / Fragmentation / Cross Border Data Flows
    • Increase Cost of Doing Business / Barrier to Entry to Jurisdiction
    • Conflicts between jursidictions
  • Geolocation
• Business Advantages to Firms for Use of Cloud
  • Scale, Efficiency
    • Efficient information sharing
  • Data portability, availability
  • Outsource
    • Maintaining IT Infrastructure
    • Security
  • Business Case
• Termination of service
• Law enforcement: Wiretap, and search and seizure
  • eDiscovery
  • Data Retention Requirements
  • Forensics
  • International Cooperation
  • Liability of Host for Activities / Content of Customers
• Standards
• Government (Government as cloud consumer)
  • Privacy Act (see 5 U.S.C. § 552a(m) application of Privacy Act on Federal Contractors)
  • eGovernment (FOIA, Record Keeping)
  • Law Enforcement / Intelligence Community
  • Buy America Act
    
  • Federal Incident Reporting Guidelines, US CERT
  • FISMA
  • Privacy Impact Assessments
  • 26 U.S.C. § 6103 Tax Records
  • 13 U.S.C. § 5 Census Records
  • Sec. 508
  • Breach Notification
  • Risk Assessment

Definition

[FINAL] A NIST Definition of Cloud Computing Sept 2011 SP800-145.pdf | Press Release

According to the official NIST definition, "cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

DRAFT A NIST Definition of Cloud Computing NIST SP 800-145 restates the existing NIST cloud computing definition as a formal NIST publication. NIST requests comments and suggested changes to draft documents. Please submit the comments on the SP drafts to 800-145comments@nist.gov no later than February 28, 2011 .Draft-SP-800-145_cloud-definition.pdf (187 KB)

Derived From: Peter Mell and Tim Grance, The NIST Definition of Cloud Computing Version 15, 10-7-09

National Institute of Standards and Technology, Information Technology Laboratory

Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.

Definition of Cloud Computing:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction . This cloud model promotes availability and is composed of five essential characteristics, three service models , and four deployment models .

Essential Characteristics:

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service's provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling. The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS) . The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models:

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud . The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Note: Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.

Risks and Benefits

• Benefits
  • Ubiquitious availability of services
  • Cost efficiencies
  • Outsource IT to IT experts
  • Services may be more secure and more robust
• Risks
  • Lose control of IT
  • Lose control over data
  • Data may be stored extra-territorially
  • Introduce new threats and vulnerabilities
  • Lock in to proprietary provider
  • Vulnerabible to proprietary provider's business plan (or failure)
  • Operate in new IT environment in which your staff has not been fully trained

Security

• SP 800-144 DRAFT Guidelines on Security and Privacy in Public Cloud Computing NIST SP 800-144 provides an overview of the security and privacy challenges for public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment. NIST requests comments and suggested changes to draft documents. Please submit the comments on the SP drafts to 800-144comments@nist.gov no later than February 28, 2011 . Draft-SP-800-144_cloud-computing.pdf (505 KB)
• Appendix J: Privacy Control Catalog (Working Draft V.3) of NIST Special Pub 800-53 Security & Privacy Controls for Federal Information Systems & Organizations) (July 2011)

RFCs

• NIST Seeks Comments on Draft Guide to Cloud Computing From NIST  Tech Beat :  May 12, 2011
  Contact: Evelyn Brown (301) 975-5661
  

  The cloud computing research team at the National Institute of Standards and Technology (NIST) is requesting public comments on a draft of its most complete guide to cloud computing to date.

  NIST Cloud Computing Synopsis and Recommendations (Special Publication 800-146) explains cloud computing technology in plain terms and provides practical information for information technology decision makers interested in moving into the cloud. Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources-for example networks, servers, storage, applications and services-that can be rapidly provisioned and released with minimal management effort or service provider interaction.

  The Federal CIO has asked NIST to lead federal efforts on standards for data portability, cloud interoperability and security. The goal is to help the federal government reap the benefits of cloud computing.

  "Cloud computing is not a single kind of system," explains project leader Lee Badger. "Since cloud computing spans a spectrum of underlying technologies and configuration possibilities, each organization's requirements call for different cloud technologies and configurations." SP 800-146 provides that level of guidance.

  The new guide reviews the NIST definition of cloud computing, provides an overview of cloud environments with detailed discussions of each and then provides a section on each of the main cloud environments-Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service. Each of these sections looks at the environment's scope, its capabilities, benefits, and known issues and concerns. The publication also provides information on how organizations should consider the relative opportunities and risks of cloud computing. A section on Open Issues covers computing performance, reliability, economics, compliance and data and applications security. The final section discusses general recommendations. Appendices cover typical costs of cloud computing, roles and responsibilities, acronyms, terminology and resources for further investigation.

  NIST Cloud Computing Synopsis and Recommendations , SP 800-146, can be downloaded from the NIST Web site. Comments should be sent to 800-146comments@nist.gov by June 13, 2011.

