Cloud computing is an evolving paradigm. The NIST definition characterizes important aspects of cloud computing and is intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion from what is cloud computing to how to best use cloud computing. The service and deployment models defined form a simple taxonomy that is not intended to prescribe or constrain any particular method of deployment, service delivery, or business operation.
Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress.
The purpose of this document is to provide an overview of public cloud computing and the security and privacy challenges involved. The document discusses the threats, technology risks, and safeguards for public cloud environments, and provides the insight needed to make informed information technology decisions on their treatment. The document does not prescribe or recommend any specific cloud computing service, service arrangement, service agreement, service provider, or deployment model. Each organization must perform its own analysis of its needs, and assess, select, engage, and oversee the public cloud services that can best fulfill those needs.
Big Data is a term used to describe the large amount of data in the networked, digitized, sensor-laden, information-driven world. The growth of data is outpacing scientific and technological advances in data analytics. Opportunities exist with Big Data to address the volume, velocity and variety of data through new scalable architectures. To advance progress in Big Data, the NIST Big Data Public Working Group (NBD-PWG) is working to develop consensus on important, fundamental concepts related to Big Data. The results are reported in the NIST Big Data Interoperability Framework (NBDIF) series of volumes. This volume, Volume 1, contains a definition of Big Data and related terms necessary to lay the groundwork for discussions surrounding Big Data.
Big Data is a term used to describe the large amount of data in the networked, digitized, sensor-laden, information-driven world. While opportunities exist with Big Data, the data can overwhelm traditional technical approaches and the growth of data is outpacing scientific and technological advances in data analytics. To advance progress in Big Data, the NIST Big Data Public Working Group (NBD-PWG) is working to develop consensus on important, fundamental concepts related to Big Data. The results are reported in the NIST Big Data Interoperability Framework (NBDIF) series of volumes. This volume, Volume 2, contains the Big Data taxonomies developed by the NBD-PWG. These taxonomies organize the reference architecture components, fabrics, and other topics to lay the groundwork for discussions surrounding Big Data.
Big Data is a term used to describe the large amount of data in the networked, digitized, sensor-laden, information-driven world. While opportunities exist with Big Data, the data can overwhelm traditional technical approaches and the growth of data is outpacing scientific and technological advances in data analytics. To advance progress in Big Data, the NIST Big Data Public Working Group (NBD-PWG) worked to develop consensus on important fundamental concepts related to Big Data. The results are reported in the NIST Big Data Interoperability Framework series of volumes. This volume, Volume 3, contains the original 51 Version 1 use cases gathered by the NBD-PWG Use Cases and Requirements Subgroup and the requirements generated from those use cases. The use cases are presented in their original and summarized form. Requirements, or challenges, were extracted from each use case, and then summarized over all the use cases. These generalized requirements were used in the development of the NIST Big Data Reference Architecture (NBDRA), which is presented in Volume 6. During the development of Version 2 of the NBDIF, the Use Cases and Requirements Subgroup and the Security and Privacy Subgroup identified the need for additional use cases to strengthen work of the NBD-PWG in Stage 3. The subgroup accepted additional use case submissions using the more detailed Use Case Template 2. The three additional use case submissions collected using Use Case Template 2 are presented and summarized in this volume.
This public working group will focus on developing an approach to advancing the Federated Community Cloud, which falls under Requirement 5 of the U.S. Government Cloud Computing Technology Roadmap, USG-Wide Use of Cloud Computing Standards. Not to be confused with the concept of cloud deployment models, the focus of Federated Community clouds is to develop a framework to support seamless implementations of disparate community cloud environments. The future of cloud computing is where both internal and external cloud resources from multiple providers are deployed and managed in order to meet business needs. To achieve this, industry and government will need to work together to develop frameworks, technologies, and methodologies that can support seamless implementation of various cloud computing environments through a focus on interoperability and portability standards.
The scope of the project is to fully understand and describe the elements of federated cloud computing. This will involve developing and gaining consensus on a common federated cloud computing vocabulary, as well as developing an underlying conceptual model of what federated cloud computing is, its major components, and users/stakeholders. The Working Group will then use that conceptual model to map out an implementation strategy including a gap analysis to identify the missing technologies and standards needed to cultivate a seamless system of systems. The anticipated results are:
The Working Group will work in a coordinated effort with the IEEE ICWG/2302 WG – Intercloud Working Group to produce an implementation of this reference material and create a compliant technical standard.
The formation of the NIST Cloud Computing Security Working Group (NCC-SWG) is an integral part of the overall NIST effort to facilitate secure adoption of cloud services for the United States Government (USG).
The Joint Task Force Transformation Initiative (JTFTI) is an Interagency Working Group working to produce a Unified Information Security Framework for the federal government. The JTFTI is made up of representatives from the Civil, Defense, and Intelligence Communities.
This document proposes a framework that identifies and characterizes the information and relationships needed to describe and measure properties of cloud services that are representative, accurate and reproducible. This information can be used in a variety of ways, including collection, comparison, gap analysis, and assessment or description of metrics at the technical or business levels. These metrics can connect information intended for decision-making, for the service agreements between provider and customer, for the runtime performance measurement and the underlying properties within the provider’s system.
The purpose of the guide is to discuss the security concerns associated with full virtualization technologies for server and desktop virtualization, and to provide recommendations for addressing these concerns. All forms of virtualization other than server and desktop full virtualization are outside the scope of this document.
Most existing recommended security practices remain applicable in virtual environments. The practices described in this document build on and assume the implementation of practices described in other NIST publications.
This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.
The purpose of this document is to define a NIST Cloud Computing Security Reference Architecture (NCC-SRA)--a framework that: i) identifies a core set of Security Components that can be implemented in a Cloud Ecosystem to secure the environment, the operations, and the data migrated to the cloud; ii) provides, for each Cloud Actor, the core set of Security Components that fall under their responsibilities depending on the deployment and service models; iii) defines a security-centric formal architectural model that adds a security layer to the current NIST SP 500-292, "NIST Cloud Computing Reference Architecture"; and iv) provides several approaches for analyzing the collected and aggregated data.