The Cloud Reference Architecture

The National Institute of Standards and Technology (NIST) has created a formal cloud reference architecture, which identifies the major actors, their activities, and functions in cloud computing. NIST identifies five different actors in cloud computing:

1. Cloud consumer — A person or organization that maintains a business relationship with and uses service from cloud providers.
2. Cloud provider — A person, organization, or entity responsible for making a service available to interested parties.
3. Cloud auditor — A party that can conduct an independent assessment of cloud service, information system operations, performance, and security of the cloud implementation.
4. Cloud broker — An entity that manages the use, performance, and delivery of cloud services and negotiates relationships between cloud providers and cloud consumers.
5. Cloud carrier — An intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.

The two most prevalent actors are the cloud consumer and the cloud provider. Providers are often referred to as CSPs (cloud service providers). Occasionally you will see a distinction made between a CSP and a specialized provider known as an MSP (managed service provider). A CSP dictates both the technology and operational procedures available to a cloud consumer. With an MSP, however, the cloud consumer is able to dictate the technology and operational procedures. Throughout this course, we’ll use the term CSP broadly to encompass both cloud service providers and managed service providers.

From a security standpoint, whether an organization uses a CSP, MSP, or something in between can greatly alter responsibilities and the ability to mitigate risk. For example, with an MSP, since the consumer is dictating the technology and operations (and likely paying a premium to do so), the consumer also takes on more responsibility and risk. It is important to recognize that in cloud computing, security is a shared responsibility between the consumer and provider. As a security professional, you need a clear and full understanding of the responsibilities of both actors so that a vulnerability does not “fall through the cracks” between them.

The graphic below reviews the five actors in cloud computing.

The NIST Cloud Reference Architecture defines five roles in cloud computing. Chief among them are the cloud consumer and the cloud services provider, which share several security responsibilities.

Recommended for you Cloud Environments – an overview