Government Activity

• NIST
  • Draft Cloud Computing Technology Roadmap Released Nov. 1, 2011.  Comments Due Dec. 2, 2011
    
  • NIST Cloud Computing Program
  • NIST Cloud Computing Collaboration Site
  • NIST Cloud Computing Standards Roadmap, NIST CCSRWG-092, First Edition (July 5, 2011) []
  • NIST DRAFT Cloud Computing Synopsis and Recommendations, Spec. Pub. 800-146 May 2011 []
  • NIST Cloud Computing Program Overview
  • NIST May 20, 2010 Cloud Computing Forum & Workshop
• CIO Council
  • Federal CIO Council, Information Security and Identity Management Subcommittee (ISIMC), Network and Infrastructure Security Subcommittee (NISCC), Web 2.0 Security Working Group (W20SWG), Guidelines for Secure Use of Cloud Computing by Federal Departments and Agencies, Coordination Draft Version 0.20.
  • Proposed Security Assessment and Authorization for US Government Cloud Computing, CIO Council, Draft version 0.96 (Nov. 2, 2010) []
• Internet Governance Forum
• FCC CHAIRMAN JULIUS GENACHOWSKI, REMARKS AS PREPARED FOR DELIVERY, "THE CLOUD: UNLEASHING GLOBAL OPPORTUNITIES", ASPEN IDEA PROJECT, BRUSSELS, BELGIUM.  OCH .  MARCH 24, 2011 TXT
• Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing, GAO Report to Congressional Requesters, GAO-10-513 May 2010
• Kundra, Vivek, State of Public Sector Cloud Computing, May 20, 2010
• European Network and Information Security Agency (ENISA). 2009. Cloud Computing: Benefits, risks and recommendations for information security . November 20.

Papers

• William Jeremy Robison , Free at What Cost?: Cloud Computing Privacy Under The Stored Communications Act , 98 GEO. L.J. 1195, 1199 (April, 2010).
• Ristenpart, Thomas, et al. 2009. "Hey, You, Get Off of My Cloud." Proceedings of the ACM Conference on Computer and Communications Security, Chicago , November 9-13, pp. 199-212
• Cachin, Christian. 2009. "Trusting the Cloud." ACM SIGACT News (40:2), June, pp.81-86.
• Nelson, Michael R. 2009. "Building an Open Cloud." Science , v.324, June 26, pp.1656-7.
• Armbrust, M., A. Fox, R. Griffith, A. Joseph, R. Katz, A. Konwinski, G. Lee, D. Patterson, A. Rabkin, I. Stoica, and M. Zaharia (2009), Above the Clouds: A Berkeley View of Cloud Computing , UC Berkeley Reliable Adaptive Distributed (RAD) Systems Laboratory, Berkeley, www.eecs. berkeley .edu/Pubs/TechRpts/2009/EECS-2009-28.pdf
• David A. Couillard, Note, Defogging the Cloud: Applying Fourth Amendment Principles to Evolving Privacy Expectations in Cloud Computing, 93 Minn. L. Rev. 2205 (2009)
• Etro, F. (2010) "The Economic Consequences of the Diffusion of Cloud Computing", in S. Dutta and I. Mia (eds.), The Global Information Technology Report 2009-2010, World Economic Forum, Geneva.
• Shahid Khan, "APPS.GOV": ASSESSING PRIVACY IN THE CLOUD COMPUTING, 11 N.C. J.L. & TECH. ON. 259 (2010)
• Kundra, V. (2010), State of Public Sector Cloud Computing , US Chief Information Officers Council, www.cio.gov/documents/StateOfCloudComputingReport-FINALv3_508.pdf .
• D Murley, What is Cloud Computing, Law Library Journal
• OECD (2009), ICCP Technology Foresight Forum - Cloud Computing: The Next Computing Paradigm? , OECD, 14 Octobre, www.oecd.org/sti/ict/cloudcomputing
• OECD (2009), "Briefing Paper for the ICCP Technology Foresight Forum - Cloud Computing and Public Policy", ICCP Technology Foresight Forum - Cloud Computing: The Next Computing Paradigm? , OECD, Paris.
• Schubert, L., Jefferey, K. and B. Neidecker-Lutz (2010), The Future of Cloud Computing: Opportunities for European Cloud Computing beyond 2010, Public Version 1.0, http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf
• West, D. (2010), Saving Money Through Cloud Computing , Governance Studies, The Brookings Institutions, Washington DC
• World Economic Forum and Accenture (2010), Exploring the Future of Cloud Computing: Riding the Next Wave of Technology-Driven Transformation , World Economic Forum, Geneva.

Links

• Cloud Security Alliance

News

• When a cloud service vanishes: How to protect your data, CW 8/10/2011
• Amazon cloud outage downs Netflix, Quora, CNET 8/10/2011
• So long computer overlords - how clouds can liberate research and transform discovery, Bill St Arnaud 8/5/2011
• Watch Out: The Feds Want to Regulate the Cloud, PC world 8/5/2011
• NIST Releases New DRAFT Cloud Computing Synopsis, Info Law Group 5/20/2011
• Amazon gets 'black eye' from cloud outage, CW 4/25/2011
• SP 800-144 DRAFT Guidelines on Security and Privacy in Public Cloud Computing, NIST 2/9/2011
• Paul Lanois, Caught in the Clouds: The Web 2.0, Cloud Computing, and Privacy? NW J. Tech and Intel Prop 2010, NW J Tech & IP 11/17/2010
• What is the 'true' cloud journey?, CNET 9/27/2010
• 
  
• 
  

Web services provided by

: Home : About Us : Contact Us : Sitemap : Discussion : Search : Newsletter : RSS : : ADA : Broadband : Crime : Copyright : DNS : ECommerce : EGovt : First Amendment : Digital Divide : : Network Neutrality : Intl : Privacy : Security : SPAM : Statistics : VoIP : Vote : And Much More! : :: Feedback : Disclaimer ::